Replacing aggregation rules
PUT /xdr/api/v1/aggregator/<tenantID>/rules/
Replaces all aggregation rules of the specified tenant with the array passed in the request body.
To edit the existing aggregation rules of a tenant:
- Use the GET /xdr/api/v1/aggregator/<tenantID>/rules/ method to obtain the current rules.
- Edit the obtained rules file, keeping every rule that should remain in force.
- Use PUT /xdr/api/v1/aggregator/<tenantID>/rules/ to apply the edited rules to the tenant.
Query parameters

tenantID (string, mandatory)
  The tenant ID, passed in the URL path. If the user does not have the Read right for the specified tenant, the query fails.
  Example: 00000000-0000-0000-0000-000000000000
Request body

Format: JSON. The body is an array of rules; it replaces the tenant's entire current rule set, so include every rule that should remain, not only the edited ones.

[
{"TenantID":"{tenantID}", "ID":"2", "Name": "changedName", "Priority": 1, ...},
{"TenantID":"{tenantID}", "ID":"3", "Name": "name3", "Priority": 2, ...}
]
Rule fields (name, data type, whether mandatory, description, example value):

id (string, optional)
  Rule ID (UUID). The identifier of the default rule is 8e5405a7-6740-471f-a15d-9f9414974060.
  Example: 00000000-0000-0000-0000-000000000000

name (string, mandatory)
  Rule name. Names must be unique within the array; duplicates are rejected with HTTP 409.
  Example: Rule1

description (string, optional)
  Rule description.
  Example: Aggregate by rule id

tenantID (string, mandatory)
  Tenant ID (UUID).
  Example: 00000000-0000-0000-0000-000000000000

enabled (boolean, mandatory)
  Specifies whether the rule is enabled. Use a JSON boolean, not a string.
  Example: true

trigger (string, mandatory)
  Rule trigger: a JQ expression evaluated against the incoming event, which must return a boolean value.
  Example: any(.Observables[]? | select(.Type == "username") | .Value; . == "Alice" or . == "Bob")

aggregationID (string, mandatory)
  Rule aggregation ID: a JQ expression that must return a string value.
  Example: PentestByUserName

alertName (string, mandatory)
  The name of the alert: a JQ expression that must return a string value. In the example below, the alert name is built from the first aggregated event; events aggregated afterwards do not change the resulting alert name.
  Example: "[PentestByUserName] " + ([.Rules[]?.Name] | join(","))

aggregationInterval (object, optional)
  The aggregation search interval, in seconds (30 seconds by default).
  Example: 45

maxAlertsInAggregate (integer, optional)
  Maximum number of alerts for aggregation. Minimum is 1, maximum is 100.
  Example: 10

priority (integer, optional)
  Rule priority. The lower the number, the higher the priority of the rule.
  Example: 2
Alerts produced by a rule are held back for the aggregation interval, 30 seconds by default. To obtain alerts without that delay, set aggregationInterval to a value lower than 30 or set maxAlertsInAggregate to its minimum value of 1.
Possible errors

HTTP code  Description
204        The specified JSON file with rules is empty.
400        Bad request.
409        The specified JSON file contains rules with duplicate names.
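The GET, edit, PUT procedure above, with a local pre-flight check that mirrors the documented rejections (empty array, duplicate names, out-of-range maxAlertsInAggregate, non-boolean enabled) so a bad body is caught before it overwrites the tenant's rule set. This is an added example, not Kaspersky's own client code: the endpoint path and tenant ID come from this page, while BASE_URL, bearer-token authentication, the SAMPLE_RULES values and all helper names are assumptions. Field names follow the rule-fields table (lowercase id, name, tenantID, ...); the page's own JSON snippet capitalises them, so confirm the exact casing from a real GET response before relying on this.

```python
"""Replace a tenant's aggregation rules: GET, edit, validate locally, PUT.

Added example, not the product's own client. Paths and field names are taken
from the documentation; BASE_URL, TOKEN, the auth header and SAMPLE_RULES are
assumptions/constructed data.
"""
import json
import urllib.request
from typing import Any

BASE_URL = "https://xdr.example.internal"  # assumption: your instance
TOKEN = "REPLACE_WITH_API_TOKEN"            # assumption: bearer token
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Fields the documentation marks as mandatory.
REQUIRED = ("name", "tenantID", "enabled", "trigger", "aggregationID", "alertName")

# Constructed sample shaped like the documented rule fields (not a real GET response).
SAMPLE_RULES: list[dict[str, Any]] = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "name": "PentestByUserName",
        "description": "Aggregate pentest events by user name",
        "tenantID": TENANT_ID,
        "enabled": True,
        "trigger": 'any(.Observables[]? | select(.Type == "username") | .Value; . == "Alice" or . == "Bob")',
        "aggregationID": '"PentestByUserName"',  # JQ string literal -> returns a string
        "alertName": '"[PentestByUserName] " + ([.Rules[]?.Name] | join(","))',
        "maxAlertsInAggregate": 10,
        "priority": 2,
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "name": "CatchAll",
        "tenantID": TENANT_ID,
        "enabled": False,
        "trigger": "true",
        "aggregationID": '"catch-all"',
        "alertName": ".Name",
        "priority": 100,
    },
]


def validate_rules(rules: list[dict[str, Any]], tenant_id: str) -> list[str]:
    """Pre-flight checks mirroring the documented rejections (204 empty body,
    409 duplicate names, 400 bad request). Returns a list of problems; empty means OK."""
    if not rules:
        return ["rule list is empty (the API answers 204)"]
    problems: list[str] = []
    seen: set[Any] = set()
    for i, rule in enumerate(rules):
        for field in REQUIRED:
            if field not in rule:
                problems.append(f"rule {i}: missing mandatory field {field!r}")
        name = rule.get("name")
        if name in seen:
            problems.append(f"rule {i}: duplicate name {name!r} (the API answers 409)")
        seen.add(name)
        if rule.get("tenantID") != tenant_id:
            problems.append(f"rule {i}: tenantID does not match the tenant in the URL")
        if not isinstance(rule.get("enabled"), bool):
            problems.append(f"rule {i}: enabled must be a JSON boolean")
        m = rule.get("maxAlertsInAggregate")
        if m is not None and (isinstance(m, bool) or not isinstance(m, int) or not 1 <= m <= 100):
            problems.append(f"rule {i}: maxAlertsInAggregate must be an integer in 1..100")
    return problems


def edit_rules(rules: list[dict[str, Any]], updates: dict[str, dict[str, Any]]) -> list[dict[str, Any]]:
    """Return a new list with per-rule field updates applied, keyed by rule name.
    Originals are not mutated; an unknown name raises instead of silently doing nothing."""
    known = {r["name"] for r in rules}
    unknown = set(updates) - known
    if unknown:
        raise KeyError(f"no such rule(s): {sorted(unknown)}")
    return [{**r, **updates.get(r["name"], {})} for r in rules]


def rules_path(tenant_id: str) -> str:
    return f"/xdr/api/v1/aggregator/{tenant_id}/rules/"


def _call(method: str, path: str, body: Any = None) -> tuple[int, Any]:
    """Minimal JSON client; 4xx/5xx surface as urllib.error.HTTPError."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {TOKEN}")  # assumption: bearer auth
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def replace_rules(tenant_id: str, updates: dict[str, dict[str, Any]]) -> int:
    """GET current rules, apply updates, validate, PUT the whole array back."""
    _, current = _call("GET", rules_path(tenant_id))
    new_rules = edit_rules(current, updates)
    problems = validate_rules(new_rules, tenant_id)
    if problems:
        raise ValueError("refusing to PUT: " + "; ".join(problems))
    status, _ = _call("PUT", rules_path(tenant_id), new_rules)
    return status


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; no network access.
    edited = edit_rules(SAMPLE_RULES, {"PentestByUserName": {"priority": 1, "maxAlertsInAggregate": 1}})
    print("local validation:", validate_rules(edited, TENANT_ID) or "ok")
    # Against a live instance: replace_rules(TENANT_ID, {"PentestByUserName": {"priority": 1}})
```

Because PUT replaces the whole rule set, the client always starts from the server's current array and never builds the body from scratch; the validation step is what turns a 409 or 400 round-trip into a local error before anything is overwritten.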