Create Rules

Creates multiple rules.

Basic Parameters

Parameter Description

Rules List List of rules represented by json objects to create.

For example, here's a list of one rule:
 [ { "kind": "it:rule:detection", "predicate": { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453", "definition": {}, "patterns": [ {} ], "predicates": [ {} ], "lists": [ {} ] }, "actions": [ [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ], [ { "kind": "it:rule:action:kind:incident", "parameters": { "probability": 0.15, "impact": 0.1, "score": 0.015, "urgency": 0.2, "severity": "incident:severity:100:low" } }, { "kind": "it:rule:action:kind:notification", "parameters": { "target": { "id": "someUUID" } } } ] ], "target": { "defaults": [ { "kind": "endpoint:agent", "overlay": true } ], "realms": [ { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453", "overlay": true } ] }, "options": { "filter": { "simple": { "include": [ { "activity.clumps.primary.item.designations": [ "it:activity:clump:item:first", "it:activity:clump:item:intermediate", "it:activity:clump:item:last" ] } ] } } }, "details": { "name": "USA Part Codes", "description": "Two-letter codes of all USA parts including states, territories and the DC" }, "alias": "USA_PART_CODES", "iver": 319, "sver": "1.2.3", "createdAt": "2018-04-12T16:36:51.700Z", "createdBy": { "principal": { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" } }, "updatedAt": "2018-04-12T16:36:51.700Z", "updatedBy": { "principal": { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" } }, "tenant": 123456789, "extent": "tenant", "status": "active", "tags": [ "rules", "windows", "agent" ], "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" } ]

Parameter	Description
Rules List	List of rules represented by json objects to create. For example, here's a list of one rule: <br/>[<br/> {<br/> "kind": "it:rule:detection",<br/> "predicate": {<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453",<br/> "definition": {},<br/> "patterns": [<br/> {}<br/> ],<br/> "predicates": [<br/> {}<br/> ],<br/> "lists": [<br/> {}<br/> ]<br/> },<br/> "actions": [<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ]<br/> ],<br/> "target": {<br/> "defaults": [<br/> {<br/> "kind": "endpoint:agent",<br/> "overlay": true<br/> }<br/> ],<br/> "realms": [<br/> {<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453",<br/> "overlay": true<br/> }<br/> ]<br/> },<br/> "options": {<br/> "filter": {<br/> "simple": {<br/> "include": [<br/> {<br/> "activity.clumps.primary.item.designations": [<br/> "it:activity:clump:item:first",<br/> "it:activity:clump:item:intermediate",<br/> "it:activity:clump:item:last"<br/> ]<br/> }<br/> ]<br/> }<br/> }<br/> },<br/> "details": {<br/> "name": "USA Part Codes",<br/> "description": "Two-letter codes of all USA parts including states, territories and the DC"<br/> },<br/> "alias": "USA_PART_CODES",<br/> "iver": 319,<br/> "sver": "1.2.3",<br/> "createdAt": "2018-04-12T16:36:51.700Z",<br/> "createdBy": {<br/> "principal": {<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"<br/> }<br/> },<br/> "updatedAt": "2018-04-12T16:36:51.700Z",<br/> "updatedBy": {<br/> "principal": {<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"<br/> }<br/> },<br/> "tenant": 123456789,<br/> "extent": "tenant",<br/> "status": "active",<br/> "tags": [<br/> "rules",<br/> "windows",<br/> "agent"<br/> ],<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"<br/> }<br/>]<br/>

Advanced Parameters

Parameter	Description
Consistency	Return when data is ready for read or query.
Correlation ID	ID to correlate multiple requests.
Timeout	Time to wait before consistency=query throws.
Transaction ID	ID for a transaction.

Example Output

{
    "_status": {
        "status": 0,
        "code": "string"
    },
    "_meta": {
        "stats": {
            "offset": 0,
            "limit": 0,
            "total": 0
        },
        "origin": {}
    },
    "data": [
        "string"
    ]
}

Workflow Library Example

Create Rules with Proofpoint Itm and Send Results Via Email

Preview this Workflow on desktop

Create Rules

Basic Parameters​

Advanced Parameters​

Example Output​

Workflow Library Example​

Basic Parameters

Advanced Parameters

Example Output

Workflow Library Example