Update detection rule set
Update a detection rule set by sending a new JSON structure.
|
Service endpoint |
/rulesets/v2/{ruleset_id} |
|
Optional query string parameters |
— |
|
Example |
https://protectapi.cylance.com/rulesets/v2/c407f28a-3805-4014-b32c-0c2553ac1e17 |
|
Method |
HTTP/1.1 PUT |
|
Request headers |
|
Request
{
"name": "",
"description": "",
"notification_message": "",
"category": "Custom",
"rules": [
{
"detection_rule_id": "998ece50-49af-472a-b0d8-3c3700883736",
"detection_rule_version": 1,
"detection_name": "Gatekeeper Bypass (MITRE)",
"detection_description": "Detects on usage of xattr or spctl to bypass Gatekeeper, by a non-root user (MITRE1144)",
"category": "Cylance MITRE ATT&CK Rules",
"severity": "High",
"operating_systems": [
{
"Name": "macOS"
}
],
"date_added": "2018-11-20T17:58:49Z",
"enabled": false,
"notification_enabled": false,
"responses": [
{
"template_id": "9986d82e-1b1d-45a9-977a-cf86f1063b14",
"response_id": "95947b5c-71ce-4a7e-a5e0-df5043402b5c",
"response_rule_version": 1,
"description": "DisplayDesktopNotification",
"value": {},
"enabled": false,
"created": "2018-11-20T17:58:49Z"
}
],
"exceptions": [
{
"exception_id": "9f12a426-a956-4f4e-a698-df732ba1b295",
"enabled": false,
"name": "AO Exception"
}
],
"playbooks": []
}
]
}Response
Please see the Response status codes for more information.
Response JSON schema
| Field Name | Description |
|---|---|
|
name |
This is the name of the detection rule set. |
|
description |
This is the description of the detection rule set. |
|
notification_message |
This is the message to display on the endpoint when a detection rule is triggered. |
|
rules |
This is a list of detection rule objects and their associated response actions, detection exceptions, and package playbooks. |
|
detection_rule_id |
This is the unique ID of the detection rule. |
|
detection_rule_version |
This is the version of the detection rule. |
|
detection_name |
This is the name of the detection rule. |
|
detection_description |
This is the description of the detection rule set. |
|
category |
This is the category of the detection rule. |
|
severity |
This is the severity assigned to the detection rule. Possible values are:
|
|
operating_systems |
This is an object detailing the operating systems to which the detection rule can be applied. It will include the "name" field. This can consist of:
|
|
date_added |
This is the timestamp (in UTC) when the detection rule was added to the tenant. |
|
enabled |
This determines whether or not a detection rule is enabled in the detection rule set. When viewing the content of a detection rule set, this should always be set to 'true'. |
|
notification_enabled |
This determines whether or not the message defined in the 'notification_message' field should display on the device when the detection rule is triggered. To enable display desktop notification on device using the API, set notification_enabled and DisplayDesktopNotification to "true". To disable, set both to "false". The DisplayDesktopNotification setting enables or disables the feature. The notification_enabled setting affects the display desktop notification on device checkbox in the console as enabled (checked) or disabled (unchecked). |
|
responses |
This is a list of response objects for each response action enabled for a particular detection rule. Each object will include the following fields:
|
|
exceptions |
This is a list of exception rule objects that should be applied to the detection rule. Each object will include the following fields:
|
|
playbooks |
This is a list of package playbook unique IDs that will be executed when the detection rule is triggered on the device. |