Retrieve a List of Disabled Custom Detection Rules
Endpoint URL: https://<your server>/rest/v2/customRules/decisionFeature/deleted
Endpoint URI: v2/customRules/decisionFeature/deleted
Action: GET
Returns a list of all custom rules currently disabled in your environment.
Note
Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.
Request Headers
You must add a Content-Type:application/json header with the request.
Note
If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.
Request Body
None
Request Parameters
URL/URI parameters: none
Request Body Parameters: none
Response Status Codes
This request can return the following status codes:
200: Success OK
Response Success Schema
The response includes the following fields:
| Field | Type | Description |
|---|---|---|
| rules | Array | A list of all the custom detection rules currently disabled in the environment. |
| id | Integer | The unique identification number used by Cybereason to identify the custom detection rule. |
| name | String | The name given to the custom detection rule when it was created. |
| rootCause | Enum | The Element identified as the root cause of the Malop generated from the custom detection rule. Possible values include: |
| malopDetectionType | Enum | The detection type assigned for the Malops generated from this custom detection rule. Possible values include: |
| rule | Object | An object containing the details for one specific rule. |
| parentId | Integer | The identifier used for the parent of this rule if it was created from another rule. |
| root | Object | An object containing the Elements and Features used in the custom detection rule. |
| elementType | Enum/String | The Element on which the custom detection rule generates a Malop or adds an additional Element in the chain. For the initial Element of the rule, possible values include: For additional Elements, the string displays the Element name. |
| filters | Array | An object containing details of the Feature filters added to the root Element for this custom detection rule. |
| facetName | String | The name of the Feature used for the filter. |
| values | Array of String/Boolean/Integer | The values to match for the filter. The value type depends on the specific Feature. |
| filterType | Enum | The operator to use for this Feature. The available operators differ depending on the type of Feature. |
| featureTranslation | String | The regular language name used for the Feature. |
| children | Array | An object containing details on the next Elements added to the custom detection rule. If this field reports a null value, there are no additional Elements used in the custom rule. |
| connectionFeature | String | The Feature used to connect Elements. |
| elementTypeTranslation | String | The regular language name for the Element. |
| malopActivityType | Enum | The type of Malop. Possible values include: |
| description | String | The description added for the custom detection rule when it was created. |
| enabled | Boolean | Indicates whether the custom detection rule is enabled in the environment. Rules returned by this endpoint report false. |
| userName | String | The Cybereason user name for the user that created the custom detection rule. |
| creationTime | Integer | The time (in epoch milliseconds) when the custom detection rule was created. |
| updateTime | Integer | The time (in epoch milliseconds) when the custom detection rule was last updated. |
| lastTriggerTime | Integer | The time (in epoch milliseconds) when a Malop was last generated based on this detection rule. If no Malops have been generated for this detection rule, this value returns null. |
| limitExceed | Boolean | Indicates whether the custom rule limit is exceeded. In the example response this field appears at the top level of the response, alongside the rules array, rather than inside an individual rule. |
Response Failure Schema
None
Important Response Fields
Important information is found in these fields:
rules object: An object containing a list of all custom detection rules currently disabled in the platform.
id parameter: The unique identifier the Cybereason platform uses for the custom detection rule.
name parameter: The name of the custom detection rule.
rootCause parameter: The Element identified as the root cause for any Malops generated by the custom detection rule.
malopDetectionType parameter: The type of detection set for Malops generated by the custom detection rule.
rule object: An object containing details on a specific custom detection rule.
elementType parameter: The Element used as the starting Element in the rule.
filters object: The object containing the objects used to filter the specified Element.
facetName parameter: The name of the Feature used to filter the Element.
values parameter: The value used with the facetName parameter.
children object: The object containing details on Elements linked to the first Element in the custom rule.
connectionFeature parameter: The Feature that connects the Elements in a chain used in the custom rule.
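The nested rule/root/filters/children structure is easier to review when each rule is flattened into one readable line per Element in the chain, and the epoch timestamps are turned into dates. The following Python is an added example, not Cybereason code: it takes the example response body from this page as constructed offline input, renders each rule's Element chain, and ranks the disabled rules for review. It assumes that creationTime, updateTime and lastTriggerTime are epoch milliseconds (the 13-digit values in the example only make sense as milliseconds), and the "review priority" heuristic (a disabled rule that once produced Malops outranks one that never fired) is this example's own, not part of the API.

```python
"""Flatten and triage rules from GET /rest/v2/customRules/decisionFeature/deleted.

Added example; this is not Cybereason code. SAMPLE_RESPONSE is the example
response body from this page, embedded here as constructed offline input.
Assumption: creationTime/updateTime/lastTriggerTime are epoch milliseconds.
"""
import json
from datetime import datetime, timezone

MS_PER_DAY = 86_400_000

SAMPLE_RESPONSE = json.loads(r"""{
  "rules": [{
    "id": 1543491693276, "name": "Suspicious PS command line",
    "rootCause": "self", "malopDetectionType": "CUSTOM_RULE",
    "rule": {
      "parentId": 1543491693276,
      "root": {
        "elementType": "Process", "elementTypeTranslation": "Process",
        "filters": [{"facetName": "clearCommandLine", "values": ["powershell"],
                     "filterType": "ContainsIgnoreCase", "featureTranslation": "Clear command line"}],
        "children": [{
          "connectionFeature": "imageFile", "connectionFeatureTranslation": "Image file",
          "elementType": "File", "elementTypeTranslation": "File",
          "filters": [{"facetName": "name", "values": ["powershell"],
                       "filterType": "NotContainsIgnoreCase", "featureTranslation": "Name"}],
          "children": null
        }]
      },
      "malopActivityType": "MALICIOUS_INFECTION"
    },
    "description": "Powershell in command line and image file is not powershell",
    "enabled": false, "userName": "[email protected]",
    "creationTime": 1543491694263, "updateTime": 1558788890273, "lastTriggerTime": null
  }],
  "limitExceed": false
}""")


def to_iso(epoch_ms):
    """Epoch milliseconds -> ISO 8601 UTC string; None stays None (rule never triggered)."""
    if epoch_ms is None:
        return None
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).isoformat()


def describe_filters(filters):
    """'<Feature> <operator> <values>' per filter; values is always a list in the response."""
    parts = []
    for f in filters:
        values = ", ".join(repr(v) for v in f["values"])
        parts.append(f"{f['featureTranslation']} {f['filterType']} {values}")
    return " AND ".join(parts) if parts else "(no filters)"


def render_chain(node, depth=0):
    """One line per Element, walking root -> children recursively (children is null on a leaf)."""
    prefix = "  " * depth
    link = ""
    if node.get("connectionFeature"):
        link = f"--[{node.get('connectionFeatureTranslation', node['connectionFeature'])}]--> "
    label = node.get("elementTypeTranslation", node["elementType"])
    lines = [f"{prefix}{link}{label} where {describe_filters(node.get('filters') or [])}"]
    for child in node.get("children") or []:
        lines.extend(render_chain(child, depth + 1))
    return lines


def summarize_rule(entry, now_ms):
    """Pull out what a detection engineer reviewing a disabled rule wants to see."""
    triggered = entry.get("lastTriggerTime") is not None
    return {
        "id": entry["id"],
        "name": entry["name"],
        "enabled": entry["enabled"],
        "malop_activity_type": entry["rule"].get("malopActivityType"),
        "created": to_iso(entry["creationTime"]),
        "updated": to_iso(entry["updateTime"]),
        "days_since_update": (now_ms - entry["updateTime"]) // MS_PER_DAY,
        "ever_triggered": triggered,
        # Heuristic of this example: a disabled rule that once produced Malops is a
        # detection gap worth re-evaluating; one that never fired may just have been noisy.
        "review_priority": "high" if triggered else "low",
        "chain": render_chain(entry["rule"]["root"]),
    }


def triage(response, now_ms):
    """Summaries for every returned rule: high priority first, most recently updated first."""
    summaries = [summarize_rule(e, now_ms) for e in response["rules"]]
    return sorted(summaries, key=lambda s: (s["review_priority"] != "high", s["days_since_update"]))


if __name__ == "__main__":
    now = int(datetime.now(tz=timezone.utc).timestamp() * 1000)
    for s in triage(SAMPLE_RESPONSE, now):
        print(f"[{s['review_priority']}] {s['name']} (id {s['id']}), updated {s['updated']}, "
              f"triggered before disable: {s['ever_triggered']}")
        print("\n".join("    " + line for line in s["chain"]))
```

To run it against a live server, replace SAMPLE_RESPONSE with the parsed body of the GET request shown in the examples below; the response shape is the same.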
Example: Get a list of disabled custom detection rules
Request
curl --request GET \
  --url https://12.34.56.78/rest/v2/customRules/decisionFeature/deleted \
  --header 'Content-Type:application/json' \
  --cookie <path to cookie file>
Response
{
"rules": [
{
"id": 1543491693276,
"name": "Suspicious PS command line",
"rootCause": "self",
"malopDetectionType": "CUSTOM_RULE",
"rule": {
"parentId": 1543491693276,
"root": {
"elementType": "Process",
"filters": [
{
"facetName": "clearCommandLine",
"values": [
"powershell"
],
"filterType": "ContainsIgnoreCase",
"featureTranslation": "Clear command line"
}
],
"children": [
{
"connectionFeature": "imageFile",
"elementType": "File",
"filters": [
{
"facetName": "name",
"values": [
"powershell"
],
"filterType": "NotContainsIgnoreCase",
"featureTranslation": "Name"
}
],
"children": null,
"elementTypeTranslation": "File",
"connectionFeatureTranslation": "Image file"
}
],
"elementTypeTranslation": "Process"
},
"malopActivityType": "MALICIOUS_INFECTION"
},
"description": "Powershell in command line and image file is not powershell",
"enabled": false,
"userName": "[email protected]",
"creationTime": 1543491694263,
"updateTime": 1558788890273,
"lastTriggerTime": null,
"autoRemediationActions": null,
"autoRemediationStatus": null
}
],
"limitExceed": false
}
Request
import getpass
import json

import requests

# Login information. The password is read interactively so that it is not
# stored in the script.
username = "[email protected]"
password = getpass.getpass("Cybereason password: ")
server = "yourserver.com"
port = "443"
base_url = "https://" + server + ":" + port

# The login endpoint takes a form-encoded POST (data=, not json=).
login_url = base_url + "/login.html"
data = {
    "username": username,
    "password": password
}
session = requests.session()
login_response = session.post(login_url, data=data, verify=True)
login_response.raise_for_status()
print(login_response.status_code)
# The session now holds the authorization cookie and sends it with every
# later request, so no cookie has to be attached by hand.
print(session.cookies.items())

# Request URL: list of disabled custom detection rules
endpoint_url = "/rest/v2/customRules/decisionFeature/deleted"
api_url = base_url + endpoint_url
api_headers = {"Content-Type": "application/json"}
api_response = session.get(api_url, headers=api_headers)
api_response.raise_for_status()
your_response = api_response.json()
print(json.dumps(your_response, indent=4, sort_keys=True))
Response
{
"rules": [
{
"id": 1543491693276,
"name": "Suspicious PS command line",
"rootCause": "self",
"malopDetectionType": "CUSTOM_RULE",
"rule": {
"parentId": 1543491693276,
"root": {
"elementType": "Process",
"filters": [
{
"facetName": "clearCommandLine",
"values": [
"powershell"
],
"filterType": "ContainsIgnoreCase",
"featureTranslation": "Clear command line"
}
],
"children": [
{
"connectionFeature": "imageFile",
"elementType": "File",
"filters": [
{
"facetName": "name",
"values": [
"powershell"
],
"filterType": "NotContainsIgnoreCase",
"featureTranslation": "Name"
}
],
"children": null,
"elementTypeTranslation": "File",
"connectionFeatureTranslation": "Image file"
}
],
"elementTypeTranslation": "Process"
},
"malopActivityType": "MALICIOUS_INFECTION"
},
"description": "Powershell in command line and image file is not powershell",
"enabled": false,
"userName": "[email protected]",
"creationTime": 1543491694263,
"updateTime": 1558788890273,
"lastTriggerTime": null,
"autoRemediationActions": null,
"autoRemediationStatus": null
}
],
"limitExceed": false
}