Skip Navigation

Create detection rule

Allows a caller to create a new detection rule by sending the native JSON structure of a detection rule.
Service endpoint
/rules/v2
Optional query string parameters
Example
https://protectapi.cylance.com/rules/v2
Method
HTTP/1.1 POST
Request headers
  • Accept: application/json
  • Authorization: Bearer
    JWT Token returned by Auth API
    with the opticsrule:create scope encoded

Request

{ "Name": "Name of Detection Rule", "Description": "Description of Detection Rule", "Severity": "Medium", "ObjectType": "DetectionRule", "OperatingSystems": [ { "Name": "Windows" } ], "Plugin": { "Name": "OpticsDetector" }, "Product": { "Name": "CylanceOPTICS" }, "SchemaVersion": 1, "States": [ { "Name": "MaliciousApp", "Scope": "Global", "Function": "Function", "FieldOperators": { "Function": { "Type": "EqualsAny", "Operands": [ { "Source": "LiteralSet", "Data": "badapp.exe" } ], "OperandType": "string", "Options": { "IgnoreCase": true } } }, "Actions": [ { "Type": "AOI", "ItemName": "InstigatingProcess", "Position": "PostActivation" } ], "Filters": [ { "Type": "Event", "Data": { "Category": "Process", "SubCategory": "", "Type": "*" } } ] } ], "Tags": [ "CylanceOPTICS" ] }

Response

Please see the Response status codes for more information.

Request JSON schema

Field Name
Description
Description
This is the description for the detection rule.
Name
This is the name of the detection rule.
ObjectType
This is the type of object defined in this rule.
  • DetectionRule
  • ResponseRule
OperatingSystems
These are the affected operating systems.
  • Name: This is the name of the type of operating system (like Windows, macOS, or Linux).
Plugin
This is the
BlackBerry Optics
plugin associated with the detection rule.
Product
This is the name of the product associated with the detection rule.
SchemaVersion
This is the version of the schema.
Severity
This is the severity assigned to the detection rule. Possible values are:
  • High
  • Medium
  • Low
  • Informational
States
This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified.
Tags
This is a list of tags associated with the detection rule.

Response JSON schema

Field Name
Description
Description
This is the description for the detection rule.
Id
This is the unique identifier for the detection rule.
Name
This is the name of the detection rule.
ObjectType
This is the type of object defined in this rule.
  • DetectionRule
  • ResponseRule
OperatingSystems
This is the affected operating systems.
  • Name: This is the name of the type of operating system (like Windows, macOS, or Linux).
Plugin
This is the
BlackBerry Optics
plugin associated with the detection rule.
Product
This is the name of the product associated with the detection rule.
RuleSourceGrouping
This is the classification or designator for the rule source (for example, Optics).
SchemaVersion
This is the version of the schema.
Severity
This is the severity assigned to the detection rule. The possible values are:
  • High
  • Medium
  • Low
  • Informational
States
This is the list of all available states. If no paths are specified, the states are transitioned in the order they are specified.
Tags
This is a list of tags associated with the detection rule.
Version
This is the version of the detection rule.
The response JSON schema contains the entirety of the Detection Rule Logic.
The "id" and "version" fields are automatically populated when the request is submitted.