Use this API to create correlation rules.
|
Parameter |
Mandatory/Optional |
Data Type |
Description |
|---|---|---|---|
|
ruleName |
Mandatory |
String |
The name of the correlation rule. The length should be between 1 to 112 characters. |
|
description |
Optional |
String |
The description for the correlation rule. |
|
filterQuery |
Mandatory |
String |
Filter query using Qualys syntax to match the events with the incidents.Refer to the How to Search topic in the Online help for assistance with creating your query. |
|
reviewers |
Mandatory |
String |
A list of comma separated user names to review the incidents created from the rule. |
|
approvalType |
Mandatory |
String |
Approval Type of the Incident created by this rule. Allowed values: AUTOMATED or MANUAL |
|
approvalStatus |
Mandatory if the Approval Type is Automated |
String |
The approval status of the incident created by the rule. Allowed values: APPROVED , POLICY_VIOLATION, UNAPPROVED, NA. |
|
changeType |
Mandatory if approval type is Automated |
String |
Type of Incidents created by the rule. Allowed values: MANUAL, AUTOMATED, COMPROMISE, OTHER |
|
comment |
Mandatory if approval type is Automated |
String |
Comments for Incidents created by rule. |
|
dispositionCategory |
Mandatory if approval type is Automated |
String |
The category of the Incident created by the rule. Allowed values: PATCHING, PRE_APPROVED_CHANGE_CONTROL, CONFIGURATION_CHANGE, HUMAN_ERROR, DATA_CORRUPTION, EMERGENCY_CHANGE, CHANGE_CONTROL_VIOLATION, GENERAL_HACKING, MALWARE |
|
scheduleType |
Mandatory |
String |
The schedule for the rule: Allowed values: ONETIME, DAILY, WEEKLY, MONTHLY |
|
startTime |
Mandatory |
String |
Time when the Correlation rule must start. Format: HH:mm:ss The time must be mentioned in UTC format. |
|
endTime |
Mandatory if Schedule Type is selected as ONETIME |
String |
Time when the Correlation rule should end. Format: HH:mm:ss. Note: The time must be mentioned in UTC format. |
|
fixDate |
Mandatory if Schedule Type is selected as ONETIME |
String |
The date on which the rule is executed. Format: yyyy-MM-dd .Note: Value should not be a past date. Note: The date must be mentioned in UTC format. |
|
dayOfMonth |
Required if Schedule Type is selected as MONTHLY |
String |
The days of the month on which rule is executed. Allowed values: integer (1-31). |
|
days |
Optional |
String |
For recurring weekly schedules, it is the list of days on which rule is executed. Allowed values: Allowed values: integer (1-7), where Sunday (1) and Saturday (7). Default value is 1 (Sunday). |
API Request
curl -X POST
<qualys_base_url>/fim/v3/autocorrelation/rules/create
-H 'authorization: Bearer <token>'
-H 'content-type: application/json'
-d @request.json
Contents of request.json
{
"fixDate": "2020-06-04",
"approvalStatus": "APPROVED",
"changeType": "AUTOMATED",
"approvalType": "AUTOMATED",
"description": "test",
"reviewers": [
"<REVIEWER USERNAME OR EMAIL ID>"
],
"scheduleType": "ONETIME",
"ruleName": "<CORRELATION RULE NAME>",
"startTime": "12:00:00",
"dispositionCategory": "PRE_APPROVED_CHANGE_CONTROL",
"comment": "<USER COMMENT>",
"endTime": "23:59:00",
"filterQuery": "action:Create"
},
Response
{
"customerId": "<CUSTOMER ID>",
"id": "<RULE ID>",
"ruleName": "<CORRELATION RULE NAME>",
"filterQuery": "action:Create",
"description": "<CORRELATION RULE DESCRIPTION>",
"startTime": "12:00:00",
"endTime": "23:59:00",
"scheduleType": "ONETIME",
"days": [],
"fixDate": "2023-06-04",
"changeType": "NORMAL_CHANGE",
"dispositionCategory": "DISREGARD_OF_ORGANIZATIONAL_POLICY",
"approvalType": "AUTOMATED",
"approvalStatus": "PENDING",
"reviewers": [
"<USERNAME>",
"USER EMAIL ID"
],
"comment": "<COMMENT>",
"createdBy": {
"user": {
"id": "<USER ID>",
"name": "<USER NAME>"
},
"date": 1671187879859
},
"updatedBy": {
"user": {
"id": "<USER ID>",
"name": "<USER NAME>"
},
"date": 1671187879859
}
}