getCustomRulesList
This method retrieves the Custom Rules list for a specific company.
Parameters
Parameter | Type | Optional | Description |
---|---|---|---|
page | Number | No | The results page number. The default value is 1. |
perPage | Number | No | The number of items displayed in a page. The upper limit is 100 items per page. The default value is 30 items per page. |
companyId | String | No | The ID of the company for which to retrieve the list of custom rules. The default value is the ID of the company linked to the user who generated the API key. |
type | Number | No | The type of rule to return. Possible values: 1 - Detection, 2 - Exclusion. |
Return value
This method returns an Array containing information on the custom rules items. The returned object contains:
- page - the current page displayed
- pagesCount - the total number of available pages
- perPage - the total number of returned items per page
- items - the list of custom rules items. Each entry in the list has the following fields:
  - id
  - owner
  - name
  - companyId
  - status
  - tags
  - settings - The rule settings. These are the available settings:
    - status
    - severity (if Detection Rule)
    - target (e.g. process, connection, file)
    - criteria list, array of objects. Each object contains a field, a relation and a value.

Note
For more information on the possible values of criteria list objects, refer to Detections and exclusions.
Detections and exclusions
Detection (type=1) | Exclusion (type=2) | Display Name | Target | Field | Technology | Relation | Validator |
---|---|---|---|---|---|---|---|
No | Yes | Alert name | N/A | detection | Both | is | |
Yes | Yes | Name | process | Process.Name | EDR | is |contains| any | string |
Yes | Yes | Path | process | Process.Path | EDR | is |contains| any | string |
Yes | Yes | Full Path Name | process | Process.FullPathName | EDR | is |contains| any | string |
Yes | Yes | Command Line | process | Process.CommandLine | EDR | is |contains| any | string |
Yes | Yes | Parent Name | process | Process.Parent.Name | EDR | is |contains| any | string |
Yes | Yes | Parent Path | process | Process.Parent.Path | EDR | is |contains| any | string |
Yes | Yes | Parent Full Path Name | process | Process.Parent.FullPathName | EDR | is |contains| any | string |
Yes | Yes | Parent Command Line | process | Process.Parent.CommandLine | EDR | is |contains| any | string |
No | Yes | File.Name | process | Process.User | EDR | is |contains| any | string |
No | Yes | File.Path | process | Process.MD5 | EDR | is |contains| any | string |
No | Yes | SHA256 | process | Process.SHA2 | EDR | is | contains | any | string |
Yes | Yes | Name | file | File.Name | Both | is | contains | any | string |
Yes | Yes | Path | file | File.Path | Both | is | contains | any | string |
Yes | Yes | Full Path Name | file | File.FullPathName | Both | is |contains| any | string |
Yes | Yes | Creation Process Name | file | File.CreatedBy.Name | EDR | is |contains| any | string |
Yes | Yes | Creation Process Path | file | File.CreatedBy.Path | EDR | is |contains| any | string |
Yes | Yes | Creation Process Full Path Name | file | File.CreatedBy.FullPathName | EDR | is |contains| any | string |
Yes | Yes | Creation Process Command Line | file | File.CreatedBy.CommandLine | EDR | is |contains| any | string |
No | Yes | Operation | file | File.Operation. Note: This field must contain this exact value: | EDR | is | any | string |
No | Yes | MD5 | file | File.MD5 | XDR | is | contains | any | string |
No | Yes | SHA256 | file | File.SHA256 | XDR | is | contains | any | string |
No | Yes | Url | file | File.Url | XDR | is | contains | any | string |
No | Yes | Creation process user | file | File.CreatedBy.User | EDR | is | contains | any | string |
Yes | Yes | Source IP | connection | Connection.SourceIP | Both | is |contains| any | valid IP |
Yes | Yes | Destination IP | connection | Connection.DestinationIP | Both | is |contains| any | valid IP |
Yes | Yes | Source Port | connection | Connection.SourcePort | EDR | is |contains| any | integer between 0 and 65,535 |
Yes | Yes | Destination Port | connection | Connection.DestinationPort | EDR | is |contains| any | integer between 0 and 65,535 |
Yes | Yes | Creation Process Name | connection | Connection.Process.Name | EDR | is |contains| any | string |
Yes | Yes | Creation Process Path | connection | Connection.Process.Path | EDR | is |contains| any | string |
Yes | Yes | Creation Process Full Path Name | connection | Connection.Process.FullPathName | EDR | is |contains| any | string |
Yes | Yes | Creation Process Command Line | connection | Connection.Process.CommandLine | EDR | is |contains| any | string |
No | Yes | Creation process user | connection | Connection.Process.User | EDR | is |contains| any | string |
No | Yes | Url | connection | Connection.URL | EDR | is | contains | any | string |
No | Yes | HTTP user | connection | Connection.HTTPUser | EDR | is | contains | any | string |
No | Yes | HTTP downloaded file | connection | Connection.HTTPDownloadedFile | EDR | is | contains | any | string |
No | Yes | HTTP uploaded file | connection | Connection.HTTPUploadedFile | EDR | is | contains | any | string |
No | Yes | FTP user | connection | Connection.FTPUser | EDR | is | contains | any | string |
No | Yes | SMB domain | connection | Connection.SMBDomain | EDR | is | contains | any | string |
No | Yes | SMB share path | connection | Connection.SMBSharePath | EDR | is | contains | any | string |
No | Yes | SMB user | connection | Connection.SMBUser | EDR | is | contains | any | string |
No | Yes | SSH user | connection | Connection.SSHUser | EDR | is | contains | any | string |
No | Yes | WMI exec query | connection | Connection.WMIExecQuery | EDR | is | contains | any | string |
No | Yes | Telnet user | connection | Connection.TelnetUser | EDR | is | contains | any | string |
No | Yes | File remote operation | connection | Connection.FileRemoteOperation. Note: This field must contain this exact value: | EDR | is | any | string |
No | Yes | File remote path | connection | Connection.FileRemotePath | EDR | is | contains | any | string |
No | Yes | File name | connection | Connection.File.Name | XDR | is | contains | any | string |
No | Yes | Email subject | connection | Connection.Email.Subject | XDR | is | contains | any | string |
No | Yes | Application name | connection | Connection.Application.Name | XDR | is | contains | any | string |
No | Yes | Key vault name | connection | Connection.KeyVault.Name | XDR | is | contains | any | string |
No | Yes | Role name | connection | Connection.Role.Name | XDR | is | contains | any | string |
No | Yes | Policy name | connection | Connection.Policy.Name | XDR | is | contains | any | string |
No | Yes | Sharing link name | connection | Connection.SharingLink.Name | XDR | is | contains | any | string |
No | Yes | Flow name | connection | Connection.Flow.Name | XDR | is | contains | any | string |
No | Yes | URL name | connection | Connection.Url.Name | XDR | is | contains | any | string |
No | Yes | SSH key name | connection | Connection.SshKey.Name | XDR | is | contains | any | string |
No | Yes | Launch template name | connection | Connection.LaunchTemplate.Name | XDR | is | contains | any | string |
No | Yes | Service principal name | connection | Connection.ServicePrincipal.Name | XDR | is | contains | any | string |
No | Yes | User group name | connection | Connection.UserGroup.Name | XDR | is | contains | any | string |
No | Yes | Automation account name | connection | Connection.AutomationAccount.Name | XDR | is | contains | any | string |
No | Yes | Automation account hook name | connection | Connection.AutomationAccountHook.Name | XDR | is | contains | any | string |
No | Yes | Api name | connection | Connection.Api.Name | XDR | is | contains | any | string |
No | Yes | Certificate authority name | connection | Connection.CertificateAuthority.Name | XDR | is | contains | any | string |
No | Yes | Bucket name | connection | Connection.Bucket.Name | XDR | is | contains | any | string |
No | Yes | Source user | connection | Connection.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | connection | Connection.DestinationUser | XDR | is | contains | any | string |
Yes | No | Key | registry | Registry.Key | EDR | is | contains | any | string |
Yes | No | Value | registry | Registry.Value | EDR | is | contains | any | string |
No | No | Creation Process Name | registry | Registry.CreatedBy.Name | EDR | is |contains| any | string |
Yes | No | Creation Process Path | registry | Registry.CreatedBy.Path | EDR | is |contains| any | string |
Yes | No | Creation Process Full Path Name | registry | Registry.CreatedBy.FullPathName | EDR | is |contains| any | string |
Yes | No | Creation Process Command Line | registry | Registry.CreatedBy.CommandLine | EDR | is |contains| any | string |
No | Yes | Name | user connection | UserLogin.Name | EDR | is | contains | any | string |
No | Yes | Source user | user connection | UserLogin.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | user connection | UserLogin.DestinationUser | XDR | is | contains | any | string |
No | Yes | Domain | user connection | UserLogin.Domain | EDR | is | contains | any | string |
No | Yes | File name | user connection | UserLogin.File.Name | XDR | is | contains | any | string |
No | Yes | Email subject | user connection | UserLogin.Email.Subject | XDR | is | contains | any | string |
No | Yes | Application name | user connection | UserLogin.Application.Name | XDR | is | contains | any | string |
No | Yes | Key vault name | user connection | UserLogin.KeyVault.Name | XDR | is | contains | any | string |
No | Yes | Role name | user connection | UserLogin.Role.Name | XDR | is | contains | any | string |
No | Yes | Policy name | user connection | UserLogin.Policy.Name | XDR | is | contains | any | string |
No | Yes | Sharing link name | user connection | UserLogin.SharingLink.Name | XDR | is | contains | any | string |
No | Yes | Flow name | user connection | UserLogin.Flow.Name | XDR | is | contains | any | string |
No | Yes | URL name | user connection | UserLogin.Url.Name | XDR | is | contains | any | string |
No | Yes | SSH key name | user connection | UserLogin.SshKey.Name | XDR | is | contains | any | string |
No | Yes | Launch template name | user connection | UserLogin.LaunchTemplate.Name | XDR | is | contains | any | string |
No | Yes | Service principal name | user connection | UserLogin.ServicePrincipal.Name | XDR | is | contains | any | string |
No | Yes | User group name | user connection | UserLogin.UserGroup.Name | XDR | is | contains | any | string |
No | Yes | Automation account name | user connection | UserLogin.AutomationAccount.Name | XDR | is | contains | any | string |
No | Yes | Automation account hook name | user connection | UserLogin.AutomationAccountHook.Name | XDR | is | contains | any | string |
No | Yes | Api name | user connection | UserLogin.Api.Name | XDR | is | contains | any | string |
No | Yes | Certificate authority name | user connection | UserLogin.CertificateAuthority.Name | XDR | is | contains | any | string |
No | Yes | Bucket name | user connection | UserLogin.Bucket.Name | XDR | is | contains | any | string |
No | Yes | Source IP | user connection | UserLogin.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | user connection | UserLogin.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Subject | | Email.Subject | Both | is | contains | any | string |
No | Yes | Sender | | Email.Sender | Both | is | contains | any | string |
No | Yes | Receiver | | Email.Receivers | Both | is | contains | any | string |
No | Yes | Attachment | | Email.Attachments | Both | is | contains | any | string |
No | Yes | Url | | Email.Url | XDR | is | contains | any | string |
No | Yes | Name | application | Application.Name | XDR | is | contains | any | string |
No | Yes | Id | application | Application.Id | XDR | is | contains | any | string |
No | Yes | Application address | application | Application.Address | XDR | is | contains | any | string |
No | Yes | Source user | application | Application.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | application | Application.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | application | Application.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | application | Application.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | key vault | KeyVault.Name | XDR | is | contains | any | string |
No | Yes | Source user | key vault | KeyVault.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | key vault | KeyVault.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | key vault | KeyVault.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | key vault | KeyVault.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | role | Role.Name | XDR | is | contains | any | string |
No | Yes | Id | role | Role.Id | XDR | is | contains | any | string |
No | Yes | Source user | role | Role.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | role | Role.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | role | Role.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | role | Role.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | policy | Policy.Name | XDR | is | contains | any | string |
No | Yes | Id | policy | Policy.Id | XDR | is | contains | any | string |
No | Yes | Resource policy type | policy | Policy.ResourcePolicyType | XDR | is | contains | any | string |
No | Yes | Source user | policy | Policy.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | policy | Policy.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | policy | Policy.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | policy | Policy.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | sharing link | SharingLink.Name | XDR | is | contains | any | string |
No | Yes | Url | sharing link | SharingLink.Url | XDR | is | contains | any | string |
No | Yes | Source user | sharing link | SharingLink.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | sharing link | SharingLink.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | sharing link | SharingLink.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | sharing link | SharingLink.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | flow | Flow.Name | XDR | is | contains | any | string |
No | Yes | Id | flow | Flow.Id | XDR | is | contains | any | string |
No | Yes | Url | flow | Flow.Url | XDR | is | contains | any | string |
No | Yes | Source user | flow | Flow.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | flow | Flow.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | flow | Flow.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | flow | Flow.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | flow | Url.Name | XDR | is | contains | any | string |
No | Yes | Url | url | Url.Url | XDR | is | contains | any | string |
No | Yes | Source user | url | Url.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | url | Url.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | url | Url.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | url | Url.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | SSH key | SshKey.Name | XDR | is | contains | any | string |
No | Yes | SSH public key | SSH key | SshKey.PublicKey | XDR | is | contains | any | string |
No | Yes | Source user | SSH key | SshKey.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | SSH key | SshKey.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | SSH key | SshKey.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | SSH key | SshKey.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | launch template | LaunchTemplate.Name | XDR | is | contains | any | string |
No | Yes | Id | launch template | LaunchTemplate.Id | XDR | is | contains | any | string |
No | Yes | Source user | launch template | LaunchTemplate.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | launch template | LaunchTemplate.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | launch template | LaunchTemplate.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | launch template | LaunchTemplate.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | service principal | ServicePrincipal.Name | XDR | is | contains | any | is | contains | any |
No | Yes | Id | service principal | ServicePrincipal.Id | XDR | is | contains | any | string |
No | Yes | Source user | service principal | ServicePrincipal.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | service principal | ServicePrincipal.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | service principal | ServicePrincipal.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | service principal | ServicePrincipal.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | user group | UserGroup.Name | XDR | is | contains | any | string |
No | Yes | Id | user group | UserGroup.Id | XDR | is | contains | any | string |
No | Yes | Source user | user group | UserGroup.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | user group | UserGroup.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | user group | UserGroup.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | user group | UserGroup.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | automation account | AutomationAccount.Name | XDR | is | contains | any | string |
No | Yes | Id | automation account | AutomationAccount.Id | XDR | is | contains | any | string |
No | Yes | Source user | automation account | AutomationAccount.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | automation account | AutomationAccount.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | automation account | AutomationAccount.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | automation account | AutomationAccount.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | automation account hook | AutomationAccountHook.Name | XDR | is | contains | any | string |
No | Yes | Id | automation account hook | AutomationAccountHook.Id | XDR | is | contains | any | string |
No | Yes | Source user | automation account hook | AutomationAccountHook.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | automation account hook | AutomationAccountHook.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | automation account hook | AutomationAccountHook.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | automation account hook | AutomationAccountHook.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | API | Api.Name | XDR | is | contains | any | string |
No | Yes | Id | API | Api.Id | XDR | is | contains | any | string |
No | Yes | Destination user | API | Api.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | API | Api.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | API | Api.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | certificate authority | CertificateAuthority.Name | XDR | is | contains | any | string |
No | Yes | Source user | certificate authority | CertificateAuthority.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | certificate authority | CertificateAuthority.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | certificate authority | CertificateAuthority.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | certificate authority | CertificateAuthority.DestinationIP | XDR | is | contains | any | valid IP |
No | Yes | Name | bucket | Bucket.Name | XDR | is | contains | any | string |
No | Yes | Source user | bucket | Bucket.SourceUser | XDR | is | contains | any | string |
No | Yes | Destination user | bucket | Bucket.DestinationUser | XDR | is | contains | any | string |
No | Yes | Source IP | bucket | Bucket.SourceIP | XDR | is | contains | any | valid IP |
No | Yes | Destination IP | bucket | Bucket.DestinationIP | XDR | is | contains | any | valid IP |
Note
The any operator implies an array.
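An added example, not part of the vendor documentation: it pages through getCustomRulesList using pagesCount and checks each criteriaList object against the validators in the table above (valid IP, integer between 0 and 65,535, and an array for the any relation). The `send` transport, `fake_send`, `PAGES` and the rule named `constructed-bad` are assumptions made for the example; the endpoint URL and authentication are not shown on this page and are left to the caller's transport.

```python
import ipaddress
import uuid
# Validators from the "Detections and exclusions" table (connection subset only).
IP_FIELDS = {"Connection.SourceIP", "Connection.DestinationIP"}
PORT_FIELDS = {"Connection.SourcePort", "Connection.DestinationPort"}
RELATIONS = {"is", "contains", "any"}

def build_request(company_id, rule_type, page, per_page=100):
    """JSON-RPC 2.0 body shaped like the request example on this page."""
    if not 1 <= per_page <= 100 or rule_type not in (1, 2):
        raise ValueError("perPage is capped at 100; type is 1 (Detection) or 2 (Exclusion)")
    params = {"companyId": company_id, "type": rule_type, "page": page, "perPage": per_page}
    return {"params": params, "jsonrpc": "2.0", "method": "getCustomRulesList",
            "id": str(uuid.uuid4())}

def iter_rules(send, company_id, rule_type):
    """Yield every rule across all pages; `send` is a hypothetical transport callable."""
    page = 1
    while True:
        req = build_request(company_id, rule_type, page)
        reply = send(req)  # posts the request dict, returns the decoded reply dict
        if reply.get("id") != req["id"] or "result" not in reply:
            raise RuntimeError("unexpected JSON-RPC reply: %r" % (reply.get("error"),))
        yield from reply["result"]["items"]
        if page >= reply["result"]["pagesCount"]:
            return
        page += 1

def check_criterion(c):
    """Return the list of problems found in one criteriaList object."""
    problems = []
    field, relation, value = c.get("field"), c.get("relation"), c.get("value")
    if relation not in RELATIONS:
        problems.append("unknown relation %r" % (relation,))
    if relation == "any" and not isinstance(value, list):
        problems.append("'any' implies an array")
    for v in (value if isinstance(value, list) else [value]):
        s = str(v)
        if field in PORT_FIELDS and not (s.isascii() and s.isdigit() and int(s) <= 65535):
            problems.append("%s: %r is not an integer between 0 and 65535" % (field, v))
        if field in IP_FIELDS:
            try:
                ipaddress.ip_address(s)
            except ValueError:
                problems.append("%s: %r is not a valid IP" % (field, v))
    return problems

def audit(send, company_id, rule_type):
    """Map rule name -> problems, keeping only rules that have at least one."""
    found = {r["name"]: [p for c in r["settings"]["criteriaList"] for p in check_criterion(c)]
             for r in iter_rules(send, company_id, rule_type)}
    return {name: problems for name, problems in found.items() if problems}

# Constructed sample: page 1 reuses criteria from the response example on this page,
# page 2 is deliberately invalid. fake_send serves it offline in place of a real transport.
PAGES = {1: [{"name": "testApi1111", "settings": {"criteriaList": [
    {"field": "Connection.DestinationPort", "relation": "is", "value": ["25691"]},
    {"field": "Connection.SourcePort", "relation": "any", "value": ["22", "23", "24"]}]}}],
         2: [{"name": "constructed-bad", "settings": {"criteriaList": [
    {"field": "Connection.DestinationPort", "relation": "is", "value": ["70000"]},
    {"field": "Connection.SourceIP", "relation": "any", "value": "10.0.0.256"}]}}]}

def fake_send(req):
    return {"id": req["id"], "result": {"pagesCount": len(PAGES),
                                        "items": PAGES[req["params"]["page"]]}}
```

Calling `audit(fake_send, "61827b8036492c2fc0718722", 1)` reports only the constructed rule from page 2; the criteria copied from the response example pass every check.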
Example
Request:
```json
{
    "params": {
        "companyId": "61827b8036492c2fc0718722",
        "type": 1,
        "page": 1,
        "perPage": 100
    },
    "jsonrpc": "2.0",
    "method": "getCustomRulesList",
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810"
}
```
Response:
```json
{
    "id": "0df7568c-59c1-48e0-a31b-18d83e6d9810",
    "jsonrpc": "2.0",
    "result": {
        "total": 1,
        "page": 1,
        "perPage": 100,
        "pagesCount": 1,
        "items": [
            {
                "id": "6188dfc42a1a0155e84afa57",
                "name": "testApi1111",
                "ownerId": "6082afe13cf8082cab49cacb",
                "description": "description test api",
                "companyId": "61827b8036492c2fc0718722",
                "status": 0,
                "tags": [
                    "test",
                    "api",
                    "demo"
                ],
                "settings": {
                    "status": 0,
                    "target": "connection",
                    "criteriaList": [
                        {
                            "field": "Connection.DestinationPort",
                            "relation": "is",
                            "value": [
                                "25691"
                            ]
                        },
                        {
                            "field": "Connection.Process.Name",
                            "relation": "contains",
                            "value": [
                                "./network1"
                            ],
                            "operator": "AND"
                        },
                        {
                            "field": "Connection.SourcePort",
                            "relation": "any",
                            "value": [
                                "22",
                                "23",
                                "24"
                            ],
                            "operator": "AND"
                        }
                    ],
                    "severity": 1
                }
            }
        ]
    }
}
```