Detection Rules
A detection rule is a query that runs continuously on new logs as they arrive in Scanner. You can create create, read, update, and delete detection rules with the Scanner API.
Last updated
A detection rule is a query that runs continuously on new logs as they arrive in Scanner. You can create create, read, update, and delete detection rules with the Scanner API.
Last updated
POST
/v1/detection_rule
Create a new detection rule with the specified data.
If the detection rule is active, it will be immediately scheduled for backfill and execution.
Body
Name | Type | Description |
---|---|---|
Example
Response
Returns the newly created detection rule.
GET
/v1/detection_rule
List all detection rules for a tenant.
Query parameters
Example
Response
Returns a list of detection rule summaries. The detection rule summary object is the same as the detection rule object, but it does not include event_sink_ids
.
GET
/v1/detection_rule/{id}
Get the detection rule with the given id.
Example
Response
Returns the detection rule.
PUT
/v1/detection_rule/{id}
Update the detection rule with the given id.
Body
Example
Response
Returns the updated detection rule.
DELETE
/v1/detection_rule/{id}
Delete the detection rule with the given id.
Example
Response
Returns the id
and tenant_id
for the deleted detection rule.
time_range_s
is the lookback period for the detection rule and run_frequency_s
is how often the detection rule is run. Valid values for time_range_s
and run_frequency_s
are:
60 (1 minute)
300 (5 minutes)
900 (15 minutes)
3600 (1 hour)
21600 (6 hours)
86400 (24 hours)
run_frequency_s
is at most two levels below time_range_s
. For example, if time_range_s
is 300, valid values for run_frequency_s
are 60, 300, and 900.
We use the OCSF schema for detection severity:
Unknown
Information
Low
Medium
High
Critical
Fatal
Other
The detection severity must be one of these string values, e.g.
Name | Type | Description |
---|---|---|
Name | Type | Description |
---|---|---|
tenant_id
required
string
Unique identifier for the tenant
tenant_id
required
string
Unique identifier for the tenant
name
required
string
Name of the detection rule
description
required
string
Description of the detection rule
time_range_s
required
Lookback period (in seconds)
run_frequency_s
required
How frequently to run the detection rule (in seconds)
enabled
required
boolean
Whether the detection rule is enabled
severity
required
The severity of the detection
query_text
required
string
Query for the detection rule
event_sink_ids
required
list of strings
Event sinks to send event alerts to
sync_key
string
Sync key, used by automatic detection rule syncers
id
required
string
Unique identifier for the detection rule
name
string
Update the name of the detection rule
description
string
Update the description of the detection rule
time_range_s
Update the lookback period of the detection rule
run_frequency_s
Update the how frequently the detection rule is run
enabled
boolean
Enable or disable the detection rule
severity
Update the severity of the detection rule
query_text
string
Update the query for the detection rule
event_sink_ids
list of strings
Update the event sinks for the detection rule
sync_key
string
Update the sync key for the detection rule
See
See
See
See
See
See