You can create a rule and specify the criteria under which an alert is generated, using the actions you have already defined. Specify the details required to create the rule in the request body, such as actionId, actionType, emailRecipients, emailSubject, and so on.
| Parameter | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| cloudType | Mandatory | String | Select the cloud provider: AWS, Azure, or GCP. |
| ruleType | Mandatory | String | Select the rule type: simple_alert or time_window_schedule_alert. Depending on the rule type you select, the elements in the ruleBody are different. simple_alert: the parameters aggregate, aggregationKey, durationHour, fromHourInUTC and fromMinuteInUTC are optional. time_window_schedule_alert: you need to provide all the parameters. |
| ruleBody | Mandatory | Body | Specify the different elements needed in the request body for a rule. The exact syntax and the meaning of each element are given below the table. |
| ruleSeverity | Optional | String | Specify the rule severity as LOW, MEDIUM, HIGH, or NONE. |

ruleBody syntax:

```json
{
  "actionRequests": [
    {
      "actionId": "string",
      "actionType": "qemail",
      "emailRecipients": [
        "string"
      ],
      "emailSubject": "string",
      "pagerSubjectLine": "string",
      "slackChannel": "string"
    }
  ],
  "aggregate": true,
  "aggregationKey": "string",
  "description": "string",
  "durationHour": 0,
  "fromHourInUTC": 0,
  "fromMinuteInUTC": 0,
  "name": "string",
  "qql": "string"
}
```

Where:

- actionId: ID of the action you have defined.
- actionType: type of the action to be implemented: qemail, pagerduty, or slack.
- emailRecipients: valid email IDs of the recipients to whom the alert should be sent. You can provide multiple email IDs separated by commas.

Depending on the application you choose to send alerts with, you define one or more of the following elements:

- emailSubject: subject of the email action.
- pagerSubjectLine: subject line for an alert sent through the PagerDuty application.
- slackChannel: name of the channel to post to in the Slack application.
API request

```shell
# request.json holds the Request POST Data shown below
curl -k -X POST -u <username>:<password> \
  -H 'Content-Type: application/json' \
  -d @request.json \
  'https://<QualysBaseURL>/cloudview-api/rest/v1/rules?cloudType=AWS&ruleType=time_window_schedule_alert'
```
Request POST Data

```json
{
  "actionRequests": [
    {
      "actionId": "b2af9830-5dfe-11ea-b157-8ba65cd99c15",
      "actionType": "slack"
    }
  ],
  "aggregate": true,
  "aggregationKey": "region",
  "description": "Slack Public API Rule",
  "durationHour": 0,
  "fromHourInUTC": 0,
  "fromMinuteInUTC": 0,
  "ruleSeverity": "MEDIUM",
  "name": "Slack Api",
  "qql": "cid:99 and account.id:XXXXXXXXXXXX and control.result:FAIL and firstEvaluated:[now-4M .. now]"
}
```
Response

```json
{
  "success": "5ac209e0-9966-11e8-ab43-6187ace8f6e8"
}
```
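The following Python script is an added example, not part of the Qualys documentation or the CloudView API client, showing how a caller can check a ruleBody against the rules stated in the parameter table before sending it: the cloudType, ruleType, actionType and ruleSeverity enumerations, the elements every rule needs, and the five elements that simple_alert may omit but time_window_schedule_alert must carry. The base URL, user name and password are read from environment variables named QUALYS_BASE_URL, QUALYS_USERNAME and QUALYS_PASSWORD (names chosen for this example); the sample body is a copy of the Slack request above, and only the standard library is used.

```python
import base64
import json
import os
import urllib.request
from urllib.parse import urlencode

# Allowed values, taken from the parameter table on this page.
CLOUD_TYPES = {"AWS", "Azure", "GCP"}
RULE_TYPES = {"simple_alert", "time_window_schedule_alert"}
ACTION_TYPES = {"qemail", "pagerduty", "slack"}
SEVERITIES = {"LOW", "MEDIUM", "HIGH", "NONE"}

# Elements every ruleBody carries, and the five that simple_alert may omit
# but time_window_schedule_alert must supply.
BASE_KEYS = ("actionRequests", "name", "qql")
SCHEDULE_KEYS = ("aggregate", "aggregationKey", "durationHour",
                 "fromHourInUTC", "fromMinuteInUTC")

# Constructed sample body, copied from the page's Slack example (the
# actionId and the masked account.id are the page's own placeholder values).
SAMPLE_BODY = {
    "actionRequests": [
        {"actionId": "b2af9830-5dfe-11ea-b157-8ba65cd99c15", "actionType": "slack"}
    ],
    "aggregate": True,
    "aggregationKey": "region",
    "description": "Slack Public API Rule",
    "durationHour": 0,
    "fromHourInUTC": 0,
    "fromMinuteInUTC": 0,
    "ruleSeverity": "MEDIUM",
    "name": "Slack Api",
    "qql": "cid:99 and account.id:XXXXXXXXXXXX and control.result:FAIL "
           "and firstEvaluated:[now-4M .. now]",
}


def validate_rule_body(rule_type, body):
    """Return the list of problems in `body` for this ruleType; empty means valid."""
    if rule_type not in RULE_TYPES:
        return [f"unknown ruleType {rule_type!r}"]
    problems = [f"missing {k}" for k in BASE_KEYS if k not in body]
    if rule_type == "time_window_schedule_alert":
        problems += [f"missing {k} (required for time_window_schedule_alert)"
                     for k in SCHEDULE_KEYS if k not in body]
    actions = body.get("actionRequests")
    if not isinstance(actions, list) or not actions:
        problems.append("actionRequests must be a non-empty list")
    else:
        for i, action in enumerate(actions):
            if not action.get("actionId"):
                problems.append(f"actionRequests[{i}]: missing actionId")
            if action.get("actionType") not in ACTION_TYPES:
                problems.append(f"actionRequests[{i}]: actionType must be qemail, pagerduty or slack")
    severity = body.get("ruleSeverity")
    if severity is not None and severity not in SEVERITIES:
        problems.append("ruleSeverity must be LOW, MEDIUM, HIGH or NONE")
    return problems


def build_create_rule_request(base_url, cloud_type, rule_type, body, username, password):
    """Build (without sending) the POST to /cloudview-api/rest/v1/rules."""
    if cloud_type not in CLOUD_TYPES:
        raise ValueError(f"cloudType must be one of {sorted(CLOUD_TYPES)}")
    problems = validate_rule_body(rule_type, body)
    if problems:
        raise ValueError("invalid ruleBody: " + "; ".join(problems))
    # Query string carries cloudType and ruleType, exactly as in the curl call above.
    query = urlencode({"cloudType": cloud_type, "ruleType": rule_type})
    url = f"https://{base_url}/cloudview-api/rest/v1/rules?{query}"
    # Same HTTP basic auth that curl's -u option sends.
    credentials = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {credentials}",
        },
    )


def create_rule(request):
    """Send the request; urlopen verifies the server certificate (no equivalent of curl -k)."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Credentials come from the environment, not from the command line or the source file.
    req = build_create_rule_request(
        os.environ["QUALYS_BASE_URL"], "AWS", "time_window_schedule_alert",
        SAMPLE_BODY, os.environ["QUALYS_USERNAME"], os.environ["QUALYS_PASSWORD"])
    print(json.dumps(create_rule(req)))
```

The validation runs before anything leaves the host, so a body missing durationHour for a time_window_schedule_alert rule is rejected locally instead of producing a server-side error. The script also keeps TLS certificate verification on and reads the credentials from the environment, so the password does not appear in shell history or process listings the way a `-u <username>:<password>` argument does.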