Update Batch Rule
Updates the batch rule identified by the GUID in the request path. Fields omitted from the request are not documented as preserved, so send the full rule definition rather than only the changed keys.
Required Permissions
Requires the ADMIN role or higher.
HTTP Request
PUT /api/sonar/batch-rules/:guid
cURL Example
curl -H "Authorization: Bearer <API_KEY>" \
  -X PUT \
  --data-urlencode 'priority=LOW' \
  --data-urlencode 'name=Scan web vulnerabilities' \
  --data-urlencode 'schedule=*/10 * * * *' \
  --data-urlencode 'msg=Scan web vulnerabilities: $src_ip' \
  --data-urlencode 'query=table duration=30m weblog | search status >= 400 | stats count as error_count, dc(path) as page_count, values(concat(method, " ", path)) as request by src_ip | eval request = strjoin("\n", request) | lof eps=0.1 error_count, page_count | search _lof > 1.5 | sort -_lof' \
  https://HOSTNAME/api/sonar/batch-rules/410fe6af-b2f8-4674-af70-8d5b12ddc3fe

Each value is wrapped in single quotes so that the shell neither expands the $src_ip macro nor strips the double quotes inside the query, and --data-urlencode is used instead of -d because the query contains characters (spaces, =, >, |) that must be percent-encoded in a form body. The message macro refers to src_ip because that is the field the query groups by; a macro for a field the query does not output is never substituted.
Request Parameters
| Key | Required (O = yes, X = no) | Type | Description | Note |
|---|---|---|---|---|
| priority | O | String | Priority | LOW, MEDIUM, HIGH |
| guid | O | String | Batch rule GUID, taken from the request path | 36 characters |
| name | O | String | Batch rule name | Minimum 1 to maximum 255 characters |
| description | X | String | Batch rule description | Maximum 2,000 characters |
| msg | O | String | Message template | Minimum 1 to maximum 2,000 characters |
| enabled | X | Boolean | Whether the rule is enabled | true or false |
| category_guid | X | String | Batch rule category GUID | 36 characters |
| schedule | O | String | Execution schedule | 5-field CRON expression |
| duration | X | 32-bit integer | Time window of the data to be analyzed, counted back from the current time | In seconds. Maximum 31536000 seconds (365 days) |
| datetrunc | X | 32-bit integer | Time truncation | 1, 60, 3600 or 86400 (seconds) |
| dataset_guid | X | String | Dataset GUID | 36 characters. At least one of dataset_guid and query must be provided |
| query | X | String | Detection query | Maximum 65,535 characters. At least one of dataset_guid and query must be provided |
| address_group_guid | X | String | Address group GUID | 36 characters |
| address_field | X | String | Address field | Address group field name. Maximum 50 characters |
| ticket_issue_cond | X | String | Ticket issuance condition | One of NEVER, ETIR_THRESHOLD, ALWAYS |
| ticket_repo_guid | X | String | Ticket repository GUID | Required when ticket_issue_cond is not NEVER. 36 characters |
| ticket_assignee_guid | X | String | Ticket assignee GUID | If specified, the ticket is assigned automatically |
| ticket_suppress_interval | X | 32-bit integer | Suppression period for duplicate tickets, in seconds | If 0 or not specified, duplicate tickets are not merged |
| event_suppress_interval | X | 32-bit integer | Suppression period for duplicate events, in seconds | If 0 or not specified, duplicate events are not merged |
| suppress_key | X | String | Suppress key field | Maximum 2,000 characters. Macros in $field format are available |
| keep_alive | X | Boolean | Whether to keep the suppression timer alive | true keeps the timer alive, false resets it |
| audit_category_guid | X | String | Audit category GUID | 36 characters. If not specified, an auto audit request is not sent |
| reviewer_guid | X | String | Reviewer GUID | 36 characters |
| auditor_guid | X | String | Auditor GUID | 36 characters. If not specified, the department head is assigned by default |
| audit_days | X | 32-bit integer | Audit due date | Minimum 1 to maximum 365 days |
| employee_key_field | X | String | Employee number field | Maximum 50 characters. If not specified, an auto audit request is not sent |
| alarm_group_guid | X | String | Alarm group GUID | 36 characters |
| field_order | X | String | Evidence field output order | Maximum 2,000 characters |
| user_note | X | String | Explanation request message | Maximum 2,000 characters |
| mitre_techniques | X | String List | MITRE ATT&CK technique IDs | Comma-separated technique ID list. Related tactics are included automatically when set |
| mitre_tactics | X | String List | MITRE ATT&CK tactic IDs | Comma-separated tactic ID list. Used when specifying tactics only |
| signature_app | X | String | Signature app name | |
Success Response
{}
Error Responses
Required argument is missing
HTTP status code 400
{
"error_code": "null-argument",
"error_msg": "schedule should be not null"
}
Invalid argument length
HTTP status code 400
{
"error_code": "invalid-argument",
"error_msg": "'address_field' must be shorter than or equal to 50 characters."
}
Invalid priority value
HTTP status code 400
{
"error_code": "invalid-argument",
"error_msg": "priority should be one of 'LOW', 'MEDIUM', 'HIGH'."
}
Identifier is not in valid GUID format
HTTP status code 400
{
"error_code": "invalid-param-type",
"error_msg": "category_guid should be guid type."
}
CRON expression is not valid
HTTP status code 400
{
"error_code": "invalid-argument",
"error_msg": "schedule has wrong cron expression format: * * * * * *"
}
Neither dataset_guid nor query is specified
HTTP status code 400
{
"error_code": "null-argument",
"error_msg": "query should be not null"
}
Invalid value for datetrunc
HTTP status code 400
{
"error_code": "invalid-argument",
"error_msg": "datetrunc should be one of 1 (1 second), 60 (1 minute), 3600 (1 hour), 86400 (1 day)."
}
Batch rule is not found
HTTP status code 500
{
"error_code": "illegal-state",
"error_msg": "batch rule not found: 9071a6fe-6b91-4448-9761-7123381cb026"
}
No privilege to update a batch rule (the caller lacks the ADMIN role)
HTTP status code 500
{
"error_code": "illegal-state",
"error_msg": "no-permission"
}
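The parameter table and the error list above describe the same set of rules from two sides: the limits a request must satisfy, and the 400 the server returns when one is broken. The following added example (not part of the product or its SDK) applies those documented limits on the client before the PUT is sent, so that a malformed rule is rejected locally with the same error_code and error_msg shape the server would use, and then submits the form-encoded body the cURL example uses. The hostname, the API key, the sample rule, the use of urllib, and the wording of the ticket_repo_guid message (which the page does not document) are assumptions of the example.

```python
"""Client-side pre-validation and submission for PUT /api/sonar/batch-rules/:guid.

Added example; not the vendor's code. The checks mirror the parameter table and
the documented 400 responses on this page. The server remains authoritative.
"""
import json
import re
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
CRON_FIELD_RE = re.compile(r"^[0-9*/,\-]+$")   # lightweight 5-field CRON check
PRIORITIES = ("LOW", "MEDIUM", "HIGH")
DATETRUNC = (1, 60, 3600, 86400)
TICKET_CONDS = ("NEVER", "ETIR_THRESHOLD", "ALWAYS")
MAX_LEN = {"name": 255, "description": 2000, "msg": 2000, "query": 65535,
           "address_field": 50, "suppress_key": 2000, "field_order": 2000,
           "user_note": 2000, "employee_key_field": 50}
GUID_FIELDS = ("category_guid", "dataset_guid", "address_group_guid",
               "ticket_repo_guid", "ticket_assignee_guid", "audit_category_guid",
               "reviewer_guid", "auditor_guid", "alarm_group_guid")


class BatchRuleError(ValueError):
    """Carries (error_code, error_msg) in the shape of the documented 400 responses."""

    def __init__(self, code, msg):
        super().__init__(f"{code}: {msg}")
        self.code = code
        self.msg = msg


def validate_cron(expr):
    """Reject expressions that are not five fields of digits, *, /, , and -."""
    fields = expr.split()
    if len(fields) != 5 or not all(CRON_FIELD_RE.match(f) for f in fields):
        raise BatchRuleError("invalid-argument",
                             f"schedule has wrong cron expression format: {expr}")


def validate_batch_rule(params):
    """Check a parameter dict against the table; return it unchanged on success."""
    for key in ("priority", "name", "msg", "schedule"):
        if params.get(key) in (None, ""):
            raise BatchRuleError("null-argument", f"{key} should be not null")
    if params["priority"] not in PRIORITIES:
        raise BatchRuleError("invalid-argument",
                             "priority should be one of 'LOW', 'MEDIUM', 'HIGH'.")
    validate_cron(params["schedule"])
    for key, limit in MAX_LEN.items():
        value = params.get(key)
        if value is not None and len(value) > limit:
            raise BatchRuleError("invalid-argument",
                                 f"'{key}' must be shorter than or equal to {limit} characters.")
    for key in GUID_FIELDS:
        value = params.get(key)
        if value is not None and not GUID_RE.match(value):
            raise BatchRuleError("invalid-param-type", f"{key} should be guid type.")
    if not params.get("dataset_guid") and not params.get("query"):
        raise BatchRuleError("null-argument", "query should be not null")
    if "datetrunc" in params and params["datetrunc"] not in DATETRUNC:
        raise BatchRuleError("invalid-argument",
                             "datetrunc should be one of 1 (1 second), 60 (1 minute), "
                             "3600 (1 hour), 86400 (1 day).")
    if "duration" in params and not 0 < params["duration"] <= 31536000:
        raise BatchRuleError("invalid-argument", "duration must be 1..31536000 seconds.")
    cond = params.get("ticket_issue_cond")
    if cond is not None and cond not in TICKET_CONDS:
        raise BatchRuleError("invalid-argument",
                             "ticket_issue_cond should be one of 'NEVER', 'ETIR_THRESHOLD', 'ALWAYS'.")
    if cond not in (None, "NEVER") and not params.get("ticket_repo_guid"):
        # Message wording is an assumption; the page only states the requirement.
        raise BatchRuleError("null-argument", "ticket_repo_guid should be not null")
    if "audit_days" in params and not 1 <= params["audit_days"] <= 365:
        raise BatchRuleError("invalid-argument", "audit_days must be 1..365.")
    return params


def update_batch_rule(host, api_key, guid, params, opener=None):
    """Validate, then PUT the rule as a form body like the cURL example.

    `opener` defaults to urllib.request.urlopen and is injectable so the call
    can be exercised offline. Returns (HTTP status, decoded JSON body).
    """
    if not GUID_RE.match(guid):
        raise BatchRuleError("invalid-param-type", "guid should be guid type.")
    validate_batch_rule(params)
    # Booleans are sent as the lowercase true/false the table documents.
    form = {k: ("true" if v is True else "false" if v is False else v)
            for k, v in params.items()}
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        f"https://{host}/api/sonar/batch-rules/{guid}", data=body, method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with (opener or urllib.request.urlopen)(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


# Constructed sample rule matching the cURL example above (query shortened).
RULE = {
    "priority": "LOW",
    "name": "Scan web vulnerabilities",
    "schedule": "*/10 * * * *",
    "msg": "Scan web vulnerabilities: $src_ip",
    "query": "table duration=30m weblog | search status >= 400 | stats count as error_count by src_ip",
}

if __name__ == "__main__":
    print(validate_batch_rule(RULE)["name"])
```

The validator raises on the first failing check in the same order a practitioner would read the table; a rejected rule never leaves the host, which keeps malformed queries and stray macros out of the audit log on the server. Note that the client check for duplicate-free macros is deliberately absent: the page does not say which $field names are valid for msg, so only the documented limits are enforced.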