Viewing a list of aggregation rules
GET /xdr/api/v1/aggregator/<tenantID>/rules
Returns a list of rules that combine events in alerts for the specified tenant.
Query parameters

| Name | Data type | Mandatory | Description | Value example |
|---|---|---|---|---|
| tenantID | string | Yes | The tenant ID. If the user does not have the Read right for the specified tenant, the query fails. | 00000000-0000-0000-0000-000000000000 |
Response
HTTP code: 200
Format: JSON
Example:
[
{"TenantID":"{tenantID}", "ID":"1", "Name": "name1", "Priority": 0, ...},
{"TenantID":"{tenantID}", "ID":"2", "Name": "name2", "Priority": 1, ...},
]
Response fields

| Name | Data type | Description | Value example |
|---|---|---|---|
| id | string | Rule ID (UUID). The identifier of the default rule is 8e5405a7-6740-471f-a15d-9f9414974060. | 00000000-0000-0000-0000-000000000000 |
| name | string | Rule name. | Rule1 |
| description | string | Rule description. | Aggregate by rule id |
| tenantID | string | Tenant ID (UUID). | 00000000-0000-0000-0000-000000000000 |
| enabled | boolean | Specifies whether the rule is enabled. | Yes |
| trigger | string | Rule trigger. A JQ expression that must return a boolean value. | `any(.Observables[]? \| select(.Type == "username") \| .Value; . == "Alice" or . == "Bob")` |
| aggregationID | string | Rule aggregation ID. A JQ expression that must return a string value. | PentestByUserName |
| alertName | string | The name of the incident. A JQ expression that must return a string value. In the example on the right, the alert name is built from the rule names of the first aggregated event; events aggregated afterwards do not change the resulting alert name. | `"[PentestByUserName] " + ([.Rules[]?.Name] \| join(","))` |
| aggregationInterval | object | The searching interval (30 seconds by default). | 45 |
| maxAlertsInAggregate | integer | Maximum number of alerts in one aggregate. Minimum is 1. Maximum is 100. | 10 |
| priority | integer | Rule priority. | 2 |
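The following helper is an added example, not code from the product documentation. It builds the endpoint URL for a tenant, parses a rule list of the shape documented above and checks each rule against the documented types and ranges (UUID identifiers, boolean `enabled`, non-empty JQ expressions, `maxAlertsInAggregate` between 1 and 100). Two things it assumes that the page does not state: the API is reached at a placeholder base URL over HTTPS, and requests carry a bearer token in the `Authorization` header. The sample response embedded below is constructed, not real data; note that the page's own example response capitalises keys (`TenantID`, `ID`, `Name`) while the field table spells them `tenantID`, `id`, `name`, so the parser normalises key case before validating.

```python
"""Helper for GET /xdr/api/v1/aggregator/<tenantID>/rules.

Added example, not code from the product documentation. Assumed (not documented
on the page): HTTPS base URL and bearer-token authentication.
"""
import json
import uuid
from typing import Any, Optional
from urllib.request import Request, urlopen

# Documented identifier of the default aggregation rule.
DEFAULT_RULE_ID = "8e5405a7-6740-471f-a15d-9f9414974060"

# Constructed sample response in the documented shape (not real data). The
# first rule uses the capitalised keys of the page's example response, the
# others use the field-table spelling, so key normalisation is exercised.
SAMPLE_RESPONSE = json.dumps([
    {"ID": DEFAULT_RULE_ID, "Name": "Default", "description": "Aggregate by rule id",
     "TenantID": "00000000-0000-0000-0000-000000000000", "enabled": True,
     "trigger": "true", "aggregationID": ".Rules[0].ID", "alertName": ".Rules[0].Name",
     "aggregationInterval": 30, "maxAlertsInAggregate": 10, "priority": 0},
    {"id": "11111111-1111-1111-1111-111111111111", "name": "Rule1",
     "description": "Pentest by user name",
     "tenantID": "00000000-0000-0000-0000-000000000000", "enabled": True,
     "trigger": 'any(.Observables[]? | select(.Type == "username") | .Value; . == "Alice" or . == "Bob")',
     "aggregationID": "PentestByUserName",
     "alertName": '"[PentestByUserName] " + ([.Rules[]?.Name] | join(","))',
     "aggregationInterval": 45, "maxAlertsInAggregate": 10, "priority": 2},
    # Deliberately malformed: enabled is not a boolean, trigger is empty and
    # maxAlertsInAggregate exceeds the documented maximum of 100.
    {"id": "22222222-2222-2222-2222-222222222222", "name": "Broken",
     "description": "", "tenantID": "00000000-0000-0000-0000-000000000000",
     "enabled": "yes", "trigger": "", "aggregationID": "x", "alertName": "x",
     "aggregationInterval": 30, "maxAlertsInAggregate": 500, "priority": 1},
])

# Field names as spelled in the response-field table.
CANONICAL_KEYS = {"id", "name", "description", "tenantID", "enabled", "trigger",
                  "aggregationID", "alertName", "aggregationInterval",
                  "maxAlertsInAggregate", "priority"}


def build_rules_url(base_url: str, tenant_id: str) -> str:
    """Build the endpoint URL; only a well-formed UUID is interpolated into the
    path, so a tenant id taken from user input cannot alter the route."""
    try:
        canonical = str(uuid.UUID(tenant_id))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"tenantID is not a UUID: {tenant_id!r}")
    return f"{base_url.rstrip('/')}/xdr/api/v1/aggregator/{canonical}/rules"


def parse_rules(body: str) -> list[dict[str, Any]]:
    """Parse the JSON array and map key case to the field-table spelling."""
    by_lower = {k.lower(): k for k in CANONICAL_KEYS}
    data = json.loads(body)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of rules")
    return [{by_lower.get(k.lower(), k): v for k, v in rule.items()} for rule in data]


def validate_rule(rule: dict[str, Any]) -> list[str]:
    """Check one rule against the documented types and ranges; returns the
    list of problems found (empty when the rule is well-formed)."""
    problems: list[str] = []
    for field in ("id", "tenantID"):
        try:
            uuid.UUID(str(rule.get(field)))
        except ValueError:
            problems.append(f"{field}: not a UUID")
    if not isinstance(rule.get("enabled"), bool):
        problems.append("enabled: not a boolean")
    for field in ("trigger", "aggregationID", "alertName"):
        value = rule.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: JQ expression missing or empty")
    n = rule.get("maxAlertsInAggregate")
    if isinstance(n, bool) or not isinstance(n, int) or not 1 <= n <= 100:
        problems.append("maxAlertsInAggregate: must be an integer from 1 to 100")
    p = rule.get("priority")
    if isinstance(p, bool) or not isinstance(p, int):
        problems.append("priority: not an integer")
    return problems


def find_default_rule(rules: list[dict[str, Any]]) -> Optional[dict[str, Any]]:
    """Return the rule whose id is the documented default rule id, if present."""
    return next((r for r in rules if r.get("id") == DEFAULT_RULE_ID), None)


def fetch_rules(base_url: str, tenant_id: str, token: str, timeout: int = 10) -> list[dict[str, Any]]:
    """Live call (not exercised here): GET the rule list. Bearer-token auth is
    an assumption, the page does not document the authentication scheme."""
    req = Request(build_rules_url(base_url, tenant_id),
                  headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return parse_rules(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_RESPONSE):
        print(rule["id"], rule["name"], validate_rule(rule) or "ok")
```

Run as a script it prints one line per rule from the constructed sample, reporting `ok` for the two well-formed rules and the three documented-range violations for the third; `fetch_rules` is the same pipeline over a live response once a base URL and token are supplied.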
Possible errors

| HTTP code | Description |
|---|---|
| 500 | Any other internal errors. |