Use this API to create correlation rules.

Parameter | Mandatory/Optional | Data Type | Description
---|---|---|---
ruleName | Mandatory | String | The name of the correlation rule. The length must be between 1 and 112 characters.
description | Optional | String | The description for the correlation rule.
filterQuery | Mandatory | String | Filter query in Qualys syntax that matches the events with the incidents. Refer to the How to Search topic in the Online help for assistance with creating your query.
reviewers | Mandatory | String | A comma-separated list of user names who review the incidents created from the rule.
approvalType | Mandatory | String | Approval type of the incidents created by this rule. Allowed values: AUTOMATED or MANUAL.
approvalStatus | Mandatory if approvalType is AUTOMATED | String | The approval status of the incidents created by the rule. Allowed values: APPROVED, POLICY_VIOLATION, UNAPPROVED, NA.
changeType | Mandatory if approvalType is AUTOMATED | String | Type of the incidents created by the rule. Allowed values: MANUAL, AUTOMATED, COMPROMISE, OTHER.
comment | Mandatory if approvalType is AUTOMATED | String | Comment attached to the incidents created by the rule.
dispositionCategory | Mandatory if approvalType is AUTOMATED | String | The category of the incidents created by the rule. Allowed values: PATCHING, PRE_APPROVED_CHANGE_CONTROL, CONFIGURATION_CHANGE, HUMAN_ERROR, DATA_CORRUPTION, EMERGENCY_CHANGE, CHANGE_CONTROL_VIOLATION, GENERAL_HACKING, MALWARE.
scheduleType | Mandatory | String | The schedule for the rule. Allowed values: ONETIME, DAILY, WEEKLY, MONTHLY.
startTime | Mandatory | String | Time at which the correlation rule starts. Format: HH:mm:ss. The time must be given in UTC.
endTime | Mandatory if scheduleType is ONETIME | String | Time at which the correlation rule ends. Format: HH:mm:ss. The time must be given in UTC.
fixDate | Mandatory if scheduleType is ONETIME | String | The date on which the rule is executed. Format: yyyy-MM-dd. The value must not be a past date, and the date must be given in UTC.
dayOfMonth | Mandatory if scheduleType is MONTHLY | String | The day of the month on which the rule is executed. Allowed values: integer (1-31).
days | Optional | String | For recurring weekly schedules, the list of days on which the rule is executed. Allowed values: integer (1-7), where 1 is Sunday and 7 is Saturday. Default value is 1 (Sunday).
API Request

```bash
curl -X POST \
  '<qualys_base_url>/fim/v3/autocorrelation/rules/create' \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json
```

Contents of request.json

```json
{
  "fixDate": "2020-06-04",
  "approvalStatus": "APPROVED",
  "changeType": "AUTOMATED",
  "approvalType": "AUTOMATED",
  "description": "test",
  "reviewers": ["<REVIEWER USERNAME OR EMAIL ID>"],
  "scheduleType": "ONETIME",
  "ruleName": "<CORRELATION RULE NAME>",
  "startTime": "12:00:00",
  "dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL",
  "comment": "<USER COMMENT>",
  "endTime": "23:59:00",
  "filterQuery": "action:Create"
}
```
Response

```json
{
  "customerId": "<CUSTOMER ID>",
  "id": "<RULE ID>",
  "ruleName": "<CORRELATION RULE NAME>",
  "filterQuery": "action:Create",
  "description": "<CORRELATION RULE DESCRIPTION>",
  "startTime": "12:00:00",
  "endTime": "23:59:00",
  "scheduleType": "ONETIME",
  "days": [],
  "fixDate": "2023-06-04",
  "changeType": "NORMAL_CHANGE",
  "dispositionCategory": "DISREGARD_OF_ORGANIZATIONAL_POLICY",
  "approvalType": "AUTOMATED",
  "approvalStatus": "PENDING",
  "reviewers": ["<USERNAME>", "<USER EMAIL ID>"],
  "comment": "<COMMENT>",
  "createdBy": {
    "user": { "id": "<USER ID>", "name": "<USER NAME>" },
    "date": 1671187879859
  },
  "updatedBy": {
    "user": { "id": "<USER ID>", "name": "<USER NAME>" },
    "date": 1671187879859
  }
}
```
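As an added example (not Qualys code), a Python pre-flight check that applies the parameter table's rules to a request body before it is sent with the curl command above: the mandatory fields, the fields that become mandatory when approvalType is AUTOMATED, the allowed enum values, the HH:mm:ss and yyyy-MM-dd formats, and the ONETIME/MONTHLY/weekly constraints. The field names and allowed values come from the table; the sample body, the reviewer address and the pinned SAMPLE_TODAY are constructed.

```python
import re
from datetime import date
TIME_RE = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d$")  # HH:mm:ss, 24-hour clock, UTC
APPROVAL_STATUS = {"APPROVED", "POLICY_VIOLATION", "UNAPPROVED", "NA"}
CHANGE_TYPE = {"MANUAL", "AUTOMATED", "COMPROMISE", "OTHER"}
DISPOSITION = {"PATCHING", "PRE_APPROVED_CHANGE_CONTROL", "CONFIGURATION_CHANGE", "HUMAN_ERROR", "DATA_CORRUPTION",
               "EMERGENCY_CHANGE", "CHANGE_CONTROL_VIOLATION", "GENERAL_HACKING", "MALWARE"}
SCHEDULE = {"ONETIME", "DAILY", "WEEKLY", "MONTHLY"}

def _in_range(v, lo, hi):  # accepts an int or a digit string, since the table types these fields as String
    return str(v).isdigit() and lo <= int(v) <= hi

def validate_rule(body, today=None):
    """Return the parameter-table violations found in body; an empty list means it can go out as request.json."""
    today = today or date.today()
    errs = [f"{k} is mandatory" for k in ("filterQuery", "reviewers", "scheduleType", "startTime")
            if not body.get(k)]
    if not 1 <= len(body.get("ruleName", "")) <= 112:
        errs.append("ruleName must be 1 to 112 characters")
    if body.get("approvalType") not in {"AUTOMATED", "MANUAL"}:
        errs.append("approvalType must be AUTOMATED or MANUAL")
    elif body["approvalType"] == "AUTOMATED":  # the four fields that become mandatory for automated approval
        for k, allowed in (("approvalStatus", APPROVAL_STATUS), ("changeType", CHANGE_TYPE),
                           ("dispositionCategory", DISPOSITION)):
            if body.get(k) not in allowed:
                errs.append(f"{k} is mandatory for AUTOMATED approval; allowed: {sorted(allowed)}")
        if not body.get("comment"):
            errs.append("comment is mandatory for AUTOMATED approval")
    errs += [f"{k} must be HH:mm:ss in UTC" for k in ("startTime", "endTime") if k in body and not TIME_RE.match(str(body[k]))]
    sched = body.get("scheduleType")
    if sched not in SCHEDULE:
        errs.append("scheduleType must be ONETIME, DAILY, WEEKLY or MONTHLY")
    elif sched == "ONETIME":
        if not body.get("endTime"):
            errs.append("endTime is mandatory for ONETIME")
        try:  # fixDate must parse as yyyy-MM-dd and must not lie in the past
            if date.fromisoformat(str(body.get("fixDate"))) < today:
                errs.append("fixDate must not be a past date")
        except ValueError:
            errs.append("fixDate is mandatory for ONETIME and must be yyyy-MM-dd")
    elif sched == "MONTHLY" and not _in_range(body.get("dayOfMonth", ""), 1, 31):
        errs.append("dayOfMonth (1-31) is required for MONTHLY")
    if not all(_in_range(d, 1, 7) for d in body.get("days", [])):
        errs.append("days entries must be 1 (Sunday) to 7 (Saturday)")
    return errs

# Constructed sample body mirroring request.json above; SAMPLE_TODAY pins "today" so the fixDate check runs offline.
SAMPLE_BODY = {"ruleName": "example-rule", "filterQuery": "action:Create", "reviewers": ["reviewer@example.com"],
               "approvalType": "AUTOMATED", "approvalStatus": "APPROVED", "changeType": "AUTOMATED", "comment": "pre-approved",
               "dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL", "scheduleType": "ONETIME", "startTime": "12:00:00",
               "endTime": "23:59:00", "fixDate": "2020-06-04"}
SAMPLE_TODAY = date(2020, 6, 1)
```

Run `validate_rule(body)` on the parsed request.json and send it only when the returned list is empty; each message names the table row that was violated.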