Correlation - Create Correlation Rule

URI

https://164.99.19.131:8443/SentinelRESTServices/correlation/rules

Supported Methods

POST

This API creates a new correlation rule and optionally associates a set of actions with the rule.

Authentication

Authentication Types

X-SAML

Sentinel Permissions Needed

manageCorrelation
_adminRole_

URL Parameters

None.

Success Codes

200 OK

Fault Codes

Request Data

Object type: Request object for Correlation rule creation
Correlation rule creation.
Field	Required	Description
actions	false	This indicates the actions to be executed when a rule fires.
active	false	This is a Boolean value. If true, the rule is enabled and deployed, otherwise the rule is disabled. This is applicable only if the rule is deployed in a correlation engine.
deployed	false	This is Boolean value. If true, the rule is deployed into a correlation engine.
ruledescription	false	This is the description of the rule.
ruleId	true	This is the unique identifier of the rule.
rulelg	true	This is the correlation rule language.
rulename	true	This is the name of the rule.
updatetime	false	The time to initiate action execution when a rule fires.

Response Data

Object type: Response object for Correlation rule creation
Correlation rule creation.
Field	Description
actions	This indicates the actions to be executed when a rule fires.
active	This is a Boolean value. If true, the rule is enabled and deployed, otherwise the rule is disabled. This is applicable only if the rule is deployed in a correlation engine.
deployed	This is Boolean value. If true, the rule is deployed into a correlation engine.
duration	The time duration within which the rule should fire.
isGate	This is a Boolean value. If true, the rule is a composite rule. Otherwise, the rule is a sequence/simple rule.
offline	This is a Boolean value. If true, the engine is in stopped or error state. This is applicable only if the rule is deployed into a correlation engine.
ruledescription	This is the description of the rule.
ruleId	This is the unique identifier of the rule.
rulelg	This is the correlation rule language.
rulename	This is the name of the rule.
updatetime	The time to initiate action execution when a rule fires.

Sample Request

POST correlation/rules

{"ruleId":"2476D076-3E12-102E-9265-000C29D8AA3D", "rulename":"Failure Then Success", "ruledescription":"Failure Then Success", "rulelg":"sequence(filter(((e.XDASClass = 2) AND (e.XDASIdentifier = 0) AND (e.XDASOutcome = 1))),filter(((e.XDASClass = 2) AND (e.XDASIdentifier = 0) AND (e.XDASOutcome = 0))) ,300,discriminator(e.InitiatorUserName))", "active":false, "deployed":false, "updatetime":0, "actions":["777E5100-1960-102B-9985-001321B5C0B3"]}&#10;

Sample Response for application/json

Status: 200

{"ruleId":"1E6470B0-C4AF-102E-B6AA-0019B94687A1","rulename":"Failure Then Success","ruledescription":"Failure Then Success","rulelg":"sequence(filter(((e.XDASClass = 2) AND (e.XDASIdentifier = 0) AND (e.XDASOutcome = 1))),filter(((e.XDASClass = 2) AND (e.XDASIdentifier = 0) AND (e.XDASOutcome = 0))) ,300,discriminator(e.InitiatorUserName))","isGate":"false","duration":"0","updatetime":"0","deployed":"false","active":"false","offline":"false","actions":["777E5100-1960-102B-9985-001321B5C0B3"]}&#10;

Back to main API page