Update detection rule set
Update a detection rule set by sending a new JSON structure.
Item | Value |
---|---|
Service endpoint | /rulesets/v2/{ruleset_id} |
Optional query string parameters | — |
Example | https://protectapi.cylance.com/rulesets/v2/c407f28a-3805-4014-b32c-0c2553ac1e17 |
Method | HTTP/1.1 PUT |
Request headers | |
Request

```json
{
  "name": "",
  "description": "",
  "notification_message": "",
  "category": "Custom",
  "rules": [
    {
      "detection_rule_id": "998ece50-49af-472a-b0d8-3c3700883736",
      "detection_rule_version": 1,
      "detection_name": "Gatekeeper Bypass (MITRE)",
      "detection_description": "Detects on usage of xattr or spctl to bypass Gatekeeper, by a non-root user (MITRE1144)",
      "category": "Cylance MITRE ATT&CK Rules",
      "severity": "High",
      "operating_systems": [
        { "Name": "macOS" }
      ],
      "date_added": "2018-11-20T17:58:49Z",
      "enabled": false,
      "notification_enabled": false,
      "responses": [
        {
          "template_id": "9986d82e-1b1d-45a9-977a-cf86f1063b14",
          "response_id": "95947b5c-71ce-4a7e-a5e0-df5043402b5c",
          "response_rule_version": 1,
          "description": "DisplayDesktopNotification",
          "value": {},
          "enabled": false,
          "created": "2018-11-20T17:58:49Z"
        }
      ],
      "exceptions": [
        {
          "exception_id": "9f12a426-a956-4f4e-a698-df732ba1b295",
          "enabled": false,
          "name": "AO Exception"
        }
      ],
      "playbooks": []
    }
  ]
}
```
Response
Please see the Response status codes for more information.
Response JSON schema
Field Name | Description |
---|---|
name | This is the name of the detection rule set. |
description | This is the description of the detection rule set. |
notification_message | This is the message to display on the endpoint when a detection rule is triggered. |
rules | This is a list of detection rule objects and their associated response actions, detection exceptions, and package playbooks. |
detection_rule_id | This is the unique ID of the detection rule. |
detection_rule_version | This is the version of the detection rule. |
detection_name | This is the name of the detection rule. |
detection_description | This is the description of the detection rule set. |
category | This is the category of the detection rule. |
severity | This is the severity assigned to the detection rule. Possible values are: |
operating_systems | This is an object detailing the operating systems to which the detection rule can be applied. It includes the "name" field. This can consist of: |
date_added | This is the timestamp (in UTC) when the detection rule was added to the tenant. |
enabled | This determines whether or not a detection rule is enabled in the detection rule set. When viewing the content of a detection rule set, this should always be set to 'true'. |
notification_enabled | This determines whether or not the message defined in the 'notification_message' field is displayed on the device when the detection rule is triggered. To enable the desktop notification on the device through the API, set both notification_enabled and the DisplayDesktopNotification response to "true"; to disable it, set both to "false". The DisplayDesktopNotification setting enables or disables the feature itself. The notification_enabled setting controls whether the "display desktop notification on device" checkbox in the console appears enabled (checked) or disabled (unchecked). |
responses | This is a list of response objects, one for each response action enabled for a particular detection rule. Each object includes the following fields: |
exceptions | This is a list of exception rule objects that are applied to the detection rule. Each object includes the following fields: |
playbooks | This is a list of package playbook unique IDs that are executed when the detection rule is triggered on the device. |
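The following is an added example, not code from the original documentation, showing how a client could keep `notification_enabled` and the `DisplayDesktopNotification` response consistent (as the field table requires), check the body for missing top-level fields, and assemble the PUT against the endpoint above. The bearer-token `Authorization` header and `Content-Type` header are assumptions, since the page lists no request headers; the rule object is constructed from the page's example body.

```python
import json
import urllib.request

BASE_URL = "https://protectapi.cylance.com"  # host from the page's example URL

# Constructed minimal rule, trimmed from the page's example request body.
EXAMPLE_RULE = {
    "detection_rule_id": "998ece50-49af-472a-b0d8-3c3700883736",
    "detection_rule_version": 1,
    "enabled": False,
    "notification_enabled": False,
    "responses": [
        {"response_id": "95947b5c-71ce-4a7e-a5e0-df5043402b5c",
         "description": "DisplayDesktopNotification", "value": {}, "enabled": False},
    ],
    "exceptions": [],
    "playbooks": [],
}

def set_desktop_notification(rule: dict, enabled: bool) -> dict:
    """Toggle the desktop notification as the field table requires: notification_enabled
    and the DisplayDesktopNotification response must carry the same value."""
    rule["notification_enabled"] = enabled
    for response in rule.get("responses", []):
        if response.get("description") == "DisplayDesktopNotification":
            response["enabled"] = enabled
    return rule

def validate_ruleset(payload: dict) -> list:
    """Return a list of problems found; an empty list means the body is ready to send."""
    problems = []
    for key in ("name", "description", "notification_message", "category", "rules"):
        if key not in payload:
            problems.append("missing top-level field: " + key)
    for rule in payload.get("rules", []):
        rid = rule.get("detection_rule_id", "<no id>")
        display = [r.get("enabled", False) for r in rule.get("responses", [])
                   if r.get("description") == "DisplayDesktopNotification"]
        # Both flags must agree, otherwise the console and the device disagree too.
        if display and rule.get("notification_enabled", False) != any(display):
            problems.append("rule %s: notification_enabled and DisplayDesktopNotification disagree" % rid)
    return problems

def build_put_request(ruleset_id: str, payload: dict, token: str) -> urllib.request.Request:
    """Assemble the PUT; the bearer-token header is an assumption (page lists no headers)."""
    body = json.dumps(payload).encode("utf-8")
    headers = {"Content-Type": "application/json", "Authorization": "Bearer " + token}
    return urllib.request.Request(BASE_URL + "/rulesets/v2/" + ruleset_id,
                                  data=body, headers=headers, method="PUT")
```

Send the returned request with `urllib.request.urlopen` only after `validate_ruleset` returns an empty list.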