Object type: Correlation rule object

A single Correlation rule object. In the responses every value, Booleans and numbers included, is serialized as a JSON string (for example "isGate":"false", "duration":"59"), so clients must compare against "true"/"false" and convert numbers explicitly.

Field | Description
---|---
actions | The actions to execute when the rule fires, given as a list of action IDs.
active | Boolean. If true, the rule is enabled and deployed; otherwise the rule is disabled. Applicable only if the rule is deployed in a correlation engine.
deployed | Boolean. If true, the rule is deployed in a correlation engine.
duration | The time window within which the rule must fire.
engineId | The unique ID of the correlation engine in which the rule is deployed. Applicable only if the rule is deployed in a correlation engine.
health | The health object of the rule. Applicable only if the rule is deployed in a correlation engine.
isGate | Boolean. If true, the rule is a composite rule; otherwise it is a sequence or simple rule.
mode | For a composite rule, this indicates which of the subrules must be triggered for the composite rule to fire (the composite example below uses all).
offline | Boolean. If true, the engine is in a stopped or error state. Applicable only if the rule is deployed in a correlation engine.
ruledescription | The description of the rule.
ruleId | The unique identifier of the rule.
rulelg | The rule expressed in the correlation rule language, as returned in the example responses below.
rulename | The name of the rule.
subrules | The rule definitions for 1 to n subrules. Each subrule is an independent, valid correlation rule.
updatetime | The time at which action execution is initiated when the rule fires.
Object type: Correlation rule health object

Correlation rule health data. All of these fields are applicable only if the rule is deployed in a correlation engine; timestamps are epoch milliseconds and durations are milliseconds.

Field | Description
---|---
Cardinality | The number of strings and related structures held in memory by this rule.
EPSCapacity | The processing time the rule consumes relative to the capacity of the engine.
EventRefCount | The number of events held in memory by this rule.
FiredCount | The number of times the rule has fired since it was deployed.
LastFiredTime | The time (epoch milliseconds) the rule last fired; 0 if it has not fired.
OutputRate | The number of times the rule has fired relative to the number of events it processed.
ProcessedCount | Present in the example responses below: the number of events the rule has processed, the denominator of OutputRate.
StatusChangedTime | The time (epoch milliseconds) at which the rule state last changed.
StatusDuration | How long (milliseconds) the rule has been in its present state.
TotalProcessingTime | The total time (milliseconds) the correlation engine has spent processing the rule since it was deployed or enabled.
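The following added example (written for this page, not code from the product or its SDK) shows how a client would triage the health object: it flags rules that are deployed but offline, disabled, expensive relative to engine capacity, silent for a long time, or holding many events in memory, and converts the millisecond fields into values an analyst can read. The two rule records are constructed from the example responses further down this page, trimmed to the fields used; the thresholds (EPS_CAPACITY_WARN, SILENT_MS, EVENT_REF_WARN) are assumptions chosen for illustration, not product defaults.

```python
# Added example: triage of Correlation rule health objects returned by
# GET correlation/rules/{ruleId}. Not code from the product; thresholds are
# assumptions for illustration only.
from datetime import datetime, timezone

# Constructed from the two example responses on this page, trimmed to the
# fields used here. Every value, Booleans and numbers included, is a string.
RULES = [
    {
        "rulename": "Monitor Sentinel Core Solution Pack Controls",
        "deployed": "true", "active": "true", "offline": "false",
        "health": {
            "FiredCount": "0", "StatusDuration": "177233726", "ProcessedCount": "5336",
            "StatusChangedTime": "1316410548886", "Cardinality": "0", "EventRefCount": "0",
            "LastFiredTime": "0", "TotalProcessingTime": "1945", "EPSCapacity": "0.0010",
            "OutputRate": "0.0",
        },
    },
    {
        "rulename": "Multiple Password Change",
        "deployed": "true", "active": "true", "offline": "false",
        "health": {
            "FiredCount": "0", "StatusDuration": "3528629", "ProcessedCount": "111",
            "StatusChangedTime": "1316593974074", "Cardinality": "0", "EventRefCount": "0",
            "LastFiredTime": "0", "TotalProcessingTime": "118", "EPSCapacity": "0.0033",
            "OutputRate": "0.0",
        },
    },
]

# Assumed thresholds (not product defaults).
EPS_CAPACITY_WARN = 0.05          # one rule consuming more than 5 % of engine capacity
SILENT_MS = 24 * 60 * 60 * 1000   # in its current state for a day without firing
EVENT_REF_WARN = 10_000           # events pinned in memory by a single rule


def as_bool(value):
    """The API serialises Booleans as the strings "true"/"false"; a plain
    truthiness test would treat "false" as True, so compare explicitly."""
    return str(value).strip().lower() == "true"


def ms_to_utc(ms):
    """Epoch-millisecond field to an aware datetime; 0 means 'never'."""
    ms = int(ms)
    if ms == 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage(rule):
    """Return a list of findings for one rule object; empty means healthy."""
    findings = []
    if not as_bool(rule.get("deployed", "false")):
        return ["not deployed: active, offline and health are not applicable"]
    health = rule.get("health")
    if health is None:
        return ["deployed but no health object returned"]
    if as_bool(rule.get("offline", "false")):
        findings.append("engine offline (stopped or error): rule is not evaluating events")
    if not as_bool(rule.get("active", "false")):
        findings.append("rule disabled")
    eps = float(health["EPSCapacity"])
    if eps > EPS_CAPACITY_WARN:
        findings.append(f"expensive rule: {eps:.1%} of engine capacity")
    fired = int(health["FiredCount"])
    status_ms = int(health["StatusDuration"])
    if fired == 0 and status_ms >= SILENT_MS:
        findings.append(f"never fired in {status_ms / 3_600_000:.1f} h of current state")
    if int(health["EventRefCount"]) > EVENT_REF_WARN:
        findings.append(f"{health['EventRefCount']} events held in memory")
    return findings


def summary(rule):
    """Derived values an analyst wants next to the findings."""
    h = rule["health"]
    processed = int(h.get("ProcessedCount", "0"))
    fired = int(h["FiredCount"])
    return {
        "rulename": rule["rulename"],
        "status_changed": ms_to_utc(h["StatusChangedTime"]),
        "last_fired": ms_to_utc(h["LastFiredTime"]),
        # OutputRate is fired relative to processed; recompute it as a cross-check.
        "output_rate": fired / processed if processed else 0.0,
        "ms_per_event": int(h["TotalProcessingTime"]) / processed if processed else 0.0,
        "findings": triage(rule),
    }


if __name__ == "__main__":
    for rule in RULES:
        print(summary(rule))
```

On the page's own data the first rule is flagged only as silent (no firings in about 49 hours in its current state, which for a rule watching for uninstalls is expected), while the second is too young to judge; the offline and EPSCapacity checks are the ones worth alerting on, because an offline engine means the detection is not running at all.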
Object type: Correlation rule subrule object

A subrule object from which a Correlation rule is built.

Field | Description
---|---
count | The number of times the expressions must meet the specified criteria for the subrule (and hence the rule) to fire.
duration | The duration within which the subrule must fire.
expressions | The criteria for the subrule: a list of expression objects, each with the tag, operator and value fields below.
isAnd | Boolean. The condition between the expressions in a subrule: if true, every expression must match (AND); if false, the expressions are combined with OR.
isTrigger | Boolean. If true, the subrule is a trigger and must fire more than once within a time range, that is, count matches within duration (the composite example below uses a trigger of 2 matches within a duration of 59).
operator | The condition used in the expression, for example = or match regex.
tag | The event attribute that forms the expression, for example e.EventName.
value | The value the event attribute is compared against: a quoted literal, or another event attribute such as e.TargetUserName.
GET correlation/rules/3E285CF0-54B3-102B-B39D-00C09F472961

Response (a simple rule, isGate false; quotes inside rulelg and value are JSON-escaped):

```json
{
  "ruleId": "3E285CF0-54B3-102B-B39D-00C09F472961",
  "rulename": "Monitor Sentinel Core Solution Pack Controls",
  "ruledescription": "This rule monitors the system to ensure that if any controls in this Solution Pack are uninstalled, security analysts are alerted.",
  "rulelg": "filter(((e.EventName = \"UNINSTALLED\")) AND ((e.TargetDataContainer match regex (\".*obj:///Sentinel Core Solution Pack.*\"))))",
  "isGate": "false",
  "duration": "0",
  "updatetime": "0",
  "deployed": "true",
  "engineId": "696080E0-9A20-1029-ADDD-0003BAC9707D",
  "active": "true",
  "offline": "false",
  "health": {
    "FiredCount": "0",
    "StatusDuration": "177233726",
    "ProcessedCount": "5336",
    "StatusChangedTime": "1316410548886",
    "Cardinality": "0",
    "EventRefCount": "0",
    "LastFiredTime": "0",
    "TotalProcessingTime": "1945",
    "EPSCapacity": "0.0010",
    "OutputRate": "0.0"
  },
  "subrules": [
    {
      "isAnd": "true",
      "isTrigger": "false",
      "duration": "0",
      "count": "0",
      "expressions": [
        {"tag": "e.EventName", "operator": "=", "value": "\"UNINSTALLED\""},
        {"tag": "e.TargetDataContainer", "operator": "match regex", "value": "\".*obj:///Sentinel Core Solution Pack.*\""}
      ]
    }
  ],
  "actions": ["522C5A23-A001-102E-BC0C-000C29BEC6AC"]
}
```

Error response if the rule does not exist: The resource not found.

GET correlation/rules/1E6470B0-C4AF-102E-B507-0019B94687A1

Response (a composite rule, isGate true, whose second subrule is a trigger):

```json
{
  "ruleId": "1E6470B0-C4AF-102E-B507-0019B94687A1",
  "rulename": "Multiple Password Change",
  "ruledescription": "This is the scenario when same user logs in and changes the password more than 2 times ,this rule has to trigger.",
  "rulelg": "gate(filter(((e.EventName = \"LoginUser\"))),filter(((e.EventName = \"ChangeUserPassword\")) AND ((e.InitiatorUserName = e.TargetUserName)))flow trigger(2,59) ,all,59)",
  "isGate": "true",
  "duration": "59",
  "mode": "all",
  "updatetime": "3600",
  "deployed": "true",
  "engineId": "696080E0-9A20-1029-ADDD-0003BAC9707D",
  "active": "true",
  "offline": "false",
  "health": {
    "FiredCount": "0",
    "StatusDuration": "3528629",
    "ProcessedCount": "111",
    "StatusChangedTime": "1316593974074",
    "Cardinality": "0",
    "EventRefCount": "0",
    "LastFiredTime": "0",
    "TotalProcessingTime": "118",
    "EPSCapacity": "0.0033",
    "OutputRate": "0.0"
  },
  "subrules": [
    {
      "isAnd": "false",
      "isTrigger": "false",
      "duration": "0",
      "count": "0",
      "expressions": [
        {"tag": "e.EventName", "operator": "=", "value": "\"LoginUser\""}
      ]
    },
    {
      "isAnd": "true",
      "isTrigger": "true",
      "duration": "59",
      "count": "2",
      "expressions": [
        {"tag": "e.EventName", "operator": "=", "value": "\"ChangeUserPassword\""},
        {"tag": "e.InitiatorUserName", "operator": "=", "value": "e.TargetUserName"}
      ]
    }
  ],
  "actions": ["777E5100-1960-102B-9985-001321B5C0B3"]
}
```

Error response if the rule does not exist: The resource not found.
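The following added example (written for this page, not code from the product or its SDK) ties the subrule object table to the two responses above: it parses a response body, rebuilds the rule-language text from the structured subrules (isAnd, isTrigger, count, duration, isGate, mode) and compares it with the rulelg field, and runs the consistency checks a client should make before trusting the object. The rendering rules are inferred from the two rulelg strings on this page and are an assumption about the format, not a documented grammar; the OR rendering for isAnd false and the requirement that a trigger have count of at least 2 are likewise assumptions drawn from the field descriptions. The two JSON documents are constructed from the responses above, trimmed to the fields used.

```python
# Added example: rebuild rulelg from the subrules array and validate a
# Correlation rule object. Not code from the product; the rendering rules
# are inferred from the two example responses on this page.
import json

# Constructed from the two example responses above, trimmed to the fields
# used here. Quotes inside values are JSON-escaped, as in a real response.
SIMPLE_RULE_JSON = r'''{
  "ruleId": "3E285CF0-54B3-102B-B39D-00C09F472961",
  "rulelg": "filter(((e.EventName = \"UNINSTALLED\")) AND ((e.TargetDataContainer match regex (\".*obj:///Sentinel Core Solution Pack.*\"))))",
  "isGate": "false", "duration": "0", "deployed": "true",
  "engineId": "696080E0-9A20-1029-ADDD-0003BAC9707D",
  "subrules": [{"isAnd": "true", "isTrigger": "false", "duration": "0", "count": "0",
    "expressions": [
      {"tag": "e.EventName", "operator": "=", "value": "\"UNINSTALLED\""},
      {"tag": "e.TargetDataContainer", "operator": "match regex",
       "value": "\".*obj:///Sentinel Core Solution Pack.*\""}]}]
}'''

GATE_RULE_JSON = r'''{
  "ruleId": "1E6470B0-C4AF-102E-B507-0019B94687A1",
  "rulelg": "gate(filter(((e.EventName = \"LoginUser\"))),filter(((e.EventName = \"ChangeUserPassword\")) AND ((e.InitiatorUserName = e.TargetUserName)))flow trigger(2,59) ,all,59)",
  "isGate": "true", "duration": "59", "mode": "all", "deployed": "true",
  "engineId": "696080E0-9A20-1029-ADDD-0003BAC9707D",
  "subrules": [
    {"isAnd": "false", "isTrigger": "false", "duration": "0", "count": "0",
     "expressions": [{"tag": "e.EventName", "operator": "=", "value": "\"LoginUser\""}]},
    {"isAnd": "true", "isTrigger": "true", "duration": "59", "count": "2",
     "expressions": [
       {"tag": "e.EventName", "operator": "=", "value": "\"ChangeUserPassword\""},
       {"tag": "e.InitiatorUserName", "operator": "=", "value": "e.TargetUserName"}]}]
}'''


def as_bool(value):
    """Booleans arrive as the strings "true"/"false"; bool("false") is True."""
    return str(value).strip().lower() == "true"


def render_expression(expr):
    value = expr["value"]
    if expr["operator"] == "match regex":
        value = f"({value})"   # the page's rulelg wraps regex literals in parentheses
    return f'{expr["tag"]} {expr["operator"]} {value}'


def render_subrule(sub):
    # OR for isAnd=false is assumed; both multi-expression examples use AND.
    joiner = " AND " if as_bool(sub["isAnd"]) else " OR "
    body = joiner.join(f"(({render_expression(e)}))" for e in sub["expressions"])
    text = f"filter({body})"
    if as_bool(sub["isTrigger"]):
        # A trigger subrule must match `count` times within `duration`;
        # the page's rulelg carries a trailing space after the trigger clause.
        text += f'flow trigger({int(sub["count"])},{int(sub["duration"])}) '
    return text


def render_rule(rule):
    parts = [render_subrule(s) for s in rule["subrules"]]
    if as_bool(rule["isGate"]):
        return f'gate({",".join(parts)},{rule["mode"]},{int(rule["duration"])})'
    if len(parts) != 1:
        raise ValueError("a simple rule must have exactly one subrule")
    return parts[0]


def validate(rule):
    """Consistency checks on the object before acting on its fields."""
    problems = []
    if as_bool(rule["isGate"]) and not rule.get("mode"):
        problems.append("composite rule without mode")
    if as_bool(rule.get("deployed", "false")) and not rule.get("engineId"):
        problems.append("deployed rule without engineId")
    for i, sub in enumerate(rule["subrules"]):
        if not sub["expressions"]:
            problems.append(f"subrule {i}: no expressions")
        if as_bool(sub["isTrigger"]) and (int(sub["count"]) < 2 or int(sub["duration"]) <= 0):
            problems.append(f"subrule {i}: a trigger needs count >= 2 and duration > 0")
    return problems


def check_rule(raw_json):
    """Parse a response body; return (ruleId, rendered rulelg, matches, problems)."""
    rule = json.loads(raw_json)
    problems = validate(rule)
    rendered = render_rule(rule) if not problems else None
    return rule["ruleId"], rendered, rendered == rule["rulelg"], problems


if __name__ == "__main__":
    for raw in (SIMPLE_RULE_JSON, GATE_RULE_JSON):
        print(check_rule(raw))
```

Rebuilding rulelg from the subrules is a useful cross-check when rules are exported, diffed or provisioned through this API: a mismatch means the structured fields and the deployed logic have drifted apart, and the as_bool helper guards against the classic mistake of treating the string "false" as true.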