Validating YAML files

When using the Detection Rules as Code feature, you can use the API to check that your detection rules are valid and that their tests pass in Scanner before checking them into GitHub.

We have the following APIs for validating detection rules and running detection rule tests.

Note: this API is for a beta feature, and may be subject to change.

Validate detection rule

POST /v1/detection_rule_yaml/validate

Validate a detection rule YAML.

Example

curl $API_BASE/v1/detection_rule_yaml/validate \
-H "Authorization: Bearer $SCANNER_API_KEY" \
-X POST \
--data-binary @src/some_detection.yaml

Response

Returns is_valid, a boolean indicating whether the detection rule is valid, and error, which carries the error message. error is null if the detection rule is valid.

{
  "is_valid":true,
  "error":null
}

Run detection rule tests

POST /v1/detection_rule_yaml/run_tests

Run tests specified in the given detection rule YAML.

Example

curl $API_BASE/v1/detection_rule_yaml/run_tests \
-H "Authorization: Bearer $SCANNER_API_KEY" \
-X POST \
--data-binary @src/some_detection.yaml

Response

Returns results, a map from test names to their corresponding status (passed or failed). results is empty if no tests are found in the given file.

{
  "results": {
    "Example detection rule": "Passed"
  }
}
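The two calls above can be chained into a pre-commit check that stops a rule from being committed when it fails validation or any of its tests fail. This is an added example, not part of the Scanner documentation; it assumes the API_BASE and SCANNER_API_KEY environment variables from the curl examples, a RULES_DIR directory of rule YAML files, and parses the responses with grep and sed so it has no jq dependency.

```shell
#!/bin/sh
# Added example: validate every detection rule YAML and run its tests
# against the Scanner API before committing. Assumes API_BASE,
# SCANNER_API_KEY and RULES_DIR are set by the caller.
set -u

# Return 0 when a /validate response reports is_valid true; otherwise
# print the server's error message to stderr and return 1.
check_validate_response() {
  json=$1
  if printf '%s' "$json" | grep -q '"is_valid": *true'; then
    return 0
  fi
  printf '%s' "$json" | sed -n 's/.*"error": *"\([^"]*\)".*/  error: \1/p' >&2
  return 1
}

# Return 0 when every test in a /run_tests response has status "Passed".
# Any other status is printed and counts as a failure. An empty results
# map (no tests in the file) is reported as a warning, not a failure.
check_test_results() {
  json=$1
  # Extract "test name": "Status" pairs; the "results": { line does not
  # match because its value is an object rather than a string.
  pairs=$(printf '%s' "$json" | grep -o '"[^"]*": *"[^"]*"' || true)
  if [ -z "$pairs" ]; then
    echo "  warning: no tests found in rule" >&2
    return 0
  fi
  failures=$(printf '%s\n' "$pairs" | grep -v '"Passed"$' || true)
  if [ -n "$failures" ]; then
    printf '%s\n' "$failures" | sed 's/^/  failed: /' >&2
    return 1
  fi
  return 0
}

# POST one rule file to both endpoints and check each response in turn.
check_rule_file() {
  file=$1
  echo "checking $file"
  resp=$(curl -sS "$API_BASE/v1/detection_rule_yaml/validate" \
    -H "Authorization: Bearer $SCANNER_API_KEY" -X POST --data-binary @"$file")
  check_validate_response "$resp" || return 1
  resp=$(curl -sS "$API_BASE/v1/detection_rule_yaml/run_tests" \
    -H "Authorization: Bearer $SCANNER_API_KEY" -X POST --data-binary @"$file")
  check_test_results "$resp"
}

# Check every rule in RULES_DIR; a non-zero exit blocks the commit.
check_all_rules() {
  status=0
  for f in "$1"/*.yaml; do
    [ -e "$f" ] || continue
    check_rule_file "$f" || status=1
  done
  return $status
}

if [ -n "${RULES_DIR:-}" ]; then check_all_rules "$RULES_DIR"; exit $?; fi
```

Run it as `RULES_DIR=src ./check_rules.sh` from a pre-commit hook; it exits non-zero if any rule is invalid or has a failing test.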
