Get detection rule

Retrieve the content of a detection rule in its native JSON structure.
Service Endpoint
/rules/v2/{rule_id}
Optional query string parameters
Example
https://protectapi.cylance.com/rules/v2/008ece50-49af-472a-b0d8-3c3700883738
Method
HTTP/1.1 GET
Request headers
  • Accept: application/json
  • Authorization: Bearer JWT token returned by the Auth API, with the opticsdetect:read scope encoded

Request

None

Response

Please see the Response status codes for more information.

Response JSON schema

Field Name
    Description

ActivationCanUtlizeDeviceStateEvents
    This indicates whether state events (historical rundowns) should be considered when evaluating for matches.
ActivationLifetimeLimit
    This is the amount of time a rule is active. If the rule has been active past this duration, the instance of the rule is removed.
AllowMultipleActivationsPerContext
    This indicates whether the rule can be activated multiple times simultaneously.
Description
    This is the description of the detection rule.
Id
    This is the unique identifier of the detection rule.
MaximumConcurrentActivations
    This is the maximum number of concurrently executing instances of this rule.
Name
    This is the name of the detection rule.
NotValidAfter
    This is the date and time (in UTC) after which the detection rule is not valid.
NotValidBefore
    This is the date and time (in UTC) before which the detection rule is not valid.
ObjectType
    This is the type of object defined in this rule. Possible values are:
      • DetectionRule
      • ResponseRule
OperatingSystems
    These are the affected operating systems.
      • Name: The name of the operating system type (for example Windows, macOS, or Linux).
Paths
    This defines the paths by which this deterministic finite automaton (DFA) can be iterated.
Plugin
    This is the CylanceOPTICS plugin associated with the detection rule.
Product
    This is the name of the product associated with the detection rule.
RuleSource
    This is the source of the rule (for example, Cylance).
RuleSourceGrouping
    This is the classification or designator for the rule source (for example, CylanceOPTICS).
SchemaVersion
    This is the version of the schema.
Severity
    This is the severity assigned to the detection rule. Possible values are:
      • High
      • Medium
      • Low
      • Informational
States
    This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified.
Tags
    This is the list of tags associated with the detection rule.
TerminateActiveDfaIfActivatingProcessesEnd
    If the activating process (and, if applicable, all other processes that have been absorbed as activating processes) ends, the active DFA is terminated.
Version
    This is the version of the detection rule.
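The following is an added example, not part of the Cylance documentation or API client: it builds the request described above and audits a rule document against the schema fields listed here (validity window, enumerated values, presence of States and OperatingSystems). The sample response body is constructed; only the rule Id is taken from the example URL above, and the audit checks are this example's own, not checks the API performs.

```python
import json
from datetime import datetime, timezone

BASE_URL = "https://protectapi.cylance.com"  # host taken from the example URL above

def build_request(rule_id: str, jwt: str) -> tuple[str, dict]:
    """URL and headers for GET /rules/v2/{rule_id} as documented on this page."""
    url = f"{BASE_URL}/rules/v2/{rule_id}"
    # The JWT must have been issued by the Auth API with the opticsdetect:read scope.
    headers = {"Accept": "application/json", "Authorization": f"Bearer {jwt}"}
    return url, headers

def parse_utc(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' or a missing offset means UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_rule(rule: dict, now_iso: str) -> list[str]:
    """Review one rule document; an empty list means nothing was flagged."""
    now = parse_utc(now_iso)
    findings = []
    if rule.get("ObjectType") not in ("DetectionRule", "ResponseRule"):
        findings.append("unknown ObjectType")
    if rule.get("Severity") not in ("High", "Medium", "Low", "Informational"):
        findings.append("unknown Severity")
    if rule.get("NotValidBefore") and now < parse_utc(rule["NotValidBefore"]):
        findings.append("not yet valid")
    if rule.get("NotValidAfter") and now >= parse_utc(rule["NotValidAfter"]):
        findings.append("expired")
    if not rule.get("States"):
        findings.append("no States defined")
    if not rule.get("OperatingSystems"):
        findings.append("no OperatingSystems listed")
    return findings

# Constructed sample response body (not a real tenant's rule).
SAMPLE_RULE = json.loads("""{
  "Id": "008ece50-49af-472a-b0d8-3c3700883738",
  "Name": "Sample rule (constructed)",
  "ObjectType": "DetectionRule",
  "Severity": "Medium",
  "NotValidBefore": "2021-01-01T00:00:00Z",
  "NotValidAfter": "2022-01-01T00:00:00Z",
  "OperatingSystems": [{"Name": "Windows"}],
  "States": [{"Name": "Start"}],
  "Tags": ["constructed"]
}""")

if __name__ == "__main__":
    print(build_request(SAMPLE_RULE["Id"], "<JWT from Auth API>")[0])
    print(audit_rule(SAMPLE_RULE, "2023-01-01T00:00:00Z"))  # ['expired']
```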