Create Correlation Rules API

Use this API to create correlation rules. A correlation rule runs on a schedule, selects FIM events with a filter query, and groups the matching events into incidents. Those incidents are either sent to the listed reviewers for manual approval or, for rules with approval type AUTOMATED, given a fixed approval status, change type, comment and disposition category without review.

Because an AUTOMATED rule with approvalStatus APPROVED approves every event its filter matches without anyone looking at it, scope filterQuery tightly. The sample query below, action:Create, matches every file creation the monitored hosts report.

POST /fim/v3/autocorrelation/rules/create

Input Parameters

Parameter | Mandatory/Optional | Data Type | Description
--------- | ------------------ | --------- | -----------
ruleName | Mandatory | String | The name of the correlation rule, 1 to 112 characters.
description | Optional | String | The description for the correlation rule.
filterQuery | Mandatory | String | Filter query, in Qualys search syntax, that selects the events this rule groups into incidents. Refer to the How to Search topic in the online help for help with building the query.
reviewers | Mandatory | String (list) | User names or email IDs of the users who review the incidents created by the rule. In the sample request this is sent as a JSON array with one entry per user.
approvalType | Mandatory | String | Approval type of the incidents created by this rule. Allowed values: AUTOMATED, MANUAL.
approvalStatus | Mandatory if approvalType is AUTOMATED | String | Approval status assigned to incidents created by the rule. Allowed values: APPROVED, POLICY_VIOLATION, UNAPPROVED, NA.
changeType | Mandatory if approvalType is AUTOMATED | String | Change type assigned to incidents created by the rule. Allowed values: MANUAL, AUTOMATED, COMPROMISE, OTHER.
comment | Mandatory if approvalType is AUTOMATED | String | Comment recorded on incidents created by the rule.
dispositionCategory | Mandatory if approvalType is AUTOMATED | String | Disposition category assigned to incidents created by the rule. Allowed values: PATCHING, PRE_APPROVED_CHANGE_CONTROL, CONFIGURATION_CHANGE, HUMAN_ERROR, DATA_CORRUPTION, EMERGENCY_CHANGE, CHANGE_CONTROL_VIOLATION, GENERAL_HACKING, MALWARE.
scheduleType | Mandatory | String | How often the rule runs. Allowed values: ONETIME, DAILY, WEEKLY, MONTHLY.
startTime | Mandatory | String | Time of day at which the rule starts, in UTC. Format: HH:mm:ss.
endTime | Mandatory if scheduleType is ONETIME | String | Time of day at which the rule stops, in UTC. Format: HH:mm:ss.
fixDate | Mandatory if scheduleType is ONETIME | String | Date (UTC) on which the rule is executed. Format: yyyy-MM-dd. Must not be a past date.
dayOfMonth | Mandatory if scheduleType is MONTHLY | String | Day(s) of the month on which the rule is executed. Allowed values: integer 1 to 31.
days | Optional | String (list) | For WEEKLY schedules, the list of days on which the rule is executed. Allowed values: integers 1 to 7, where 1 is Sunday and 7 is Saturday. Default: 1 (Sunday).

Sample

API Request

curl -X POST \
  '<qualys_base_url>/fim/v3/autocorrelation/rules/create' \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json

Contents of request.json

{
  "fixDate": "2020-06-04",
  "approvalStatus": "APPROVED",
  "changeType": "AUTOMATED",
  "approvalType": "AUTOMATED",
  "description": "test",
  "reviewers": [
    "<REVIEWER USERNAME OR EMAIL ID>"
  ],
  "scheduleType": "ONETIME",
  "ruleName": "<CORRELATION RULE NAME>",
  "startTime": "12:00:00",
  "dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL",
  "comment": "<USER COMMENT>",
  "endTime": "23:59:00",
  "filterQuery": "action:Create"
}

Response

Note: the sample response below was captured from a different rule than the sample request above, so its changeType, dispositionCategory, approvalStatus and fixDate values do not match it. Use it for the shape of the returned object: the server adds id and customerId, echoes the submitted fields, and adds createdBy and updatedBy blocks whose date fields are Unix epoch timestamps in milliseconds.

{
  "customerId": "<CUSTOMER ID>",
  "id": "<RULE ID>",
  "ruleName": "<CORRELATION RULE NAME>",
  "filterQuery": "action:Create",
  "description": "<CORRELATION RULE DESCRIPTION>",
  "startTime": "12:00:00",
  "endTime": "23:59:00",
  "scheduleType": "ONETIME",
  "days": [],
  "fixDate": "2023-06-04",
  "changeType": "NORMAL_CHANGE",
  "dispositionCategory": "DISREGARD_OF_ORGANIZATIONAL_POLICY",
  "approvalType": "AUTOMATED",
  "approvalStatus": "PENDING",
  "reviewers": [
    "<USERNAME>",
    "<USER EMAIL ID>"
  ],
  "comment": "<COMMENT>",
  "createdBy": {
    "user": {
      "id": "<USER ID>",
      "name": "<USER NAME>"
    },
    "date": 1671187879859
  },
  "updatedBy": {
    "user": {
      "id": "<USER ID>",
      "name": "<USER NAME>"
    },
    "date": 1671187879859
  }
}
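The parameter table above carries several conditional requirements (the four fields that become mandatory when approvalType is AUTOMATED, endTime and fixDate for ONETIME schedules, dayOfMonth for MONTHLY, the 1 to 7 range for days) that the API only reports after a round trip. The following script, an added example that is not Qualys code, checks a request body against those rules locally before building the same POST the curl sample sends. The field names and allowed values come from the table; the helper names (validate_rule, build_request, create_rule) and the SAMPLE_RULE body, which mirrors request.json with its placeholders kept, are assumptions made here.

```python
"""Validate a FIM correlation-rule body against the parameter table, then POST it.

Added example, not Qualys code: field names, allowed values and conditional rules
come from the table on this page; the helper names and SAMPLE_RULE are assumptions.
"""
import datetime as dt
import json
import urllib.request

ALLOWED = {
    "approvalType": {"AUTOMATED", "MANUAL"},
    "approvalStatus": {"APPROVED", "POLICY_VIOLATION", "UNAPPROVED", "NA"},
    "changeType": {"MANUAL", "AUTOMATED", "COMPROMISE", "OTHER"},
    "dispositionCategory": {
        "PATCHING", "PRE_APPROVED_CHANGE_CONTROL", "CONFIGURATION_CHANGE",
        "HUMAN_ERROR", "DATA_CORRUPTION", "EMERGENCY_CHANGE",
        "CHANGE_CONTROL_VIOLATION", "GENERAL_HACKING", "MALWARE",
    },
    "scheduleType": {"ONETIME", "DAILY", "WEEKLY", "MONTHLY"},
}
ALWAYS_REQUIRED = ("ruleName", "filterQuery", "reviewers", "approvalType",
                   "scheduleType", "startTime")
# Needed only when the rule sets the incident status itself instead of asking a reviewer.
AUTOMATED_REQUIRED = ("approvalStatus", "changeType", "comment", "dispositionCategory")


def _is_hms(value):
    try:  # HH:mm:ss is the table's time format
        return bool(dt.datetime.strptime(value, "%H:%M:%S"))
    except (TypeError, ValueError):
        return False


def validate_rule(body, today=None):
    """Return the list of table violations; an empty list means the body is acceptable."""
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    today = today or dt.datetime.now(dt.timezone.utc).date()  # fixDate is a UTC date
    errors = []
    for key in ALWAYS_REQUIRED:
        if not body.get(key):
            errors.append(f"{key} is mandatory")
    if body.get("ruleName") and not 1 <= len(body["ruleName"]) <= 112:
        errors.append("ruleName must be 1 to 112 characters")
    if not isinstance(body.get("reviewers"), list):
        errors.append("reviewers must be a JSON array of user names or email IDs")
    for key, allowed in ALLOWED.items():
        if key in body and body[key] not in allowed:
            errors.append(f"{key} must be one of {sorted(allowed)}")
    if body.get("approvalType") == "AUTOMATED":
        for key in AUTOMATED_REQUIRED:
            if not body.get(key):
                errors.append(f"{key} is mandatory when approvalType is AUTOMATED")
    if "startTime" in body and not _is_hms(body["startTime"]):
        errors.append("startTime must be HH:mm:ss in UTC")
    schedule = body.get("scheduleType")
    if schedule == "ONETIME":
        if not _is_hms(body.get("endTime")):
            errors.append("endTime (HH:mm:ss, UTC) is mandatory for ONETIME")
        try:
            if dt.date.fromisoformat(str(body.get("fixDate") or "")) < today:
                errors.append("fixDate must not be in the past")
        except ValueError:
            errors.append("fixDate (yyyy-MM-dd, UTC) is mandatory for ONETIME")
    elif schedule == "MONTHLY":
        dom = str(body.get("dayOfMonth"))
        if not (dom.isdigit() and 1 <= int(dom) <= 31):
            errors.append("dayOfMonth (1-31) is mandatory for MONTHLY")
    elif schedule == "WEEKLY":
        days = body.get("days", [1])  # the table's default is 1 (Sunday)
        if not isinstance(days, list) or not all(
                str(d).isdigit() and 1 <= int(d) <= 7 for d in days):
            errors.append("days must be integers 1 (Sunday) to 7 (Saturday)")
    return errors


def build_request(base_url, token, body):
    """Return (url, headers, payload) matching the curl sample; refuse an invalid body."""
    problems = validate_rule(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = base_url.rstrip("/") + "/fim/v3/autocorrelation/rules/create"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return url, headers, json.dumps(body).encode("utf-8")


def create_rule(base_url, token, body, timeout=30):
    """POST the rule and return the parsed JSON response (the only network call here)."""
    url, headers, payload = build_request(base_url, token, body)
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample body mirroring request.json above, placeholders kept.
SAMPLE_RULE = {
    "ruleName": "<CORRELATION RULE NAME>", "description": "test",
    "filterQuery": "action:Create", "reviewers": ["<REVIEWER USERNAME OR EMAIL ID>"],
    "approvalType": "AUTOMATED", "approvalStatus": "APPROVED", "changeType": "AUTOMATED",
    "comment": "<USER COMMENT>", "dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL",
    "scheduleType": "ONETIME", "startTime": "12:00:00", "endTime": "23:59:00",
    "fixDate": "2020-06-04",
}
```

Run validate_rule(SAMPLE_RULE) today and it reports only that fixDate is in the past, which is exactly what the page's sample would hit if replayed unchanged; pass a current date in fixDate and create_rule("<qualys_base_url>", "<token>", body) performs the live call with the same headers and path as the curl sample. The validator is intentionally stricter about reviewers than the table's wording: it insists on the JSON array form that the sample request actually uses.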