Create Stream Rule
Creates a new stream rule.
Required Permissions
Requires the ADMIN role or higher.
HTTP Request
POST /api/sonar/stream-rules
cURL Example
curl -H "Authorization: Bearer <API_KEY>" \
     -d priority="HIGH" \
     -d name="Access to known botnet networks" \
     -d msg='Access to known botnet networks: $dst_ip' \
     -d schema_code="session" \
     -d commands='[{"template_id": 3, "query": "matchnet invert=t field=dst_ip guid=697393b6-aecf-4e9d-a32c-8724cd8f067e verify=f", "field_name": "dst_ip", "args": {"subnet": "697393b6-aecf-4e9d-a32c-8724cd8f067e"}}]' \
     -X POST \
     https://HOSTNAME/api/sonar/stream-rules
The msg value is single-quoted so that the shell passes the $dst_ip macro through literally instead of expanding it, and the commands value is written as strict JSON (double-quoted keys and strings), which is what the server's JSON syntax check expects.
Request Parameters
In the Required column, O marks a parameter that must be supplied and X marks an optional one.
| Key | Required | Type | Description | Note |
|---|---|---|---|---|
| priority | O | String | Priority | LOW or MEDIUM or HIGH. |
| guid | X | String | Stream rule GUID | 36 characters |
| name | O | String | Stream rule name | Minimum 1 to maximum 255 characters |
| description | X | String | Stream rule description | Maximum 2,000 characters |
| msg | O | String | Message template | Minimum 1 to maximum 2,000 characters |
| enabled | X | Boolean | Whether the stream rule is enabled or not | true or false |
| category_guid | X | String | Stream rule category GUID | 36 characters |
| schema_code | O | String | Log schema code | Minimum 1 to maximum 50 characters |
| logger_guids | O | Array | Logger GUID list | |
| commands | O | Array | List of stream rules | At least one command required. Refer to the below description. |
| address_group_guid | X | String | Address group GUID | 36 characters |
| address_field | X | String | Address field | Address group field name. Maximum 50 characters. |
| ticket_issue_cond | X | String | Ticket issuance condition | One of NEVER, ETIR_THRESHOLD, ALWAYS |
| ticket_repo_guid | X | String | Ticket repository GUID | Required when ticket_issue_cond is not NEVER. 36 characters |
| ticket_assignee_guid | X | String | Ticket assignee GUID | If specified, ticket is assigned automatically. |
| ticket_suppress_interval | X | 32-bit integer | Suppression period for duplicate tickets (in seconds) | If set to 0 or not specified, duplicate tickets are not merged. |
| event_suppress_interval | X | 32-bit integer | Suppression period for duplicate events (in seconds) | If set to 0 or not specified, duplicate events are not merged. |
| suppress_key | X | String | Suppress key field | Maximum 2,000 characters. Macro in $field format available. |
| keep_alive | X | Boolean | Whether to keep the suppression timer alive | true to keep the timer alive, false to reset it. |
| audit_category_guid | X | String | Audit category GUID | 36 characters. If not specified, an auto audit request is not sent. |
| reviewer_guid | X | String | Reviewer GUID | 36 characters |
| auditor_guid | X | String | Auditor GUID | 36 characters. If not specified, the department head is assigned as default. |
| audit_days | X | 32-bit integer | Audit due date | Minimum 1 to maximum 365 days |
| employee_key_field | X | String | Employee number field | Maximum 50 characters. If not specified, an auto audit request is not sent. |
| alarm_group_guid | X | String | Alarm group GUID | 36 characters |
| field_order | X | String | Evidence field output order | Maximum 2,000 characters |
| user_note | X | String | Explanation request message | Maximum 2,000 characters |
| mitre_techniques | X | String List | MITRE ATT&CK technique ID | Comma-separated IDs. Related tactics are automatically included. |
| mitre_tactics | X | String List | MITRE ATT&CK tactic ID | Comma-separated IDs. Used when specifying tactics only. |
| signature_app | X | String | Signature app name | |
Each array element in commands is defined as follows:
| Key | Required | Type | Description | Note |
|---|---|---|---|---|
| template_id | O | 32-bit integer | Stream rule command template ID | |
| query | O | String | Query string portion | |
| field_name | X | String | Target field name | |
| args | X | Map | Argument key/value | |
| invert | X | Boolean | Whether to use the invert match option | |
Success Response
{}
Error Responses
Required argument is missing
HTTP status code 400
{
"error_code": "null-argument",
"error_msg": "schema_code should be not null"
}
Invalid argument length
HTTP status code 400
{
"error_code": "invalid-argument",
"error_msg": "'schema_code' must be shorter than or equal to 50 characters."
}
Invalid priority value
HTTP status code 400
{
"error_code": "invalid-argument",
"error_msg": "priority should be one of 'LOW', 'MEDIUM', 'HIGH'."
}
Identifier is not in valid GUID format
HTTP status code 400
{
"error_code": "invalid-param-type",
"error_msg": "category_guid should be guid type."
}
List of stream rules is not in valid JSON format
HTTP status code 400
{
"error_code": "invalid-argument",
"error_msg": "'commands' parameter should follow valid JSON syntax"
}
Log schema is not found
HTTP status code 500
{
"error_code": "illegal-state",
"error_msg": "schema not found: unknown"
}
No privilege to create a stream rule
HTTP status code 500
{
"error_code": "illegal-state",
"error_msg": "no-permission"
}
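The following Python helper is an added example, not part of this documentation or the product's own client: it applies the constraints from the parameter tables above before a request is sent (so the 400-class errors listed here are caught locally) and encodes the body with commands as strict JSON. It assumes that logger_guids is accepted as a JSON array in the same way commands is (the page does not show its encoding), and that the hostname and API key are placeholders supplied by the caller.

```python
"""Added example (not part of this documentation): validate a stream-rule request
client-side, mirroring the server's 400 errors, then encode it as a form body."""
import json, re, urllib.parse

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
PRIORITIES = ("LOW", "MEDIUM", "HIGH")
TICKET_CONDS = ("NEVER", "ETIR_THRESHOLD", "ALWAYS")
REQUIRED = ("priority", "name", "msg", "schema_code", "logger_guids", "commands")
MAX_LEN = {"name": 255, "description": 2000, "msg": 2000, "schema_code": 50, "address_field": 50,
           "suppress_key": 2000, "employee_key_field": 50, "field_order": 2000, "user_note": 2000}
GUID_KEYS = ("guid", "category_guid", "address_group_guid", "ticket_repo_guid", "ticket_assignee_guid",
             "audit_category_guid", "reviewer_guid", "auditor_guid", "alarm_group_guid")

def validate(params):
    """Return the problems the server would reject with HTTP 400 (empty list = OK)."""
    problems = [f"{k} should be not null" for k in REQUIRED if not params.get(k)]
    if params.get("priority") not in PRIORITIES:
        problems.append("priority should be one of 'LOW', 'MEDIUM', 'HIGH'.")
    for k, limit in MAX_LEN.items():
        if k in params and len(params[k]) > limit:
            problems.append(f"'{k}' must be shorter than or equal to {limit} characters.")
    for k in GUID_KEYS:
        if k in params and not GUID_RE.match(str(params[k])):
            problems.append(f"{k} should be guid type.")
    cond = params.get("ticket_issue_cond", "NEVER")
    if cond not in TICKET_CONDS:
        problems.append("ticket_issue_cond should be one of NEVER, ETIR_THRESHOLD, ALWAYS")
    elif cond != "NEVER" and "ticket_repo_guid" not in params:
        problems.append("ticket_repo_guid is required when ticket_issue_cond is not NEVER")
    for i, cmd in enumerate(params.get("commands") or []):
        if not isinstance(cmd.get("template_id"), int) or not cmd.get("query"):
            problems.append(f"commands[{i}] needs an integer template_id and a query")
    return problems

def build_request(hostname, api_key, params):
    """Return (url, headers, body). Lists/dicts go as strict JSON text (assumption:
    logger_guids is accepted as JSON like commands); booleans as 'true'/'false'."""
    problems = validate(params)
    if problems:
        raise ValueError("; ".join(problems))
    form = {}
    for k, v in params.items():
        if isinstance(v, (list, dict)):
            v = json.dumps(v)  # double-quoted JSON, not the single-quoted Python repr
        elif isinstance(v, bool):
            v = "true" if v else "false"
        form[k] = v  # msg stays literal, so "$dst_ip" reaches the server as a macro
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{hostname}/api/sonar/stream-rules", headers, urllib.parse.urlencode(form).encode()
```

Pass the returned tuple to urllib.request or requests to perform the actual POST; a ValueError lists every constraint the request would have violated.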