Create detection rule
Allows a caller to create a new detection rule by sending the native JSON structure of a detection rule.
Service endpoint | /rules/v2 |
Optional query string parameters | — |
Example | https://protectapi.cylance.com/rules/v2 |
Method | HTTP/1.1 POST |
Request headers |
|
Request
{ "Name": "Name of Detection Rule", "Description": "Description of Detection Rule", "Severity": "Medium", "ObjectType": "DetectionRule", "OperatingSystems": [ { "Name": "Windows" } ], "Plugin": { "Name": "OpticsDetector" }, "Product": { "Name": "CylanceOPTICS" }, "SchemaVersion": 1, "States": [ { "Name": "MaliciousApp", "Scope": "Global", "Function": "Function", "FieldOperators": { "Function": { "Type": "EqualsAny", "Operands": [ { "Source": "LiteralSet", "Data": "badapp.exe" } ], "OperandType": "string", "Options": { "IgnoreCase": true } } }, "Actions": [ { "Type": "AOI", "ItemName": "InstigatingProcess", "Position": "PostActivation" } ], "Filters": [ { "Type": "Event", "Data": { "Category": "Process", "SubCategory": "", "Type": "*" } } ] } ], "Tags": [ "CylanceOPTICS" ] }
Response
Please see the Response status codes for more information.
Request JSON schema
Field Name | Description |
|---|---|
Description | This is the description for the detection rule. |
Name | This is the name of the detection rule. |
ObjectType | This is the type of object defined in this rule.
|
OperatingSystems | These are the affected operating systems.
|
Plugin | This is the CylanceOPTICS plugin associated with the detection rule. |
Product | This is the name of the product associated with the detection rule. |
SchemaVersion | This is the version of the schema. |
Severity | This is the severity assigned to the detection rule. Possible values are:
|
States | This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified. |
Tags | This is a list of tags associated with the detection rule. |
Response JSON schema
Field Name | Description |
|---|---|
Description | This is the description for the detection rule. |
Id | This is the unique identifier for the detection rule. |
Name | This is the name of the detection rule. |
ObjectType | This is the type of object defined in this rule.
|
OperatingSystems | This is the affected operating systems.
|
Plugin | This is the CylanceOPTICS plugin associated with the detection rule. |
Product | This is the name of the product associated with the detection rule. |
RuleSourceGrouping | This is the classification or designator for the rule source (for example, CylanceOPTICS ). |
SchemaVersion | This is the version of the schema. |
Severity | This is the severity assigned to the detection rule. The possible values are:
|
States | This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified. |
Tags | This is a list of tags associated with the detection rule. |
Version | This is the version of the detection rule. |
The response JSON schema contains the entirety of the Detection Rule Logic.
The "id" and "version" fields are automatically populated when the request is submitted.