Alert Transform Rules¶
Overview¶
You can use this API to configure Alert Transform Rules and their properties in BIG-IQ.
REST Endpoint: /mgmt/cm/websafe/working-config/alert-rules¶
Requests¶
GET /mgmt/cm/websafe/working-config/alert-rules/<id>¶
To retrieve an existing alert transform rule, you can send a GET request to the alert-rules collection and specify the rule’s identifier.
Request Parameters¶
None
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| accountReferences | array | An array of account reference objects which lists the accounts whose alerts get transformed. |
| name | string | Name of the resource. |
| link | string | URL of the account |
| active | boolean | True means an enabled rule. False means a disabled rule. |
| alertAction | string | Status to be applied on the matching alert. |
| alertDetails | string | Additional information displayed on the matching alert. |
| alertRecommendation | string | Recommendation displayed on the matching alert. |
| alertSeverityOrder | number | A severity value applied to the matching alert. Possible values are 0-100. |
| allAccounts | boolean | True means all accounts get transformed. False means only the accounts specified by accountReferences get transformed. |
| description | string | Description of the rule |
| find | string | A string searched for in the alert data. The fields of alert data indicated by where are searched for a match to find. |
| id | string | UUID identifier assigned by the system |
| isRegex | boolean | True if the value of find is a regular expression. False if find is not a regular expression. |
| isUserDefined | boolean | True means a rule created locally by user. False means a rule synced from Security Operations Center SOC dashboard. |
| name | string | Name of the alert transform rule |
| user | string | Name of the user who defined the rule. |
| userRegex | string | Regular expression used to match the user in the matched alert. If userRegex is defined, then all occurrences of the username identified by the regular expression will be replaced by the text: username. |
| userWhere | array | An array of strings where each represents the part of the alert where regular expression are used to find username. |
| when | array | An array of numbers which lists the categories of alerts to be transformed. Each number represents an alert category. For the mapping of numbers to alert categories, see the Mapping of alert category values section. |
| where | array | An array of strings which lists the fields of alert data being searched for a match to find. Possible values: “Alert Domain”, “Alert Query”, “Alert Referrer”, “Alert URL”, “Html”, “User Agent”, “User Id”, “User IP”, “User Proxy” |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | Yes |
| WebSafe_Manager_Deployer | Yes |
| ASM_Manager | Yes |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | Yes |
| WebSafe_Manager_View | Yes |
| Service_Catalog_Viewer | Yes |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
POST /mgmt/cm/websafe/working-config/alert-rules¶
To add a new alert transform rule, you can send a POST request to the alert-rules collection and include the JSON describing the rule in the body of the request.
Request Parameters¶
| Name | Type | Required | Description |
|---|---|---|---|
| accountReferences | array | False | An array of account reference objects which lists the accounts whose alerts get transformed. |
| name | string | False | Name of the resource. |
| link | string | False | URL of the account |
| active | boolean | True | True means an enabled rule. False means a disabled rule. |
| alertAction | string | True | Status to be applied on the matching alert. Default value is No Change. |
| alertDetails | string | False | Additional information displayed on the matching alert. |
| alertRecommendation | string | False | Recommendation displayed on the matching alert. |
| alertSeverityOrder | number | True | A severity value applied to the matching alert. Possible values are 0-100. |
| allAccounts | boolean | True | True means all accounts get transformed. False means only the accounts specified by accountReferences get transformed. |
| description | string | False | Description of the rule |
| find | string | True | A string searched for in the alert data. The fields of alert data indicated by where are searched for a match to find. |
| isRegex | boolean | False | True if the value of find is a regular expression. False if find is not a regular expression. |
| isUserDefined | boolean | True | True means a rule created locally by user. False means a rule synced from Security Operations Center SOC dashboard. |
| name | string | True | Name of the alert transform rule |
| user | string | False | Name of the user who defined the rule. |
| userRegex | string | False | Regular expression used to match the user in the matched alert. If userRegex is defined, then all occurrences of the username identified by the regular expression will be replaced by the text: username. |
| userWhere | array | False | An array of strings where each represents the part of the alert where regular expression are used to find username. |
| when | array | True | An array of numbers which lists the categories of alerts to be transformed. Each number represents an alert category. For the mapping of numbers to alert categories, see the Mapping of alert category values section. |
| where | array | True | An array of strings which lists the fields of alert data being searched for a match to find. Possible values: “Alert Domain”, “Alert Query”, “Alert Referrer”, “Alert URL”, “Html”, “User Agent”, “User Id”, “User IP”, “User Proxy” |
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| accountReferences | array | An array of account reference objects which lists the accounts whose alerts get transformed. |
| name | string | Name of the resource. |
| link | string | URL of the account |
| active | boolean | True means an enabled rule. False means a disabled rule. |
| alertAction | string | Status to be applied on the matching alert. |
| alertDetails | string | Additional information displayed on the matching alert. |
| alertRecommendation | string | Recommendation displayed on the matching alert. |
| alertSeverityOrder | number | A severity value applied to the matching alert. Possible values are 0-100. |
| allAccounts | boolean | True means all accounts get transformed. False means only the accounts specified by accountReferences get transformed. |
| description | string | Description of the rule |
| find | string | A string searched for in the alert data. The fields of alert data indicated by where are searched for a match to find. |
| id | string | UUID identifier assigned by the system |
| isRegex | boolean | True if the value of find is a regular expression. False if find is not a regular expression. |
| isUserDefined | boolean | True means a rule created locally by user. False means a rule synced from Security Operations Center SOC dashboard. |
| name | string | Name of the alert transform rule |
| user | string | Name of the user who defined the rule. |
| userRegex | string | Regular expression used to match the user in the matched alert. If userRegex is defined, then all occurrences of the username identified by the regular expression will be replaced by the text: username. |
| userWhere | array | An array of strings where each represents the part of the alert where regular expression are used to find username. |
| when | array | An array of numbers which lists the categories of alerts to be transformed. Each number represents an alert category. For the mapping of numbers to alert categories, see the Mapping of alert category values section. |
| where | array | An array of strings which lists the fields of alert data being searched for a match to find. Possible values: “Alert Domain”, “Alert Query”, “Alert Referrer”, “Alert URL”, “Html”, “User Agent”, “User Id”, “User IP”, “User Proxy” |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | No |
| WebSafe_Manager_Deployer | No |
| ASM_Manager | No |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | No |
| WebSafe_Manager_View | No |
| Service_Catalog_Viewer | No |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
PUT /mgmt/cm/websafe/working-config/alert-rules/<id>¶
To replace an existing alert transform rule, you can send a PUT request to the alert-rules collection, specify the rule’s identifier id, and include the JSON describing the new rule in the body of the request.
Request Parameters¶
| Name | Type | Required | Description |
|---|---|---|---|
| accountReferences | array | False | An array of account reference objects which lists the accounts whose alerts get transformed. |
| name | string | False | Name of the resource. |
| link | string | False | URL of the account |
| active | boolean | True | True means an enabled rule. False means a disabled rule. |
| alertAction | string | False | Status to be applied on the matching alert. Default value is No Change. |
| alertDetails | string | False | Additional information displayed on the matching alert. |
| alertRecommendation | string | False | Recommendation displayed on the matching alert. |
| alertSeverityOrder | number | False | A severity value applied to the matching alert. Possible values are 0-100. |
| allAccounts | boolean | False | True means all accounts get transformed. False means only the accounts specified by accountReferences get transformed. |
| description | string | False | Description of the rule |
| find | string | True | A string searched for in the alert data. The fields of alert data indicated by where are searched for a match to find. |
| isRegex | boolean | False | True if the value of find is a regular expression. False if find is not a regular expression. |
| isUserDefined | boolean | True | True means a rule created locally by user. False means a rule synced from Security Operations Center SOC dashboard. |
| name | string | True | Name of the alert transform rule |
| user | string | False | Name of the user who defined the rule. |
| userRegex | string | False | Regular expression used to match the user in the matched alert. If userRegex is defined, then all occurrences of the username identified by the regular expression will be replaced by the text: username. |
| userWhere | array | False | An array of strings where each represents the part of the alert where regular expression are used to find username. |
| when | array | True | An array of numbers which lists the categories of alerts to be transformed. Each number represents an alert category. For the mapping of numbers to alert categories, see the Mapping of alert category values section. |
| where | array | True | An array of strings which lists the fields of alert data being searched for a match to find. Possible values: “Alert Domain”, “Alert Query”, “Alert Referrer”, “Alert URL”, “Html”, “User Agent”, “User Id”, “User IP”, “User Proxy” |
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| accountReferences | array | An array of account reference objects which lists the accounts whose alerts get transformed. |
| name | string | Name of the resource. |
| link | string | URL of the account |
| active | boolean | True means an enabled rule. False means a disabled rule. |
| alertAction | string | Status to be applied on the matching alert. |
| alertDetails | string | Additional information displayed on the matching alert. |
| alertRecommendation | string | Recommendation displayed on the matching alert. |
| alertSeverityOrder | number | A severity value applied to the matching alert. Possible values are 0-100. |
| allAccounts | boolean | True means all accounts get transformed. False means only the accounts specified by accountReferences get transformed. |
| description | string | Description of the rule |
| find | string | A string searched for in the alert data. The fields of alert data indicated by where are searched for a match to find. |
| id | string | UUID identifier assigned by the system |
| isRegex | boolean | True if the value of find is a regular expression. False if find is not a regular expression. |
| isUserDefined | boolean | True means a rule created locally by user. False means a rule synced from Security Operations Center SOC dashboard. |
| name | string | Name of the alert transform rule |
| user | string | Name of the user who defined the rule. |
| userRegex | string | Regular expression used to match the user in the matched alert. If userRegex is defined, then all occurrences of the username identified by the regular expression will be replaced by the text: username. |
| userWhere | array | An array of strings where each represents the part of the alert where regular expression are used to find username. |
| when | array | An array of numbers which lists the categories of alerts to be transformed. Each number represents an alert category. For the mapping of numbers to alert categories, see the Mapping of alert category values section. |
| where | array | An array of strings which lists the fields of alert data being searched for a match to find. Possible values: “Alert Domain”, “Alert Query”, “Alert Referrer”, “Alert URL”, “Html”, “User Agent”, “User Id”, “User IP”, “User Proxy” |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | No |
| WebSafe_Manager_Deployer | No |
| ASM_Manager | No |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | No |
| WebSafe_Manager_View | No |
| Service_Catalog_Viewer | No |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
PATCH /mgmt/cm/websafe/working-config/alert-rules/<id>¶
To enable or disable an existing alert transform rule, you can send a PATCH request to the alert-rules collection, specify the rule’s identifier, and include the modified value of active in the body of the request.
Request Parameters¶
| Name | Type | Required | Description |
|---|---|---|---|
| active | boolean | True | True means an enabled rule. False means a disabled rule. |
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| accountReferences | array | An array of account reference objects which lists the accounts whose alerts get transformed. |
| name | string | Name of the resource. |
| link | string | URL of the account |
| active | boolean | True means an enabled rule. False means a disabled rule. |
| alertAction | string | Status to be applied on the matching alert. |
| alertDetails | string | Additional information displayed on the matching alert. |
| alertRecommendation | string | Recommendation displayed on the matching alert. |
| alertSeverityOrder | number | A severity value applied to the matching alert. Possible values are 0-100. |
| allAccounts | boolean | True means all accounts get transformed. False means only the accounts specified by accountReferences get transformed. |
| description | string | Description of the rule |
| find | string | A string searched for in the alert data. The fields of alert data indicated by where are searched for a match to find. |
| id | string | UUID identifier assigned by the system |
| isRegex | boolean | True if the value of find is a regular expression. False if find is not a regular expression. |
| isUserDefined | boolean | True means a rule created locally by user. False means a rule synced from Security Operations Center SOC dashboard. |
| name | string | Name of the alert transform rule |
| user | string | Name of the user who defined the rule. |
| userRegex | string | Regular expression used to match the user in the matched alert. If userRegex is defined, then all occurrences of the username identified by the regular expression will be replaced by the text: username. |
| userWhere | array | An array of strings where each represents the part of the alert where regular expression are used to find username. |
| when | array | An array of numbers which lists the categories of alerts to be transformed. Each number represents an alert category. For the mapping of numbers to alert categories, see the Mapping of alert category values section. |
| where | array | An array of strings which lists the fields of alert data being searched for a match to find. Possible values: “Alert Domain”, “Alert Query”, “Alert Referrer”, “Alert URL”, “Html”, “User Agent”, “User Id”, “User IP”, “User Proxy” |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | No |
| WebSafe_Manager_Deployer | No |
| ASM_Manager | No |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | No |
| WebSafe_Manager_View | No |
| Service_Catalog_Viewer | No |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
DELETE /mgmt/cm/websafe/working-config/alert-rules/<id>¶
To remove an existing alert transform rule, you can send a DELETE request to the alert-rules collection and specify the rule’s identifier id.
Request Parameters¶
None
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| accountReferences | array | An array of account reference objects which lists the accounts whose alerts get transformed. |
| name | string | Name of the resource. |
| link | string | URL of the account |
| active | boolean | True means an enabled rule. False means a disabled rule. |
| alertAction | string | Status to be applied on the matching alert. |
| alertDetails | string | Additional information displayed on the matching alert. |
| alertRecommendation | string | Recommendation displayed on the matching alert. |
| alertSeverityOrder | number | A severity value applied to the matching alert. Possible values are 0-100. |
| allAccounts | boolean | True means all accounts get transformed. False means only the accounts specified by accountReferences get transformed. |
| description | string | Description of the rule |
| find | string | A string searched for in the alert data. The fields of alert data indicated by where are searched for a match to find. |
| id | string | UUID identifier assigned by the system |
| isRegex | boolean | True if the value of find is a regular expression. False if find is not a regular expression. |
| isUserDefined | boolean | True means a rule created locally by user. False means a rule synced from Security Operations Center SOC dashboard. |
| name | string | Name of the alert transform rule |
| user | string | Name of the user who defined the rule. |
| userRegex | string | Regular expression used to match the user in the matched alert. If userRegex is defined, then all occurrences of the username identified by the regular expression will be replaced by the text: username. |
| userWhere | array | An array of strings where each represents the part of the alert where regular expression are used to find username. |
| when | array | An array of numbers which lists the categories of alerts to be transformed. Each number represents an alert category. For the mapping of numbers to alert categories, see the Mapping of alert category values section. |
| where | array | An array of strings which lists the fields of alert data being searched for a match to find. Possible values: “Alert Domain”, “Alert Query”, “Alert Referrer”, “Alert URL”, “Html”, “User Agent”, “User Id”, “User IP”, “User Proxy” |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | No |
| WebSafe_Manager_Deployer | No |
| ASM_Manager | No |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | No |
| WebSafe_Manager_View | No |
| Service_Catalog_Viewer | No |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
Mapping of alert category values¶
The when field contains an array of numbers. Each number in the array represents an alert category. The mapping of these numbers to alert categories is described in the following table.
| Value | Meaning |
|---|---|
| 1 | phishing |
| 2 | advanced phishing |
| 3 | user defined phishing |
| 4 | generic malware |
| 5 | targeted malware |
| 6 | external scripts |
| 7 | page modification |
| 8 | browser automation |
| 10 | transaction modification |
| 11 | user defined auto transactions |
| 12 | remote access tools |
| 13 | stolen credentials |
| 14 | user inspection |
| 15 | mobile malware |
| 16 | mobile man-in-the-middle |
| 17 | mobile security |
| 18 | user defined mobile |
| 19 | transaction errors |
| 20 | missing components |
| 21 | encryption errors |
| 22 | mobile errors |
| 23 | infected users |
| 26 | client logs |
Examples¶
GET to get an alert transform rule¶
To get information for an alert transform rule, send a GET request to the alert-rules collection and specify the account’s identifier.
GET /mgmt/cm/websafe/working-config/alert-rules/<id>
Response¶
HTTP/1.1 200 OK
{
"id": "96753ad4-032e-326b-b126-1e8135ce648c",
"find": "foo",
"kind": "cm:websafe:working-config:alert-rules:alertrulestate",
"name": "test",
"user": "userName",
"when": [
"1",
"2"
],
"where": [
"Alert Query",
"Alert URL"
],
"active": true,
"isRegex": true,
"selfLink": "https://localhost/mgmt/cm/websafe/working-config/alert-rules/96753ad4-032e-326b-b126-1e8135ce648c",
"partition": "Common",
"userRegex": "userRegex",
"userWhere": [
"Alert Referrer",
"Html"
],
"generation": 4,
"alertAction": "Open",
"allAccounts": true,
"description": "description",
"alertDetails": "alert details",
"isUserDefined": true,
"lastUpdateMicros": 1578392172548047,
"alertSeverityOrder": 28,
"alertRecommendation": "alert Recommendation"
}
POST to create an alert transform rule¶
To create a new alert transform rule, send a POST request to the alert-rules collection and include the account rule information in the body of the request.
POST /mgmt/cm/websafe/working-config/alert-rules
The JSON in the body of the POST can look similar to the following example.
{
"partition": "Common",
"alertAction": "No Action",
"allAccounts": true,
"isUserDefined": true,
"active": true,
"name": "test",
"description": "description",
"find": "foo",
"isRegex": true,
"alertSeverityOrder": 20,
"alertDetails": "Alert Details",
"alertRecommendation": "Alert Recommendation",
"userRegex": "userRegex",
"when": [
"6"
],
"where": [
"Alert URL"
],
"userWhere": [
"Html"
],
"user": "userName"
}
Response¶
The response to the POST can look similar to the following.
HTTP/1.1 200 OK
{
"allAccounts": true,
"find": "foo",
"isRegex": true,
"where": [
"Alert URL"
],
"when": [
"6"
],
"alertDetails": "Alert Details",
"alertRecommendation": "Alert Recommendation",
"alertAction": "No Action",
"user": "userName",
"alertSeverityOrder": 20,
"userRegex": "userRegex",
"userWhere": [
"Html"
],
"active": true,
"isUserDefined": true,
"partition": "Common",
"name": "test",
"description": "description",
"id": "d6cab60e-af8c-3ba7-a79e-d32d292b7ffc",
"generation": 1,
"lastUpdateMicros": 1578396734557302,
"kind": "cm:websafe:working-config:alert-rules:alertrulestate",
"selfLink": "https://localhost/mgmt/cm/websafe/working-config/alert-rules/d6cab60e-af8c-3ba7-a79e-d32d292b7ffc"
}
PUT to edit an alert transform rule¶
To edit an existing alert transform rule, send a PUT request to the alert-rules collection, specify the rule’s identifier, and include the modified information in the body of the request.
PUT /mgmt/cm/websafe/working-config/alert-rules/<id>
The JSON in the body of the PUT can look similar to the following example.
{
"id": "d6cab60e-af8c-3ba7-a79e-d32d292b7ffc",
"find": "foo",
"name": "test",
"user": "userName",
"when": [
"6"
],
"where": [
"Alert URL"
],
"active": true,
"isRegex": true,
"selfLink": "https://localhost/mgmt/cm/websafe/working-config/alert-rules/d6cab60e-af8c-3ba7-a79e-d32d292b7ffc",
"partition": "Common",
"userRegex": "userRegex",
"userWhere": [
"Html"
],
"alertAction": "No Action",
"allAccounts": true,
"description": "description",
"alertDetails": "Alert Details",
"isUserDefined": true,
"alertSeverityOrder": 20,
"alertRecommendation": "Alert Recommendation"
}
Response¶
The response to the PUT can look similar to the following.
HTTP/1.1 200 OK
{
"allAccounts": true,
"find": "foo",
"isRegex": true,
"where": [
"Alert URL"
],
"when": [
"6"
],
"alertDetails": "Alert Details",
"alertRecommendation": "Alert Recommendation",
"alertAction": "No Action",
"user": "userName",
"alertSeverityOrder": 20,
"userRegex": "userRegex",
"userWhere": [
"Html"
],
"active": true,
"isUserDefined": true,
"partition": "Common",
"name": "test",
"description": "description",
"id": "d6cab60e-af8c-3ba7-a79e-d32d292b7ffc",
"generation": 2,
"lastUpdateMicros": 1578398133116252,
"kind": "cm:websafe:working-config:alert-rules:alertrulestate",
"selfLink": "https://localhost/mgmt/cm/websafe/working-config/alert-rules/d6cab60e-af8c-3ba7-a79e-d32d292b7ffc"
}
PATCH to edit an alert transform rule¶
To edit an existing alert transform rule, send a PATCH request to the alert-rules collection, specify the rule’s identifier, and include the modified information in the body of the request.
PATCH /mgmt/cm/websafe/working-config/alert-rules/<id>
{
"active": false
}
Response¶
The response to the PATCH can look similar to the following.
HTTP/1.1 200 OK
{
"allAccounts": true,
"find": "foo",
"isRegex": true,
"where": [
"Alert URL"
],
"when": [
"6"
],
"alertDetails": "Alert Details",
"alertRecommendation": "Alert Recommendation",
"alertAction": "No Action",
"user": "userName",
"alertSeverityOrder": 20,
"userRegex": "userRegex",
"userWhere": [
"Html"
],
"active": false,
"isUserDefined": true,
"partition": "Common",
"name": "test",
"description": "description",
"id": "d6cab60e-af8c-3ba7-a79e-d32d292b7ffc",
"generation": 3,
"lastUpdateMicros": 1578398635035623,
"kind": "cm:websafe:working-config:alert-rules:alertrulestate",
"selfLink": "https://localhost/mgmt/cm/websafe/working-config/alert-rules/d6cab60e-af8c-3ba7-a79e-d32d292b7ffc"
}
DELETE to delete an alert transform rule¶
To delete an alert transform rule, send a DELETE request to the alert-rules collection and specify the rule’s identifier.
DELETE /mgmt/cm/websafe/working-config/alert-rules/<id>
Response¶
The response to the DELETE can look similar to the following.
HTTP/1.1 200 OK
{
"allAccounts": true,
"find": "foo",
"isRegex": true,
"where": [
"Alert URL"
],
"when": [
"6"
],
"alertDetails": "Alert Details",
"alertRecommendation": "Alert Recommendation",
"alertAction": "No Action",
"user": "userName",
"alertSeverityOrder": 20,
"userRegex": "userRegex",
"userWhere": [
"Html"
],
"active": false,
"isUserDefined": true,
"partition": "Common",
"name": "test",
"description": "description",
"id": "d6cab60e-af8c-3ba7-a79e-d32d292b7ffc",
"generation": 3,
"lastUpdateMicros": 1578398910254438,
"kind": "cm:websafe:working-config:alert-rules:alertrulestate",
"selfLink": "https://localhost/mgmt/cm/websafe/working-config/alert-rules/d6cab60e-af8c-3ba7-a79e-d32d292b7ffc"
}