getCustomRulesList
This method retrieves the Custom Rules list for a specific company.
Parameters
Parameter | Type | Optional | Description |
---|---|---|---|
page | Number | No | The results page number. The default value is 1. |
perPage | Number | No | The number of items displayed in a page. The upper limit is 100 items per page. The default value is 30 items per page. |
companyId | String | No | The ID of the company for which to retrieve the list of custom rules. The default value is the ID of the company linked to the user who generated the API key. |
type | Number | No | The type of rule to return. Possible values: 1 - Detection, 2 - Exclusion |
Return value
This method returns an Array containing information on the custom rules items. The returned object contains:
- page - the current page displayed
- pagesCount - the total number of available pages
- perPage - the total number of returned items per page
- items - the list of custom rules items. Each entry in the list has the following fields:
  - id
  - owner
  - name
  - companyId
  - status
  - tags
  - settings - the rule settings. These are the available settings:
    - status
    - severity (if Detection Rule)
    - target (e.g. process, connection, file)
    - criteria list, array of objects. Each object contains a field, a relation and a value.

Note
For more information on the possible values of criteria list objects, refer to Detections and exclusions.
Detections and exclusions
Detection (type=1) | Exclusion (type=2) | Display Name | Target | Field | Relation | Validator |
---|---|---|---|---|---|---|
Yes | Yes | Name | process | Process.Name | is, contains, any | string |
Yes | Yes | Path | process | Process.Path | is, contains, any | string |
Yes | Yes | Full Path Name | process | Process.FullPathName | is, contains, any | string |
Yes | Yes | Command Line | process | Process.CommandLine | is, contains, any | string |
Yes | Yes | Parent Name | process | Process.Parent.Name | is, contains, any | string |
Yes | Yes | Parent Path | process | Process.Parent.Path | is, contains, any | string |
Yes | Yes | Parent Full Path Name | process | Process.Parent.FullPathName | is, contains, any | string |
Yes | Yes | Parent Command Line | process | Process.Parent.CommandLine | is, contains, any | string |
Yes | Yes | Name | file | File.Name | is, contains, any | string |
Yes | Yes | Path | file | File.Path | is, contains, any | string |
Yes | Yes | Full Path Name | file | File.FullPathName | is, contains, any | string |
Yes | Yes | Creation Process Name | file | File.CreatedBy.Name | is, contains, any | string |
Yes | Yes | Creation Process Path | file | File.CreatedBy.Path | is, contains, any | string |
Yes | Yes | Creation Process Full Path Name | file | File.CreatedBy.FullPathName | is, contains, any | string |
Yes | Yes | Creation Process Command Line | file | File.CreatedBy.CommandLine | is, contains, any | string |
Yes | Yes | Source IP | connection | Connection.SourceIP | is, contains, any | valid IP |
Yes | Yes | Destination IP | connection | Connection.DestinationIP | is, contains, any | valid IP |
Yes | Yes | Source Port | connection | Connection.SourcePort | is, contains, any | integer between 0 and 65,535 |
Yes | Yes | Destination Port | connection | Connection.DestinationPort | is, contains, any | integer between 0 and 65,535 |
Yes | Yes | Creation Process Name | connection | Connection.Process.Name | is, contains, any | string |
Yes | Yes | Creation Process Path | connection | Connection.Process.Path | is, contains, any | string |
Yes | Yes | Creation Process Full Path Name | connection | Connection.Process.FullPathName | is, contains, any | string |
Yes | Yes | Creation Process Command Line | connection | Connection.Process.CommandLine | is, contains, any | string |
Yes | No | Key | registry | Registry.Key | is, contains, any | string |
Yes | No | Value | registry | Registry.Value | is, contains, any | string |
Yes | No | Creation Process Name | registry | Registry.CreatedBy.Name | is, contains, any | string |
Yes | No | Creation Process Path | registry | Registry.CreatedBy.Path | is, contains, any | string |
Yes | No | Creation Process Full Path Name | registry | Registry.CreatedBy.FullPathName | is, contains, any | string |
Yes | No | Creation Process Command Line | registry | Registry.CreatedBy.CommandLine | is, contains, any | string |
Note
The any operator implies an array.
Example
Request:
{
    "params": {
        "companyId": "61827b8036492c2fc0718722",
        "type": 1,
        "page": 1,
        "perPage": 100
    },
    "jsonrpc": "2.0",
    "method": "getCustomRulesList",
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
}
Response:
{
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
    "jsonrpc": "2.0",
    "result": {
        "total": 1,
        "page": 1,
        "perPage": 100,
        "pagesCount": 1,
        "items": [
            {
                "id": "6188dfc42a1a0155e84afa57",
                "name": "testApi1111",
                "ownerId": "6082afe13cf8082cab49cacb",
                "description": "description test api",
                "companyId": "61827b8036492c2fc0718722",
                "status": 0,
                "tags": [
                    "test",
                    "api",
                    "demo"
                ],
                "settings": {
                    "status": 0,
                    "target": "connection",
                    "criteriaList": [
                        {
                            "field": "Connection.DestinationPort",
                            "relation": "is",
                            "value": [
                                "25691"
                            ]
                        },
                        {
                            "field": "Connection.Process.Name",
                            "relation": "contains",
                            "value": [
                                "./network1"
                            ],
                            "operator": "AND"
                        },
                        {
                            "field": "Connection.SourcePort",
                            "relation": "any",
                            "value": [
                                "22",
                                "23",
                                "24"
                            ],
                            "operator": "AND"
                        }
                    ],
                    "severity": 1
                }
            }
        ]
    }
}
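
A client that consumes this list can check every returned rule against the Detections and exclusions table, for instance to flag exclusions or detections whose criteria are malformed. The following is an added example, not part of the original API documentation; the names audit_rule and valid_value are hypothetical, and the Validator column is applied to every relation, as the table states.

```python
import ipaddress

_PROC = ("Name", "Path", "FullPathName", "CommandLine")
IP_FIELDS = {"Connection.SourceIP", "Connection.DestinationIP"}
PORT_FIELDS = {"Connection.SourcePort", "Connection.DestinationPort"}
FIELDS = {  # Field column of the "Detections and exclusions" table, by target
    "process": {f"Process.{p}{a}" for p in ("", "Parent.") for a in _PROC},
    "file": {f"File.{a}" for a in _PROC[:3]} | {f"File.CreatedBy.{a}" for a in _PROC},
    "connection": IP_FIELDS | PORT_FIELDS | {f"Connection.Process.{a}" for a in _PROC},
    "registry": {"Registry.Key", "Registry.Value"} | {f"Registry.CreatedBy.{a}" for a in _PROC},
}

def valid_value(field, v):
    """Validator column: valid IP, integer 0-65535, or a non-empty string."""
    if field in IP_FIELDS:
        try:
            ipaddress.ip_address(str(v))
            return True
        except ValueError:
            return False
    if field in PORT_FIELDS:
        return str(v).isascii() and str(v).isdigit() and int(v) <= 65535
    return isinstance(v, str) and v != ""

def audit_rule(item, rule_type):
    """Return findings for one entry of result["items"]; an empty list means clean."""
    s, out = item.get("settings", {}), []
    target = s.get("target")
    if target not in FIELDS:
        return [f"unknown target {target!r}"]
    if rule_type == 2 and target == "registry":
        out.append("registry criteria are detection-only (type 1)")
    for c in s.get("criteriaList", []):
        field, rel, val = c.get("field"), c.get("relation"), c.get("value")
        if field not in FIELDS[target]:
            out.append(f"{field}: not a {target} field")
        if rel not in ("is", "contains", "any"):
            out.append(f"{field}: unknown relation {rel!r}")
        if rel == "any" and not isinstance(val, list):
            out.append(f"{field}: 'any' needs an array value")
        out += [f"{field}: invalid value {v!r}"
                for v in (val if isinstance(val, list) else [val]) if not valid_value(field, v)]
    return out

# Item trimmed from the example response on this page.
SAMPLE = {"settings": {"target": "connection", "criteriaList": [
    {"field": "Connection.DestinationPort", "relation": "is", "value": ["25691"]},
    {"field": "Connection.Process.Name", "relation": "contains", "value": ["./network1"]},
    {"field": "Connection.SourcePort", "relation": "any", "value": ["22", "23", "24"]}]}}
```

Pass the same type value that was sent in the request as rule_type, since the response items do not repeat it.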