Create Batch Rule

Creates a new batch rule.

HTTP Request

POST /api/sonar/batch-rules
Request using cURL

Pass each value with --data-urlencode rather than -d so that the spaces, quotes, "|" and "*" in the schedule, message template and query are percent-encoded on the wire, and single-quote the message template so the shell does not expand $src_ip before it reaches the server (the macro refers to the src_ip field the query groups by).

curl -H "Authorization: Bearer <API_KEY>" \
     --data-urlencode priority="LOW" \
     --data-urlencode name="Scan web vulnerabilities" \
     --data-urlencode schedule="*/30 * * * *" \
     --data-urlencode msg='Scan web vulnerabilities: $src_ip' \
     --data-urlencode query='table duration=30m weblog | search status >= 400 | stats count as error_count, dc(path) as page_count, values(concat(method, " ", path)) as request by src_ip | eval request = strjoin("\n", request) | lof eps=0.1 error_count, page_count | search _lof > 1.5 | sort -_lof' \
     -X POST \
     https://HOSTNAME/api/sonar/batch-rules
Request Parameters

Required: Yes = the request fails with null-argument if the key is missing; No = optional.

| Key | Required | Type | Description | Note |
|---|---|---|---|---|
| priority | Yes | String | Priority | LOW, MEDIUM or HIGH |
| guid | No | String | Batch rule GUID | 36 characters |
| name | Yes | String | Batch rule name | 1 to 255 characters |
| description | No | String | Batch rule description | Up to 2,000 characters |
| msg | Yes | String | Message template | 1 to 2,000 characters |
| enabled | No | Boolean | Whether the batch rule is enabled | true or false |
| category_guid | No | String | Batch rule category GUID | 36 characters |
| schedule | Yes | String | Execution cycle | CRON schedule format |
| duration | No | 32-bit integer | Time window of the data to be analyzed, counted back from the current time | Up to 31536000 seconds (365 days) |
| datetrunc | No | 32-bit integer | Date truncation unit | 1, 60, 3600 or 86400 (seconds) |
| dataset_guid | No | String | Dataset GUID | 36 characters. At least one of dataset_guid and query must be provided. |
| query | No | String | Detection query | Up to 65,535 characters. At least one of dataset_guid and query must be provided. |
| address_group_guid | No | String | Address group GUID | 36 characters |
| address_field | No | String | Address field name | Address group field name. Up to 50 characters. |
| ticket_repo_guid | No | String | Ticket repository GUID | 36 characters. If not specified, no ticket is generated. |
| ticket_assignee_guid | No | String | Ticket assignee GUID | If specified, the ticket is assigned automatically. |
| ticket_suppress_interval | No | 32-bit integer | Suppression period for duplicate tickets (seconds) | If 0 or not specified, duplicate tickets are not merged. |
| event_suppress_interval | No | 32-bit integer | Suppression period for duplicate events (seconds) | If 0 or not specified, duplicate events are not merged. |
| suppress_key | No | String | Suppress key field | Up to 2,000 characters. Macros in $field format are available. |
| keep_alive | No | Boolean | Whether to keep the suppression timer alive | true keeps the timer running, false resets it. |
| audit_category_guid | No | String | Audit category GUID | 36 characters. If not specified, no auto audit request is sent. |
| auditor_guid | No | String | Auditor GUID | 36 characters. If not specified, the department head is assigned by default. |
| audit_days | No | 32-bit integer | Audit due date | 1 to 365 days |
| employee_key_field | No | String | Employee number field | Up to 50 characters. If not specified, no auto audit request is sent. |
| alarm_group_guid | No | String | Alarm group GUID | 36 characters |
| field_order | No | String | Evidence field output order | Up to 2,000 characters |

Success Response

{}

Error Responses

Required argument is missing

HTTP status code 400

{
  "error_code": "null-argument",
  "error_msg": "schedule should be not null"
}
Invalid argument length

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "'address_field' must be shorter than or equal to 50 characters."
}
Invalid priority value

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "priority should be one of 'LOW', 'MEDIUM', 'HIGH'."
}
Identifier is not a valid GUID

HTTP status code 400

{
  "error_code": "invalid-param-type",
  "error_msg": "category_guid should be guid type."
}
CRON expression is not valid

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "schedule has wrong cron expression format: * * * * * *"
}
Neither dataset_guid nor query is specified

HTTP status code 400

{
  "error_code": "null-argument",
  "error_msg": "query should be not null"
}
Invalid date truncation unit value

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "datetrunc should be one of 1 (1 second), 60 (1 minute), 3600 (1 hour), 86400 (1 day)."
}
No privilege to create a batch rule (reported as HTTP 500 with error_msg "no-permission" rather than 403, so clients should check error_msg and not rely on the status code alone)

HTTP status code 500

{
  "error_code": "illegal-state",
  "error_msg": "no-permission"
}
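The request and error contract documented above, as a Python helper. This is an added example, not code from the page or from the product itself: it applies the constraints from the Request Parameters table client-side so a malformed rule fails before a round trip, percent-encodes the form body so the spaces, quotes and "|" in the query survive transport, and maps the documented error payloads (including the 500 "no-permission" case) to one exception type. The canonical 8-4-4-4-12 GUID form, the 5-field cron check, the lower bound of 0 for duration, the send(body) transport signature and the EXAMPLE_RULE dict are assumptions of this example; HOSTNAME and <API_KEY> are the page's own placeholders.

```python
"""Helper for POST /api/sonar/batch-rules: validate, encode, submit, decode errors."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Constraints copied from the Request Parameters table above.
PRIORITIES = ("LOW", "MEDIUM", "HIGH")
DATETRUNC_UNITS = (1, 60, 3600, 86400)
MAX_DURATION_SECONDS = 31536000  # 365 days
REQUIRED = ("priority", "name", "msg", "schedule")
GUID_FIELDS = ("guid", "category_guid", "dataset_guid", "address_group_guid", "ticket_repo_guid",
               "ticket_assignee_guid", "audit_category_guid", "auditor_guid", "alarm_group_guid")
LENGTH_LIMITS = {"name": (1, 255), "description": (0, 2000), "msg": (1, 2000), "query": (0, 65535),
                 "address_field": (0, 50), "suppress_key": (0, 2000), "employee_key_field": (0, 50),
                 "field_order": (0, 2000)}
# Assumption: the 36-character GUID is the canonical 8-4-4-4-12 hex form.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


class BatchRuleError(Exception):
    """A documented constraint violated locally, or an error_code returned by the server."""
    def __init__(self, code, msg):
        super().__init__(f"{code}: {msg}")
        self.code, self.msg = code, msg


def validate_batch_rule(params):
    """Check the documented constraints before sending; return every field as a wire string."""
    for key in REQUIRED:
        if params.get(key) in (None, ""):
            raise BatchRuleError("null-argument", f"{key} should be not null")
    if params["priority"] not in PRIORITIES:
        raise BatchRuleError("invalid-argument", "priority should be one of 'LOW', 'MEDIUM', 'HIGH'.")
    if len(params["schedule"].split()) != 5:  # assumption: 5-field cron, as in the page's examples
        raise BatchRuleError("invalid-argument", f"schedule has wrong cron expression format: {params['schedule']}")
    if not (params.get("dataset_guid") or params.get("query")):
        raise BatchRuleError("null-argument", "query should be not null")
    for key, (lo, hi) in LENGTH_LIMITS.items():
        if key in params and not lo <= len(params[key]) <= hi:
            raise BatchRuleError("invalid-argument", f"'{key}' must be {lo} to {hi} characters.")
    for key in GUID_FIELDS:
        if key in params and not GUID_RE.match(params[key]):
            raise BatchRuleError("invalid-param-type", f"{key} should be guid type.")
    if "datetrunc" in params and params["datetrunc"] not in DATETRUNC_UNITS:
        raise BatchRuleError("invalid-argument", "datetrunc should be one of 1, 60, 3600, 86400.")
    if "duration" in params and not 0 <= params["duration"] <= MAX_DURATION_SECONDS:
        raise BatchRuleError("invalid-argument", f"duration must not exceed {MAX_DURATION_SECONDS} seconds.")
    # Booleans travel as the literal strings true/false; everything else as str().
    return {k: (str(v).lower() if isinstance(v, bool) else str(v)) for k, v in params.items()}


def encode_form(fields):
    """Percent-encode the form body so '*', '|', '>=', quotes and spaces in the query survive."""
    return urllib.parse.urlencode(fields).encode("utf-8")


def parse_response(status, body):
    """Map the documented {} success or {error_code, error_msg} payload to a result or exception."""
    payload = json.loads(body) if body.strip() else {}
    if status == 200 and "error_code" not in payload:
        return payload
    code, msg = payload.get("error_code", f"http-{status}"), payload.get("error_msg", body)
    if code == "illegal-state" and msg == "no-permission":  # reported as 500, not 403
        msg = "the API key has no privilege to create a batch rule"
    raise BatchRuleError(code, msg)


def create_batch_rule(params, send):
    """Validate, encode and submit; send(body_bytes) -> (status, body_text) performs the HTTP call."""
    status, text = send(encode_form(validate_batch_rule(params)))
    return parse_response(status, text)


def urllib_sender(hostname, api_key):
    """Standard-library transport for create_batch_rule, equivalent to the curl request above."""
    def send(body):
        req = urllib.request.Request(
            f"https://{hostname}/api/sonar/batch-rules", data=body, method="POST",
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:  # 4xx/5xx bodies carry error_code/error_msg
            return err.code, err.read().decode("utf-8")
    return send


# Constructed example: the rule from the curl request above ($src_ip is the query's group-by key).
EXAMPLE_RULE = {
    "priority": "LOW", "name": "Scan web vulnerabilities", "schedule": "*/30 * * * *",
    "msg": "Scan web vulnerabilities: $src_ip",
    "query": ("table duration=30m weblog | search status >= 400 | stats count as error_count, "
              'dc(path) as page_count, values(concat(method, " ", path)) as request by src_ip '
              '| eval request = strjoin("\\n", request) | lof eps=0.1 error_count, page_count '
              "| search _lof > 1.5 | sort -_lof"),
}

if __name__ == "__main__":  # offline demo; use urllib_sender("HOSTNAME", "<API_KEY>") for a live call
    print("created:", create_batch_rule(EXAMPLE_RULE, lambda body: (200, "{}")))
```

A live call is create_batch_rule(EXAMPLE_RULE, urllib_sender("HOSTNAME", api_key)). Read the key from an environment variable or secrets store rather than the command line: the bearer token carries whatever batch-rule privileges the account holds, and a key passed as a curl argument ends up in shell history and process listings.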