createCustomRule

Method to create a custom rule.

Parameters

Parameter	Description	Included in request	Type	Values
`companyId`	The ID of the company to which the Custom rule item belongs to.	Optional	String	Must be a valid company ID that the user has access to managing. Default value: the company the API key used to make the request belongs to. Example companyId": "58541613aaed7090058b4567"
`type`	The type of rule to create.	Optional	Number	Possible values: `1` - Detection `2` - Exclusion
`name`	The name of the rule to be created.	Mandatory	String	No additional requirements.
`description`	The description of the rule.	Optional	String	No additional requirements.
`tags`	The list of associated tags.	Optional	Array of Strings	No additional requirements.
`settings`	Contains the settings associated to the rule.	Mandatory	Object	Refer to `settings`.
`returnRuleId`	Indicates if the request will return the ID of the new rule.	Boolean	Optional	Possible values: `true`, will return the ID of the newly created rule, if the request is successful. `false`, will not return the ID of the newly created rule. Instead, it will return a Boolean value. Default value: `False`.

Objects

`settings`

Parameter	Description	Included in request	Type	Values
`status`	Indicates if the rule is active.	Mandatory	Integer	Possible values: `0` - inactive. `1` - active.
`severity`	Indicates the severity of the incident that will be created.	Mandatory	Integer	Possible values: `1` - `Low` `2` - `Medium` `3` - `High`
`target`	Indicates the type of entity you want to target.	Mandatory	String	Possible values: `process` `file` `connection` `registry`
`criteriaList`	An object that contains the criteria on which the rule is based. You can add multiple objects.	Mandatory	Array of Objects	Each object contains the following settings: `field` - The type of entity the condition applies to. `relation` - The relationship between the values provided in the `field` and `value` parameters that is needed for the condition to be met. `value` - A custom value to compare the value of the entity specified in the `field` parameter against. Note For more information on the possible values of `criteria list` objects, refer to Detections and exclusions
`automaticActions`	Indicates if and which automatic response actions are enabled for EDR incidents created as a result of this rule.	Optional	Array of Objects	Each object contains the following settings: `type` - Indicates the type of automatic action assigned to the rule. Possible values: `1` - Isolate `2` - Collect investigation package `3` - Add to Sandbox This option is only available if `target` = `1` or `2` or if the field setting under the `criteriaList` object contains a creation process rule (for connections and registries). `4` - Kill process This option is only available if `target` = `1` or if the field setting under the `criteriaList` object contains a creation process rule (for files, connections and registries). `5` - Scan `6` - Quarantine This option is only available if `target` = `1` or `2` or if the field setting under the `criteriaList` object contains a creation process rule (for connections and registries). `7` - Risk scan `enabled` - If `true`, the action specified by the `type` setting is enabled for the incidents created as a result of this rule. `settings` - This object allows you to further customize the automatic action and is only available for specific action types. Possible values: If `type` = `4` (Kill process): `includeParent` - If `true`, the action also applies to the parent of the targeted process. `includeChildren` - If `true`, the action also applies to the children of the targeted process. If `type` = `5` (Scan): `1` - Quick scan `2` - Full scan If `type` = `6` (Quarantine) and `target` = `1` or if the field setting under the `criteriaList` object contains a creation process rule (for files, connections and registries): `includeParent` - If `true`, the action also applies to the parent of the targeted process. `includeChildren` - If `true`, the action also applies to the children of the targeted process. Companies using a Bitdefender EDR subscription or a GravityZone EDR Cloud license do not have access to automatic actions.

Detections and exclusions

Detection (type =1)	Exclusion (type=2)	Display Name	target	Field	Relation	Validator
Yes	Yes	Name	process	Process.Name	is \|contains\| any	string
Yes	Yes	Path	process	Process.Path	is \|contains\| any	string
Yes	Yes	Full Path Name	process	Process.FullPathName	is \|contains\| any	string
Yes	Yes	Command Line	process	Process.CommandLine	is \|contains\| any	string
Yes	Yes	Parent Name	process	Process.Parent.Name	is \|contains\| any	string
Yes	Yes	Parent Path	process	Process.Parent.Path	is \|contains\| any	string
Yes	Yes	Paret Full Path Name	process	Process.Parent.FullPathName	is \|contains\| any	string
Yes	Yes	Parent Command Line	process	Process.Parent.CommandLine	is \|contains\| any	string
Yes	Yes	Name	file	File.Name	is \|contains\| any	string
Yes	Yes	Path	file	File.Path	is \|contains\| any	string
Yes	Yes	Full Path Name	file	File.FullPathName	is \|contains\| any	string
Yes	Yes	Creation Process Name	file	File.CreatedBy.Name	is \|contains\| any	string
Yes	Yes	Creation Process Path	file	File.CreatedBy.Path	is \|contains\| any	string
Yes	Yes	Creation Process Full Path Name	file	File.CreatedBy.FullPathName	is \|contains\| any	string
Yes	Yes	Creation Process Command Line	file	File.CreatedBy.CommandLine	is \|contains\| any	string
Yes	Yes	Source IP	connection	Connection.SourceIP	is \|contains\| any	valid IP
Yes	Yes	Destination IP	connection	Connection.DestinationIP	is \|contains\| any	valid IP
Yes	Yes	Source Port	connection	Connection.SourcePort	is \|contains\| any	integer between 0 and 65,535
Yes	Yes	Destination Port	connection	Connection.DestinationPort	is \|contains\| any	integer between 0 and 65,535
Yes	Yes	Creation Process Name	connection	Connection.Process.Name	is \|contains\| any	string
Yes	Yes	Creation Process Path	connection	Connection.Process.Path	is \|contains\| any	string
Yes	Yes	Creation Process Full Path Name	connection	Connection.Process.FullPathName	is \|contains\| any	string
Yes	Yes	Creation Process Command Line	connection	Connection.Process.CommandLine	is \|contains\| any	string
Yes	No	Key	registry	Registry.Key	is \|contains\| any	string
Yes	No	Value	registry	Registry.Value	is \|contains\| any	string
Yes	No	Creation Process Name	registry	Registry.CreatedBy.Name	is \|contains\| any	string
Yes	No	Creation Process Path	registry	Registry.CreatedBy.Path	is \|contains\| any	string
Yes	No	Creation Process Full Path Name	registry	Registry.CreatedBy.FullPathName	is \|contains\| any	string
Yes	No	Creation Process Command Line	registry	Registry.CreatedBy.CommandLine	is \|contains\| any	string

Note

The any operator implies an array.

Return value

This method returns the ID of the newly created rule or a boolean value which is true if the creation of the custom rule was successful.

Example

Request:

{
     "params": {
         "companyId": "669fa6bb98b4ed9eb90b85b2",
         "type": 1,
         "name": "Detection Rule via API",
         "description": "Detection Rule via API Description",
         "settings": {
             "status": 0,
             "severity": 1,
             "target": "file",
             "automaticActions": [
                 {
                     "type": 1,
                     "enabled": true
                 }  
             ],
             "criteriaList": [
                 {
                     "field": "File.Name",
                     "relation": "is",
                     "value": [
                         "test-api"
                     ]
                 }
             ]
         },
         "returnRuleId": true
    },
    "jsonrpc": "2.0",
    "method": "createCustomRule",
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
}

Response:

  {
   "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
   "jsonrpc": "2.0",
   "result": 6372b7a3897aaa77ee021642
  }

In this section:

createCustomRule

Parameters

Objects

settings

Note

Detections and exclusions

Note

Return value

Example

Search results

`settings`