Get Batch Rules

Returns a paged list of batch rules, optionally filtered by a search keyword.

HTTP Request

GET /api/sonar/batch-rules
Request using cURL
curl -H "Authorization: Bearer <API_KEY>" \
     https://HOSTNAME/api/sonar/batch-rules
Request Parameters

Key       Required  Type            Description                        Note
offset    X         32-bit integer  Number of records to skip          Default: 0
limit     X         32-bit integer  Maximum number of records to load  If not specified, all records are loaded
keywords  X         String          Search keywords                    Matched against name, description and query target

Success Response

Below is an example response. The rules array holds only the page selected by offset and limit; total_count gives the size of the full match set.

{
  "total_count": 1,
  "rules": [
    {
      "guid": "f4ca02c8-0679-49e7-8c10-76667c26b595",
      "priority": "LOW",
      "name": "DMZ port scan",
      "description": "",
      "msg": "DMZ port scan: $src_ip",
      "enabled": false,
      "category_guid": "8270a382-a47c-401d-9318-037c5d639f2e",
      "category_name": "Information gathering",
      "schedule": "*/10 * * * *",
      "duration": null,
      "datetrunc": null,
      "dataset_guid": null,
      "dataset_name": null,
      "query": "table duration=30m FW_*\n| fields _time, _schema, src_ip, src_port, dst_ip, dst_port, protocol, app, action, sent_pkts, rcvd_pkts, sent_bytes, rcvd_bytes\n| search _schema == \"session\" and protocol == \"TCP\" and sent_bytes <= 200\n| lookup geoip src_ip output country as src_country\n| lookup geoip dst_ip output country as dst_country\n| search src_country != \"--\"\n| eval _time = datetrunc(_time, \"10m\") \n| stats dc(dst_port) as port_count, values(dst_port) as dst_port by src_ip, dst_ip, _time \n| search port_count >= 10 \n| explode dst_port \n| eval protocol = \"TCP\" \n| order _time, host_count, src_ip, dst_ip, dst_port, protocol",
      "address_group_guid": null,
      "address_field": null,
      "ticket_repo_guid": null,
      "ticket_assignee_guid": null,
      "ticket_assignee_name": null,
      "ticket_suppress_interval": 3600,
      "event_suppress_interval": 0,
      "suppress_key": null,
      "keep_alive": false,
      "audit_category_guid": null,
      "audit_category_name": null,
      "auditor_guid": null,
      "auditor_name": null,
      "audit_days": 14,
      "employee_key_field": null,
      "alarm_group_guid": null,
      "alarm_group_name": null,
      "field_order": "_time, host_count, src_ip, dst_ip, dst_port, protocol",
      "company_guid": "6fbe27b7-f1ae-4d7a-a1a5-76d8fa9aa311",
      "company_name": null,
      "user_guid": "ffaf431b-653a-4329-8f83-913cbb00342d",
      "user_name": "Administrator",
      "created": "2022-09-01 00:31:15+0900",
      "updated": "2022-09-01 00:31:15+0900"
    }
  ]
}
  • total_count (32-bit integer): Total number of batch rules that match the search keyword, regardless of paging.
  • rules (Array): Paged list of batch rules
    • priority (String): LOW, MEDIUM or HIGH
    • guid (String): Batch Rule GUID
    • name (String): Batch Rule name
    • description (String): Batch rule description
    • msg (String): Message template. Macro in the $field format available.
    • enabled (Boolean): Whether the rule is enabled or not
    • category_guid (String): Batch rule category GUID
    • category_name (String): Batch rule category name
    • schedule (String): Execution schedule in CRON schedule format
    • duration (32-bit integer): Time window of the data to be analyzed, counted back from the current time (in seconds). The value is used to derive the from and to parameters of the query.
    • datetrunc (32-bit integer): Date truncation unit (in seconds) applied to the from and to parameters of the query.
    • dataset_guid (String): Dataset GUID
    • dataset_name (String): Dataset name
    • address_group_guid (String): Address group GUID
    • address_field (String): Target fields to add to the address group
    • ticket_repo_guid (String): Ticket repository GUID
    • ticket_assignee_guid (String): Ticket assignee GUID
    • ticket_assignee_name (String): Ticket assignee name
    • ticket_suppress_interval (32-bit integer): Suppression period for duplicate tickets (in seconds)
    • event_suppress_interval (32-bit integer): Suppression period for duplicate events (in seconds)
    • suppress_key (String): Suppress key field. Macro in the $field format available.
    • keep_alive (Boolean): true to keep the suppression timer running, false to reset it.
      Note
      While the suppression timer is kept alive, new events are merged into the existing ticket until the timer expires, even if a user has already completed that ticket.
    • audit_category_guid (String): Audit category GUID
    • audit_category_name (String): Audit category name
    • auditor_guid (String): Auditor GUID. If not specified, the department head is assigned as default.
    • auditor_name (String): Auditor name. If not specified, the department head is assigned as default.
    • audit_days (32-bit integer): Audit due date (days)
    • employee_key_field (String): Employee number field. Typically using a normalized emp_key field.
    • alarm_group_guid (String): Alarm group GUID
    • alarm_group_name (String): Alarm group name
    • field_order (String): Evidence file output order. Comma-separated list of field names.
    • company_guid (String): GUID of the company (tenant) to which the batch rule belongs
    • company_name (String): Name of the company (tenant) to which the batch rule belongs
    • user_guid (String): GUID of the user who created the batch rule
    • user_name (String): Name of the user who created the batch rule
    • created (String): Date and time of creation (yyyy-MM-dd HH:mm:ssZ)
    • updated (String): Date and time of last modification (yyyy-MM-dd HH:mm:ssZ)

Error Responses

offset or limit value is not an integer (the error_msg names the offending parameter)

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "'offset' parameter should be int type"
}
offset or limit value is negative

HTTP status code 400

{
  "error_code": "invalid-argument",
  "error_msg": "'offset' must be greater than or equal to 0."
}
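As an added example that is not part of the original documentation or the product's own client code, the following Python script pages through every batch rule using the offset, limit and keywords parameters above, surfaces the 400 invalid-argument responses, and then runs the inventory check a detection engineer usually wants on a rule export: which rules are disabled, and which enabled rules have neither an alarm group nor a ticket repository attached. The hostname, API key, the fake_fetch transport and SAMPLE_RULES are constructed stand-ins so the script runs offline; the assumption that a rule without alarm_group_guid or ticket_repo_guid notifies nobody is the author's, not something the page states.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def build_request(base_url, api_key, offset=0, limit=None, keywords=None):
    """Build GET /api/sonar/batch-rules with the documented query parameters.

    Rejects non-integer or negative offset/limit locally, mirroring the
    server's 400 invalid-argument responses, so bad input never leaves the host.
    """
    for name, value in (("offset", offset), ("limit", limit)):
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"'{name}' parameter should be int type")
        if value < 0:
            raise ValueError(f"'{name}' must be greater than or equal to 0.")
    params = {"offset": offset}
    if limit is not None:
        params["limit"] = limit
    if keywords:
        params["keywords"] = keywords
    url = base_url.rstrip("/") + "/api/sonar/batch-rules?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})


def http_fetch(base_url, api_key):
    """Return a fetch(offset, limit, keywords) callable backed by urllib.

    A 400 from the server is turned into a RuntimeError carrying the
    documented error_code/error_msg fields instead of a bare HTTPError.
    """
    def fetch(offset, limit, keywords):
        req = build_request(base_url, api_key, offset, limit, keywords)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as exc:
            body = exc.read().decode("utf-8", "replace")
            try:
                err = json.loads(body)
            except ValueError:
                raise RuntimeError(f"HTTP {exc.code}: {body}") from exc
            raise RuntimeError(
                f"HTTP {exc.code} {err.get('error_code')}: {err.get('error_msg')}") from exc
    return fetch


def iter_batch_rules(fetch, page_size=100, keywords=None):
    """Yield every matching rule, advancing offset by the page size until
    total_count is reached (or the server returns an empty page)."""
    offset = 0
    while True:
        page = fetch(offset, page_size, keywords)
        rules = page.get("rules", [])
        yield from rules
        offset += len(rules)
        if not rules or offset >= page.get("total_count", 0):
            return


def find_silent_rules(rules):
    """Inventory check: disabled rules, and enabled rules with no alarm group
    and no ticket repository (assumed here to mean nobody is notified)."""
    disabled = [r["guid"] for r in rules if not r.get("enabled")]
    no_destination = [r["guid"] for r in rules
                      if r.get("enabled")
                      and not (r.get("alarm_group_guid") or r.get("ticket_repo_guid"))]
    return {"disabled": disabled, "no_destination": no_destination}


# Constructed sample data standing in for the API (not real rules). The first
# entry mirrors the documented response; the other two are made up.
SAMPLE_RULES = [
    {"guid": "f4ca02c8-0679-49e7-8c10-76667c26b595", "name": "DMZ port scan",
     "enabled": False, "alarm_group_guid": None, "ticket_repo_guid": None},
    {"guid": "rule-2", "name": "Brute-force login", "enabled": True,
     "alarm_group_guid": "ag-1", "ticket_repo_guid": None},
    {"guid": "rule-3", "name": "Beaconing", "enabled": True,
     "alarm_group_guid": None, "ticket_repo_guid": None},
]


def fake_fetch(offset, limit, keywords=None):
    """Offline stand-in for http_fetch: same offset/limit semantics as the
    endpoint; keyword matching is simplified to the rule name only."""
    build_request("https://HOSTNAME", "dummy-key", offset, limit, keywords)  # same validation
    hits = [r for r in SAMPLE_RULES
            if not keywords or keywords.lower() in r["name"].lower()]
    end = len(hits) if limit is None else offset + limit
    return {"total_count": len(hits), "rules": hits[offset:end]}


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch("https://HOSTNAME", "<API_KEY>") against a real server.
    rules = list(iter_batch_rules(fake_fetch, page_size=2))
    print(json.dumps(find_silent_rules(rules), indent=2))
```

Keep page_size well below the full rule count on large tenants: omitting limit makes the server return every rule in one response, which is convenient for a one-off export but a poor default for a scheduled job.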