Rules & Rulesets (v3)

NOTE

The Rules v3 endpoints are new in the Distributed Cloud AIP API as of March 2023. The Rules v3 and v2 endpoints will work simultaneously while Distributed Cloud AIP migrates all organizations to Rules v3. Once your organization converts to Rules v3, you should begin utilizing the new functionality.

Distributed Cloud AIP takes a behavior-based approach to security alerting, governed by rules that focus on events that you consider important. A rule is a statement that tells software what data to look for and how to react to that data. Distributed Cloud AIP uses the rules enabled in your infrastructure to continuously compare event data to alert criteria. When a rule matches alert criteria, then an alert triggers for the event.

To learn more about the different types of rules available in Distributed Cloud AIP, see Rule Creation Overview.

Managed and Unmanaged Rules

In addition to your existing, traditional (unmanaged) rules, Rules v3 includes managed rules. Distributed Cloud AIP internally coordinates and monitors these managed rules, which you can leverage in your environment to help you save time on rule creation and management.

Distributed Cloud AIP controls specific fields for managed rules, including the title, description, filter, managed suppressions, and managed classifiers. These managed rules will periodically update to ensure that your rules contain the most accurate and up-to-date information. See Rule Release and Changelog for the most recent changes.

NOTE

Rulesets and alerting properties (such as alert frequency) for managed rules are organization-specific, meaning you can change them to better fit your infrastructure. The only fixed fields for managed rules are the title, description, filters, managed classifiers, and managed suppressions.

Unmanaged, or traditional, rules are not managed by Distributed Cloud AIP. You can fully customize unmanaged rule titles, descriptions, classifiers, filters, and suppressions to fit your infrastructure’s unique needs.

These rules can help you elevate the visibility of security data that matters to you, such as specific user behaviors, container behavior, and/or compliance alignment. Unmanaged rules can also help you to exclude or suppress unactionable or unnecessary data from your environment. For more information about the types of rules you can create, see Rule Creation Overview.

List All Rulesets in an Organization

Overview

This method enables you to retrieve a list of all the rulesets in your organization.

Sample Query

List all rulesets in your organization:

https://api.threatstack.com/v3/rulesets

Request

query Parameters

token

string (PaginationToken)

This endpoint returns up to 360 records per query. Use the token value from the response to query for the next page. When the token value is null in the response, you have reached the end of the results list.

Example: token=eyAibGltaXQiOiAxMCwgIm9mZnNldCI6IDAgfQ==

Responses

200

Success

400

Bad parameters

401

Unauthorized response

409

Resource already exists

429

Rate limit hit

500

An internal error has occurred

get/rulesets

Response samples

application/json

{"rulesets": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z"
}
]
}

Create a Ruleset

Overview

This method enables you to create a new ruleset in your organization.

NOTE

To add a rule to a ruleset, use the Create a Rule or Update a Rule endpoints.

Sample Query

Create a ruleset in your organization:

https://api.threatstack.com/v3/rulesets

Error Handling Tips

400: Incorrect syntax in the message body.
409: The ruleset name duplicates an existing ruleset name.

Request

Request Body schema: application/json

Create ruleset object

name required	string (RuleSetName) [ 1 .. 200 ] characters Name of the ruleset WARNING: The ruleset name cannot duplicate another ruleset name in the organization.
description required	string (RuleSetDescription) [ 1 .. 300 ] characters Description of the ruleset

Responses

200

Success

400

Bad parameters

401

Unauthorized response

429

Rate limit hit

500

An internal error has occurred

post/rulesets

Request samples

Payload

application/json

{"name": "string",
"description": "string"
}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z"
}

Get a Ruleset

Overview

This method enables you to retrieve the details of a ruleset using a rulesetId.

NOTE

You can only pass one rulesetId at a time.

Sample Query

Retrieve a ruleset by ID:

https://api.threatstack.com/v3/rulesets/{rulesetId}

Error Handling Tips

404: The rulesetId was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleSetId)

The ID of the ruleset

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

get/rulesets/{rulesetId}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z"
}

Update a Ruleset

Overview

This method enables you to update a ruleset in your organization.

NOTE

You can only pass one rulesetId at a time.

The id in the request body must match the rulesetId in the path.

Sample Query

Update a ruleset by ID:

https://api.threatstack.com/v3/rulesets/{rulesetID}

Error Handling Tips

400: Incorrect syntax in the message body.
404: One of the following occurred:
- The ruleset was not found.
- One of the rules in the ruleset does not exist.
409: The ruleset name duplicates an existing ruleset name.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleSetId)

The ID of the ruleset to update

Request Body schema: application/json

required	UUIdentifier (string) or MongoIdentifier (string) (RuleSetId)
name	string (RuleSetName) [ 1 .. 200 ] characters Name of the ruleset WARNING: The ruleset name cannot duplicate another ruleset name in the organization.
description	string (RuleSetDescription) [ 1 .. 300 ] characters Description of the ruleset

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

409

Resource already exists

429

Rate limit hit

500

An internal error has occurred

put/rulesets/{rulesetId}

Request samples

Payload

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string"
}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z"
}

Delete a Ruleset

Overview

This method enables you to permanently delete a ruleset from your organization.

IMPORTANT:

This method does not delete the rules associated with the deleted ruleset. Any alerts generated by rules in the deleted ruleset are not deleted. These alerts continue to list the rule that triggered the alert, even though the ruleset no longer exists.

Sample Query

Delete a ruleset by ID:

https://api.threatstack.com/v3/rulesets/{rulesetId}

Error Handling Tips

404: The ruleset was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleSetId)

The ID of the ruleset to delete

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

delete/rulesets/{rulesetId}

Response samples

application/json

{ }

List All Agents Assigned to a Ruleset

Overview

This method enables you to retrieve a list of all Agents assigned to a ruleset in your organization.

Sample Query

Retrieve a list of all Agents assigned to a ruleset by ruleset ID:

https://api.threatstack.com/v3/rulesets/{rulesetId}/agents

Error Handling Tips

404: The ruleset was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleSetId)

The ID of the ruleset

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

get/rulesets/{rulesetId}/agents

Response samples

application/json

{"agents": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"online": true
}
]
}

List All Rules in an Organization

Overview

This method enables you to retrieve a list of all rules in your organization.

Sample Query

Retrieve a list of all rules:

https://api.threatstack.com/v3/rules

Request

query Parameters

token

string (PaginationToken)

Example: token=eyAibGltaXQiOiAxMCwgIm9mZnNldCI6IDAgfQ==

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

get/rules

Response samples

application/json

{"rules": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"rulesetId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"filter": "user = \"root\"",
"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
],
"ruleClassifiers": [{"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"name": "string",
"modifier": "2-4"
}
],
"ruleType": "cloudtrail",
"ruleAlertOptions": {"title": "Detected activity from {{user}}.",
"windowSeconds": 3600,
"threshold": 1,
"severity": 1,
"alertEnabled": true,
"aggregates": ["exe",
"user"
]
},
"fileIntegrityRuleOptions": {"exclusions": ["/foo/bar/*"
],
"events": ["CREATE",
"DELETE"
],
"files": [{"recursive": false,
"path": "/etc/foo/bar/*"
}
]
},
"managed": true,
"enabled": true,
"clonedFrom": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"assignmentType": "asset"
}
]
}

Create a Rule

Overview

This method enables you to create a rule in your organization.

Sample Query

Create a rule:

https://api.threatstack.com/v3/rules

Error Handling Tips

400: Incorrect syntax in the message body.

Request

Request Body schema: application/json

Create rule object

	UUIdentifier (string) or MongoIdentifier (string) Optional ID of the ruleset to which this rule belongs
name required	string (RuleName) [ 1 .. 200 ] characters Name of the rule
description required	string (RuleDescription) [ 0 .. 300 ] characters Description of the rule
filter required	string (RuleFilter) [ 0 .. 300 ] characters Defines the conditions under which a rule produces an alert. IMPORTANT: Filters must pass validation specified by the Distributed Cloud AIP filter query language.
required	Array of objects (Suppression) List of suppressions added to the rule
required	Array of objects (RuleClassifier) Classification label assigned to the rule
ruleType required	string (RuleType) Type of the rule. This field is case insensitive. IMPORTANT: Rules with the `file` type require the `fileIntegrityRuleOptions` field to be set. Enum: "cloudtrail" "file" "linux" "hostless" "kubernetes" "netflow" "windows"
required	object (RuleAlertOptions) For rules that alert, this contains the alert-specific properties and configurations. IMPORTANT: This field cannot be defined for `Classification` assignment type rules.
required	object (FileIntegrityRuleOptions) File Integrity Monitoring properties for `file` rules. IMPORTANT: You must set this option in order to create or update a `file` rule.
assignmentType	string (RuleAssignmentType) Assignment type of the rule. This field is case insensitive. This field is optional unless the `ruleAlertOptions` field is also set. Asset-based assignment: The traditional assignment method, which uses the Agents assigned to the ruleset and tags to determine if an event should have a rule applied. Classification-based assignment: Applies the rule to all events in the organization's event stream that match the rule event type. There are two restrictions: You cannot use the `Classification` assignment type with the `file` ruleEventType You cannot use the `Classification` assignment type with alerting. The `ruleAlertOptions` field cannot be defined. Enum: "asset" "classification"
enabled required	boolean Flag that shows whether the rule is enabled (`true`) or disabled (`false`)

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

409

Bad parameters

429

Rate limit hit

500

An internal error has occurred

post/rules

Request samples

Payload

application/json

{"rulesetId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"filter": "user = \"root\"",
"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
],
"ruleClassifiers": [{"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"name": "string",
"modifier": "2-4"
}
],
"ruleType": "cloudtrail",
"ruleAlertOptions": {"title": "Detected activity from {{user}}.",
"windowSeconds": 3600,
"threshold": 1,
"severity": 1,
"alertEnabled": true,
"aggregates": ["exe",
"user"
]
},
"fileIntegrityRuleOptions": {"exclusions": ["/foo/bar/*"
],
"events": ["CREATE",
"DELETE"
],
"files": [{"recursive": false,
"path": "/etc/foo/bar/*"
}
]
},
"assignmentType": "asset",
"enabled": true
}

Response samples

application/json

{"rules": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"rulesetId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"filter": "user = \"root\"",
"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
],
"ruleClassifiers": [{"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"name": "string",
"modifier": "2-4"
}
],
"ruleType": "cloudtrail",
"ruleAlertOptions": {"title": "Detected activity from {{user}}.",
"windowSeconds": 3600,
"threshold": 1,
"severity": 1,
"alertEnabled": true,
"aggregates": ["exe",
"user"
]
},
"fileIntegrityRuleOptions": {"exclusions": ["/foo/bar/*"
],
"events": ["CREATE",
"DELETE"
],
"files": [{"recursive": false,
"path": "/etc/foo/bar/*"
}
]
},
"managed": true,
"enabled": true,
"clonedFrom": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"assignmentType": "asset"
}
]
}

Get a Rule

Overview

This method enables you to retrieve the details of a rule in your organization.

NOTE

You can only pass one ruleId at a time.

Sample Query

Retrieve a rule by ID:

https://api.threatstack.com/v3/rules/{ruleId}

Error Handling Tips

404: The rule was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleId)

The ID of the rule

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

get/rules/{ruleId}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"rulesetId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"filter": "user = \"root\"",
"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
],
"ruleClassifiers": [{"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"name": "string",
"modifier": "2-4"
}
],
"ruleType": "cloudtrail",
"ruleAlertOptions": {"title": "Detected activity from {{user}}.",
"windowSeconds": 3600,
"threshold": 1,
"severity": 1,
"alertEnabled": true,
"aggregates": ["exe",
"user"
]
},
"fileIntegrityRuleOptions": {"exclusions": ["/foo/bar/*"
],
"events": ["CREATE",
"DELETE"
],
"files": [{"recursive": false,
"path": "/etc/foo/bar/*"
}
]
},
"managed": true,
"enabled": true,
"clonedFrom": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"assignmentType": "asset"
}

Update a Rule

Overview

This method enables you to update an existing rule in your environment.

NOTE

You can only pass one ruleId at a time.

The id in the request body must match the ruleId in the path.

You cannot update the ruleType with this method.

Sample Query

Update a rule by ID:

https://api.threatstack.com/v3/rules/{ruleId}

Error Handling Tips

400: Incorrect syntax in message body.
404: The rule was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleId)

The ID of the rule to update

Request Body schema: application/json

Update rule obect

required	UUIdentifier (string) or MongoIdentifier (string) The ID of the rule to update. WARNING: The ID must match the ruleId in the path.
	UUIdentifier (string) or MongoIdentifier (string) Optional ID of the ruleset to which this rule belongs
name	string (RuleName) [ 1 .. 200 ] characters Name of the rule
description	string (RuleDescription) [ 0 .. 300 ] characters Description of the rule
filter	string (RuleFilter) [ 0 .. 300 ] characters Defines the conditions under which a rule produces an alert. IMPORTANT: Filters must pass validation specified by the Distributed Cloud AIP filter query language.
	Array of objects (Suppression) List of suppressions added to the rule
	Array of objects (RuleClassifier) Classification label assigned to the rule
ruleType	string (RuleType) Type of the rule. This field is case insensitive. IMPORTANT: Rules with the `file` type require the `fileIntegrityRuleOptions` field to be set. Enum: "cloudtrail" "file" "linux" "hostless" "kubernetes" "netflow" "windows"
	object (RuleAlertOptions) For rules that alert, this contains the alert-specific properties and configurations. IMPORTANT: This field cannot be defined for `Classification` assignment type rules.
	object (FileIntegrityRuleOptions) File Integrity Monitoring properties for `file` rules. IMPORTANT: You must set this option in order to create or update a `file` rule.
assignmentType	string (RuleAssignmentType) Assignment type of the rule. This field is case insensitive. This field is optional unless the `ruleAlertOptions` field is also set. Asset-based assignment: The traditional assignment method, which uses the Agents assigned to the ruleset and tags to determine if an event should have a rule applied. Classification-based assignment: Applies the rule to all events in the organization's event stream that match the rule event type. There are two restrictions: You cannot use the `Classification` assignment type with the `file` ruleEventType You cannot use the `Classification` assignment type with alerting. The `ruleAlertOptions` field cannot be defined. Enum: "asset" "classification"
enabled required	boolean Flag that shows whether the rule is enabled (`true`) or disabled (`false`)

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

put/rules/{ruleId}

Request samples

Payload

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"rulesetId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"filter": "user = \"root\"",
"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
],
"ruleClassifiers": [{"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"name": "string",
"modifier": "2-4"
}
],
"ruleType": "cloudtrail",
"ruleAlertOptions": {"title": "Detected activity from {{user}}.",
"windowSeconds": 3600,
"threshold": 1,
"severity": 1,
"alertEnabled": true,
"aggregates": ["exe",
"user"
]
},
"fileIntegrityRuleOptions": {"exclusions": ["/foo/bar/*"
],
"events": ["CREATE",
"DELETE"
],
"files": [{"recursive": false,
"path": "/etc/foo/bar/*"
}
]
},
"assignmentType": "asset",
"enabled": true
}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"rulesetId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"filter": "user = \"root\"",
"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
],
"ruleClassifiers": [{"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"name": "string",
"modifier": "2-4"
}
],
"ruleType": "cloudtrail",
"ruleAlertOptions": {"title": "Detected activity from {{user}}.",
"windowSeconds": 3600,
"threshold": 1,
"severity": 1,
"alertEnabled": true,
"aggregates": ["exe",
"user"
]
},
"fileIntegrityRuleOptions": {"exclusions": ["/foo/bar/*"
],
"events": ["CREATE",
"DELETE"
],
"files": [{"recursive": false,
"path": "/etc/foo/bar/*"
}
]
},
"managed": true,
"enabled": true,
"clonedFrom": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"assignmentType": "asset"
}

Delete a Rule

Overview

This method enables you to delete a rule from your organization.

NOTE

You can only pass one ruleId at a time.

IMPORTANT

This method does not delete any alerts that the rule has generated. These alerts continue to list the rule that triggered the alert, even though the rule no longer exists.

Sample Query

Delete a rule by ID:

https://api.threatstack.com/v3/rules/{ruleId}

Error Handling Tips

404: The rule was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleId)

The ID of the rule to delete

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

delete/rules/{ruleId}

Response samples

application/json

{ }

Add a Suppression to a Rule

Overview

This method allows you to add a suppression to an existing rule in your environment.

NOTE

You can only pass one ruleId at a time.

You can only pass one suppressionId at a time.

IMPORTANT

Any active alerts that would have been suppressed prior to adding the suppression will not be retroactively suppressed.

Sample Query

Add a suppression to a rule by IDs:

https://api.threatstack.com/v3/rules/{ruleId}/suppressions/{suppressionId}

Error Handling Tips

404: One of the following occurred:
- The rule was not found.
- The suppression was not found.

Request

path Parameters

required	UUIdentifier (string) or MongoIdentifier (string) (RuleId) The ID of the rule
required	UUIdentifier (string) or MongoIdentifier (string) (SuppressionId) The ID of the suppression to add

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

put/rules/{ruleId}/suppressions/{suppressionId}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"rulesetId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"filter": "user = \"root\"",
"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
],
"ruleClassifiers": [{"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"name": "string",
"modifier": "2-4"
}
],
"ruleType": "cloudtrail",
"ruleAlertOptions": {"title": "Detected activity from {{user}}.",
"windowSeconds": 3600,
"threshold": 1,
"severity": 1,
"alertEnabled": true,
"aggregates": ["exe",
"user"
]
},
"fileIntegrityRuleOptions": {"exclusions": ["/foo/bar/*"
],
"events": ["CREATE",
"DELETE"
],
"files": [{"recursive": false,
"path": "/etc/foo/bar/*"
}
]
},
"managed": true,
"enabled": true,
"clonedFrom": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"assignmentType": "asset"
}

Remove a Suppression from a Rule

Overview

This method enables you to remove a suppression from a rule in your organization.

NOTE

You can only pass one ruleId at a time.

You can only pass one suppressionId at a time.

Sample Query

Remove a suppression from a rule by IDs:

https://api.threatstack.com/v3/rules/{ruleId}/suppressions/{suppressionId}

Error Handling Tips

404: One of the following occurred:
- The rule was not found.
- The suppression was not found.

Request

path Parameters

required	UUIdentifier (string) or MongoIdentifier (string) (RuleId) The ID of the rule from which to remove the suppression
required	UUIdentifier (string) or MongoIdentifier (string) (SuppressionId) The ID of the suppression to remove

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

delete/rules/{ruleId}/suppressions/{suppressionId}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"rulesetId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"description": "string",
"filter": "user = \"root\"",
"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
],
"ruleClassifiers": [{"id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
"name": "string",
"modifier": "2-4"
}
],
"ruleType": "cloudtrail",
"ruleAlertOptions": {"title": "Detected activity from {{user}}.",
"windowSeconds": 3600,
"threshold": 1,
"severity": 1,
"alertEnabled": true,
"aggregates": ["exe",
"user"
]
},
"fileIntegrityRuleOptions": {"exclusions": ["/foo/bar/*"
],
"events": ["CREATE",
"DELETE"
],
"files": [{"recursive": false,
"path": "/etc/foo/bar/*"
}
]
},
"managed": true,
"enabled": true,
"clonedFrom": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"assignmentType": "asset"
}

List All Classification Labels Attached to a Rule

Overview

This method enables you to retrieve a list of all classification labels attached to a rule.

NOTE

You can only pass one ruleId at a time.

Sample Query

Retrieve a list of all classification labels attached to a rule by ID:

https://api.threatstack.com/v3/rules/{ruleId}/classificationLabels

Error Handling Tips

404: The rule was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleId)

The ID of the rule

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

get/rules/{ruleId}/classificationLabels

Response samples

application/json

[{"labelId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"domainId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"domainName": "Compliance",
"categoryId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"categoryName": "ISO 27001",
"labelName": "A.9.2",
"labelModifier": "(b)"
}
]

Attach Multiple Classification Labels to a Rule

Overview

This method enables you to attach multiple classification labels to an existing rule.

NOTE

You can only pass one ruleId at a time.

Sample Query

Attach classification labels to a rule by ID:

https://api.threatstack.com/v3/rules/{ruleId}/classificationLabels

Error Handling Tips

404: One of the following occurred:
- The rule was not found.
- One or more of the classification labels was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (RuleId)

The ID of the rule

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

put/rules/{ruleId}/classificationLabels

Response samples

application/json

[{"labelId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"domainId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"domainName": "Compliance",
"categoryId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"categoryName": "ISO 27001",
"labelName": "A.9.2",
"labelModifier": "(b)"
}
]

Attach a Classification Label to a Rule

Overview

This method enables you to attach a classification label to a rule.

NOTE

You can only pass one ruleId at a time.

You can only pass one labelId at a time.

Sample Queries

Attach a classification label to a rule by IDs:

https://api.threatstack.com/v3/rules/{ruleId}/classificationLabels/{labelId}

Attach a classification label with modifier to a rule by IDs:

https://api.threatstack.com/v3/rules/{ruleId}/classificationLabels/{labelId}?modifier=(b)

Error Handling Tips

404: One of the following occurred:
- The rule was not found.
- The classification label was not found.

Request

path Parameters

required	UUIdentifier (string) or MongoIdentifier (string) (RuleId) The ID of the rule
required	UUIdentifier (string) or MongoIdentifier (string) (ClassificationLabelId) The ID of the classification label to attach

query Parameters

modifier

string (ClassificationLabelModifier)

The optional modifier applied to this classification label on this rule

Example: modifier=(b)

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

put/rules/{ruleId}/classificationLabels/{labelId}

Response samples

application/json

{"labelId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"domainId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"domainName": "Compliance",
"categoryId": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"categoryName": "ISO 27001",
"labelName": "A.9.2",
"labelModifier": "(b)"
}

Remove a Classification Label from a Rule

Overview

This method enables you to remove a classification label from a rule.

NOTE

You can only pass one ruleId at a time.

You can only pass one labelId at a time.

Sample Query

Remove a classification label from a rule by IDs:

https://api.threatstack.com/v3/rules/{ruleId}/classificationLabels/{labelId}

Error Handling Tips

404: One of the following occurred:
- The rule was not found.
- The classification label was not found.

Request

path Parameters

required	UUIdentifier (string) or MongoIdentifier (string) (RuleId) The ID of the rule
required	UUIdentifier (string) or MongoIdentifier (string) (ClassificationLabelId) The ID of the classification label to remove

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

delete/rules/{ruleId}/classificationLabels/{labelId}

Response samples

application/json

"Successfully removed labelId: 00000000-aaaa-0000-aaaa-0000000000 from ruleId: 00000000-aaaa-0000-aaaa-0000000000."

List All Suppressions in an Organization

Overview

This method enables you to retrieve a list of all suppressions in your organization.

Sample Queries

Retrieve a list of all suppressions:

https://api.threatstack.com/v3/suppressions

Request

query Parameters

token

string (PaginationToken)

Example: token=eyAibGltaXQiOiAxMCwgIm9mZnNldCI6IDAgfQ==

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

get/suppressions

Response samples

application/json

{"suppressions": [{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}
]
}

Create a Suppression

Overview

This method enables you to create a rule suppression in your organization.

Sample Query

Create a suppression in your organization:

https://api.threatstack.com/v3/suppressions

Error Handling Tips

400: Incorrect syntax in the message body.

Request

Request Body schema: application/json

Create suppression object

name	string (SuppressionName) [ 1 .. 200 ] characters Name of the suppression
filter required	string (SuppressionFilter) [ 0 .. 300 ] characters Defines the conditions under which a suppression suppresses a rule alert. IMPORTANT: Filters must pass validation specified by the Distributed Cloud AIP filter query language.

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

post/suppressions

Request samples

Payload

application/json

{"name": "string",
"filter": "user = \"root\""
}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}

Get a Suppression

Overview

This method enables you to retrieve the details of a suppression using a suppressionId.

NOTE

You can only pass one suppressionId at a time.

Sample Query

Retrieve a suppression by ID:

https://api.threatstack.com/v3/suppressions/{suppressionId}

Error Handling Tips

404: The rule was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (SuppressionId)

The ID of the suppression

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

get/suppressions/{suppressionId}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}

Update a Suppression

Overview

This method enables you to update a suppression by suppressionId.

NOTE

You can only pass one suppressionId at a time.

Sample Query

Update a suppression:

https://api.threatstack.com/v3/suppressions/{suppressionId}

Error Handling Tips

400: Incorrect syntax in the message body.
404: The suppression was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (SuppressionId)

The ID of the suppression to update

Request Body schema: application/json

Update suppression object

required	UUIdentifier (string) or MongoIdentifier (string) The ID of the suppression to update. IMPORTANT: This ID must match the suppression ID in the path.
name	string (SuppressionName) [ 1 .. 200 ] characters Name of the suppression
filter	string (SuppressionFilter) [ 0 .. 300 ] characters Defines the conditions under which a suppression suppresses a rule alert. IMPORTANT: Filters must pass validation specified by the Distributed Cloud AIP filter query language.

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

put/suppressions/{suppressionId}

Request samples

Payload

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}

Response samples

application/json

{"id": "e5034ccf-bf8e-4005-b942-737deaf4c491",
"name": "string",
"filter": "user = \"root\""
}

Delete a Suppression

Overview

This method enables you to delete a suppression by suppressionId.

NOTE

You can only pass one suppressionId at a time.

IMPORTANT

Any suppressions that you delete are automatically removed from the rules to which they were added and no longer suppress alerts. Once the suppression is deleted, previously suppressed alerts will not generate retroactively, but new alerts may generate that previously would have been suppressed.

Sample Query

Delete a suppression:

https://api.threatstack.com/v3/suppressions/{suppressionId}

Error Handling Tips

400: Incorrect syntax in the message body.
404: The suppression was not found.

Request

path Parameters

required

UUIdentifier (string) or MongoIdentifier (string) (SuppressionId)

The ID of the suppression to delete

Responses

200

Success

400

Bad parameters

401

Unauthorized response

404

The resource was not found

429

Rate limit hit

500

An internal error has occurred

delete/suppressions/{suppressionId}

Response samples

application/json

{ }

➔ Next to Rules & Rulesets (v2)