Correlation - Get Correlation Rule

URI

https://164.99.19.131:8443/SentinelRESTServices/correlation/rules/{id}

Supported Methods

GET

This API gets the correlation rule specified by {id} and its associated health, and parses the rule into a set of subrules.

Authentication

Authentication Types
Sentinel Permissions Needed

URL Parameters

None.

Success Codes

Fault Codes

Response Data

Object type: Correlation rule object
A single Correlation rule object.

Field             Description
actions           This indicates the actions to be executed when a rule fires.
active            This is a Boolean value. If true, the rule is enabled and deployed; otherwise the rule is disabled. This is applicable only if the rule is deployed in a correlation engine.
deployed          This is a Boolean value. If true, the rule is deployed into a correlation engine.
duration          The time duration within which the rule should fire.
engineId          This is the unique ID of the Correlation engine where the rule is deployed. This is applicable only if the rule is deployed into a correlation engine.
health            The health object of the rule. This is applicable only if the rule is deployed into a correlation engine.
isGate            This is a Boolean value. If true, the rule is a composite rule. Otherwise, the rule is a sequence/simple rule.
mode              This indicates which of the subrules must be triggered for the Composite rule to fire.
offline           This is a Boolean value. If true, the engine is in a stopped or error state. This is applicable only if the rule is deployed into a correlation engine.
ruledescription   This is the description of the rule.
ruleId            This is the unique identifier of the rule.
rulename          This is the name of the rule.
subrules          The rule definitions for the 1 to n subrules that make up the rule. Each subrule is an independent, valid correlation rule.
updatetime        The time to initiate action execution when a rule fires.

Response Data

Object type: Correlation rule health object
Correlation rule health data. All health fields are applicable only if the rule is deployed into a correlation engine.

Field                 Description
Cardinality           This is the health data of a rule. This indicates the number of strings and related structures held in memory by this rule.
EPSCapacity           This is the health data of a rule. This indicates the processing time the rule consumes relative to the capacity of the engine.
EventRefCount         This is the health data of a rule. This indicates the number of events held in memory by this rule.
FiredCount            This is the health data of a rule. This indicates the number of times the rule has fired since it was deployed.
LastFiredTime         This is the health data of a rule. This indicates the last time (in milliseconds) the rule fired.
OutputRate            This is the health data of a rule. This indicates the number of times the rule has fired relative to the events processed.
StatusChangedTime     This is the health data of a rule. This indicates the time (in milliseconds) the rule state was changed.
StatusDuration        This is the health data of a rule. This indicates the duration (in milliseconds) the rule has been in its present state.
TotalProcessingTime   This is the health data of a rule. This indicates the total time spent (in milliseconds) by the Correlation Engine processing the rule since it was deployed or enabled.

Response Data

Object type: Correlation rule subrule object
A subrule object from which a Correlation rule is built.

Field         Description
count         This indicates the number of times the expressions must meet the specified criteria for the subrule/rule to fire.
duration      The duration within which the subrule should fire.
expressions   This indicates the criteria for the subrule.
isAnd         This indicates the condition between the expressions in a subrule.
isTrigger     This is a Boolean value. If true, the subrule should fire more than one time within a time range.
operator      This indicates the condition used in the expression.
tag           This indicates the event attribute that forms an expression.
value         This indicates the value of the event attribute.

Sample Request

GET correlation/rules/3E285CF0-54B3-102B-B39D-00C09F472961
Sample Response for application/json
Status: 200
{"ruleId":"3E285CF0-54B3-102B-B39D-00C09F472961","rulename":"Monitor Sentinel Core Solution Pack Controls","ruledescription":"This rule monitors the system to ensure that if any controls in this Solution Pack are uninstalled, security analysts are alerted.","rulelg":"filter(((e.EventName = \"UNINSTALLED\")) AND ((e.TargetDataContainer match regex (\".*obj:///Sentinel Core Solution Pack.*\"))))","isGate":"false","duration":"0","updatetime":"0","deployed":"true","engineId":"696080E0-9A20-1029-ADDD-0003BAC9707D","active":"true","offline":"false","health":{"FiredCount":"0","StatusDuration":"177233726","ProcessedCount":"5336","StatusChangedTime":"1316410548886","Cardinality":"0","EventRefCount":"0","LastFiredTime":"0","TotalProcessingTime":"1945","EPSCapacity":"0.0010","OutputRate":"0.0"},"subrules":[{"isAnd":"true","isTrigger":"false","duration":"0","count":"0","expressions":[{"tag":"e.EventName","operator":"=","value":"\"UNINSTALLED\""},{"tag":"e.TargetDataContainer","operator":"match regex","value":"\".*obj:///Sentinel Core Solution Pack.*\""}]}],"actions":["522C5A23-A001-102E-BC0C-000C29BEC6AC"]}

Sample Response for application/json
Status: 404
The resource was not found.

Sample Request

GET correlation/rules/3E285CF0-54B3-102B-B39D-00C09F472961
Sample Response for application/json
Status: 200
{"ruleId":"1E6470B0-C4AF-102E-B507-0019B94687A1","rulename":"Multiple Password Change","ruledescription":"This is the scenario when the same user logs in and changes the password more than 2 times; this rule has to trigger.","rulelg":"gate(filter(((e.EventName = \"LoginUser\"))),filter(((e.EventName = \"ChangeUserPassword\")) AND ((e.InitiatorUserName = e.TargetUserName)))flow trigger(2,59) ,all,59)","isGate":"true","duration":"59","mode":"all","updatetime":"3600","deployed":"true","engineId":"696080E0-9A20-1029-ADDD-0003BAC9707D","active":"true","offline":"false","health":{"FiredCount":"0","StatusDuration":"3528629","ProcessedCount":"111","StatusChangedTime":"1316593974074","Cardinality":"0","EventRefCount":"0","LastFiredTime":"0","TotalProcessingTime":"118","EPSCapacity":"0.0033","OutputRate":"0.0"},"subrules":[{"isAnd":"false","isTrigger":"false","duration":"0","count":"0","expressions":[{"tag":"e.EventName","operator":"=","value":"\"LoginUser\""}]},{"isAnd":"true","isTrigger":"true","duration":"59","count":"2","expressions":[{"tag":"e.EventName","operator":"=","value":"\"ChangeUserPassword\""},{"tag":"e.InitiatorUserName","operator":"=","value":"e.TargetUserName"}]}],"actions":["777E5100-1960-102B-9985-001321B5C0B3"]}

Sample Response for application/json
Status: 404
The resource was not found.
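The following client-side example is added here and is not part of the Sentinel documentation or product. It fetches a rule through the GET endpoint described above, normalises the response (note that the API returns Boolean and numeric fields as JSON strings such as "active":"true" and "FiredCount":"0", so they must be converted explicitly), renders each subrule's expressions in readable form using isAnd/isTrigger/count/duration, and turns the health object into operational findings a SOC would act on (engine offline, rule deployed but disabled, rule processing events but never firing, rule with no actions). The embedded sample is the page's second sample response with the quotes inside string values escaped so it parses. The base URL, the Authorization header value, the EPSCapacity threshold and the severity labels are assumptions; the page does not describe the authentication scheme.

```python
"""Parse and triage a Sentinel 'Get Correlation Rule' response.
Added example, not Sentinel's own code. fetch_rule() is a thin
urllib wrapper around GET .../correlation/rules/{id}; base_url and
auth_header are placeholders you must supply."""
import json
import urllib.error
import urllib.request

# Constructed from the page's second sample response (quotes inside
# string values escaped so that it is valid JSON).
SAMPLE_RESPONSE = r'''{"ruleId":"1E6470B0-C4AF-102E-B507-0019B94687A1","rulename":"Multiple Password Change","ruledescription":"Same user logs in and changes the password more than 2 times.","rulelg":"gate(filter(((e.EventName = \"LoginUser\"))),filter(((e.EventName = \"ChangeUserPassword\")) AND ((e.InitiatorUserName = e.TargetUserName)))flow trigger(2,59) ,all,59)","isGate":"true","duration":"59","mode":"all","updatetime":"3600","deployed":"true","engineId":"696080E0-9A20-1029-ADDD-0003BAC9707D","active":"true","offline":"false","health":{"FiredCount":"0","StatusDuration":"3528629","ProcessedCount":"111","StatusChangedTime":"1316593974074","Cardinality":"0","EventRefCount":"0","LastFiredTime":"0","TotalProcessingTime":"118","EPSCapacity":"0.0033","OutputRate":"0.0"},"subrules":[{"isAnd":"false","isTrigger":"false","duration":"0","count":"0","expressions":[{"tag":"e.EventName","operator":"=","value":"\"LoginUser\""}]},{"isAnd":"true","isTrigger":"true","duration":"59","count":"2","expressions":[{"tag":"e.EventName","operator":"=","value":"\"ChangeUserPassword\""},{"tag":"e.InitiatorUserName","operator":"=","value":"e.TargetUserName"}]}],"actions":["777E5100-1960-102B-9985-001321B5C0B3"]}'''


def to_bool(value):
    """The API encodes Booleans as the strings "true"/"false"; a plain
    bool() on the string "false" would be True, so compare explicitly."""
    return str(value).strip().lower() == "true"


def to_number(value):
    """Health counters and durations arrive as strings; prefer int, fall
    back to float for values such as "0.0033". Raises ValueError otherwise."""
    text = str(value).strip()
    try:
        return int(text)
    except ValueError:
        return float(text)


def parse_rule(payload):
    """Normalise a Correlation rule object (dict from json.loads) into
    native Python types. Health keys are converted generically so that
    fields present in responses but absent from the field table (the
    sample carries ProcessedCount) are kept too."""
    rule = {
        "ruleId": payload["ruleId"],
        "rulename": payload.get("rulename", ""),
        "isGate": to_bool(payload.get("isGate", "false")),
        "deployed": to_bool(payload.get("deployed", "false")),
        "active": to_bool(payload.get("active", "false")),
        "offline": to_bool(payload.get("offline", "false")),
        "duration": to_number(payload.get("duration", "0")),
        "mode": payload.get("mode"),
        "actions": list(payload.get("actions", [])),
        "health": {},
        "subrules": [],
    }
    for name, raw in payload.get("health", {}).items():
        try:
            rule["health"][name] = to_number(raw)
        except ValueError:
            rule["health"][name] = raw  # keep unknown non-numeric values verbatim
    for sub in payload.get("subrules", []):
        rule["subrules"].append({
            "isAnd": to_bool(sub.get("isAnd", "false")),
            "isTrigger": to_bool(sub.get("isTrigger", "false")),
            "duration": to_number(sub.get("duration", "0")),
            "count": to_number(sub.get("count", "0")),
            "expressions": [(e["tag"], e["operator"], e["value"])
                            for e in sub.get("expressions", [])],
        })
    return rule


def render_subrule(sub):
    """Join the subrule's expressions with AND/OR per isAnd and append the
    trigger window (count within duration) when isTrigger is set. The
    page gives no unit for duration, so none is printed."""
    joiner = " AND " if sub["isAnd"] else " OR "
    text = joiner.join(f"{tag} {op} {val}" for tag, op, val in sub["expressions"])
    if sub["isTrigger"]:
        text += f" [trigger: {sub['count']} times within duration {sub['duration']}]"
    return text


def health_findings(rule, eps_capacity_threshold=0.5):
    """Return (severity, message) pairs for conditions worth a ticket.
    The threshold and severities are illustrative assumptions."""
    findings = []
    if not rule["deployed"]:
        return [("info", "rule is not deployed to any engine")]
    if rule["offline"]:
        findings.append(("high", "engine is stopped or in error state; rule is not evaluating events"))
    if not rule["active"]:
        findings.append(("medium", "rule is deployed but disabled"))
    h = rule["health"]
    if h.get("FiredCount", 0) == 0 and h.get("ProcessedCount", 0) > 0:
        findings.append(("low", f"rule has processed {h['ProcessedCount']} events but never fired"))
    if h.get("EPSCapacity", 0) > eps_capacity_threshold:
        findings.append(("medium", f"rule consumes {h['EPSCapacity']} of engine capacity"))
    if not rule["actions"]:
        findings.append(("medium", "rule has no actions; firing will not alert anyone"))
    return findings


def fetch_rule(base_url, rule_id, auth_header):
    """GET the rule over TLS; urllib verifies the server certificate by
    default, keep it that way. Returns None on the documented 404."""
    req = urllib.request.Request(
        f"{base_url}/SentinelRESTServices/correlation/rules/{rule_id}",
        headers={"Accept": "application/json", "Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_rule(json.loads(resp.read().decode("utf-8")))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    rule = parse_rule(json.loads(SAMPLE_RESPONSE))
    print(rule["rulename"], "gate" if rule["isGate"] else "simple", "mode:", rule["mode"])
    for sub in rule["subrules"]:
        print("  ", render_subrule(sub))
    for severity, msg in health_findings(rule):
        print(f"[{severity}] {msg}")
```

Run it as-is to see the sample parsed offline; to query a live server replace the call with `fetch_rule("https://<sentinel-host>:8443", rule_id, "<auth header value>")`, which returns None for the documented 404 case rather than raising. Converting "false" strings explicitly matters most for the offline and active flags: treating the string "false" as truthy would silently hide a stopped engine.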