Get Stream Rule

Retrieves the details of the specified stream rule.

Required Permissions

Requires the MEMBER role or higher.

HTTP Request

GET /api/sonar/stream-rules/:guid

cURL Example

curl -H "Authorization: Bearer <API_KEY>" \
     https://HOSTNAME/api/sonar/stream-rules/3b05608f-8dd0-4218-9d6d-391515b6280d

Request Parameter

Key    Required  Type    Description       Note
guid   O         String  Stream rule GUID  36 characters

Success Response

{
  "rule": {
    "priority": "LOW",
    "guid": "3b05608f-8dd0-4218-9d6d-391515b6280d",
    "name": "Disabling Windows Firewall",
    "description": "(T1089) Disabling Security Tools\n(T1047) Windows Management Instrumentation ",
    "msg": "Disabling Windows Firewall: $primary_ip",
    "enabled": false,
    "category_guid": "aedc65d6-25ee-4d9e-9040-e21ebe823f8d",
    "category_name": "Evasion",
    "schema_code": "edr-process",
    "schema_name": "EDR Process",
    "source_type": "LOGGER",
    "logger_guids": [],
    "logger_names": [],
    "commands": [
      {
        "template_id": 1,
        "field_name": "",
        "args": {},
        "query": "search (lower(image) == \"*\\\\netsh.exe\" and lower(cmd_line) == \"*advfirewall*\" and lower(cmd_line) == \"*off*\") or (lower(image) == \"*\\\\netsh.exe\" and lower(cmd_line) == \"*firewall*\" and lower(cmd_line) == \"*disable*\")",
        "invert": false,
        "ordinal": 0
      }
    ],
    "address_group_guid": null,
    "address_group_name": null,
    "address_field": null,
    "ticket_issue_cond": "ALWAYS",
    "ticket_repo_guid": null,
    "ticket_repo_name": null,
    "ticket_assignee_guid": null,
    "ticket_assignee_name": null,
    "ticket_assignee_guids": [],
    "ticket_assignee_names": [],
    "ticket_suppress_interval": 3600,
    "event_suppress_interval": 0,
    "suppress_key": null,
    "blacklist_expire_minute": 0,
    "keep_alive": false,
    "mitre_techniques": [
      {
        "mitre_id": "T1089",
        "name": "Disabling Security Tools",
        "display_name": "Defense Evasion: Disabling Security Tools",
        "url": "https://attack.mitre.org/techniques/T1089/",
        "tactics": [
          {
            "mitre_id": "TA0005",
            "name": "Defense Evasion"
          }
        ]
      }
    ],
    "mitre_tactics": ["TA0005"],
    "audit_category_guid": null,
    "audit_category_name": null,
    "reviewer_guid": null,
    "reviewer_name": null,
    "auditor_guid": null,
    "auditor_name": null,
    "audit_days": 14,
    "employee_key_field": null,
    "user_note": null,
    "alarm_group_guid": null,
    "alarm_group_name": null,
    "field_order": "cmd_line, image",
    "company_guid": "6fbe27b7-f1ae-4d7a-a1a5-76d8fa9aa311",
    "company_name": "Logpresso",
    "user_guid": "ffaf431b-653a-4329-8f83-913cbb00342d",
    "user_name": "Admin",
    "signature_app": null,
    "app_code": null,
    "app_built_in": false,
    "version": 1,
    "created": "2022-09-01 00:31:15+0900",
    "updated": "2022-09-01 00:31:15+0900"
  }
}
  • rule (Map): Stream rule
    • priority (String): One of the following: LOW, MEDIUM, HIGH.
    • guid (String): Stream rule GUID
    • name (String): Stream rule name
    • description (String): Stream rule description
    • msg (String): Message template. Macros in the $field format are available.
    • enabled (Boolean): Whether the rule is enabled or not
    • category_guid (String): Stream rule category GUID
    • category_name (String): Stream rule category name
    • schema_code (String): Log schema code
    • schema_name (String): Log schema name
    • source_type (String): Source type. One of LOGGER or LOGGER_MODEL.
    • logger_guids (Array): Logger GUID list
    • logger_names (Array): Logger name list
    • commands (Array): List of stream rule commands
      • template_id (32-bit integer): Stream rule command template ID
      • field_name (String): Target field name
      • args (Map): Argument key/value pairs
      • query (String): Query string with arguments
      • invert (Boolean): Negates the condition (NOT) when true
      • ordinal (32-bit integer): Order
    • address_group_guid (String): Address group GUID
    • address_group_name (String): Address group name
    • address_field (String): Target fields to add to the address group
    • ticket_issue_cond (String): Ticket issuance condition. One of: never issue (NEVER), ETIR threshold-based (ETIR_THRESHOLD), always issue (ALWAYS).
    • ticket_repo_guid (String): Ticket repository GUID
    • ticket_repo_name (String): Ticket repository name
    • ticket_assignee_guid (String): Ticket assignee GUID
    • ticket_assignee_name (String): Ticket assignee name
    • ticket_assignee_guids (String Array): List of ticket assignee GUIDs
    • ticket_assignee_names (String Array): List of ticket assignee names
    • ticket_suppress_interval (32-bit integer): Suppression period for duplicate tickets (in seconds)
    • event_suppress_interval (32-bit integer): Suppression period for duplicate events (in seconds)
    • suppress_key (String): Suppression key field. Macros in the $field format are available.
    • blacklist_expire_minute (32-bit integer): Retention period (minutes)
    • keep_alive (Boolean): true to keep the suppression timer alive, false to reset it.
      Note
      While the suppression timer is kept alive, new events are merged into the existing ticket until the timer expires, even if a user has already completed that ticket.
    • mitre_techniques (Array): List of associated MITRE ATT&CK techniques
      • mitre_id (String): MITRE ATT&CK technique ID
      • name (String): Technique name
      • display_name (String): Display name including tactic name
      • url (String): MITRE ATT&CK official documentation URL
      • tactics (Array): List of associated tactics
        • mitre_id (String): MITRE ATT&CK tactic ID
        • name (String): Tactic name
    • mitre_tactics (String Array): List of associated MITRE ATT&CK tactic IDs
    • audit_category_guid (String): Audit category GUID
    • audit_category_name (String): Audit category name
    • reviewer_guid (String): Reviewer GUID
    • reviewer_name (String): Reviewer name
    • auditor_guid (String): Auditor GUID. If not specified, the department head is assigned as default.
    • auditor_name (String): Auditor name. If not specified, the department head is assigned as default.
    • audit_days (32-bit integer): Audit due date (days)
    • employee_key_field (String): Employee number field. Typically the normalized emp_key field is used.
    • user_note (String): Explanation request message
    • alarm_group_guid (String): Alarm group GUID
    • alarm_group_name (String): Alarm group name
    • field_order (String): Evidence file output order. Comma-separated list of field names.
    • company_guid (String): GUID of the company (tenant) to which the stream rule belongs
    • company_name (String): Name of the company (tenant) to which the stream rule belongs
    • user_guid (String): GUID of the user who created the stream rule
    • user_name (String): Name of the user who created the stream rule
    • signature_app (String): Signature app name
    • app_code (String): App code
    • app_built_in (Boolean): Whether it is a built-in app
    • version (32-bit integer): Scenario version
    • created (String): Date and time of creation (yyyy-MM-dd HH:mm:ssZ)
    • updated (String): Date and time of last modification (yyyy-MM-dd HH:mm:ssZ)

Error Responses

Stream rule is not found

HTTP status code 200

{
  "rule": null
}
Identifier is not in valid GUID format

HTTP status code 400

{
  "error_code": "invalid-param-type",
  "error_msg": "guid should be guid type."
}
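As an added example (not Logpresso's own client code), a small Python helper that calls this endpoint and distinguishes the three documented outcomes: a populated rule, HTTP 200 with rule = null (not found), and HTTP 400 invalid-param-type. HOSTNAME and the API key are assumed placeholders; the helper validates the GUID client-side so a malformed identifier is never sent, and extracts the rule's MITRE technique IDs for coverage reporting.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Optional

# Matches the 36-character GUID format the endpoint expects (8-4-4-4-12 hex groups).
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


class StreamRuleError(Exception):
    """Raised for the documented 400 body: {"error_code": ..., "error_msg": ...}."""


def is_guid(value: str) -> bool:
    """Client-side check mirroring the server's 'guid should be guid type' validation."""
    return len(value) == 36 and GUID_RE.match(value) is not None


def parse_stream_rule_response(status: int, body: str) -> Optional[dict]:
    """Map the documented outcomes: 200 + rule -> dict, 200 + null -> None, 400 -> exception."""
    data = json.loads(body)
    if status == 200:
        return data.get("rule")  # null rule means the GUID was well-formed but unknown
    raise StreamRuleError(f"HTTP {status} {data.get('error_code')}: {data.get('error_msg')}")


def mitre_ids(rule: dict) -> list:
    """Technique IDs the rule is tagged with, e.g. for ATT&CK coverage reporting."""
    return [t["mitre_id"] for t in rule.get("mitre_techniques", [])]


def get_stream_rule(hostname: str, api_key: str, guid: str) -> Optional[dict]:
    """GET /api/sonar/stream-rules/:guid; refuses to send a malformed GUID at all."""
    if not is_guid(guid):
        raise ValueError(f"not a 36-character GUID: {guid!r}")
    req = urllib.request.Request(
        f"https://{hostname}/api/sonar/stream-rules/{guid}",
        headers={"Authorization": f"Bearer {api_key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_stream_rule_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:  # 4xx responses still carry the JSON error body
        return parse_stream_rule_response(err.code, err.read().decode("utf-8"))


# Constructed sample bodies (shapes taken from the documentation above, not live data).
SAMPLE_NOT_FOUND = '{"rule": null}'
SAMPLE_BAD_GUID = '{"error_code": "invalid-param-type", "error_msg": "guid should be guid type."}'
```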