Fetch Alert Rules API

Use this API to search all the alert rules.

POST /fim/v3/alert/rules/search

The API returns the default values for the following fields:
For Single Match: slideTime, matchCount, aggregate, aggregationKeys.
For Time-Window Scheduled Match: slideTime, matchCount.

Sample

API Request

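# Search the FIM alert rules. Replace <qualys_base_url> and <token> before running.
# The bearer token is a credential: supply it from an environment variable or a
# protected file rather than typing it inline, so it stays out of shell history.
# The trailing backslashes join the lines into one command; the URL is quoted so
# the shell does not read the <...> placeholder as a redirection.
curl -X POST \
  '<qualys_base_url>/fim/v3/alert/rules/search' \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json'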

Response

{
  "customerId": "x5x0514x-x211-x1x4-809x-x3x2xx667xxx",
  "applicationName": "FIM",
  "id": "8xx98x30-xx5x-11x9-9036-339x439x1x4x",
  "datasource": "EVENTS",
  "ruleType": "simple_alert",
  "name": "Rule - Alerting 2.1.2 testing updating",
  "description": "Rule - Alerting 2.1.2 testing",
  "qql": "(file.fullPath:'*\\System32\\*' and action:Attributes )",
  "windowTime": 0,
  "slideTime": 900000,
  "matchCount": 3,
  "fromHour": 0,
  "fromMinute": 0,
  "duration": 0,
  "aggregate": true,
  "aggregationKeys": [
    "tokens"
  ],
  "actions": [
    {
      "id": "54x62750-xx5x-11x9-9525-51f120x87xx9",
      "actionType": "qemail",
      "name": "Alerting 2.1.2 Testing",
      "subject": "Alerting 2.1.2 Testing",
      "alert": "Alerting 2.1.2 Testing",
      "emailRecipients": [
        "jd1@qualys.com",
        "jd2@qualys.com",
        "jd@qualys.com"
      ],
      "slackChannel": null,
      "subjectParameters": [],
      "bodyParameters": []
    }
  ],
  "created": 1569172952451,
  "createdBy": "John Doe",
  "createdById": "doe_john",
  "updated": 1569332877053,
  "updatedBy": "John Doe",
  "updatedById": "doe_john",
  "lastRun": 1569312595868,
  "active": false,
  "ruleState": "DISABLED",
  "actionNames": [
    "Alerting 2.1.2 Testing"
  ],
  "trigger": "Single Match"
}