createCustomRule
Method to create a custom rule.
Parameters
Parameter | Description | Included in request | Type | Values |
---|---|---|---|---|
| The type of rule to create. | Optional | Number | Possible values:
|
| The name of the rule to be created. | Mandatory | String | No additional requirements. |
| The description of the rule. | Optional | String | No additional requirements. |
| The list of associated tags. | Optional | Array of Strings | No additional requirements. |
| Contains the settings associated to the rule. | Mandatory | Object | Refer to |
| Indicates if the request will return the ID of the new rule. | Boolean | Optional | Possible values:
Default value: |
Objects
settings
Parameter | Description | Included in request | Type | Values |
---|---|---|---|---|
| Indicates if the rule is active. | Mandatory | Integer | Possible values:
|
| Indicates the severity of the incident that will be created. | Mandatory | Integer | Possible values:
|
| Indicates the type of entity you want to target. | Mandatory | String | Possible values:
|
| Contains the criteria on which the rule is based. You can add multiple objects. | Mandatory | Array of Objects | Each object contains the following settings:
NoteFor more information on the possible values of |
| Specifies the details of the exclusions to be implemented for this rule. | Optional | Array of Objects | Each object contains the following settings:
|
| Indicates if and which automatic response actions are enabled for EDR incidents created as a result of this rule. The actions are only compatible with EDR incidents. | Optional | Array of Objects | Each object contains the following settings:
Companies using a Bitdefender EDR subscription or a GravityZone EDR Cloud license do not have access to automatic actions. |
Detections and exclusions
Detection (type =1) | Exclusion (type=2) | Display Name | Target | Field | Technology | Relation | Validator |
---|---|---|---|---|---|---|---|
No | Yes | Alert name | N/A | detection | Both | is | |
Yes | Yes | Name | process | Process.Name | EDR | is |contains| any | string |
Yes | Yes | Path | process | Process.Path | EDR | is |contains| any | string |
Yes | Yes | Full Path Name | process | Process.FullPathName | EDR | is |contains| any | string |
Yes | Yes | Command Line | process | Process.CommandLine | EDR | is |contains| any | string |
Yes | Yes | Parent Name | process | Process.Parent.Name | EDR | is |contains| any | string |
Yes | Yes | Parent Path | process | Process.Parent.Path | EDR | is |contains| any | string |
Yes | Yes | Paret Full Path Name | process | Process.Parent.FullPathName | EDR | is |contains| any | string |
Yes | Yes | Parent Command Line | process | Process.Parent.CommandLine | EDR | is |contains| any | string |
No | Yes | File.Name | process | Process.User | EDR | is |contains| any | string |
No | Yes | File.Path | process | Process.MD5 | EDR | is |contains| any | string |
No | Yes | SHA256 | process | Process.SHA2 | EDR | is | contains | any | string |
Yes | Yes | Name | file | File.Name | Both | is | contains | any | string |
Yes | Yes | Path | file | File.Path | Both | is | contains | any | string |
Yes | Yes | Full Path Name | file | File.FullPathName | Both | is |contains| any | string |
Yes | Yes | Creation Process Name | file | File.CreatedBy.Name | EDR | is |contains| any | string |
Yes | Yes | Creation Process Path | file | File.CreatedBy.Path | EDR | is |contains| any | string |
Yes | Yes | Creation Process Full Path Name | file | File.CreatedBy.FullPathName | EDR | is |contains| any | string |
Yes | Yes | Creation Process Command Line | file | File.CreatedBy.CommandLine | EDR | is |contains| any | string |
No | Yes | Operation | file | File.Operation NoteThis field must contain this exact value: | EDR | is | any | string |
No | Yes | MD5 | file | File.MD5 | XDR | is | contains | any | string |
No | Yes | SHA256 | file | File.SHA256 | XDR | is | contains | any | string |
No | Yes | Url | file | File.Url | XDR | is | contains | any | string |
No | Yes | Creation process user | file | File.CreatedBy.User | EDR | is | contains | any | string |
Yes | Yes | Source IP | connection | Connection.SourceIP | Both | is |contains| any | valid IP |
Yes | Yes | Destination IP | connection | Connection.DestinationIP | Both | is |contains| any | valid IP |
Yes | Yes | Source Port | connection | Connection.SourcePort | EDR | is |contains| any | integer between 0 and 65,535 |
Yes | Yes | Destination Port | connection | Connection.DestinationPort | EDR | is |contains| any | integer between 0 and 65,535 |
Yes | Yes | Creation Process Name | connection | Connection.Process.Name | EDR | is |contains| any | string |
Yes | Yes | Creation Process Path | connection | Connection.Process.Path | EDR | is |contains| any | string |
Yes | Yes | Creation Process Full Path Name | connection | Connection.Process.FullPathName | EDR | is |contains| any | string |
Yes | Yes | Creation Process Command Line | connection | Connection.Process.CommandLine | EDR | is |contains| any | string |
No | Yes | Creation process user | connection | Connection.Process.User | EDR | is |contains| any | string |
No | Yes | Url | connection | Connection.URL | EDR | is | contains | any | string |
No | Yes | HTTP user | connection | Connection.HTTPUser | EDR | is | contains | any | string |
No | Yes | HTTP downloaded file | connection | Connection.HTTPDownloadedFile | EDR | is | contains | any | string |
No | Yes | HTTP uploaded file | connection | Connection.HTTPUploadedFile | EDR | is | contains | any | string |
No | Yes | FTP user | connection | Connection.FTPUser | EDR | is | contains | any | string |
No | Yes | SMB domain | connection | Connection.SMBDomain | EDR | is | contains | any | string |
No | Yes | SMB share path | connection | Connection.SMBSharePath | EDR | is | contains | any | string |
No | Yes | SMB user | connection | Connection.SMBUser | EDR | is | contains | any | string |
No | Yes | SSH user | connection | Connection.SSHUser | EDR | is | contains | any | string |
No | Yes | WMI exec query | connection | Connection.WMIExecQuery | EDR | is | contains | any | string |
No | Yes | Telnet user | connection | Connection.TelnetUser | EDR | is | contains | any | string |
No | Yes | File remote operation | connection | Connection.FileRemoteOperation NoteThis field must contain this exact value: | EDR | is | any | string |
No | Yes | File remote path | connection | Connection.FileRemotePath | EDR | is | contains | any | string |
No | Yes | File name | connection | Connection.File.Name | XDR | is | contains | any | string |
No | Yes | Email subject | connection | Connection.Email.Subject | XDR | is | contains | any | string |
No | Yes | Application name | connection | Connection.Application.Name | XDR | is | contains | any | string |
No | Yes | Key vault name | connection | Connection.KeyVault.Name | XDR | is | contains | any | string |
No | Yes | Role name | connection | Connection.Role.Name | XDR | is | contains | any | string |
No | Yes | Policy name | connection | Connection.Policy.Name | XDR | is | contains | any | string |
No | Yes | Sharing link name | connection | Connection.SharingLink.Name | XDR | is | contains | any | string |
No | Yes | Flow name | connection | Connection.Flow.Name | XDR | is | contains | any | string |
No | Yes | URL name | connection | Connection.Url.Name | XDR | is | contains | any | string |
No | Yes | SSH key name | connection | Connection.SshKey.Name | XDR | is | contains | any | string |
No | Yes | Launch template name | connection | Connection.LaunchTemplate.Name | XDR | is | contains | any | string |
No | Yes | Service principal name | connection | Connection.ServicePrincipal.Name | XDR | is | contains | any | string |
No | Yes | User group name | connection | Connection.UserGroup.Name | XDR | is | contains | any | string |
No | Yes | Automation account name | connection | Connection.AutomationAccount.Name | XDR | is | contains | any | string |
No | Yes | Automation account hook name | connection | Connection.AutomationAccountHook.Name | XDR | is | contains | any | string |
No | Yes | Api name | connection | Connection.Api.Name | XDR | is | contains | any | string |
No | Yes | Certificate authority name | connection | Connection.CertificateAuthority.Name | XDR | is | contains | any | string |
No | Yes | Bucket name | connection | Connection.Bucket.Name | XDR | is | contains | any | string |
No | Yes | Source user | connection | Connection.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | connection | Connection.DestinationUser | XDR | is | contains | any | string |
Yes | No | Key | registry | Registry.Key | EDR | is | contains | any | string |
Yes | No | Value | registry | Registry.Value | EDR | is | contains | any | string |
No | No | Creation Process Name | registry | Registry.CreatedBy.Name | EDR | is |contains| any | string |
Yes | No | Creation Process Path | registry | Registry.CreatedBy.Path | EDR | is |contains| any | string |
Yes | No | Creation Process Full Path Name | registry | Registry.CreatedBy.FullPathName | EDR | is |contains| any | string |
Yes | No | Creation Process Command Line | registry | Registry.CreatedBy.CommandLine | EDR | is |contains| any | string |
No | Yes | Name | user connection | UserLogin.Name | EDR | is | contains | any | string |
No | Yes | Source user | user connection | UserLogin.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | user connection | UserLogin.DestinationUser | XDR | is | contains | any | string |
No | Yes | Domain | user connection | UserLogin.Domain | EDR | is | contains | any | string |
No | Yes | File name | user connection | UserLogin.File.Name | XDR | is | contains | any | string |
No | Yes | Email subject | user connection | UserLogin.Email.Subject | XDR | is | contains | any | string |
No | Yes | Application name | user connection | UserLogin.Application.Name | XDR | is | contains | any | string |
No | Yes | Key vault name | user connection | UserLogin.KeyVault.Name | XDR | is | contains | any | string |
No | Yes | Role name | user connection | UserLogin.Role.Name | XDR | is | contains | any | string |
No | Yes | Policy name | user connection | UserLogin.Policy.Name | XDR | is | contains | any | string |
No | Yes | Sharing link name | user connection | UserLogin.SharingLink.Name | XDR | is | contains | any | string |
No | Yes | Flow name | user connection | UserLogin.Flow.Name | XDR | is | contains | any | string |
No | Yes | URL name | user connection | UserLogin.Url.Name | XDR | is | contains | any | string |
No | Yes | SSH key name | user connection | UserLogin.SshKey.Name | XDR | is | contains | any | string |
No | Yes | Launch template name | user connection | UserLogin.LaunchTemplate.Name | XDR | is | contains | any | string |
No | Yes | Service principal name | user connection | UserLogin.ServicePrincipal.Name | XDR | is | contains | any | string |
No | Yes | User group name | user connection | UserLogin.UserGroup.Name | XDR | is | contains | any | string |
No | Yes | Automation account name | user connection | UserLogin.AutomationAccount.Name | XDR | is | contains | any | string |
No | Yes | Automation account hook name | user connection | UserLogin.AutomationAccountHook.Name | XDR | is | contains | any | string |
No | Yes | Api name | user connection | UserLogin.Api.Name | XDR | is | contains | any | string |
No | Yes | Certificate authority name | user connection | UserLogin.CertificateAuthority.Name | XDR | is | contains | any | string |
No | Yes | Bucket name | user connection | UserLogin.Bucket.Name | XDR | is | contains | any | string |
No | Yes | Source IP | user connection | UserLogin.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | user connection | UserLogin.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Subject | Email.Subject | Both | is | contains | any | string | |
No | Yes | Sender | Email.Sender | Both | is | contains | any | string | |
No | Yes | Receiver | Email.Receivers | Both | is | contains | any | string | |
No | Yes | Attachment | Email.Attachments | Both | is | contains | any | string | |
No | Yes | Url | Email.Url | XDR | is | contains | any | string | |
No | Yes | Name | application | Application.Name | XDR | is | contains | any | string |
No | Yes | Id | application | Application.Id | XDR | is | contains | any | string |
No | Yes | Application address | application | Application.Address | XDR | is | contains | any | string |
No | Yes | Source user | application | Application.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | application | Application.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | application | Application.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | application | Application.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | key vault | KeyVault.Name | XDR | is | contains | any | string |
No | Yes | Source user | key vault | KeyVault.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | key vault | KeyVault.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | key vault | KeyVault.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | key vault | KeyVault.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | role | Role.Name | XDR | is | contains | any | string |
No | Yes | Id | role | Role.Id | XDR | is | contains | any | string |
No | Yes | Source user | role | Role.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | role | Role.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | role | Role.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | role | Role.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | policy | Policy.Name | XDR | is | contains | any | string |
No | Yes | Id | policy | Policy.Id | XDR | is | contains | any | string |
No | Yes | Resource policy type | policy | Policy.ResourcePolicyType | XDR | is | contains | any | string |
No | Yes | Source user | policy | Policy.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | policy | Policy.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | policy | Policy.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | policy | Policy.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | sharing link | SharingLink.Name | XDR | is | contains | any | string |
No | Yes | Url | sharing link | SharingLink.Url | XDR | is | contains | any | string |
No | Yes | Source user | sharing link | SharingLink.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | sharing link | SharingLink.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | sharing link | SharingLink.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | sharing link | SharingLink.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | flow | Flow.Name | XDR | is | contains | any | string |
No | Yes | Id | flow | Flow.Id | XDR | is | contains | any | string |
No | Yes | Url | flow | Flow.Url | XDR | is | contains | any | string |
No | Yes | Source user | flow | Flow.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | flow | Flow.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | flow | Flow.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | flow | Flow.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | flow | Url.Name | XDR | is | contains | any | string |
No | Yes | Url | url | Url.Url | XDR | is | contains | any | string |
No | Yes | Source user | url | Url.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | url | Url.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | url | Url.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | url | Url.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | SSH key | SshKey.Name | XDR | is | contains | any | string |
No | Yes | SSH public key | SSH key | SshKey.PublicKey | XDR | is | contains | any | string |
No | Yes | Source user | SSH key | SshKey.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | SSH key | SshKey.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | SSH key | SshKey.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | SSH key | SshKey.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | launch template | LaunchTemplate.Name | XDR | is | contains | any | string |
No | Yes | Id | launch template | LaunchTemplate.Id | XDR | is | contains | any | string |
No | Yes | Source user | launch template | LaunchTemplate.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | launch template | LaunchTemplate.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | launch template | LaunchTemplate.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | launch template | LaunchTemplate.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | service principal | ServicePrincipal.Name | XDR | is | contains | any | is | contains | any |
No | Yes | Id | service principal | ServicePrincipal.Id | XDR | is | contains | any | string |
No | Yes | Source user | service principal | ServicePrincipal.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | service principal | ServicePrincipal.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | service principal | ServicePrincipal.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | service principal | ServicePrincipal.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | user group | UserGroup.Name | XDR | is | contains | any | string |
No | Yes | Id | user group | UserGroup.Id | XDR | is | contains | any | string |
No | Yes | Source user | user group | UserGroup.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | user group | UserGroup.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | user group | UserGroup.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | user group | UserGroup.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | automation account | AutomationAccount.Name | XDR | is | contains | any | string |
No | Yes | Id | automation account | AutomationAccount.Id | XDR | is | contains | any | string |
No | Yes | Source user | automation account | AutomationAccount.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | automation account | AutomationAccount.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | automation account | AutomationAccount.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | automation account | AutomationAccount.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | automation account hook | AutomationAccountHook.Name | XDR | is | contains | any | string |
No | Yes | Id | automation account hook | AutomationAccountHook.Id | XDR | is | contains | any | string |
No | Yes | Source user | automation account hook | AutomationAccountHook.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | automation account hook | AutomationAccountHook.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | automation account hook | AutomationAccountHook.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | automation account hook | AutomationAccountHook.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | API | Api.Name | XDR | is | contains | any | string |
No | Yes | Id | API | Api.Id | XDR | is | contains | any | string |
No | Yes | Destination user | API | Api.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | API | Api.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | API | Api.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | certificate authority | CertificateAuthority.Name | XDR | is | contains | any | string |
No | Yes | Source user | certificate authority | CertificateAuthority.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | certificate authority | CertificateAuthority.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | certificate authority | CertificateAuthority.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | certificate authority | CertificateAuthority.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | bucket | Bucket.Name | XDR | is | contains | any | string |
No | Yes | Source user | bucket | Bucket.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | bucket | Bucket.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | bucket | Bucket.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | bucket | Bucket.DestinationIP | XDR | is | contains | any | valid IP |
Note
The any
operator implies an array.
Return value
This method returns the ID of the newly created rule or a boolean value which is true
if the creation of the custom rule was successful.
Example
Request:
{ "params": { "companyId": "669fa6bb98b4ed9eb90b85b2", "type": 1, "name": "Detection Rule via API", "description": "Detection Rule via API Description", "settings": { "status": 0, "severity": 1, "target": "file", "automaticActions": [ { "type": 1, "enabled": true } ], "criteriaList": [ { "field": "File.Name", "relation": "is", "value": [ "abcd" ] } ] "filters": [ { "field": "detection", "value": [ "test-api" ] } ] }, "returnRuleId": true }, "jsonrpc": "2.0", "method": "createCustomRule", "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810" }
Response:
{ "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810", "jsonrpc": "2.0", "result": 6372b7a3897aaa77ee021642 }