Correlation - Convert Rule/LG To Subrule

URI

https://164.99.19.131:8443/SentinelRESTServices/correlation/parseSubrule

Supported Methods

POST

Given a valid correlation Rule/LG expression, attempt to convert it to a structured form that can be rendered as a set of Boolean expressions. If the conversion is not possible, the same Rule/LG is simply returned in a displayable form (as the nonStructuredRuleLG field).

Authentication

Authentication Types
Sentinel Permissions Needed

URL Parameters

None.

Success Codes

Fault Codes

Sample Request

POST correlation/parseSubrule
{"rulelg":"filter(((e.Severity = 1)) AND ((e.EventName = \"Test\")) AND not(isnull(e.SubResource)))"}

Sample Response for application/json
Status: 200
{"isAnd":"true","isTrigger":"false","duration":"0","count":"0","expressions":[{"tag":"e.Severity","operator":"=","value":"1"},{"tag":"e.EventName","operator":"=","value":"\"Test\""},{"tag":"e.SubResource","operator":"not isnull"}]}
Sample Request

POST correlation/parseSubrule
{"rulelg":"filter(((e.XDASClass = 0) AND (e.XDASIdentifier = 0) AND ((e.XDASOutcome = 1) OR (e.XDASOutcome = 2))))"}

Sample Response for application/json
Status: 200
{"isAnd":"false","isTrigger":"false","duration":"0","count":"0","expressions":[{"xdasclass":"0","xdasidentifier":"0","xdasoutcomes":["1","2"]}]}
Sample Request

POST correlation/parseSubrule
{"rulelg":"filter(e.sev = 1 or (not e.sev > 1))"}

Sample Response for application/json
Status: 200
{"nonStructuredRuleLG":"filter(((e.Severity = 1) or ( not (e.Severity > 1))))","isAnd":"false","isTrigger":"false","duration":"0","count":"0"}
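The contract the three samples show, reproduced as an added Python sketch that is not the Sentinel service's own code: a rule is structured when it is a filter() over depth-0 AND terms of the form e.Tag op value, isnull(e.Tag) or not(isnull(e.Tag)); anything else (a top-level OR, unbalanced parentheses) is handed back as nonStructuredRuleLG. The grammar subset, the isnull operator spellings and the echoing of the input verbatim in the fallback are assumptions; the XDAS-specific grouping in the second sample is not modelled, so that rule falls back here. Having the structured form lets a reviewer or script audit exactly which event conditions a correlation rule enforces before it is deployed.

```python
import re

# Assumed grammar of the structured subset: filter(term AND term ...), where a term is
# e.<Tag> <op> <value> (value quoted or an integer), isnull(e.<Tag>) or not(isnull(e.<Tag>)).
_CMP = re.compile(r'^(e\.\w+)\s*(!=|>=|<=|=|>|<)\s*("(?:[^"\\]|\\.)*"|-?\d+)$')
_NULL = re.compile(r'^(not\s*\(\s*)?isnull\s*\(\s*(e\.\w+)\s*\)(\s*\))?$', re.IGNORECASE)
_BASE = {"isTrigger": "false", "duration": "0", "count": "0"}

def _unwrap(s):
    """Strip whitespace and fully enclosing parentheses: '((e.X = 1))' -> 'e.X = 1'."""
    s = s.strip()
    while s.startswith('(') and s.endswith(')'):
        depth = 0
        for ch in s[:-1]:
            depth += (ch == '(') - (ch == ')')
            if depth == 0:
                return s  # the leading '(' closes early, so it is not an enclosing pair
        s = s[1:-1].strip()
    return s

def _split_and(s):
    """Split on depth-0 AND (any case), skipping quoted strings; [s] when there is none."""
    parts, depth, start = [], 0, 0
    for m in re.finditer(r'"(?:[^"\\]|\\.)*"|[()]|\band\b', s, re.IGNORECASE):
        tok = m.group()
        if tok in ('(', ')'):
            depth += 1 if tok == '(' else -1
        elif tok.lower() == 'and' and depth == 0:
            parts.append(s[start:m.start()])
            start = m.end()
    parts.append(s[start:])
    return parts

def parse_subrule(rulelg):
    """Structured form on success, else the nonStructuredRuleLG fallback (third sample)."""
    fallback = {"nonStructuredRuleLG": rulelg, "isAnd": "false", **_BASE}
    m = re.match(r'^filter\s*\((.*)\)$', rulelg.strip(), re.DOTALL | re.IGNORECASE)
    if not m:
        return fallback
    expressions = []
    for term in map(_unwrap, _split_and(_unwrap(m.group(1)))):
        if c := _CMP.match(term):
            expressions.append({"tag": c[1], "operator": c[2], "value": c[3]})
        elif (n := _NULL.match(term)) and bool(n[1]) == bool(n[3]):  # parens must pair up
            expressions.append({"tag": n[2], "operator": "not isnull" if n[1] else "isnull"})
        else:
            return fallback  # unrecognised term (e.g. a top-level OR): hand it back for display
    return {"isAnd": "true", **_BASE, "expressions": expressions}
```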