Skip to main content

createCustomRule

Method to create a custom rule.

Parameters

Parameter

Description

Included in request

Type

Values

type

The type of rule to create.

Optional

Number

Possible values:

  • 1 - Detection

  • 2 - Exclusion

name

The name of the rule to be created.

Mandatory

String

No additional requirements.

description

The description of the rule.

Optional

String

No additional requirements.

tags

The list of associated tags.

Optional

Array of Strings

No additional requirements.

settings

Contains the settings associated to the rule.

Mandatory

Object

Refer to settings.

returnRuleId

Indicates if the request will return the ID of the new rule.

Boolean

Optional

Possible values:

  • true, will return the ID of the newly created rule, if the request is successful.

  • false, will not return the ID of the newly created rule. Instead, it will return a Boolean value.

Default value: False.

Objects

settings

Parameter

Description

Included in request

Type

Values

status

Indicates if the rule is active.

Mandatory

Integer

Possible values:

  • 0 - inactive.

  • 1 - active.

severity

Indicates the severity of the incident that will be created.

Mandatory

Integer

Possible values:

  • 1 - Low

  • 2 - Medium

  • 3 - High

target

Indicates the type of entity you want to target.

Mandatory

String

Possible values:

  • process

  • file

  • connection

  • registry

criteriaList

An object that contains the criteria on which the rule is based. You can add multiple objects.

Mandatory

Array of Objects

Each object contains the following settings:

  • field - The type of entity the condition applies to.

  • relation - The relationship between the values provided in the field and value parameters that is needed for the condition to be met.

  • value - A custom value to compare the value of the entity specified in the field parameter against.

Note

For more information on the possible values of criteria list objects, refer to Detections and exclusions

automaticActions

Indicates if and which automatic response actions are enabled for EDR incidents created as a result of this rule.

Optional

Array of Objects

Each object contains the following settings:

  • type - Indicates the type of automatic action assigned to the rule.

    Possible values:

    • 1 - Isolate

    • 2 - Collect investigation package

    • 3 - Add to Sandbox

      This option is only available if target = 1 or 2 or if the field setting under the criteriaList object contains a creation process rule (for connections and registries).

    • 4 - Kill process

      This option is only available if target = 1 or if the field setting under the criteriaList object contains a creation process rule (for files, connections and registries).

    • 5 - Scan

    • 6 - Quarantine

      This option is only available if target = 1 or 2 or if the field setting under the criteriaList object contains a creation process rule (for connections and registries).

    • 7 - Risk scan

  • enabled - If true, the action specified by the type setting is enabled for the incidents created as a result of this rule.

  • settings - This object allows you to further customize the automatic action and is only available for specific action types.

    Possible values:

    • If type = 4 (Kill process):

      • includeParent - If true, the action also applies to the parent of the targeted process.

      • includeChildren - If true, the action also applies to the children of the targeted process.

    • If type = 5 (Scan):

      • 1 - Quick scan

      • 2 - Full scan

    • If type = 6 (Quarantine) and target = 1 or if the field setting under the criteriaList object contains a creation process rule (for files, connections and registries):

      • includeParent - If true, the action also applies to the parent of the targeted process.

      • includeChildren - If true, the action also applies to the children of the targeted process.

Companies using a Bitdefender EDR subscription or a GravityZone EDR Cloud license do not have access to automatic actions.

Detections and exclusions

Detection (type =1)

Exclusion (type=2)

Display Name

target

Field

Relation

Validator

Yes

Yes

Name

process

Process.Name

is |contains| any

string

Yes

Yes

Path

process

Process.Path

is |contains| any

string

Yes

Yes

Full Path Name

process

Process.FullPathName

is |contains| any

string

Yes

Yes

Command Line

process

Process.CommandLine

is |contains| any

string

Yes

Yes

Parent Name

process

Process.Parent.Name

is |contains| any

string

Yes

Yes

Parent Path

process

Process.Parent.Path

is |contains| any

string

Yes

Yes

Paret Full Path Name

process

Process.Parent.FullPathName

is |contains| any

string

Yes

Yes

Parent Command Line

process

Process.Parent.CommandLine

is |contains| any

string

Yes

Yes

Name

file

File.Name

is |contains| any

string

Yes

Yes

Path

file

File.Path

is |contains| any

string

Yes

Yes

Full Path Name

file

File.FullPathName

is |contains| any

string

Yes

Yes

Creation Process Name

file

File.CreatedBy.Name

is |contains| any

string

Yes

Yes

Creation Process Path

file

File.CreatedBy.Path

is |contains| any

string

Yes

Yes

Creation Process Full Path Name

file

File.CreatedBy.FullPathName

is |contains| any

string

Yes

Yes

Creation Process Command Line

file

File.CreatedBy.CommandLine

is |contains| any

string

Yes

Yes

Source IP

connection

Connection.SourceIP

is |contains| any

valid IP

Yes

Yes

Destination IP

connection

Connection.DestinationIP

is |contains| any

valid IP

Yes

Yes

Source Port

connection

Connection.SourcePort

is |contains| any

integer between 0 and 65,535

Yes

Yes

Destination Port

connection

Connection.DestinationPort

is |contains| any

integer between 0 and 65,535

Yes

Yes

Creation Process Name

connection

Connection.Process.Name

is |contains| any

string

Yes

Yes

Creation Process Path

connection

Connection.Process.Path

is |contains| any

string

Yes

Yes

Creation Process Full Path Name

connection

Connection.Process.FullPathName

is |contains| any

string

Yes

Yes

Creation Process Command Line

connection

Connection.Process.CommandLine

is |contains| any

string

Yes

No

Key

registry

Registry.Key

is |contains| any

string

Yes

No

Value

registry

Registry.Value

is |contains| any

string

Yes

No

Creation Process Name

registry

Registry.CreatedBy.Name

is |contains| any

string

Yes

No

Creation Process Path

registry

Registry.CreatedBy.Path

is |contains| any

string

Yes

No

Creation Process Full Path Name

registry

Registry.CreatedBy.FullPathName

is |contains| any

string

Yes

No

Creation Process Command Line

registry

Registry.CreatedBy.CommandLine

is |contains| any

string

Note

The any operator implies an array.

Return value

This method returns the ID of the newly created rule or a boolean value which is true if the creation of the custom rule was successful.

Example

Request:

{
     "params": {
         "companyId": "669fa6bb98b4ed9eb90b85b2",
         "type": 1,
         "name": "Detection Rule via API",
         "description": "Detection Rule via API Description",
         "settings": {
             "status": 0,
             "severity": 1,
             "target": "file",
             "automaticActions": [
                 {
                     "type": 1,
                     "enabled": true
                 }  
             ],
             "criteriaList": [
                 {
                     "field": "File.Name",
                     "relation": "is",
                     "value": [
                         "test-api"
                     ]
                 }
             ]
         },
         "returnRuleId": true
    },
    "jsonrpc": "2.0",
    "method": "createCustomRule",
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
}

Response:

  {
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
   "jsonrpc": "2.0",
   "result": 6372b7a3897aaa77ee021642
  }