Create Stream Rule

Creates a new stream rule.

HTTP Request

POST /api/sonar/stream-rules

Request using cURL

curl -H "Authorization: Bearer <API_KEY>" \
     -d priority="HIGH" \
     --data-urlencode name="Access to known botnet networks" \
     --data-urlencode msg='Access to known botnet networks: $dst_ip' \
     -d schema_code="session" \
     --data-urlencode commands='[{"template_id": 3, "query": "matchnet invert=t field=dst_ip guid=697393b6-aecf-4e9d-a32c-8724cd8f067e verify=f", "field_name": "dst_ip", "args": {"subnet": "697393b6-aecf-4e9d-a32c-8724cd8f067e"}}]' \
     -X POST \
     https://HOSTNAME/api/sonar/stream-rules

The msg value is single-quoted so that the shell passes the $dst_ip macro through literally instead of expanding it, commands is sent as a JSON array, and --data-urlencode encodes the spaces and symbols in those values for the form body.
Request Parameters

In the Required column, O means the parameter is required and X means it is optional.

Key | Required | Type | Description | Note
--- | --- | --- | --- | ---
priority | O | String | Priority | LOW or MEDIUM or HIGH.
guid | X | String | Stream rule GUID | 36 characters
name | O | String | Stream rule name | Minimum 1 to maximum 255 characters
description | X | String | Stream rule description | Maximum 2,000 characters
msg | O | String | Message template | Minimum 1 to maximum 2,000 characters
enabled | X | Boolean | Whether the stream rule is enabled or not | true or false
category_guid | X | String | Stream rule category GUID | 36 characters
schema_code | O | String | Log schema code | Minimum 1 to maximum 50 characters
logger_guids | O | Array | Logger GUID list |
commands | O | Array | List of stream rule commands | At least one command required. Refer to the description below.
address_group_guid | X | String | Address group GUID | 36 characters
address_field | X | String | Address field | Address group field name. Maximum 50 characters.
ticket_repo_guid | X | String | Ticket repository GUID | 36 characters. If not specified, a ticket is not generated.
ticket_assignee_guid | X | String | Ticket assignee GUID | If specified, the ticket is assigned automatically.
ticket_suppress_interval | X | 32-bit integer | Suppression period for duplicated tickets (in seconds) | If set to 0 or not specified, duplicate tickets are not merged.
event_suppress_interval | X | 32-bit integer | Suppression period for duplicated events (in seconds) | If set to 0 or not specified, duplicate events are not merged.
suppress_key | X | String | Suppress key field | Maximum 2,000 characters. Macros in $field format are available.
keep_alive | X | Boolean | Whether to keep the suppression timer alive | true to keep the timer alive, false to reset it.
audit_category_guid | X | String | Audit category GUID | 36 characters. If not specified, an auto audit request is not sent.
auditor_guid | X | String | Auditor GUID | 36 characters. If not specified, the department head is assigned by default.
audit_days | X | 32-bit integer | Audit due date | Minimum 1 to maximum 365 days
employee_key_field | X | String | Employee number field | Maximum 50 characters. If not specified, an auto audit request is not sent.
alarm_group_guid | X | String | Alarm group GUID | 36 characters
field_order | X | String | Evidence field output order | Maximum 2,000 characters

Each array element in commands is defined as follows:

Key | Required | Type | Description | Note
--- | --- | --- | --- | ---
template_id | O | 32-bit integer | Stream rule command template ID |
query | O | String | Query string portion |
field_name | X | String | Target field name |
args | X | Map | Argument key/value |
invert | X | Boolean | Whether to use an invert match option |
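As an added example that is not part of this page or of the product's own client code, the following Python builds the same request as the cURL call above, applies the documented parameter constraints before anything is sent, and shows what the server sees after form and JSON decoding. The hostname and API key are placeholders; the sample rule reuses the page's own example values.

```python
import json
import re
from urllib.parse import parse_qs, urlencode
from urllib.request import Request

PRIORITIES = ("LOW", "MEDIUM", "HIGH")
LIMITS = {"name": 255, "msg": 2000, "schema_code": 50, "description": 2000, "suppress_key": 2000}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")  # 36 characters

def validate(params):
    """Return the error messages the API documents, or [] when the request is well formed."""
    errors = []
    for key in ("priority", "name", "msg", "schema_code", "commands"):
        if not params.get(key):  # missing, empty string or empty command list
            errors.append(f"{key} should be not null")
    if params.get("priority") and params["priority"] not in PRIORITIES:
        errors.append("priority should be one of 'LOW', 'MEDIUM', 'HIGH'.")
    for key, limit in LIMITS.items():
        if len(params.get(key, "")) > limit:
            errors.append(f"'{key}' must be shorter than or equal to {limit} characters.")
    for key, value in params.items():
        if (key == "guid" or key.endswith("_guid")) and not GUID_RE.match(str(value)):
            errors.append(f"{key} should be guid type.")
    for cmd in params.get("commands") or []:
        if not isinstance(cmd.get("template_id"), int) or not cmd.get("query"):
            errors.append("each command needs an integer template_id and a query")
    return errors

def build_request(host, api_key, params):
    """Form-encode the parameters as the cURL example does; commands travels as a JSON string."""
    if errors := validate(params):
        raise ValueError("; ".join(errors))
    form = {k: (json.dumps(v) if k == "commands" else v) for k, v in params.items()}
    return Request(f"https://{host}/api/sonar/stream-rules", method="POST",
                   data=urlencode(form).encode(),
                   headers={"Authorization": f"Bearer {api_key}"})

def decode_form(req):
    """Inverse of build_request: what the server will see after form and JSON decoding."""
    fields = {k: v[0] for k, v in parse_qs(req.data.decode()).items()}
    fields["commands"] = json.loads(fields["commands"])
    return fields

SAMPLE_RULE = {  # constructed from the page's cURL request; the GUID is the page's own value
    "priority": "HIGH", "name": "Access to known botnet networks", "schema_code": "session",
    "msg": "Access to known botnet networks: $dst_ip",  # $dst_ip is a message macro, not a shell variable
    "commands": [{"template_id": 3, "field_name": "dst_ip",
                  "query": "matchnet invert=t field=dst_ip guid=697393b6-aecf-4e9d-a32c-8724cd8f067e verify=f",
                  "args": {"subnet": "697393b6-aecf-4e9d-a32c-8724cd8f067e"}}],
}
```

Note that the no-permission and schema-not-found responses documented below come back as HTTP 500 with error_code illegal-state, so a caller has to inspect error_msg rather than treating every 500 as a transient server fault to retry.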

Success Response

{}

Error Responses

Required argument is missing

HTTP status code 400

{
  "error_code": "null-argument",
  "error_msg": "schema_code should be not null"
}

Invalid argument length

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "'schema_code' must be shorter than or equal to 50 characters."
}

Invalid priority value

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "priority should be one of 'LOW', 'MEDIUM', 'HIGH'."
}

Identifier is not in valid GUID format

HTTP status code 400

{
  "error_code": "invalid-param-type",
  "error_msg": "category_guid should be guid type."
}

List of stream rule commands is not in valid JSON format

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "'commands' parameter should follow valid JSON syntax"
}

Log schema is not found

HTTP status code 500

{
  "error_code": "illegal-state",
  "error_msg": "schema not found: unknown"
}

No privilege to create a stream rule

HTTP status code 500

{
  "error_code": "illegal-state",
  "error_msg": "no-permission"
}