Update Stream Rule

Updates a specified stream rule.

HTTP Request

PUT /api/sonar/stream-rules/:guid
Request using cURL
curl -H "Authorization: Bearer <API_KEY>" \
     -d priority="MEDIUM" \
     -d name="Access to known botnet networks" \
     -d msg='Access to known botnet networks: $dst_ip' \
     -d schema_code="session" \
     -d commands='[{"template_id": 3, "query": "matchnet invert=t field=dst_ip guid=697393b6-aecf-4e9d-a32c-8724cd8f067e verify=f", "field_name": "dst_ip", "args": {"subnet": "697393b6-aecf-4e9d-a32c-8724cd8f067e"}}]' \
     -X PUT \
     https://HOSTNAME/api/sonar/stream-rules/5a6b63f0-87d5-49c4-a5a1-94da4141b2f5
Request Parameters

Required: O = required, X = optional.

Key | Required | Type | Description | Note
--- | --- | --- | --- | ---
priority | O | String | Priority | LOW or MEDIUM or HIGH
guid | O | String | Stream rule GUID | 36 characters
name | O | String | Stream rule name | Minimum 1 to maximum 255 characters
description | X | String | Stream rule description | Maximum 2,000 characters
msg | O | String | Message template | Minimum 1 to maximum 2,000 characters
enabled | X | Boolean | Whether the rule is enabled or not | true or false
category_guid | X | String | Stream rule category GUID | 36 characters
schema_code | O | String | Log schema code | Minimum 1 to maximum 50 characters
logger_guids | O | Array | Logger GUID list |
commands | O | Array | List of stream rule commands | At least 1 command required. Refer to the description below.
address_group_guid | X | String | Address group GUID | 36 characters
address_field | X | String | Address field | Address group field name. Maximum 50 characters.
ticket_repo_guid | X | String | Ticket repository GUID | 36 characters. If not specified, a ticket is not generated.
ticket_assignee_guid | X | String | Ticket assignee GUID | If specified, the ticket is assigned automatically.
ticket_suppress_interval | X | 32-bit integer | Suppression period for duplicate tickets, in seconds | If set to 0 or not specified, duplicate tickets are not merged.
event_suppress_interval | X | 32-bit integer | Suppression period for duplicate events, in seconds | If set to 0 or not specified, duplicate events are not merged.
suppress_key | X | String | Suppress key field | Macro in $field format available. Maximum 2,000 characters
keep_alive | X | Boolean | Whether to keep the suppression timer alive | true to keep the timer alive, false to reset it.
audit_category_guid | X | String | Audit category GUID | 36 characters. If not specified, an auto audit request is not sent.
auditor_guid | X | String | Auditor GUID | 36 characters. If not specified, the department head is assigned by default.
audit_days | X | 32-bit integer | Audit due date | Minimum 1 to maximum 365 days
employee_key_field | X | String | Employee number field | Maximum 50 characters. If not specified, an auto audit request is not sent.
alarm_group_guid | X | String | Alarm group GUID | 36 characters
field_order | X | String | Evidence field output order | Maximum 2,000 characters

Each array element in commands is as follows:

Key | Required | Type | Description | Note
--- | --- | --- | --- | ---
template_id | O | 32-bit integer | Stream rule command template ID |
query | O | String | Query string portion |
field_name | X | String | Target field name |
args | X | Map | Argument key/value |
invert | X | Boolean | Whether to use an invert match option |

Success Response

{}

Error Responses

Required argument is missing

HTTP status code 400

{
    "error_code": "null-argument",
    "error_msg": "schema_code should be not null"
}
Invalid argument length

HTTP status code 400

{
    "error_code": "invalid-argument",
    "error_msg": "'schema_code' must be shorter than or equal to 50 characters."
}
Invalid priority value

HTTP status code 400

{
    "error_code": "invalid-argument",
    "error_msg": "priority should be one of 'LOW', 'MEDIUM', 'HIGH'."
}
Identifier is not in valid GUID format

HTTP status code 400

{
    "error_code": "invalid-param-type",
    "error_msg": "category_guid should be guid type."
}
List of stream rule commands is not in valid JSON format

HTTP status code 400

{
    "error_code": "invalid-argument",
    "error_msg": "'commands' parameter should follow valid JSON syntax"
}
Stream rule is not found

HTTP status code 500

{
    "error_code": "illegal-state",
    "error_msg": "stream rule not found: 9071a6fe-6b91-4448-9761-7123381cb026"
}
Log schema is not found

HTTP status code 500

{
    "error_code": "illegal-state",
    "error_msg": "schema not found: unknown"
}
No privilege to create a stream rule

HTTP status code 500

{
    "error_code": "illegal-state",
    "error_msg": "no-permission"
}
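As an added example (not code from this page or from the product's own SDK), a small Python client that checks a request against the parameter table before sending the PUT, encodes the array fields as JSON strings the way the cURL request does, and turns the error responses listed above into a caller-side decision. The hostname and API key are placeholders, and the check_params rules are a client-side mirror of the documented limits, not the server's own validation.

```python
import json
import re
import urllib.parse
import urllib.request

REQUIRED = ("priority", "name", "msg", "schema_code", "commands")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")
LIMITS = {"name": (1, 255), "msg": (1, 2000), "schema_code": (1, 50), "description": (0, 2000)}
GUID_KEYS = ("category_guid", "address_group_guid", "ticket_repo_guid", "alarm_group_guid")

def check_params(params):
    """Return the reasons the server would reject this request (empty list means it looks valid)."""
    problems = [f"{k} should be not null" for k in REQUIRED if k not in params]
    if "priority" in params and params["priority"] not in ("LOW", "MEDIUM", "HIGH"):
        problems.append("priority should be one of 'LOW', 'MEDIUM', 'HIGH'")
    for key, (lo, hi) in LIMITS.items():
        if key in params and not lo <= len(params[key]) <= hi:
            problems.append(f"'{key}' must be between {lo} and {hi} characters")
    problems += [f"{k} should be guid type" for k in GUID_KEYS if k in params and not GUID_RE.match(params[k])]
    commands = params.get("commands") or []
    if "commands" in params and not commands:
        problems.append("at least 1 command required")
    problems += ["each command needs template_id (int) and query (string)" for c in commands
                 if not isinstance(c.get("template_id"), int) or not c.get("query")]
    return problems

def build_update_body(params):
    """Validate, then encode: array fields (commands, logger_guids) travel as JSON strings in the form body."""
    if problems := check_params(params):
        raise ValueError("; ".join(problems))
    return {k: json.dumps(v) if k in ("commands", "logger_guids") else v for k, v in params.items()}

def classify_error(status, payload):
    """Map an error response body to the action a caller should take."""
    msg = payload.get("error_msg", "")
    if status == 400:  # null-argument, invalid-argument, invalid-param-type: the request itself is wrong
        return "fix-request"
    if msg == "no-permission":
        return "no-permission"
    return "not-found" if "not found" in msg else "unknown"

def build_request(host, api_key, guid, params):
    """Build the PUT; send it with urllib.request.urlopen and feed HTTPError bodies to classify_error."""
    if not GUID_RE.match(guid):  # the path parameter is also a 36-character GUID
        raise ValueError("guid should be guid type")
    data = urllib.parse.urlencode(build_update_body(params)).encode()
    req = urllib.request.Request(f"https://{host}/api/sonar/stream-rules/{guid}", data=data, method="PUT")
    req.add_header("Authorization", f"Bearer {api_key}")  # keep the key out of logs and shell history
    return req
```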