AlertRules

id

Alert rule id. Mandatory Field

aggregate

Risk Calculation Function. Accepts values such as "min","max" and "avg". Used for calculating Risk Value of the alert. Mandatory Field

apply_jinja_template

Option to view rows that is displayed in Incident Data View in a format defined by the Jinja template. Optional Field

alert_context_template

Specify the Jinja Template syntax for rows that is displayed in the Incident Data View. Optional Field

assigned_to

ID of the user who can re-assign, comment on and view the data of the generated incident. Optional Field

attack_tag

List of attack tag IDs to categorize the alert rules. Use MitreAttacks - FetchMitreAttacks to obtain value for this parameter. Optional Field

condition_option

Accepts values such as "greaterthan", "lessthan", "equalsto", "lessequal", "equals", "moreequal" and "notequal". Mandatory Field

condition_value

Can be positive integer or 0. Mandatory Field

delay_interval_minute

Specify the value of delay interval in minutes to wait for the logs before processing. To set the value, "timestamp_on" parameter value must be "log_ts" in SystemSettingsGeneral API. Accepts values from 1 to 1440 only. Optional Field.

description

Description of the alert rule. Optional Field

flush_on_trigger

Enabling Flush on Trigger activates the next alert rule only by new set of events. Accepts only "on" as value to enable flush on trigger. Optional Field

limit

Number of logs. Minimum value for the field is 1. Mandatory Field

log_source

List of log sources from where the logs should be collected. Optional Field

manageable_by

A list of incident user groups ID where users can re-assign, comment on, view data and resolve the generated incidents. Optional Field

metadata

Optional Field. Array of key-value pair objects to define custom metadata for an alert rule. Each object in the array must include the following parameters: field: Field for the custom metadata. value: Value associated with the given field.

original_data

Alert will be generated with encrypted data where Data Privacy Module is enabled. Setting this value as "true" sends request to generate alert with original data. Can be true/false. Optional Field

owner

ID of the user who owns alert rule. Mandatory Field

query

The query for which the alert rule should be fired. Optional Field

repos

The list of the Repos that you want to monitor for the matching alert condition. Use Repos - FetchRemoteRepos to obtain value for this parameter. Mandatory Field

risk

Risk level of the Alert. Accepts values such as "low", "medium", "high" and "critical". Used for calculating Risk Value of the alert. Mandatory Field

search_interval_minute

Specify the custom search interval for retrieving the logs via search in minutes. Optional Field

searchname

Name of the alert. It should be a unique valid string. Mandatory Field

throttling_enabled

Accepts "on" as value to enable Alert Throttling. Can be "on" only. Optional Field

throttling_field

Specify a field on the basis of which alert throttling will be applied. Can be positive integer or 0. Mandatory only when the value of throttling_enabled is "on". Optional Field

throttling_time_range

Specify a time in minutes for which alert will not be dispatched. Mandatory only when the value of the value of throttling_enabled is "on". Optional Field

timerange_day

Specify the timerange in Day for which the alert condition is to be matched. Either timerange_day or timerange_hour must be present when timerange_minute is not present in the request. Optional Field

timerange_hour

Specify the timerange in Hour for which the alert condition is to be matched. Either timerange_day or timerange_hour must be present when timerange_minute is not present in the request. Optional Field

timerange_minute

Specify the timerange in Minute for which the alert condition is to be matched. Mandatory only when timerange_day and timerange_hour is not present in the request. Optional Field

id

Alert rule id. Mandatory Field

aggregate

Risk Calculation Function. Accepts values such as "min","max" and "avg". Used for calculating Risk Value of the alert. Mandatory Field

alert_context_template

Specify the Jinja Template syntax for rows that will be displayed in the Incident Data View. Optional Field

assigned_to

ID of the user who can re-assign, comment on and view the data of the generated incident. Optional Field

attack_tag

List of attack tag IDs to categorize the alert rules. Use MitreAttacks - FetchMitreAttacks to obtain value for this parameter. Optional Field

condition_option

Accepts values such as "greaterthan", "lessthan", "equalsto", "lessequal", "equals", "moreequal" and "notequal". Mandatory Field

condition_value

Can be positive integer or 0. Mandatory Field

delay_interval_minute

See Create for details. Optional Field

description

Description of the alert rule. Optional Field

flush_on_trigger

Accepts only "on". Optional Field

id

Alert rule id. Mandatory Field

limit

Number of logs. Minimum value for the field is 1. Mandatory Field

log_source

List of log sources from where the logs should be collected. Optional Field

manageable_by

List of incident user groups ID. Optional Field

metadata

Array of key-value pair objects for custom metadata. Optional Field

original_data

Can be true/false. Optional Field

query

The query for which the alert rule should be fired. Optional Field

repos

The list of the Repos that you want to monitor for the matching alert condition. Mandatory Field

risk

Risk level of the Alert. Mandatory Field

search_interval_minute

Optional Field

searchname

Name of the alert rule. Mandatory Field

throttling_enabled

Accepts "on". Optional Field

throttling_field

Mandatory only when throttling_enabled is "on". Optional Field

throttling_time_range

Mandatory only when throttling_enabled is "on". Optional Field

timerange_day

Either timerange_day or timerange_hour must be present when timerange_minute is not present. Optional Field

timerange_hour

See above. Optional Field

timerange_minute

Mandatory only when timerange_day and timerange_hour are not present. Optional Field

b64_logo

Base64 encoded logo image. Only "jpeg" image type upto 160*75 dimension is allowed. Should be a comma separated value containing type of image and base64 encoded value. Mandatory only when logo_enable is "true". Optional Field

dispatch_option

"auto" or "manual". Optional Field

email_emails

List of email addresses. Mandatory only when notify_email is "on". Optional Field

email_template

Message of the Email. Optional Field

email_threshold_option

Time Unit for email threshold. Can be minute/hour/day. Mandatory only when email_threshold_value is required. Optional Field

email_threshold_value

Value for email threshold. Can be positive integer. Mandatory only when email_threshold_option is required. Optional Field

id

Alert rule id. Mandatory Field

link_disable

true to disable the search link in the email, false to enable. Optional Field

logo_enable

true to add a logo or false to remove/disable the logo. Optional Field

notify_email

Accepts on/off. Mandatory Field

simple_view

Option to edit the notification message in plain text or view a rendered preview.

subject

Subject of the Email. Optional Field

active

Status (active/deactive) of the alert rules to fetch. true fetches active rules. Optional Field

log_source

List of log sources to filter alert rules. Optional Field

Field

Label in UI

Type

Description

active

-

boolean

Status(active/deactive) of the alert rules to fetch. Setting this value as "true" sends request to generate all active alert rules defined under SharedRules section. Can be true/false. Optional Field

log_source

-

[String]

List of log sources. Filters alert rules according to the specified log sources in the list. If at least one log source in the alert rule matches one in the list, it is included in the filtered results. Optional Field.

Field

Label in UI

Type

Description

active

-

boolean

Status(active/deactive) of the alert rules to fetch. Setting this value as "true" sends request to generate all active alert rules defined under UsedRules section. Can be true/false. Optional Field

log_source

-

[String]

List of log sources. Filters alert rules according to the specified log sources in the list. If at least one log source in the alert rule matches one in the list, it is included in the filtered results. Optional Field.

Field

Label in UI

Type

Description

active

-

boolean

Status(active/deactive) of the alert rules to fetch. Setting this value as "true" sends request to generate all active alert rules defined under UsedSharedRules section. Can be true/false. Optional Field

log_source

-

[String]

List of log sources. Filters alert rules according to the specified log sources in the list. If at least one log source in the alert rule matches one in the list, it is included in the filtered results. Optional Field.

log_source

List of log sources. Optional Field.

dispatch_option

"auto" or "manual". Optional Field

http_body

Template for the body of the HTTP notification. Provide only when http_request_type is POST, PUT, or PATCH. Optional Field

http_header

Define auth_type (basic_auth/api_token/bearer_token), auth_key, auth_value (for api_token), auth_pass (for basic_auth). Optional Field

http_querystring

Query string. Mandatory only when notify_http is "on". Optional Field

http_request_type

GET/POST/PUT/DELETE/PATCH/HEAD. Mandatory only when notify_http is "on". Optional Field

http_threshold_option

Time Unit for http threshold. minute/hour/day. Optional Field

http_threshold_value

Value for http threshold. Optional Field

http_url

URL to send HTTP notification. Mandatory only when notify_http is "on". Optional Field

id

Alert rule id. Mandatory Field

notify_http

Accepts on/off. Mandatory Field

protocol

HTTP/HTTPS. Optional Field (default HTTP when notify_http is "on" and protocol not provided).

file_location

Location of the file to install. Can be either 'private' or 'public'. Mandatory Field

file_name

Name of the pak file for AlertRules. Mandatory Field

owner

ID of the user who owns alert rule. Mandatory Field

dispatch_option

"auto" or "manual". Optional Field

id

Alert rule id. Mandatory Field

notify_sms

Accepts on/off. Mandatory Field

sms_body

SMS notification message. Optional Field

sms_password

SMS server password. Mandatory only when notify_sms is "on". Optional Field

sms_port

Port number of SMS server. Mandatory only when notify_sms is "on". Optional Field

sms_receivers

List of receiver phone numbers (3-15 digits). Mandatory only when notify_sms is "on". Optional Field

sms_sender

Sender ID for the SMS server. Mandatory only when notify_sms is "on". Optional Field

sms_server

Destination server address. Mandatory only when notify_sms is "on". Optional Field

sms_threshold_option

Time Unit for sms threshold. minute/hour/day. Optional Field

sms_threshold_value

Value for sms threshold. Optional Field

sms_username

Username for the SMS server. Mandatory only when notify_sms is "on". Optional Field

dispatch_option

"auto" or "manual". Optional Field

id

Alert rule id. Mandatory Field

notify_snmp

Accepts on/off. Mandatory Field

snmp_agent

Name of the agent that sends SNMP trap. Mandatory when snmp_version is SNMPv2c. Optional Field

snmp_authorization_key

Authorization Key for SNMPv3. Mandatory when snmp_version is SNMPv3. Optional Field

snmp_community_string

Passphrase for SNMPv2c. Optional Field

snmp_ip

IP address of trap receiver. Mandatory only when notify_snmp is "on". Optional Field

snmp_message

OID's corresponding value in the Message. Optional Field

snmp_oid

Valid SNMP trap or Enterprise specific OID in dotted decimal format. Mandatory only when notify_ssh is "on". Optional Field

snmp_port

Port number of trap receiver. Mandatory only when notify_snmp is "on". Optional Field

snmp_private_key

Private Key for SNMPv3. Optional Field

snmp_threshold_option

Time Unit for snmp threshold. minute/hour/day. Optional Field

snmp_threshold_value

Value for snmp threshold. Optional Field

snmp_username

Username for SNMPv3. Optional Field

snmp_version

SNMPv2c or SNMPv3. Optional Field

dispatch_option

"auto" or "manual". Optional Field

id

Alert rule id. Mandatory Field

notify_ssh

Accepts on/off. Mandatory Field

ssh_auth_password

Password. Mandatory when ssh_auth_type is "password". Optional Field

ssh_auth_type

"password" or "certificate". Mandatory only when notify_ssh is "on". Optional Field

ssh_cert_type

Use when ssh_auth_type is certificate. Values: system_cert, user_cert. Optional Field

ssh_command

Command to execute when the alert rule is fired. Mandatory only when notify_ssh is "on". Optional Field

ssh_port

Port number. Mandatory only when notify_ssh is "on". Optional Field

ssh_server

Destination server address. Mandatory only when notify_ssh is "on". Optional Field

ssh_threshold_option

Time Unit for ssh threshold. minute/hour/day. Optional Field

ssh_threshold_value

Value for ssh threshold. Optional Field

ssh_username

Username for the destination server. Optional Field

id

Alert rule id. Mandatory Field

rbac_config

Alert sharing config using RBAC. Either empty list or objects with group_id (mandatory), group_permission (READ/EDIT/FULL) or user_permissions (list). For user_permissions, each object must have user_id and permission (READ/EDIT/FULL). Mandatory Field

dispatch_option

"auto" or "manual". Optional Field

facility

Values 0 to 23. Optional Field

id

Alert rule id. Mandatory Field

message

Free-form message. Optional Field

notify_syslog

Accepts on/off. Mandatory Field

port

Port number of remote syslog server. Mandatory only when notify_syslog is "on". Optional Field

protocol

UDP/TCP. Mandatory only when notify_syslog is "on". Optional Field

server

Server address of remote syslog server. Mandatory only when notify_syslog is "on". Optional Field

severity

Values 0 to 7. Mandatory only when notify_syslog is "on". Optional Field

split_rows

true/false. If true send each new line as separate syslog message. Optional Field

threshold_option

Time Unit for syslog threshold. minute/hour/day. Optional Field

threshold_value

Value for syslog threshold. Optional Field

id

Alert rule id. Mandatory Field

userid

Transfer ownership to this User id. Mandatory Field

id

Alert rule id. Mandatory Field

file_name

Name of the file to be deleted. Mandatory Field

file_name

Name of the file to be deleted. Mandatory Field

id

Alert rule id. Mandatory Field

file_name

Name of the file to be uploaded.

Content-Type

application/octet-stream

replace_existing

Set 'true' to replace existing file with same name. Default 'false'. Optional

file

(pak) to be uploaded. Mandatory Field

file_name

Name of the file to be uploaded.

Content-Type

application/octet-stream

replace_existing

Set 'true' to replace existing file with same name. Default 'false'. Optional

file

(pak) to be uploaded. Mandatory Field

id

Alert rule id. Mandatory Field

owner

ID of the user who will use the given alert rule. Mandatory Field

id

Alert rule id. Mandatory Field

owner

ID of the user who owns alert rule. Mandatory Field