Create detection rule
Allows a caller to create a new detection rule by sending the native JSON structure of a detection rule.
| | |
|---|---|
| Service endpoint | /rules/v2 |
| Optional query string parameters | — |
| Example | https://protectapi.cylance.com/rules/v2 |
| Method | HTTP/1.1 POST |
| Request headers | |
|
Request

```json
{
  "Name": "Name of Detection Rule",
  "Description": "Description of Detection Rule",
  "Severity": "Medium",
  "ObjectType": "DetectionRule",
  "OperatingSystems": [
    {
      "Name": "Windows"
    }
  ],
  "Plugin": {
    "Name": "OpticsDetector"
  },
  "Product": {
    "Name": "CylanceOPTICS"
  },
  "SchemaVersion": 1,
  "States": [
    {
      "Name": "MaliciousApp",
      "Scope": "Global",
      "Function": "Function",
      "FieldOperators": {
        "Function": {
          "Type": "EqualsAny",
          "Operands": [
            {
              "Source": "LiteralSet",
              "Data": "badapp.exe"
            }
          ],
          "OperandType": "string",
          "Options": {
            "IgnoreCase": true
          }
        }
      },
      "Actions": [
        {
          "Type": "AOI",
          "ItemName": "InstigatingProcess",
          "Position": "PostActivation"
        }
      ],
      "Filters": [
        {
          "Type": "Event",
          "Data": {
            "Category": "Process",
            "SubCategory": "",
            "Type": "*"
          }
        }
      ]
    }
  ],
  "Tags": [
    "CylanceOPTICS"
  ]
}
```
Response
Please see the Response status codes for more information.
Request JSON schema

| Field Name | Description |
|---|---|
| Description | This is the description for the detection rule. |
| Name | This is the name of the detection rule. |
| ObjectType | This is the type of object defined in this rule. |
| OperatingSystems | These are the affected operating systems. |
| Plugin | This is the Aurora Focus plugin associated with the detection rule. |
| Product | This is the name of the product associated with the detection rule. |
| SchemaVersion | This is the version of the schema. |
| Severity | This is the severity assigned to the detection rule. Possible values are: |
| States | This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified. |
| Tags | This is a list of tags associated with the detection rule. |
Response JSON schema

| Field Name | Description |
|---|---|
| Description | This is the description for the detection rule. |
| Id | This is the unique identifier for the detection rule. |
| Name | This is the name of the detection rule. |
| ObjectType | This is the type of object defined in this rule. |
| OperatingSystems | These are the affected operating systems. |
| Plugin | This is the Aurora Focus plugin associated with the detection rule. |
| Product | This is the name of the product associated with the detection rule. |
| RuleSourceGrouping | This is the classification or designator for the rule source (for example, Aurora Focus). |
| SchemaVersion | This is the version of the schema. |
| Severity | This is the severity assigned to the detection rule. The possible values are: |
| States | This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified. |
| Tags | This is a list of tags associated with the detection rule. |
| Version | This is the version of the detection rule. |
The response JSON schema contains the entire detection rule logic.
The "Id" and "Version" fields are populated automatically when the request is submitted.
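Added example (not BlackBerry's or Cylance's own code): builds the request body shown above, generalised to several process names, sanity-checks it locally before it is sent, and POSTs it to the endpoint from the page. The one-operand-per-name layout, the `Authorization: Bearer` header and `Content-Type` (the page leaves request headers blank), and the `validate_rule` checks are assumptions.

```python
import json
import urllib.request

API_URL = "https://protectapi.cylance.com/rules/v2"  # endpoint from the page
REQUIRED = ("Name", "Description", "Severity", "ObjectType", "OperatingSystems", "Plugin", "Product", "SchemaVersion", "States")

def build_process_name_rule(name, description, process_names, severity="Medium"):
    """Rule body from the page, generalised to several process names
    (one LiteralSet operand per name is an assumption; the page shows a single operand)."""
    return {
        "Name": name, "Description": description, "Severity": severity,
        "ObjectType": "DetectionRule", "OperatingSystems": [{"Name": "Windows"}],
        "Plugin": {"Name": "OpticsDetector"}, "Product": {"Name": "CylanceOPTICS"},
        "SchemaVersion": 1,
        "States": [{
            "Name": "MaliciousApp", "Scope": "Global", "Function": "Function",
            "FieldOperators": {"Function": {
                "Type": "EqualsAny", "OperandType": "string",
                "Operands": [{"Source": "LiteralSet", "Data": p} for p in process_names],
                "Options": {"IgnoreCase": True}}},
            "Actions": [{"Type": "AOI", "ItemName": "InstigatingProcess",
                         "Position": "PostActivation"}],
            "Filters": [{"Type": "Event", "Data": {"Category": "Process",
                                                   "SubCategory": "", "Type": "*"}}],
        }],
        "Tags": ["CylanceOPTICS"],
    }

def validate_rule(rule):
    """Local sanity checks (assumed, not from the page) before the POST; [] means no problems."""
    problems = [f"missing field {f}" for f in REQUIRED if f not in rule]
    if rule.get("ObjectType") != "DetectionRule":
        problems.append("ObjectType must be DetectionRule")
    for i, state in enumerate(rule.get("States", [])):
        ops = state.get("FieldOperators", {})
        if state.get("Function") not in ops:  # the state's Function needs a matching operator
            problems.append(f"State {i}: no FieldOperator for {state.get('Function')!r}")
        if not state.get("Filters"):  # an unfiltered state would be evaluated against every event
            problems.append(f"State {i}: no event filter")
    return problems

def create_detection_rule(token, rule):
    """POST the rule; bearer token and JSON content type are assumed. Returns (status, body)."""
    if problems := validate_rule(rule):
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        API_URL, data=json.dumps(rule).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)
```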