Validate detection rule

Allows a user to validate a detection rule's JSON by sending the native JSON structure of a detection rule to a validation service.
Service endpoint
/rules/v2/validate
Optional query string parameters
Example
https://protectapi.cylance.com/rules/v2/validate
Method
HTTP/1.1 POST
Request headers
  • Accept: application/json
  • Authorization: Bearer <JWT Token returned by Auth API> with the opticsrule:read scope encoded

Request

{
  "Name": "Name of Detection Rule",
  "Description": "Description of Detection Rule",
  "Severity": "Medium",
  "ObjectType": "DetectionRule",
  "OperatingSystems": [ { "Name": "Windows" } ],
  "Plugin": { "Name": "OpticsDetector" },
  "Product": { "Name": "CylanceOPTICS" },
  "SchemaVersion": 1,
  "States": [
    {
      "Name": "MaliciousApp",
      "Scope": "Global",
      "Function": "Function",
      "FieldOperators": {
        "Function": {
          "Type": "EqualsAny",
          "Operands": [ { "Source": "LiteralSet", "Data": "badapp.exe" } ],
          "OperandType": "string",
          "Options": { "IgnoreCase": true }
        }
      },
      "Actions": [
        { "Type": "AOI", "ItemName": "InstigatingProcess", "Position": "PostActivation" }
      ],
      "Filters": [
        { "Type": "Event", "Data": { "Category": "Process", "SubCategory": "", "Type": "*" } }
      ]
    }
  ],
  "Tags": [ "CylanceOPTICS" ]
}

Response

Please see the Response status codes for more information.

Request JSON schema

| Field Name | Description |
| --- | --- |
| Description | This is the description for the detection rule. |
| Name | This is the name of the detection rule. |
| ObjectType | This is the type of object defined in this rule: DetectionRule or ResponseRule. |
| OperatingSystems | These are the affected operating systems. Name: This is the name of the type of operating system (like Windows, macOS, or Linux). |
| Plugin | This is the CylanceOPTICS plugin associated with the detection rule. |
| Product | This is the name of the product associated with the detection rule. |
| SchemaVersion | This is the version of the schema. |
| Severity | This is the severity assigned to the detection rule. Possible values are: High, Medium, Low, Informational. |
| States | This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified. |
| Tags | This is a list of tags associated with the Detection Rule. |

Response JSON schema

| Field Name | Description |
| --- | --- |
| errors | This is a list of error messages that will prevent the Detection Rule from validating and operating correctly. |
| valid | This returns "true" if the Detection Rule passes validation. It returns "false" if the Detection Rule does not pass validation. |
| warnings | This is a list of warning message strings that may impact the performance or validity of the Detection Rule. |
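
The following is an added example, not part of the vendor documentation: a local pre-flight check for a rule file, the request built as described above, and a pass/fail gate over the valid/errors/warnings reply. It assumes every documented field is expected and that a Content-Type header accompanies the body; the function names and sample values are constructed for illustration.

```python
import json
import urllib.request

VALIDATE_URL = "https://protectapi.cylance.com/rules/v2/validate"  # from the page
# Field names and allowed values as listed in the page's request schema.
FIELDS = ("Name", "Description", "Severity", "ObjectType", "OperatingSystems",
          "Plugin", "Product", "SchemaVersion", "States", "Tags")
ENUMS = {"Severity": ("High", "Medium", "Low", "Informational"),
         "ObjectType": ("DetectionRule", "ResponseRule")}

def preflight(rule_text):
    """Local lint before the POST; returns a list of problems (empty = send it)."""
    try:
        rule = json.loads(rule_text)  # strict parser: rejects trailing commas
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(rule, dict):
        return ["top-level value must be a JSON object"]
    # Assumption: every documented field is expected; the page marks none optional.
    problems = [f"missing field: {name}" for name in FIELDS if name not in rule]
    for name, allowed in ENUMS.items():
        if name in rule and rule[name] not in allowed:
            problems.append(f"{name}={rule[name]!r} is not one of {list(allowed)}")
    return problems

def build_request(rule_text, jwt):
    """Build, without sending, the POST the page describes."""
    headers = {"Accept": "application/json",
               "Authorization": f"Bearer {jwt}",
               "Content-Type": "application/json"}  # assumption: not listed on the page
    return urllib.request.Request(VALIDATE_URL, data=rule_text.encode("utf-8"),
                                  headers=headers, method="POST")

def gate(response_body):
    """Map the service's valid/errors/warnings reply to (passed, errors, warnings)."""
    reply = json.loads(response_body)
    errors, warnings = reply.get("errors") or [], reply.get("warnings") or []
    valid = reply.get("valid")
    passed = (valid is True or str(valid).lower() == "true") and not errors
    return passed, errors, warnings

# Constructed samples, not real rules or real service output.
GOOD_RULE = json.dumps({
    "Name": "Sample", "Description": "Constructed sample", "Severity": "Medium",
    "ObjectType": "DetectionRule", "OperatingSystems": [{"Name": "Windows"}],
    "Plugin": {"Name": "OpticsDetector"}, "Product": {"Name": "CylanceOPTICS"},
    "SchemaVersion": 1, "States": [], "Tags": ["CylanceOPTICS"]})
TRAILING_COMMA = '{"Name": "Sample", "OperatingSystems": [{"Name": "Windows",}]}'
BAD_SEVERITY = GOOD_RULE.replace('"Medium"', '"Critical"')
FAILED_REPLY = '{"valid": false, "errors": ["constructed error text"], "warnings": []}'
```

Passing the request from build_request to urllib.request.urlopen sends it; feeding the response body to gate lets a rule-deployment pipeline stop on errors while still surfacing warnings.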