Skip to main content

List Rules

Retrieves all rules in an organization's inventory.

Example Output

[
    {
        "avl_author": "securityteam@anvilogic.com",
        "avl_community_efficacy": 75,
        "avl_community_rating": 4,
        "avl_custom_labels": [
            "text"
        ],
        "avl_data_category": [
            "Powershell logs",
            "Process command-line parameters"
        ],
        "avl_deployed": false,
        "avl_details": "Identify hosts using PowerShell commands containing s...",
        "avl_entities_of_interest": [
            "text"
        ],
        "avl_exploits": [
            "text"
        ],
        "avl_kill_chain_phase": [
            "Actions on Objectives"
        ],
        "avl_last_deployed_hash": "text",
        "avl_mitre_ext_ids": [
            "T1059.001",
            "T1007"
        ],
        "avl_mitre_tactic": [
            "Execution",
            "Discovery"
        ],
        "avl_mitre_technique": [
            "System Service Discovery",
            "Command and Scripting Interpreter"
        ],
        "avl_references": [
            "https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1"
        ],
        "avl_rule_confidence": "High",
        "avl_rule_creation_time": "text",
        "avl_rule_domain": [
            "Endpoint"
        ],
        "avl_rule_id": "AVL_R1000",
        "avl_rule_link": "https://secure.anvilogic.com/rules?id=AVL_R1000",
        "avl_rule_mode": "Warn",
        "avl_rule_modified_time": "text",
        "avl_rule_name": "avl:ti:avl_r1000:sherlock_ps1_vulnerability_scanner",
        "avl_rule_severity": "Medium",
        "avl_rule_sub_domain": [
            "text"
        ],
        "avl_running": false,
        "avl_scenario_info": [
            "text"
        ],
        "avl_security_controls": [
            "text"
        ],
        "avl_source": "avl:ti:avl_uc1000:sherlock_ps1_vulnerability_scanner",
        "avl_sourcetype": "avl:eoi:endpoint:windows",
        "avl_techniques_fqn": [
            "execution:command and scripting interpreter:powershell",
            "discovery"
        ],
        "avl_threat_groups": [
            "text"
        ],
        "avl_title": "Sherlock.ps1 Vulnerability Scanner (Powershell)",
        "avl_triage_steps": [
            "Verify that the activity is not expected",
            "Review the authentication..."
        ],
        "avl_use_case_category": "Reconnaissance",
        "avl_use_case_description": "The Sherlock PowerShell script queries a...",
        "avl_use_case_id": "AVL_UC1000",
        "avl_use_case_impact": "Low",
        "avl_use_case_name": "avl:ti:avl_uc1000:sherlock_ps1_vulnerability_scanner",
        "avl_use_case_sub_category": "Signature",
        "avl_use_case_title": "Sherlock.ps1 Vulnerability Scanner",
        "avl_use_case_type": "Threat Identifier",
        "avl_victim_platform": [
            "Windows"
        ],
        "avl_victim_product": [
            "Windows"
        ],
        "avl_vulnerabilities": [
            "text"
        ]
    }
]

Workflow Library Example

List Rules with Anvilogic and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop