
List Rules

Retrieves all rules in an organization's inventory.

Example Output

[
{
"avl_author": "securityteam@anvilogic.com",
"avl_community_efficacy": 75,
"avl_community_rating": 4,
"avl_custom_labels": [
"text"
],
"avl_data_category": [
"Powershell logs",
"Process command-line parameters"
],
"avl_deployed": false,
"avl_details": "Identify hosts using PowerShell commands containing s...",
"avl_entities_of_interest": [
"text"
],
"avl_exploits": [
"text"
],
"avl_kill_chain_phase": [
"Actions on Objectives"
],
"avl_last_deployed_hash": "text",
"avl_mitre_ext_ids": [
"T1059.001",
"T1007"
],
"avl_mitre_tactic": [
"Execution",
"Discovery"
],
"avl_mitre_technique": [
"System Service Discovery",
"Command and Scripting Interpreter"
],
"avl_references": [
"https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1"
],
"avl_rule_confidence": "High",
"avl_rule_creation_time": "text",
"avl_rule_domain": [
"Endpoint"
],
"avl_rule_id": "AVL_R1000",
"avl_rule_link": "https://secure.anvilogic.com/rules?id=AVL_R1000",
"avl_rule_mode": "Warn",
"avl_rule_modified_time": "text",
"avl_rule_name": "avl:ti:avl_r1000:sherlock_ps1_vulnerability_scanner",
"avl_rule_severity": "Medium",
"avl_rule_sub_domain": [
"text"
],
"avl_running": false,
"avl_scenario_info": [
"text"
],
"avl_security_controls": [
"text"
],
"avl_source": "avl:ti:avl_uc1000:sherlock_ps1_vulnerability_scanner",
"avl_sourcetype": "avl:eoi:endpoint:windows",
"avl_techniques_fqn": [
"execution:command and scripting interpreter:powershell",
"discovery"
],
"avl_threat_groups": [
"text"
],
"avl_title": "Sherlock.ps1 Vulnerability Scanner (Powershell)",
"avl_triage_steps": [
"Verify that the activity is not expected",
"Review the authentication..."
],
"avl_use_case_category": "Reconnaissance",
"avl_use_case_description": "The Sherlock PowerShell script queries a...",
"avl_use_case_id": "AVL_UC1000",
"avl_use_case_impact": "Low",
"avl_use_case_name": "avl:ti:avl_uc1000:sherlock_ps1_vulnerability_scanner",
"avl_use_case_sub_category": "Signature",
"avl_use_case_title": "Sherlock.ps1 Vulnerability Scanner",
"avl_use_case_type": "Threat Identifier",
"avl_victim_platform": [
"Windows"
],
"avl_victim_product": [
"Windows"
],
"avl_vulnerabilities": [
"text"
]
}
]

Workflow Library Example

List Rules with Anvilogic and Send Results Via Email
