Retrieve a List of Disabled Custom Detection Rules

Endpoint URL: https://<your server>/rest/v2/customRules/decisionFeature/deleted
Endpoint URI: v2/customRules/decisionFeature/deleted

Action: GET

Returns a list of all custom rules currently disabled in your environment.

Note

Ensure that you have logged into the Cybereason platform. For details, see Log in with the API.

Request Headers

You must add a Content-Type: application/json header with the request.

Note

If you are using cURL, add the authorization cookie details or the path to the file with cookie details with every request.


Request Body

None


Request Parameters

URL/URI parameters: none

Request Body Parameters: none


Response Status Codes

This request can return the following status codes:

  • 200: Success OK


Response Success Schema

The response includes the following fields, listed as field (type): description.

rules (Array): A list of all the custom detection rules currently disabled in the environment (this endpoint returns disabled rules only). Each entry in the array is a rule object with the fields below.

id (Integer): The unique identification number used by Cybereason to identify the custom detection rule.

name (String): The name given to the custom detection rule when it was created.

rootCause (Enum): The Element identified as the root cause of the Malop generated from the custom detection rule. Possible values include:

  • self

  • imageFile

  • parentProcess

malopDetectionType (Enum): The detection type assigned for the Malops generated from this custom detection rule. Possible values include:

  • BLACKLIST

  • CNC

  • CUSTOM_RULE

  • UNAUTHORIZED_USER

  • CREDENTIAL_THEFT

  • DATA_TRANSMISSION_VOLUME

  • ELEVATED_ACCESS

  • EXTENSION_MANIPULATION

  • KNOWN_MALWARE

  • LATERAL_MOVEMENT

  • MALWARE_PROCESS

  • MALICIOUS_PROCESS

  • PUP

  • PERSISTENCE

  • PHISHING

  • PROCESS_INJECTION

  • RANSOMWARE

  • RECONNAISSANCE

rule (Object): An object containing the details for one specific rule.

parentId (Integer): The identifier of the parent rule, if this rule was created from another rule.

root (Object): An object containing the Elements and Features used in the custom detection rule.

elementType (Enum/String): The Element on which the custom detection rule generates a Malop or adds an additional Element in the chain.

For the initial Element of the rule, possible values include:

  • Process

  • LogonSession

For additional Elements, the string displays the Element name.

filters (Array): An array of objects, each describing one Feature filter applied to the root Element for this custom detection rule.

facetName (String): The name of the Feature used for the filter.

values (Array of String/Boolean/Integer): The values to match for the filter. The value type depends on the specific Feature.

filterType (Enum): The operator to use for this Feature. The available operators differ depending on the type of Feature.

featureTranslation (String): The human-readable name of the Feature.

children (Array): An array of objects describing the next Elements added to the custom detection rule. If this field is null, there are no additional Elements used in the custom rule.

connectionFeature (String): The Feature used to connect Elements.

elementTypeTranslation (String): The human-readable name of the Element.

malopActivityType (Enum): The type of Malop. Possible values include:

  • CNC_COMMUNICATION

  • DATA_THEFT

  • MALICIOUS_INFECTION

  • LATERAL_MOVEMENT

  • PRIVILEGE_ESCALATION

  • RANSOMWARE

  • SCANNING

  • STOLEN_CREDENTIALS

description (String): The description added for the custom detection rule when it was created.

enabled (Boolean): Indicates whether the custom detection rule is enabled in the environment. Because this endpoint lists disabled rules, the value is false for every rule returned.

userName (String): The Cybereason user name of the user that created the custom detection rule.

creationTime (Integer): The time (in epoch milliseconds) when the custom detection rule was created.

updateTime (Integer): The time (in epoch milliseconds) when the custom detection rule was last updated.

lastTriggerTime (Integer): The time (in epoch milliseconds) when a Malop was last generated based on this detection rule. If no Malops have been generated for this detection rule, this value is null.

limitExceed (Boolean): Indicates whether the exceed limit is enforced. In the example response below, this field appears at the top level of the response alongside the rules array, not inside an individual rule.

The example response also includes the fields connectionFeatureTranslation (the human-readable name of the connection Feature), autoRemediationActions and autoRemediationStatus, which are not described in the schema above.


Response Failure Schema

None


Important Response Fields

Important information is found in these fields:

  • rules object: An object containing a list of all custom detection rules currently disabled in the platform.

  • id parameter: The unique identifier the Cybereason platform uses for the custom detection rule.

  • name parameter: The name of the custom detection rule.

  • rootCause parameter: The Element identified as the root cause for any Malops generated by the custom detection rule.

  • malopDetectionType parameter: The type of detection set for Malops generated by the custom detection rule.

  • rule object: An object containing details on a specific custom detection rule.

  • elementType parameter: The Element used as the starting Element in the rule.

  • filters object: The array of filter objects applied to the specified Element.

  • facetName parameter: The name of the Feature used to filter the Element.

  • values parameter: The value used with the facetName parameter.

  • children object: The object containing details on Elements linked to the first Element in the custom rule.

  • connectionFeature parameter: The Feature that connects the Elements in a chain used in the custom rule.


Example: Get a list of disabled custom detection rules

Request

The request below passes the cookie file saved when you logged in with the API using the --cookie option; replace cookie.txt with the path to your own cookie file.

curl --request GET \
  --url https://12.34.56.78/rest/v2/customRules/decisionFeature/deleted \
  --header 'Content-Type:application/json' \
  --cookie cookie.txt

Response

{
  "rules": [
    {
      "id": 1543491693276,
      "name": "Suspicious PS command line",
      "rootCause": "self",
      "malopDetectionType": "CUSTOM_RULE",
      "rule": {
        "parentId": 1543491693276,
        "root": {
          "elementType": "Process",
          "filters": [
            {
              "facetName": "clearCommandLine",
              "values": [
                "powershell"
              ],
              "filterType": "ContainsIgnoreCase",
              "featureTranslation": "Clear command line"
            }
          ],
          "children": [
            {
              "connectionFeature": "imageFile",
              "elementType": "File",
              "filters": [
                {
                  "facetName": "name",
                  "values": [
                    "powershell"
                  ],
                  "filterType": "NotContainsIgnoreCase",
                  "featureTranslation": "Name"
                }
              ],
              "children": null,
              "elementTypeTranslation": "File",
              "connectionFeatureTranslation": "Image file"
            }
          ],
          "elementTypeTranslation": "Process"
        },
        "malopActivityType": "MALICIOUS_INFECTION"
      },
      "description": "Powershell in command line and image file is not powershell",
      "enabled": false,
      "userName": "[email protected]",
      "creationTime": 1543491694263,
      "updateTime": 1558788890273,
      "lastTriggerTime": null,
      "autoRemediationActions": null,
      "autoRemediationStatus": null
    }
  ],
  "limitExceed": false
}
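The following script is an added example, not code from the Cybereason documentation or product. It shows how a practitioner would call this endpoint from Python with the same cookie file that curl reads, walk the root/children Element tree of each returned rule into readable predicates, and apply two review checks: every rule in the list must have enabled set to false, and rules whose lastTriggerTime is null never produced a Malop and are candidates for deletion rather than re-enabling. The sample response embedded below is a constructed copy of the example response above; the function and variable names (fetch_disabled_rules, walk_elements, describe_rule, audit, SAMPLE_RESPONSE) and the cookie file path are assumptions for this example.

```python
import http.cookiejar
import json
import urllib.request

# Constructed sample: the example response from this page, reduced to the fields used below.
SAMPLE_RESPONSE = {
    "rules": [
        {
            "id": 1543491693276,
            "name": "Suspicious PS command line",
            "rootCause": "self",
            "malopDetectionType": "CUSTOM_RULE",
            "rule": {
                "parentId": 1543491693276,
                "root": {
                    "elementType": "Process",
                    "filters": [
                        {"facetName": "clearCommandLine", "values": ["powershell"],
                         "filterType": "ContainsIgnoreCase", "featureTranslation": "Clear command line"}
                    ],
                    "children": [
                        {
                            "connectionFeature": "imageFile",
                            "elementType": "File",
                            "filters": [
                                {"facetName": "name", "values": ["powershell"],
                                 "filterType": "NotContainsIgnoreCase", "featureTranslation": "Name"}
                            ],
                            "children": None,
                            "elementTypeTranslation": "File",
                            "connectionFeatureTranslation": "Image file",
                        }
                    ],
                    "elementTypeTranslation": "Process",
                },
                "malopActivityType": "MALICIOUS_INFECTION",
            },
            "description": "Powershell in command line and image file is not powershell",
            "enabled": False,
            "userName": "[email protected]",
            "creationTime": 1543491694263,
            "updateTime": 1558788890273,
            "lastTriggerTime": None,
        }
    ],
    "limitExceed": False,
}


def fetch_disabled_rules(server, cookie_file):
    """GET /rest/v2/customRules/decisionFeature/deleted using a Netscape-format cookie
    file (the same format curl's --cookie reads). Assumes the session cookie from the
    API login is already in that file. TLS verification is left on deliberately."""
    jar = http.cookiejar.MozillaCookieJar(cookie_file)
    jar.load(ignore_discard=True, ignore_expires=True)
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(
        f"https://{server}/rest/v2/customRules/decisionFeature/deleted",
        headers={"Content-Type": "application/json"},
        method="GET",
    )
    with opener.open(req, timeout=30) as resp:
        if resp.status != 200:
            raise RuntimeError(f"unexpected status {resp.status}")
        return json.load(resp)


def walk_elements(node, path):
    """Yield (path, filters) for the root Element and every child Element, depth-first.
    The path records how each child is linked to its parent via connectionFeature."""
    yield path, node.get("filters") or []
    for child in node.get("children") or []:
        link = f"{child.get('connectionFeature')} -> {child.get('elementType')}"
        yield from walk_elements(child, path + [link])


def describe_rule(entry):
    """Flatten one rule entry into human-readable predicate strings, one per filter."""
    root = entry["rule"]["root"]
    lines = []
    for path, filters in walk_elements(root, [root["elementType"]]):
        where = " / ".join(path)
        for f in filters:
            lines.append(f"{where}: {f['facetName']} {f['filterType']} {f['values']}")
    return lines


def audit(response):
    """Review checks: listed rules must really be disabled, rules that never fired are
    flagged for cleanup, and a true limitExceed flag is surfaced."""
    findings = []
    for entry in response.get("rules", []):
        if entry.get("enabled") is not False:
            findings.append(f"rule {entry['id']} listed as disabled but enabled={entry.get('enabled')!r}")
        if entry.get("lastTriggerTime") is None:
            findings.append(f"rule {entry['id']} ({entry['name']}) never generated a Malop")
    if response.get("limitExceed"):
        findings.append("limitExceed is true")
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_disabled_rules("12.34.56.78", "cookie.txt") to run live.
    for rule in SAMPLE_RESPONSE["rules"]:
        print(rule["name"], describe_rule(rule))
    print(audit(SAMPLE_RESPONSE))
```

The walk uses the page's own structure: the root Element carries filters and an optional children array, each child names the connectionFeature that links it to its parent, and a null children field ends the chain. Running the script against the sample prints the two predicates of the example rule and one finding, that the rule never generated a Malop.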