Object type: Correlation rules object

All existing Correlation rules in the Sentinel system.

Field | Description
---|---
active | Boolean. If true, the rule is enabled and deployed; otherwise the rule is disabled. Applicable only if the rule is deployed in a correlation engine.
deployed | Boolean. If true, the rule is deployed into a correlation engine.
duration | The time duration within which the rule should fire.
engineId | The unique ID of the Correlation engine where the rule is deployed. Applicable only if the rule is deployed into a correlation engine.
health | The health object of the rule (see the Correlation rule health object below). Applicable only if the rule is deployed into a correlation engine.
isGate | Boolean. If true, the rule is a composite rule; otherwise the rule is a sequence/simple rule.
offline | Boolean. If true, the engine is in a stopped or error state. Applicable only if the rule is deployed into a correlation engine.
ruledescription | The description of the rule.
ruleId | The unique identifier of the rule.
rulename | The name of the rule.
rules | The list of Correlation rule objects.
updatetime | The time to initiate action execution when a rule fires.
Object type: Correlation rule health object

Correlation rule health data. Every field in this object applies only if the rule is deployed into a correlation engine.

Field | Description
---|---
Cardinality | The number of strings and related structures held in memory by this rule.
EPSCapacity | The processing time the rule consumes relative to the capacity of the engine.
EventRefCount | The number of events held in memory by this rule.
FiredCount | The number of times the rule has fired since it was deployed.
LastFiredTime | The last time (in milliseconds) the rule fired.
OutputRate | The number of times the rule has fired relative to the events processed.
StatusChangedTime | The time (in milliseconds) at which the rule state last changed.
StatusDuration | The duration (in milliseconds) the rule has been in its present state.
TotalProcessingTime | The total time (in milliseconds) the Correlation Engine has spent processing the rule since it was deployed or enabled.
GET correlation/rules

```json
{
  "rules": [
    {
      "ruleId": "FE4BDFB0-9539-102E-98DA-000C29D8AA3D",
      "rulename": "Event Source No Timezone",
      "ruledescription": "Event Source created with unspecified timezone.",
      "isGate": "false",
      "duration": "0",
      "updatetime": "0",
      "deployed": "false",
      "active": "false",
      "offline": "false"
    },
    {
      "ruleId": "3E285CF0-54B3-102B-B39D-00C09F472961",
      "rulename": "Monitor Sentinel Core Solution Pack Controls",
      "ruledescription": "This rule monitors the system to ensure that if any controls in this Solution Pack are uninstalled, security analysts are alerted.",
      "isGate": "false",
      "duration": "0",
      "updatetime": "0",
      "deployed": "true",
      "engineId": "696080E0-9A20-1029-ADDD-0003BAC9707D",
      "active": "true",
      "offline": "false",
      "health": {
        "FiredCount": "0",
        "StatusDuration": "119007903",
        "ProcessedCount": "3591",
        "StatusChangedTime": "1316410548886",
        "Cardinality": "0",
        "EventRefCount": "0",
        "LastFiredTime": "0",
        "TotalProcessingTime": "897",
        "EPSCapacity": "7.0E-4",
        "OutputRate": "0.0"
      }
    }
  ]
}
```
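Two details of the response above matter to anyone consuming it for monitoring: every Boolean and numeric field is serialised as a JSON string (`"deployed":"true"`, `"EPSCapacity":"7.0E-4"`), so a client must coerce types before comparing them, and `engineId` and `health` are present only for deployed rules. The following client is an added example, not Sentinel's own code. It parses the sample response into typed objects covering both field tables, then groups rules by detection-coverage concern (rules not deployed, deployed but inactive, engine offline, never fired, high engine load). Assumptions: the millisecond time fields are epoch-based (inferred from the sample values), `ProcessedCount`, which appears in the sample but not in the health table, is kept as an optional integer, and the finding categories and the `eps_capacity_warn` threshold are this example's own choices, not API semantics.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed fixture: the response body from the page, re-wrapped; not a live API call.
SAMPLE_RESPONSE = """{"rules":[
{"ruleId":"FE4BDFB0-9539-102E-98DA-000C29D8AA3D","rulename":"Event Source No Timezone","ruledescription":"Event Source created with unspecified timezone.","isGate":"false","duration":"0","updatetime":"0","deployed":"false","active":"false","offline":"false"},
{"ruleId":"3E285CF0-54B3-102B-B39D-00C09F472961","rulename":"Monitor Sentinel Core Solution Pack Controls","ruledescription":"This rule monitors the system to ensure that if any controls in this Solution Pack are uninstalled, security analysts are alerted.","isGate":"false","duration":"0","updatetime":"0","deployed":"true","engineId":"696080E0-9A20-1029-ADDD-0003BAC9707D","active":"true","offline":"false",
 "health":{"FiredCount":"0","StatusDuration":"119007903","ProcessedCount":"3591","StatusChangedTime":"1316410548886","Cardinality":"0","EventRefCount":"0","LastFiredTime":"0","TotalProcessingTime":"897","EPSCapacity":"7.0E-4","OutputRate":"0.0"}}
]}"""

def _bool(value) -> bool:
    # The API serialises Booleans as the strings "true"/"false"; reject anything else.
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"not a Boolean field value: {value!r}")
    return text == "true"

@dataclass
class RuleHealth:
    fired_count: int
    status_duration_ms: int
    status_changed_time_ms: int
    cardinality: int
    event_ref_count: int
    last_fired_time_ms: int
    total_processing_time_ms: int
    eps_capacity: float
    output_rate: float
    processed_count: Optional[int]  # present in the sample, not described in the health table

    @classmethod
    def from_api(cls, h: dict) -> "RuleHealth":
        return cls(
            fired_count=int(h["FiredCount"]),
            status_duration_ms=int(h["StatusDuration"]),
            status_changed_time_ms=int(h["StatusChangedTime"]),
            cardinality=int(h["Cardinality"]),
            event_ref_count=int(h["EventRefCount"]),
            last_fired_time_ms=int(h["LastFiredTime"]),
            total_processing_time_ms=int(h["TotalProcessingTime"]),
            eps_capacity=float(h["EPSCapacity"]),
            output_rate=float(h["OutputRate"]),
            processed_count=int(h["ProcessedCount"]) if "ProcessedCount" in h else None,
        )

    def last_fired(self) -> Optional[datetime]:
        # LastFiredTime is milliseconds, assumed epoch-based; 0 reads as "never fired" in the sample.
        ms = self.last_fired_time_ms
        return None if ms == 0 else datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

@dataclass
class CorrelationRule:
    rule_id: str
    name: str
    description: str
    is_gate: bool
    duration: int
    update_time: int
    deployed: bool
    active: bool
    offline: bool
    engine_id: Optional[str]
    health: Optional[RuleHealth]

    @classmethod
    def from_api(cls, r: dict) -> "CorrelationRule":
        deployed = _bool(r["deployed"])
        # engineId and health only carry meaning for deployed rules.
        return cls(
            rule_id=r["ruleId"], name=r["rulename"], description=r.get("ruledescription", ""),
            is_gate=_bool(r["isGate"]), duration=int(r["duration"]), update_time=int(r["updatetime"]),
            deployed=deployed, active=_bool(r["active"]), offline=_bool(r["offline"]),
            engine_id=r.get("engineId") if deployed else None,
            health=RuleHealth.from_api(r["health"]) if deployed and "health" in r else None,
        )

def parse_rules(body: str) -> List[CorrelationRule]:
    return [CorrelationRule.from_api(r) for r in json.loads(body)["rules"]]

def coverage_findings(rules: List[CorrelationRule], eps_capacity_warn: float = 0.5) -> Dict[str, List[str]]:
    # Group rule names by coverage concern; the categories and threshold are this example's own.
    findings: Dict[str, List[str]] = {k: [] for k in ("not_deployed", "deployed_inactive", "engine_offline", "never_fired", "high_load")}
    for rule in rules:
        if not rule.deployed:
            findings["not_deployed"].append(rule.name)
            continue
        if not rule.active:
            findings["deployed_inactive"].append(rule.name)
        if rule.offline:
            findings["engine_offline"].append(rule.name)
        if rule.health and rule.health.fired_count == 0:
            findings["never_fired"].append(rule.name)
        if rule.health and rule.health.eps_capacity >= eps_capacity_warn:
            findings["high_load"].append(rule.name)
    return findings
```

Run `coverage_findings(parse_rules(SAMPLE_RESPONSE))` to see the sample classified: the first rule lands in `not_deployed` and the second in `never_fired`, while `engine_offline` stays empty because `offline` is `"false"` for the deployed rule. A rule that is deployed with `offline` true is the case worth alerting on, since the rule looks present in the inventory while its engine is stopped or in error and it is not evaluating events.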