Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.blinkops.com/llms.txt

Use this file to discover all available pages before exploring further.

Modifies (patches without overwriting) a single predicate by its unique ID.

Basic Parameters

ParameterDescription
PredicateThe attributes of the predicate to overwrite. Provide only the attributes that need to be changed.

For instance:
{
  “status”: “active”
}
Predicate IDPredicate’s unique ID (uuid).

Advanced Parameters

ParameterDescription
ConsistencyReturn when data is ready for read or query.
Correlation IDID to correlate multiple requests.
TimeoutTime to wait before consistency=query throws.
Transaction IDID for a transaction.

Example Output

{
	"_status": {
		"status": 0,
		"code": "string"
	},
	"_meta": {
		"stats": {
			"offset": 0,
			"limit": 0,
			"total": 0
		},
		"origin": {}
	},
	"definition": {
		"$and": [
			{
				"$stringStartsWith": {
					"message.kind": {
						"$value": "email",
						"$assignIfTrue": [
							{
								"$dstIndex": "condition.RoyalMessage.methodEmail",
								"$srcMode": "const",
								"$srcParam": true
							}
						],
						"$assignIfFalse": [
							{
								"$dstIndex": "condition.RoyalMessage.methodEmail",
								"$srcMode": "const",
								"$srcParam": false
							}
						]
					}
				}
			},
			{
				"$stringMatch": {
					"message.sender.email": {
						"$value": "@proofpoint[^\\.]*",
						"$assignIfTrue": [
							{
								"$dstIndex": "condition.RoyalMessage.emailHit",
								"$srcMode": "match"
							},
							{
								"$dstIndex": "condition.RoyalMessage.emailHitFirst",
								"$srcMode": "first"
							},
							{
								"$dstIndex": "condition.RoyalMessage.emailHitLast",
								"$srcMode": "last"
							},
							{
								"$dstIndex": "condition.RoyalMessage.emailHitRange",
								"$srcMode": "array",
								"$srcParam": [
									{
										"$srcMode": "first"
									},
									{
										"$srcMode": "last"
									}
								]
							}
						],
						"$assignIfFalse": [
							{
								"$dstIndex": "condition.RoyalMessage.emailMiss",
								"$srcMode": "param",
								"srcParam": "message.sender.email"
							}
						]
					}
				}
			},
			{
				"$stringBetween": {
					"message.sender.displayName": [
						"king",
						"queen"
					],
					"$assignIfTrue": [
						{
							"$dstIndex": "condition.RoyalMessage.title",
							"$srcMode": "param",
							"$srcParam": "message.sender.displayName"
						}
					]
				}
			}
		]
	},
	"details": {
		"name": "USA Part Codes",
		"description": "Two-letter codes of all USA parts including states, territories and the DC",
		"meta": {}
	},
	"alias": "USA_PART_CODES",
	"iver": 319,
	"kind": "it:predicate:custom:match",
	"purposes": [
		"it:purpose:detection:rule:condition",
		"it:purpose:endpoint:policy:match",
		"it:purpose:exploration:search:filter",
		"it:purpose:authorization:abac:condition"
	],
	"sver": "1.2.3",
	"createdAt": "2018-04-12T16:36:51.700Z",
	"createdBy": {
		"principal": {
			"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
		},
		"clients": [
			{
				"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
			}
		]
	},
	"updatedAt": "2018-04-12T16:36:51.700Z",
	"updatedBy": {
		"principal": {
			"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
		},
		"clients": [
			{
				"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
			}
		]
	},
	"tenant": 123456789,
	"extent": "tenant",
	"status": "active",
	"risk": {
		"default": {}
	},
	"tags": [
		"rules",
		"windows",
		"agent"
	],
	"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
}

Workflow Library Example

Modify Predicate with Proofpoint Itm and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop