Get Batch Rule

Gets a specified batch rule.

HTTP Request

GET /api/sonar/batch-rules/:guid
cURL Example
curl -H "Authorization: Bearer <API_KEY>" \
     https://HOSTNAME/api/sonar/batch-rules/f4ca02c8-0679-49e7-8c10-76667c26b595
Request Parameter
Path Parameters
KeyTypeDescriptionNote
guidStringBatch rule GUID36 characters

Success Response

Below is a partial list of batch rules.

{
  "rule": {
    "guid": "f4ca02c8-0679-49e7-8c10-76667c26b595",
    "priority": "LOW",
    "name": "DMZ 포트 스캔",
    "description": "",
    "msg": "DMZ 포트 스캔: $src_ip",
    "enabled": false,
    "category_guid": "8270a382-a47c-401d-9318-037c5d639f2e",
    "category_name": "정보 수집",
    "schedule": "*/10 * * * *",
    "duration": null,
    "datetrunc": null,
    "dataset_guid": null,
    "dataset_name": null,
    "query": "table duration=30m FW_*\n| fields _time, _schema, src_ip, src_port, dst_ip, dst_port, protocol, app, action, sent_pkts, rcvd_pkts, sent_bytes, rcvd_bytes\n| search _schema == \"session\" and protocol == \"TCP\" and sent_bytes <= 200\n| lookup geoip src_ip output country as src_country\n| lookup geoip dst_ip output country as dst_country\n| search src_country != \"--\"\n| eval _time = datetrunc(_time, \"10m\") \n| stats dc(dst_port) as port_count, values(dst_port) as dst_port by src_ip, dst_ip, _time \n| search port_count >= 10 \n| explode dst_port \n| eval protocol = \"TCP\" \n| order _time, host_count, src_ip, dst_ip, dst_port, protocol",
    "address_group_guid": null,
    "address_field": null,
    "ticket_repo_guid": null,
    "ticket_assignee_guid": null,
    "ticket_assignee_name": null,
    "ticket_suppress_interval": 3600,
    "event_suppress_interval": 0,
    "suppress_key": null,
    "keep_alive": false,
    "audit_category_guid": null,
    "audit_category_name": null,
    "auditor_guid": null,
    "auditor_name": null,
    "audit_days": 14,
    "employee_key_field": null,
    "alarm_group_guid": null,
    "alarm_group_name": null,
    "field_order": "_time, host_count, src_ip, dst_ip, dst_port, protocol",
    "company_guid": "6fbe27b7-f1ae-4d7a-a1a5-76d8fa9aa311",
    "company_name": "로그프레소",
    "user_guid": "ffaf431b-653a-4329-8f83-913cbb00342d",
    "user_name": "관리자",
    "created": "2022-09-01 00:31:15+0900",
    "updated": "2022-09-01 00:31:15+0900"
  }
}
  • rule (Map): Batch rule
    • priority (String): LOW, MEDIUM, HIGH
    • guid (String): Batch rule GUID
    • name (String): Batch rule name
    • description (String): Batch rule description
    • msg (String): Message template. Macro in the $field format available.
    • enabled (Boolean): Whether the rule is enabled or not
    • category_guid (String): Batch rule category GUID
    • category_name (String): Batch rule category name
    • schedule (String): Execution schedule in CRON schedule format
    • duration (32-bit integer): Time window of the data to be analyzed, based on the current time (in seconds). The value is passed to the from and to parameters of the query.
    • datetrunc (32-bit integer): Date truncation unit (in seconds). Date truncation unit for the from, to parameters of the query.
    • dataset_guid (String): Dataset GUID
    • dataset_name (String): Dataset name
    • address_group_guid (String): Address group GUID
    • address_field (String): Target field to add to the address group
    • ticket_repo_guid (String): Ticket repository GUID
    • ticket_assignee_guid (String): Ticket assignee GUID
    • ticket_assignee_name (String): Ticket assignee name
    • ticket_suppress_interval (32-bit integer): Suppression period for duplicated ticket in seconds (in seconds)
    • event_suppress_interval (32-bit integer): Suppression period for duplicated event in seconds (in seconds)
    • suppress_key (String): Suppress key field. Macro in the $field format available.
    • keep_alive (Boolean): true to keep the timer alive, false to reset it.
      Note
      When keeping the suppression timer, even if a user completes the ticket, the event will be merged into the existing ticket until the expiration time is reached.
    • audit_category_guid (String): Audit category GUID
    • audit_category_name (String): Audit category name
    • auditor_guid (String): Auditor GUID. If not specified, the department head is assigned as default.
    • auditor_name (String): Auditor name. If not specified, the department head is assigned as default.
    • audit_days (32-bit integer): Audit due date (days)
    • employee_key_field (String): Employee number field. Typically using a normalized emp_key field.
    • alarm_group_guid (String): Alarm group GUID
    • alarm_group_name (String): Alarm group name
    • field_order (String): Evidence file output order. Comma-separated list of field names.
    • company_guid (String): GUID of the company (tenant) to which the batch rule belongs
    • company_name (String): Name of the company (tenant) to which the batch rule belongs
    • user_guid (String): GUID of the user who creates the batch rule
    • user_name (String): Name of the user who creates the batch rule
    • created (String): Date and time of creation (yyyy-MM-dd HH:mm:ssZ)
    • updated (String): Date and time of last modification (yyyy-MM-dd HH:mm:ssZ)

Error Responses

Error Responses

Batch rule is not found

HTTP status code 200

{
  "rule": null
}
Identifier is not in valid GUID format
{
  "error_code": "invalid-param-type",
  "error_msg": "guid should be guid type."
}