Update Rule
Updates (overwrites) a single rule by its unique ID.
Basic Parameters
| Parameter | Description |
|---|---|
| Rule | The attributes of the rule to overwrite. Provide all attributes. For instance: <br/>{<br/> "kind": "it:rule:detection",<br/> "predicate": {<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453",<br/> "definition": {},<br/> "patterns": [<br/> {}<br/> ],<br/> "predicates": [<br/> {}<br/> ],<br/> "lists": [<br/> {}<br/> ]<br/> },<br/> "actions": [<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ],<br/> [<br/> {<br/> "kind": "it:rule:action:kind:incident",<br/> "parameters": {<br/> "probability": 0.15,<br/> "impact": 0.1,<br/> "score": 0.015,<br/> "urgency": 0.2,<br/> "severity": "incident:severity:100:low"<br/> }<br/> },<br/> {<br/> "kind": "it:rule:action:kind:notification",<br/> "parameters": {<br/> "target": {<br/> "id": "someUUID"<br/> }<br/> }<br/> }<br/> ]<br/> ],<br/> "target": {<br/> "defaults": [<br/> {<br/> "kind": "endpoint:agent",<br/> "overlay": true<br/> }<br/> ],<br/> "realms": [<br/> {<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453",<br/> "overlay": true<br/> }<br/> ]<br/> },<br/> "options": {<br/> "filter": {<br/> "simple": {<br/> "include": [<br/> {<br/> "activity.clumps.primary.item.designations": [<br/> "it:activity:clump:item:first",<br/> "it:activity:clump:item:intermediate",<br/> "it:activity:clump:item:last"<br/> ]<br/> }<br/> ]<br/> }<br/> }<br/> },<br/> "details": {<br/> "name": "USA Part Codes",<br/> "description": "Two-letter codes of all USA parts including states, territories and the DC"<br/> },<br/> "alias": "USA_PART_CODES",<br/> "iver": 319,<br/> "sver": "1.2.3",<br/> "createdAt": "2018-04-12T16:36:51.700Z",<br/> "createdBy": {<br/> "principal": {<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"<br/> }<br/> },<br/> "updatedAt": "2018-04-12T16:36:51.700Z",<br/> "updatedBy": {<br/> "principal": {<br/> "id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"<br/> }<br/> },<br/> "tenant": 123456789,<br/> "extent": "tenant",<br/> "status": "active",<br/> "tags": [<br/> "rules",<br/> "windows",<br/> "agent"<br/> ]<br/>}<br/> |
| Rule ID | Rule's unique ID (uuid). |
Advanced Parameters
| Parameter | Description |
|---|---|
| Consistency | Return when data is ready for read or query. |
| Correlation ID | ID to correlate multiple requests. |
| Timeout | Time to wait before consistency=query throws. |
| Transaction ID | ID for a transaction. |
Example Output
{
"_status": {
"status": 0,
"code": "string"
},
"_meta": {
"stats": {
"offset": 0,
"limit": 0,
"total": 0
},
"origin": {}
},
"kind": "it:rule:detection",
"predicate": {
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453",
"definition": {},
"patterns": [
{}
],
"predicates": [
{}
],
"lists": [
{}
]
},
"actions": [
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
],
[
{
"kind": "it:rule:action:kind:incident",
"parameters": {
"probability": 0.15,
"impact": 0.1,
"score": 0.015,
"urgency": 0.2,
"severity": "incident:severity:100:low"
}
},
{
"kind": "it:rule:action:kind:notification",
"parameters": {
"target": {
"id": "someUUID"
}
}
}
]
],
"target": {
"defaults": [
{
"kind": "endpoint:agent",
"overlay": true
}
],
"realms": [
{
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453",
"overlay": true
}
]
},
"options": {
"filter": {
"simple": {
"include": [
{
"activity.clumps.primary.item.designations": [
"it:activity:clump:item:first",
"it:activity:clump:item:intermediate",
"it:activity:clump:item:last"
]
}
]
}
}
},
"details": {
"name": "USA Part Codes",
"description": "Two-letter codes of all USA parts including states, territories and the DC"
},
"alias": "USA_PART_CODES",
"iver": 319,
"sver": "1.2.3",
"createdAt": "2018-04-12T16:36:51.700Z",
"createdBy": {
"principal": {
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
}
},
"updatedAt": "2018-04-12T16:36:51.700Z",
"updatedBy": {
"principal": {
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
}
},
"tenant": 123456789,
"extent": "tenant",
"status": "active",
"tags": [
"rules",
"windows",
"agent"
],
"id": "b73fc7b3-af84-48b6-bb2f-f3afd115a453"
}
Workflow Library Example
Update Rule with Proofpoint Itm and Send Results Via Email
Preview this Workflow on desktop