Validate detection rule

Allows a user to validate a detection rule's JSON by sending the native JSON structure of a detection rule to a validation service.

Service endpoint

/rules/v2/validate

Optional query string parameters

Example

https://protectapi.cylance.com/rules/v2/validate

Method

HTTP/1.1 POST

Request headers

  • Accept: application/json
  • Authorization: Bearer JWT token returned by the Auth API, with the opticsrule:read scope encoded in the token

Request

JSON
{
    "Name": "Name of Detection Rule",
    "Description": "Description of Detection Rule",
    "Severity": "Medium",
    "ObjectType": "DetectionRule",
    "OperatingSystems": [
        {
            "Name": "Windows",
        }
    ],
    "Plugin": {
        "Name": "OpticsDetector"
    },
    "Product": {
        "Name": "CylanceOPTICS"
    },
    "SchemaVersion": 1,
    "States": [
        {
            "Name": "MaliciousApp",
            "Scope": "Global",
            "Function": "Function",
            "FieldOperators": {
                "Function": {
                    "Type": "EqualsAny",
                    "Operands": [
                        {
                            "Source": "LiteralSet",
                            "Data": "badapp.exe"
                        }
                    ],
                    "OperandType": "string",
                    "Options": {
                        "IgnoreCase": true
                    }
                }
            },
            "Actions": [
                {
                    "Type": "AOI",
                    "ItemName": "InstigatingProcess",
                    "Position": "PostActivation"
                }
            ],
            "Filters": [
                {
                    "Type": "Event",
                    "Data": {
                        "Category": "Process",
                        "SubCategory": "",
                        "Type": "*"
                    }
                }
            ]
        }
    ],
    "Tags": [
        "CylanceOPTICS"
    ]
}

Response

Please see the Response status codes for more information.

Request JSON schema

Field Name Description

Description

This is the description for the detection rule.

Name

This is the name of the detection rule.

ObjectType

This is the type of object defined in this rule.

  • DetectionRule
  • ResponseRule

OperatingSystems

These are the operating systems the rule applies to.

  • Name: This is the name of the type of operating system (like Windows, macOS, or Linux).

Plugin

This is the Aurora Focus plugin associated with the detection rule.

Product

This is the name of the product associated with the detection rule.

SchemaVersion

This is the version of the schema.

Severity

This is the severity assigned to the detection rule. Possible values are:

  • High
  • Medium
  • Low
  • Informational

States

This is the list of all available states. If no paths are specified, the states are traversed in the order in which they are listed.

Tags

This is a list of tags associated with the Detection Rule.

Response JSON schema

Field Name Description

errors

This is a list of error messages that will prevent the Detection Rule from validating and operating correctly.

valid

This returns "true" if the Detection Rule passes validation. It returns "false" if the Detection Rule does not pass validation.

warnings

This is a list of warning message strings that may impact the performance or validity of the Detection Rule.
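The request and response described above, as an added example that is not Cylance's own client code: a small Python client that runs local sanity checks on the documented top-level fields, builds the POST with the documented headers, and reduces the response's valid/errors/warnings fields to a result tuple. The Content-Type header and the JWT placeholder are assumptions; the endpoint URL, header names, allowed Severity and ObjectType values, and response fields are taken from this page.

```python
import json
import urllib.request
from typing import Dict, List, Tuple

VALIDATE_URL = "https://protectapi.cylance.com/rules/v2/validate"
SEVERITIES = {"High", "Medium", "Low", "Informational"}
OBJECT_TYPES = {"DetectionRule", "ResponseRule"}


def preflight(rule: Dict) -> List[str]:
    """Local checks on the documented top-level fields, run before spending
    an API call. Returns a list of problems; an empty list means OK."""
    problems = []
    for field in ("Name", "Description", "ObjectType", "Severity",
                  "SchemaVersion", "States", "OperatingSystems"):
        if field not in rule:
            problems.append(f"missing field: {field}")
    if rule.get("ObjectType") not in OBJECT_TYPES:
        problems.append(f"ObjectType must be one of {sorted(OBJECT_TYPES)}")
    if rule.get("Severity") not in SEVERITIES:
        problems.append(f"Severity must be one of {sorted(SEVERITIES)}")
    if not rule.get("States"):
        problems.append("States must list at least one state")
    return problems


def build_request(rule: Dict, jwt: str) -> urllib.request.Request:
    """Build the POST as documented: JSON body, Accept and Bearer headers.
    Content-Type is an assumption (not listed on the page) but is harmless."""
    body = json.dumps(rule).encode("utf-8")
    return urllib.request.Request(
        VALIDATE_URL, data=body, method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/json",
                 "Authorization": f"Bearer {jwt}"})


def summarize(response: Dict) -> Tuple[bool, List[str], List[str]]:
    """Reduce the documented response (valid / errors / warnings) to a tuple.
    A rule with only warnings still validates; errors make it unusable."""
    return (bool(response.get("valid")),
            list(response.get("errors") or []),
            list(response.get("warnings") or []))


def validate_rule(rule: Dict, jwt: str) -> Tuple[bool, List[str], List[str]]:
    """Run the preflight; if it passes, submit the rule to the service."""
    problems = preflight(rule)
    if problems:
        return (False, problems, [])
    with urllib.request.urlopen(build_request(rule, jwt)) as resp:
        return summarize(json.loads(resp.read().decode("utf-8")))
```

Treat a non-empty warnings list as something to review before enabling the rule, since the page notes warnings may affect performance or validity.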