Create detection rule set
Create a new detection rule set. Detection rule sets can require a large number of fields and unique IDs to function properly. It is recommended to make a GET request to '/rulesets/v2/default' to obtain a properly formatted template prior to submitting a POST request described below.
Service endpoint | /rulesets/v2 |
Optional query string parameters | — |
Example | https://protectapi.cylance.com/rulesets/v2 |
Method | HTTP/1.1 POST |
Request headers |
|
Request
{ "name": "Test Rule Set", "description": "Test Detection Rule Set", "notification_message": "", "category": "Custom", "rules": [ { "detection_rule_id": "008ece50-49af-472a-b0d8-3c3700883738", "detection_rule_version": 1, "detection_name": "Gatekeeper Bypass (MITRE)", "detection_description": "Detects on usage to bypass Gatekeeper", "category": "Custom", "severity": "Low", "operating_systems": [ { "Name": "macOS" } ], "date_added": "2018-11-20T17:58:49Z", "enabled": false, "notification_enabled": false, "responses": [ { "template_id": "9686d82e-1b1d-45a9-977a-cf86f1063b15", "response_id": "c6a26a8b-edce-4a68-8e18-4d16df74e455", "response_rule_version": 1, "description": "DisplayNotification", "value": {}, "enabled": false, "created": "2018-11-20T17:58:49Z" } ], "exceptions": [ { "exception_id": "", "enabled": , "name": "" } ], "playbooks": [ "" ] } ] }
Response
Please see the Response status codes for more information.
Response JSON schema
Field Name | Description |
|---|---|
name | This is the name of the detection rule set. |
description | This is the description of the detection rule set. |
notification_message | This is the message to display on the endpoint when a detection rule is triggered. |
id | This is the unique ID of the detection rule set. |
last_modified | This is the timestamp (in UTC) of the last time that the detection rule set was modified. |
modified_by | This is an object detailing the last user to modify the detection rule. It includes the following fields:
|
rules | This is a list of detection rule objects and their associated response actions, detection exceptions, and package playbooks. |
detection_rule_id | This is the unique ID of the detection rule. |
detection_rule_version | This is the version of the detection rule. |
detection_name | This is the name of the detection rule. |
detection_description | This is the description of the detection rule set. |
category | This is the category of the detection rule. |
severity | This is the severity assigned to the detection rule. Possible values are:
|
operating_systems | This is an object detailing the operating systems to which the detection rule can be applied. It will include the "name" field. This can consist of:
|
date_added | This is the timestamp (in UTC) when the detection rule was added to the tenant. |
enabled | This determines whether or not a detection rule is enabled in the detection rule set. When viewing the content of a detection rule set, this should always be set to 'true'. |
notification_enabled | This determines whether or not the message defined in the 'notification_message' field should display on the device when the detection rule is triggered. To enable display desktop notification on device using the API, set notification_enabled and DisplayDesktopNotification to "true". To disable, set both to "false". The DisplayDesktopNotification setting enables or disables the feature. The notification_enabled setting affects the display desktop notification on device checkbox in the console as enabled (checked) or disabled (unchecked). |
responses | This is a list of response objects for each response action enabled for a particular detection rule. Each object will include the following fields:
|
exceptions | This is a list of exception rule objects that should be applied to the detection rule. Each object will include the following fields:
|
playbooks | This is a list of package playbook unique IDs that will be executed when the detection rule is triggered on the device. |