Update Predicate
Updates (overwrites) a single predicate by its unique ID.
Basic Parameters
Parameter | Description |
---|---|
Predicate | The attributes of the predicate to overwrite. Provide all attributes: the update replaces the stored predicate rather than patching it, so any attribute omitted here is lost. See the example value below. |
Predicate ID | The predicate's unique ID (UUID). |

Example value for the Predicate parameter:

```json
{
  "definition": {
    "$and": [
      {
        "$stringStartsWith": {
          "message.kind": {
            "$value": "email",
            "$assignIfTrue": [
              {
                "$dstIndex": "condition.RoyalMessage.methodEmail",
                "$srcMode": "const",
                "$srcParam": true
              }
            ],
            "$assignIfFalse": [
              {
                "$dstIndex": "condition.RoyalMessage.methodEmail",
                "$srcMode": "const",
                "$srcParam": false
              }
            ]
          }
        }
      },
      {
        "$stringMatch": {
          "message.sender.email": {
            "$value": "@proofpoint[^\\.]*",
            "$assignIfTrue": [
              {
                "$dstIndex": "condition.RoyalMessage.emailHit",
                "$srcMode": "match"
              },
              {
                "$dstIndex": "condition.RoyalMessage.emailHitFirst",
                "$srcMode": "first"
              },
              {
                "$dstIndex": "condition.RoyalMessage.emailHitLast",
                "$srcMode": "last"
              },
              {
                "$dstIndex": "condition.RoyalMessage.emailHitRange",
                "$srcMode": "array",
                "$srcParam": [
                  { "$srcMode": "first" },
                  { "$srcMode": "last" }
                ]
              }
            ],
            "$assignIfFalse": [
              {
                "$dstIndex": "condition.RoyalMessage.emailMiss",
                "$srcMode": "param",
                "$srcParam": "message.sender.email"
              }
            ]
          }
        }
      },
      {
        "$stringBetween": {
          "message.sender.displayName": ["king", "queen"],
          "$assignIfTrue": [
            {
              "$dstIndex": "condition.RoyalMessage.title",
              "$srcMode": "param",
              "$srcParam": "message.sender.displayName"
            }
          ]
        }
      }
    ]
  },
  "details": {
    "name": "USA Part Codes",
    "description": "Two-letter codes of all USA parts including states, territories and the DC",
    "meta": {}
  },
  "alias": "USA_PART_CODES",
  "iver": 319,
  "kind": "it:predicate:custom:match",
  "purposes": [
    "it:purpose:detection:rule:condition",
    "it:purpose:endpoint:policy:match",
    "it:purpose:exploration:search:filter",
    "it:purpose:authorization:abac:condition"
  ],
  "sver": "1.2.3",
  "createdAt": "2018-04-12T16:36:51.700Z",
  "createdBy": {
    "principal": { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" },
    "clients": [
      { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" }
    ]
  },
  "updatedAt": "2018-04-12T16:36:51.700Z",
  "updatedBy": {
    "principal": { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" },
    "clients": [
      { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" }
    ]
  },
  "tenant": 123456789,
  "extent": "tenant",
  "status": "active",
  "risk": {
    "default": {}
  },
  "tags": ["rules", "windows", "agent"]
}
```
Advanced Parameters
Parameter | Description |
---|---|
Consistency | Return when data is ready for read or query. |
Correlation ID | ID to correlate multiple requests. |
Timeout | Time to wait before consistency=query throws. |
Transaction ID | ID for a transaction. |
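Because this call overwrites the whole predicate, the practical risk is a client that sends a partial object and silently drops attributes such as `purposes` or `status` (the sample predicate is, among other things, an ABAC authorization condition). The following helper is an added example, not Proofpoint ITM's own client code: it merges a change set into a copy of the existing predicate, refuses to send a replacement that is missing any top-level attribute of the page's sample, validates the UUID, and records which paths changed so the audit trail can be tied to the correlation ID. The request path, the header names used for the advanced parameters, and the required-attribute list are assumptions drawn from the tables on this page, not from an official API specification.

```python
"""Prepare a full-overwrite "Update Predicate" request without losing data.

Added example, not Proofpoint ITM's own client code. The request path, the
header names and the required-attribute list are assumptions drawn from the
parameter tables on this page, not from an official API specification.
"""
import copy
import uuid
from typing import Any

# Top-level attributes of the page's sample predicate. The call overwrites the
# stored predicate instead of patching it, so an attribute missing from the
# replacement is silently lost. (Assumption: the sample is a complete predicate.)
REQUIRED_ATTRIBUTES = (
    "definition", "details", "alias", "iver", "kind", "purposes", "sver",
    "createdAt", "createdBy", "updatedAt", "updatedBy", "tenant", "extent",
    "status", "risk", "tags",
)

# Constructed sample: the page's example predicate trimmed to a single clause.
PRINCIPAL = {"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"}
EXISTING_PREDICATE: dict[str, Any] = {
    "definition": {"$and": [{"$stringStartsWith": {"message.kind": {
        "$value": "email",
        "$assignIfTrue": [{"$dstIndex": "condition.RoyalMessage.methodEmail",
                           "$srcMode": "const", "$srcParam": True}],
        "$assignIfFalse": [{"$dstIndex": "condition.RoyalMessage.methodEmail",
                            "$srcMode": "const", "$srcParam": False}],
    }}}]},
    "details": {"name": "USA Part Codes",
                "description": "Two-letter codes of all USA parts including "
                               "states, territories and the DC",
                "meta": {}},
    "alias": "USA_PART_CODES",
    "iver": 319,
    "kind": "it:predicate:custom:match",
    "purposes": ["it:purpose:detection:rule:condition",
                 "it:purpose:authorization:abac:condition"],
    "sver": "1.2.3",
    "createdAt": "2018-04-12T16:36:51.700Z",
    "createdBy": {"principal": PRINCIPAL, "clients": [PRINCIPAL]},
    "updatedAt": "2018-04-12T16:36:51.700Z",
    "updatedBy": {"principal": PRINCIPAL, "clients": [PRINCIPAL]},
    "tenant": 123456789,
    "extent": "tenant",
    "status": "active",
    "risk": {"default": {}},
    "tags": ["rules", "windows", "agent"],
}


def missing_attributes(replacement: dict) -> list:
    """Required attributes the overwrite would drop because they are absent."""
    return [key for key in REQUIRED_ATTRIBUTES if key not in replacement]


def changed_paths(old: Any, new: Any, prefix: str = "") -> list:
    """Dotted paths whose value differs between old and new, for the audit log."""
    if isinstance(old, dict) and isinstance(new, dict):
        paths = []
        for key in sorted(set(old) | set(new)):
            child = f"{prefix}.{key}" if prefix else key
            if key in old and key in new:
                paths.extend(changed_paths(old[key], new[key], child))
            else:
                paths.append(child)  # added or removed key
        return paths
    if isinstance(old, list) and isinstance(new, list) and len(old) == len(new):
        paths = []
        for i, (a, b) in enumerate(zip(old, new)):
            paths.extend(changed_paths(a, b, f"{prefix}[{i}]"))
        return paths
    return [] if old == new else [prefix]


def build_update_request(predicate_id: str, existing: dict, changes: dict,
                         correlation_id=None, consistency: str = "query",
                         timeout_ms: int = 5000, transaction_id=None) -> dict:
    """Merge `changes` into a copy of `existing` and describe the request to send.

    Refuses to build a request that would drop required attributes, and records
    which paths change so the audit trail can be tied to the correlation ID.
    """
    uuid.UUID(predicate_id)  # reject a malformed ID before it reaches the API
    replacement = copy.deepcopy(existing)
    replacement.update(copy.deepcopy(changes))
    missing = missing_attributes(replacement)
    if missing:
        raise ValueError(f"overwrite would drop attributes: {missing}")
    headers = {  # assumed header names for the page's advanced parameters
        "X-Correlation-ID": correlation_id or str(uuid.uuid4()),
        "X-Consistency": consistency,
        "X-Timeout": str(timeout_ms),
    }
    if transaction_id is not None:
        headers["X-Transaction-ID"] = transaction_id
    return {
        "method": "PUT",
        "path": f"/predicates/{predicate_id}",  # assumed path
        "headers": headers,
        "body": replacement,
        "audit": changed_paths(existing, replacement),
    }
```

The design choice worth noting is that the change set is applied to a copy of the object read back from the service, not to a hand-built object: that is the only way a full overwrite stays safe as the predicate schema grows. Log the `audit` list together with the correlation ID before sending, since a changed `definition` or `purposes` on a predicate used as an authorization condition is exactly the kind of modification an incident responder will later want to reconstruct.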
Example Output
```json
{
  "_status": {
    "status": 0,
    "code": "string"
  },
  "_meta": {
    "stats": {
      "offset": 0,
      "limit": 0,
      "total": 0
    },
    "origin": {}
  },
  "definition": {
    "$and": [
      {
        "$stringStartsWith": {
          "message.kind": {
            "$value": "email",
            "$assignIfTrue": [
              {
                "$dstIndex": "condition.RoyalMessage.methodEmail",
                "$srcMode": "const",
                "$srcParam": true
              }
            ],
            "$assignIfFalse": [
              {
                "$dstIndex": "condition.RoyalMessage.methodEmail",
                "$srcMode": "const",
                "$srcParam": false
              }
            ]
          }
        }
      },
      {
        "$stringMatch": {
          "message.sender.email": {
            "$value": "@proofpoint[^\\.]*",
            "$assignIfTrue": [
              {
                "$dstIndex": "condition.RoyalMessage.emailHit",
                "$srcMode": "match"
              },
              {
                "$dstIndex": "condition.RoyalMessage.emailHitFirst",
                "$srcMode": "first"
              },
              {
                "$dstIndex": "condition.RoyalMessage.emailHitLast",
                "$srcMode": "last"
              },
              {
                "$dstIndex": "condition.RoyalMessage.emailHitRange",
                "$srcMode": "array",
                "$srcParam": [
                  { "$srcMode": "first" },
                  { "$srcMode": "last" }
                ]
              }
            ],
            "$assignIfFalse": [
              {
                "$dstIndex": "condition.RoyalMessage.emailMiss",
                "$srcMode": "param",
                "$srcParam": "message.sender.email"
              }
            ]
          }
        }
      },
      {
        "$stringBetween": {
          "message.sender.displayName": ["king", "queen"],
          "$assignIfTrue": [
            {
              "$dstIndex": "condition.RoyalMessage.title",
              "$srcMode": "param",
              "$srcParam": "message.sender.displayName"
            }
          ]
        }
      }
    ]
  },
  "details": {
    "name": "USA Part Codes",
    "description": "Two-letter codes of all USA parts including states, territories and the DC",
    "meta": {}
  },
  "alias": "USA_PART_CODES",
  "iver": 319,
  "kind": "it:predicate:custom:match",
  "purposes": [
    "it:purpose:detection:rule:condition",
    "it:purpose:endpoint:policy:match",
    "it:purpose:exploration:search:filter",
    "it:purpose:authorization:abac:condition"
  ],
  "sver": "1.2.3",
  "createdAt": "2018-04-12T16:36:51.700Z",
  "createdBy": {
    "principal": { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" },
    "clients": [
      { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" }
    ]
  },
  "updatedAt": "2018-04-12T16:36:51.700Z",
  "updatedBy": {
    "principal": { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" },
    "clients": [
      { "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453" }
    ]
  },
  "tenant": 123456789,
  "extent": "tenant",
  "status": "active",
  "risk": {
    "default": {}
  },
  "tags": ["rules", "windows", "agent"],
  "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
}
```
Workflow Library Example
Update Predicate with Proofpoint Itm and Send Results Via Email