createCustomRule
Method to create a custom rule.
Parameters
Parameter | Description | Included in request | Type | Values |
---|---|---|---|---|
| The type of rule to create. | Optional | Number | Possible values:
|
| The name of the rule to be created. | Mandatory | String | No additional requirements. |
| The description of the rule. | Optional | String | No additional requirements. |
| The list of associated tags. | Optional | Array of Strings | No additional requirements. |
| Contains the settings associated to the rule. | Mandatory | Object | Refer to |
| Indicates if the request will return the ID of the new rule. | Boolean | Optional | Possible values:
Default value: |
Objects
settings
Parameter | Description | Included in request | Type | Values |
---|---|---|---|---|
| Indicates if the rule is active. | Mandatory | Integer | Possible values:
|
| Indicates the severity of the incident that will be created. | Mandatory | Integer | Possible values:
|
| Indicates the type of entity you want to target. | Mandatory | String | Possible values:
|
| An object that contains the criteria on which the rule is based. You can add multiple objects. | Mandatory | Array of Objects | Each object contains the following settings:
NoteFor more information on the possible values of |
| Indicates if and which automatic response actions are enabled for EDR incidents created as a result of this rule. | Optional | Array of Objects | Each object contains the following settings:
Companies using a Bitdefender EDR subscription or a GravityZone EDR Cloud license do not have access to automatic actions. |
Detections and exclusions
Detection (type =1) | Exclusion (type=2) | Display Name | target | Field | Relation | Validator |
---|---|---|---|---|---|---|
Yes | Yes | Name | process | Process.Name | is |contains| any | string |
Yes | Yes | Path | process | Process.Path | is |contains| any | string |
Yes | Yes | Full Path Name | process | Process.FullPathName | is |contains| any | string |
Yes | Yes | Command Line | process | Process.CommandLine | is |contains| any | string |
Yes | Yes | Parent Name | process | Process.Parent.Name | is |contains| any | string |
Yes | Yes | Parent Path | process | Process.Parent.Path | is |contains| any | string |
Yes | Yes | Paret Full Path Name | process | Process.Parent.FullPathName | is |contains| any | string |
Yes | Yes | Parent Command Line | process | Process.Parent.CommandLine | is |contains| any | string |
Yes | Yes | Name | file | File.Name | is |contains| any | string |
Yes | Yes | Path | file | File.Path | is |contains| any | string |
Yes | Yes | Full Path Name | file | File.FullPathName | is |contains| any | string |
Yes | Yes | Creation Process Name | file | File.CreatedBy.Name | is |contains| any | string |
Yes | Yes | Creation Process Path | file | File.CreatedBy.Path | is |contains| any | string |
Yes | Yes | Creation Process Full Path Name | file | File.CreatedBy.FullPathName | is |contains| any | string |
Yes | Yes | Creation Process Command Line | file | File.CreatedBy.CommandLine | is |contains| any | string |
Yes | Yes | Source IP | connection | Connection.SourceIP | is |contains| any | valid IP |
Yes | Yes | Destination IP | connection | Connection.DestinationIP | is |contains| any | valid IP |
Yes | Yes | Source Port | connection | Connection.SourcePort | is |contains| any | integer between 0 and 65,535 |
Yes | Yes | Destination Port | connection | Connection.DestinationPort | is |contains| any | integer between 0 and 65,535 |
Yes | Yes | Creation Process Name | connection | Connection.Process.Name | is |contains| any | string |
Yes | Yes | Creation Process Path | connection | Connection.Process.Path | is |contains| any | string |
Yes | Yes | Creation Process Full Path Name | connection | Connection.Process.FullPathName | is |contains| any | string |
Yes | Yes | Creation Process Command Line | connection | Connection.Process.CommandLine | is |contains| any | string |
Yes | No | Key | registry | Registry.Key | is |contains| any | string |
Yes | No | Value | registry | Registry.Value | is |contains| any | string |
Yes | No | Creation Process Name | registry | Registry.CreatedBy.Name | is |contains| any | string |
Yes | No | Creation Process Path | registry | Registry.CreatedBy.Path | is |contains| any | string |
Yes | No | Creation Process Full Path Name | registry | Registry.CreatedBy.FullPathName | is |contains| any | string |
Yes | No | Creation Process Command Line | registry | Registry.CreatedBy.CommandLine | is |contains| any | string |
Note
The any
operator implies an array.
Return value
This method returns the ID of the newly created rule or a boolean value which is true
if the creation of the custom rule was successful.
Example
Request:
{ "params": { "companyId": "669fa6bb98b4ed9eb90b85b2", "type": 1, "name": "Detection Rule via API", "description": "Detection Rule via API Description", "settings": { "status": 0, "severity": 1, "target": "file", "automaticActions": [ { "type": 1, "enabled": true } ], "criteriaList": [ { "field": "File.Name", "relation": "is", "value": [ "test-api" ] } ] }, "returnRuleId": true }, "jsonrpc": "2.0", "method": "createCustomRule", "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810" }
Response:
{ "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810", "jsonrpc": "2.0", "result": 6372b7a3897aaa77ee021642 }