Get detection rule

Retrieve the content of a detection rule in its native JSON structure.

Service Endpoint

/rules/v2/{rule_id}

Optional query string parameters

Example

https://protectapi.cylance.com/rules/v2/008ece50-49af-472a-b0d8-3c3700883738

Method

HTTP/1.1 GET

Request headers
  • Accept: application/json
  • Authorization: Bearer JWT Token returned by Auth API with the opticsdetect:read scope encoded

Request

None

Response

Please see the Response status codes for more information.

Response JSON schema

Field Name Description

ActivationCanUtlize

DeviceStateEvents

This indicates if state events (historical rundowns) should be considered when evaluating for matches.

ActivationLifetimeLimit

This is the amount of time a rule is active. If the rule has been active past this duration, then the instance of the rule will be removed.

AllowMultipleActivations

PerContext

This indicates if the rule can be activated multiple times, simultaneously.

Description

This is the description for the detection rule.

Id

This is the unique identifier for the detection rule.

MaximumConcurrent

Activations

This indicates the maximum number of concurrently executing instances of this rule.

Name

This is the name of the detection rule.

NotValidAfter

This is the date and time (in UTC) after which the detection rule is not valid.

NotValidBefore

This is the date and time (in UTC) before which the detection rule is not valid.

ObjectType

This is the type of object defined in this rule.

  • DetectionRule
  • ResponseRule

OperatingSystems

These are the affected operating systems.

  • Name: The name of the type of operating system (like Windows, macOS, or Linux).

Paths

This defines the paths by which this deterministic finite automata (DFA) can be iterated.

Plugin

This is the Aurora Focus plugin associated with the detection rule.

Product

This is the name of the product associated with the detection rule.

RuleSource

This is the source of the rule (for example, Cylance).

RuleSourceGrouping

This is the classification or designator for the rule source (for example, Aurora Focus).

SchemaVersion

This is the version of the schema.

Severity

This is the severity assigned to the detection rule. Possible values are:

  • High
  • Medium
  • Low
  • Informational

States

This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified.

Tags

This is a list of tags associated with the detection rule.

TerminateActiveDfaIf

ActivatingProcessesEnd

If the activating process (and, if applicable, all other processes that have been absorbed as activating processes) end, then this will terminate the active DFA.

Version

This is the version of the detection rule.