Alert Forwarding Rules¶
Overview¶
You can use this API to configure Alert Forwarding Rules and their properties in BIG-IQ.
REST Endpoint: /mgmt/cm/websafe/working-config/forwarding-alert-rules¶
Requests¶
GET /mgmt/cm/websafe/working-config/forwarding-alert-rules/<id>¶
Request Parameters¶
None
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| id | string (UUID) | A unique identifier given by the system. |
| alertCategory | array_of_numbers | An array of numbers, where each number maps to an alert category. Specify the categories of events that need to be forwarded. |
| alertStatus | array_of_strings | An array of strings of statuses to forward. The only allowed value is “New”. |
| alertSeverity | number | A number (0-100). Alerts with a severity equal to or greater than the specified value will be forwarded. |
| notificationTarget | array_of_strings | An array of the notification targets. The possible values for each element in the array are: email, webservice, syslog, or custom. |
| forwardingFields | array_of_strings | An array of the fields that should get forwarded. The list of fields includes: Alert GUID, GeoIP City, Alert Date, Alert Domain, Alert URL, Alert Details, Alert Recommendation, Client Language, Client HostName, Client Proxy HostName, Client Username, Device Params, GeoIP Country, Client Session Data, Alert Referrer, Alert Severity, Alert Status, Alert Type, Client User Agent, Client IP, Client Proxy IP, Full Alert Query, and Device ID. |
| ruleStatus | string | The status of the rule. The possible values are enabled/disabled. |
| userNameRequired | boolean | Determines whether a user name is required for an alert to get forwarded. |
| socServiceEnabled | string | Enable or disable forwarding to the Security Operations Center SOC. |
| allAccounts | boolean | Determines whether alerts of all accounts will get forwarded, or only specific accounts. |
| accountReferences | reference | Used to select the accounts whose alerts will get forwarded. |
| name | string | Name of the resource. |
| link | string | URI link of the reference. |
| webserviceReference | reference | A reference to the webservice object that alerts will get forwarded to. |
| name | string | Name of the resource. |
| link | string | URI link of the reference. |
| emailRecipients | array_of_strings | The email addresses of the recipients of email when email forwarding is enabled. |
| emailBodyTemplate | string | A template used to format the body of the email being forwarded. |
| emailEnabled | string | Determines whether email forwarding is enabled. The possible values are enabled/disabled. |
| emailSender | string | The name that will appear as sender for the email being forwarded. |
| emailSenderAddress | string | The email address of the email sender. |
| emailSubject | string | The subject of the email. |
| smsTemplate | string | This field is unused and can be empty. |
| syslogTemplate | string | The content of the forwarded message. |
| syslogServer | string | The address of the syslog server. |
| syslogPort | string | The port of the syslog server. |
| syslogProtocol | string | The Syslog protocol. |
| syslogSeverity | string | The Syslog severity. |
| syslogFacility | string | The Syslog facility. |
| syslogEnabled | string | Determines whether forwarding to syslog is enabled. The possible values are enabled/disabled. |
| customWSEnabled | string | Determines whether forwarding to a custom web service is enabled. The possible values are enabled/disabled. |
| wsUsesToken | string | Determines whether an authentication token is used to authenticate the web service. |
| wsTokenTimeout | number | Sets the age of a token used to authenticate a custom web service. |
| wsTokenUrl | string | The URL used to obtain the token. |
| wsTokenMethod | string | The HTTP method used for the request to obtain the token. |
| wsTokenHeaders | array_of_strings | The headers used in the request to obtain the token. |
| wsTokenRequest | string | The query string used when requesting the token. |
| wsTokenResponse | string | A pattern used to extract the token out of the response. |
| wsAlertUrl | string | The custom webservice URL endpoint. |
| wsAlertMethod | string | The method used to send the alerts, can either be GET or POST. |
| wsAlertHeaders | array_of_strings | An array of strings, where each represents a header name and value separated by ‘:’. |
| wsAlertRequest | string | The body of the alert. |
| useCustomForwardingProxy | boolean | Determines whether a custom proxy should be used. |
| customForwardingProxyname | string | Name of the proxy object used to connect to the target. |
| useJsonParsing | boolean | Determines whether json parsing is used when keywords are replaced. |
alertCategory¶
The alertCategory field contains an array of numbers. Each number in the array represents an alert category, as described in the following table.
| Value | Meaning |
|---|---|
| 1 | phishing |
| 2 | advanced phishing |
| 3 | user defined phishing |
| 4 | generic malware |
| 5 | targeted malware |
| 6 | external scripts |
| 7 | page modification |
| 8 | browser automation |
| 10 | transaction modification |
| 11 | user defined auto transactions |
| 12 | remote access tools |
| 13 | stolen credentials |
| 14 | user inspection |
| 15 | mobile malware |
| 16 | mobile man-in-the-middle |
| 17 | mobile security |
| 18 | user defined mobile |
| 19 | transaction errors |
| 20 | missing components |
| 21 | encryption errors |
| 22 | mobile errors |
| 23 | infected users |
| 26 | client logs |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | Yes |
| WebSafe_Manager_Deployer | Yes |
| ASM_Manager | Yes |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | Yes |
| WebSafe_Manager_View | Yes |
| Service_Catalog_Viewer | Yes |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
POST /mgmt/cm/websafe/working-config/forwarding-alert-rules¶
Request Parameters¶
| Name | Type | Required | Description |
|---|---|---|---|
| name | string | True | The name of the alert forwarding rule. |
| alertCategory | array_of_numbers | False | An array of numbers, where each number maps to an alert category. Specify the categories of events that need to be forwarded. |
| alertStatus | array_of_strings | False | An array of strings of statuses to forward. The only allowed value is “New”. |
| alertSeverity | number | False | A number (0-100). Alerts with a severity equal to or greater than the specified value will be forwarded. |
| notificationTarget | array_of_strings | False | An array of the notification targets. The possible values for each element in the array are: email, webservice, syslog, or custom. |
| forwardingFields | array_of_strings | False | An array of the fields that should get forwarded. The list of fields includes: Alert GUID, GeoIP City, Alert Date, Alert Domain, Alert URL, Alert Details, Alert Recommendation, Client Language, Client HostName, Client Proxy HostName, Client Username, Device Params, GeoIP Country, Client Session Data, Alert Referrer, Alert Severity, Alert Status, Alert Type, Client User Agent, Client IP, Client Proxy IP, Full Alert Query, and Device ID. |
| ruleStatus | string | False | The status of the rule. The possible values are enabled/disabled. |
| userNameRequired | boolean | False | Determines whether a user name is required for an alert to get forwarded. |
| socServiceEnabled | string | False | Enable or disable forwarding to the Security Operations Center SOC. |
| allAccounts | boolean | False | Determines whether alerts of all accounts will get forwarded, or only specific accounts. |
| accountReferences | reference | False | Used to select the accounts whose alerts will get forwarded. |
| name | string | False | Name of the resource. |
| link | string | False | URI link of the reference. |
| webserviceReference | reference | False | A reference to the webservice object that alerts will get forwarded to. |
| name | string | False | Name of the resource. |
| link | string | False | URI link of the reference. |
| emailRecipients | array_of_strings | False | The email addresses of the recipients of email when email forwarding is enabled. |
| emailBodyTemplate | string | False | A template used to format the body of the email being forwarded. |
| emailEnabled | string | False | Determines whether email forwarding is enabled. The possible values are enabled/disabled. |
| emailSender | string | False | The name that will appear as sender for the email being forwarded. |
| emailSenderAddress | string | False | The email address of the email sender. |
| emailSubject | string | False | The subject of the email. |
| smsTemplate | string | False | This field is unused and can be empty. |
| syslogTemplate | string | False | The content of the forwarded message. |
| syslogServer | string | False | The address of the syslog server. |
| syslogPort | string | False | The port of the syslog server. |
| syslogProtocol | string | False | The Syslog protocol. |
| syslogSeverity | string | False | The Syslog severity. |
| syslogFacility | string | False | The Syslog facility. |
| syslogEnabled | string | False | Determines whether forwarding to syslog is enabled. The possible values are enabled/disabled. |
| customWSEnabled | string | False | Determines whether forwarding to a custom web service is enabled. The possible values are enabled/disabled. |
| wsUsesToken | string | False | Determines whether an authentication token is used to authenticate the web service. |
| wsTokenTimeout | number | False | Sets the age of a token used to authenticate a custom web service. |
| wsTokenUrl | string | False | The URL used to obtain the token. |
| wsTokenMethod | string | False | The HTTP method used for the request to obtain the token. |
| wsTokenHeaders | array_of_strings | False | The headers used in the request to obtain the token. |
| wsTokenRequest | string | False | The query string used when requesting the token. |
| wsTokenResponse | string | False | A pattern used to extract the token out of the response. |
| wsAlertUrl | string | False | The custom webservice URL endpoint. |
| wsAlertMethod | string | False | The method used to send the alerts, can either be GET or POST. |
| wsAlertHeaders | array_of_strings | False | An array of strings, where each represents a header name and value separated by ‘:’. |
| wsAlertRequest | string | False | The body of the alert. |
| useCustomForwardingProxy | boolean | False | Determines whether a custom proxy should be used. |
| customForwardingProxyname | string | False | Name of the proxy object used to connect to the target. |
| useJsonParsing | boolean | False | Determines whether json parsing is used when keywords are replaced. |
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| id | string (UUID) | A unique identifier given by the system. |
| alertCategory | array_of_numbers | An array of numbers, where each number maps to an alert category. Specify the categories of events that need to be forwarded. |
| alertStatus | array_of_strings | An array of strings of statuses to forward. The only allowed value is “New”. |
| alertSeverity | number | A number (0-100). Alerts with a severity equal to or greater than the specified value will be forwarded. |
| notificationTarget | array_of_strings | An array of the notification targets. The possible values for each element in the array are: email, webservice, syslog, or custom. |
| forwardingFields | array_of_strings | An array of the fields that should get forwarded. The list of fields includes: Alert GUID, GeoIP City, Alert Date, Alert Domain, Alert URL, Alert Details, Alert Recommendation, Client Language, Client HostName, Client Proxy HostName, Client Username, Device Params, GeoIP Country, Client Session Data, Alert Referrer, Alert Severity, Alert Status, Alert Type, Client User Agent, Client IP, Client Proxy IP, Full Alert Query, and Device ID. |
| ruleStatus | string | The status of the rule. The possible values are enabled/disabled. |
| userNameRequired | boolean | Determines whether a user name is required for an alert to get forwarded. |
| socServiceEnabled | string | Enable or disable forwarding to the Security Operations Center SOC. |
| allAccounts | boolean | Determines whether alerts of all accounts will get forwarded, or only specific accounts. |
| accountReferences | reference | Used to select the accounts whose alerts will get forwarded. |
| name | string | Name of the resource. |
| link | string | URI link of the reference. |
| webserviceReference | reference | A reference to the webservice object that alerts will get forwarded to. |
| name | string | Name of the resource. |
| link | string | URI link of the reference. |
| emailRecipients | array_of_strings | The email addresses of the recipients of email when email forwarding is enabled. |
| emailBodyTemplate | string | A template used to format the body of the email being forwarded. |
| emailEnabled | string | Determines whether email forwarding is enabled. The possible values are enabled/disabled. |
| emailSender | string | The name that will appear as sender for the email being forwarded. |
| emailSenderAddress | string | The email address of the email sender. |
| emailSubject | string | The subject of the email. |
| smsTemplate | string | This field is unused and can be empty. |
| syslogTemplate | string | The content of the forwarded message. |
| syslogServer | string | The address of the syslog server. |
| syslogPort | string | The port of the syslog server. |
| syslogProtocol | string | The Syslog protocol. |
| syslogSeverity | string | The Syslog severity. |
| syslogFacility | string | The Syslog facility. |
| syslogEnabled | string | Determines whether forwarding to syslog is enabled. The possible values are enabled/disabled. |
| customWSEnabled | string | Determines whether forwarding to a custom web service is enabled. The possible values are enabled/disabled. |
| wsUsesToken | string | Determines whether an authentication token is used to authenticate the web service. |
| wsTokenTimeout | number | Sets the age of a token used to authenticate a custom web service. |
| wsTokenUrl | string | The URL used to obtain the token. |
| wsTokenMethod | string | The HTTP method used for the request to obtain the token. |
| wsTokenHeaders | array_of_strings | The headers used in the request to obtain the token. |
| wsTokenRequest | string | The query string used when requesting the token. |
| wsTokenResponse | string | A pattern used to extract the token out of the response. |
| wsAlertUrl | string | The custom webservice URL endpoint. |
| wsAlertMethod | string | The method used to send the alerts, can either be GET or POST. |
| wsAlertHeaders | array_of_strings | An array of strings, where each represents a header name and value separated by ‘:’. |
| wsAlertRequest | string | The body of the alert. |
| useCustomForwardingProxy | boolean | Determines whether a custom proxy should be used. |
| customForwardingProxyname | string | Name of the proxy object used to connect to the target. |
| useJsonParsing | boolean | Determines whether json parsing is used when keywords are replaced. |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | No |
| WebSafe_Manager_Deployer | No |
| ASM_Manager | No |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | No |
| WebSafe_Manager_View | No |
| Service_Catalog_Viewer | No |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
PUT /mgmt/cm/websafe/working-config/forwarding-alert-rules/<id>¶
Request Parameters¶
| Name | Type | Required | Description |
|---|---|---|---|
| alertCategory | array_of_numbers | False | An array of numbers, where each number maps to an alert category. Specify the categories of events that need to be forwarded. |
| alertStatus | array_of_strings | False | An array of strings of statuses to forward. The only allowed value is “New”. |
| alertSeverity | number | False | A number (0-100). Alerts with a severity equal to or greater than the specified value will be forwarded. |
| notificationTarget | array_of_strings | False | An array of the notification targets. The possible values for each element in the array are: email, webservice, syslog, or custom. |
| forwardingFields | array_of_strings | False | An array of the fields that should get forwarded. The list of fields includes: Alert GUID, GeoIP City, Alert Date, Alert Domain, Alert URL, Alert Details, Alert Recommendation, Client Language, Client HostName, Client Proxy HostName, Client Username, Device Params, GeoIP Country, Client Session Data, Alert Referrer, Alert Severity, Alert Status, Alert Type, Client User Agent, Client IP, Client Proxy IP, Full Alert Query, and Device ID. |
| ruleStatus | string | False | The status of the rule. The possible values are enabled/disabled. |
| userNameRequired | boolean | False | Determines whether a user name is required for an alert to get forwarded. |
| socServiceEnabled | string | False | Enable or disable forwarding to the Security Operations Center SOC. |
| allAccounts | boolean | False | Determines whether alerts of all accounts will get forwarded, or only specific accounts. |
| accountReferences | reference | False | Used to select the accounts whose alerts will get forwarded. |
| name | string | False | Name of the resource. |
| link | string | False | URI link of the reference. |
| webserviceReference | reference | False | A reference to the webservice object that alerts will get forwarded to. |
| name | string | False | Name of the resource. |
| link | string | False | URI link of the reference. |
| emailRecipients | array_of_strings | False | The email addresses of the recipients of email when email forwarding is enabled. |
| emailBodyTemplate | string | False | A template used to format the body of the email being forwarded. |
| emailEnabled | string | False | Determines whether email forwarding is enabled. The possible values are enabled/disabled. |
| emailSender | string | False | The name that will appear as sender for the email being forwarded. |
| emailSenderAddress | string | False | The email address of the email sender. |
| emailSubject | string | False | The subject of the email. |
| smsTemplate | string | False | This field is unused and can be empty. |
| syslogTemplate | string | False | The content of the forwarded message. |
| syslogServer | string | False | The address of the syslog server. |
| syslogPort | string | False | The port of the syslog server. |
| syslogProtocol | string | False | The Syslog protocol. |
| syslogSeverity | string | False | The Syslog severity. |
| syslogFacility | string | False | The Syslog facility. |
| syslogEnabled | string | False | Determines whether forwarding to syslog is enabled. The possible values are enabled/disabled. |
| customWSEnabled | string | False | Determines whether forwarding to a custom web service is enabled. The possible values are enabled/disabled. |
| wsUsesToken | string | False | Determines whether an authentication token is used to authenticate the web service. |
| wsTokenTimeout | number | False | Sets the age of a token used to authenticate a custom web service. |
| wsTokenUrl | string | False | The URL used to obtain the token. |
| wsTokenMethod | string | False | The HTTP method used for the request to obtain the token. |
| wsTokenHeaders | array_of_strings | False | The headers used in the request to obtain the token. |
| wsTokenRequest | string | False | The query string used when requesting the token. |
| wsTokenResponse | string | False | A pattern used to extract the token out of the response. |
| wsAlertUrl | string | False | The custom webservice URL endpoint. |
| wsAlertMethod | string | False | The method used to send the alerts, can either be GET or POST. |
| wsAlertHeaders | array_of_strings | False | An array of strings, where each represents a header name and value separated by ‘:’. |
| wsAlertRequest | string | False | The body of the alert. |
| useCustomForwardingProxy | boolean | False | Determines whether a custom proxy should be used. |
| customForwardingProxyname | string | False | Name of the proxy object used to connect to the target. |
| useJsonParsing | boolean | False | Determines whether json parsing is used when keywords are replaced. |
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| alertCategory | array_of_numbers | Array of numbers, each maps to an alert category. Specify the categories of events that needs to be forwarded. |
| alertStatus | array_of_strings | Array of strings of statuses to forward. The only allowed value is “New”. |
| alertSeverity | number | A number (0-100). Alerts with severity equal or greater than the value will be forwarded. |
| notificationTarget | array_of_strings | An array of the notification targets. The possible values for each element in the array are: email, webservice, syslog, custom. |
| forwardingFields | array_of_strings | An array of the fields that should get forwarded. The list of fields include: Alert GUID, GeoIP City, Alert Date, Alert Domain, Alert URL, Alert Details, Alert Recommendation, Client Language, Client HostName, Client Proxy HostName, Client Username, Device Params, GeoIP Country, Client Session Data, Alert Referrer, Alert Severity, Alert Status, Alert Type, Client User Agent, Client IP, Client Proxy IP, Full Alert Query, Device ID. |
| ruleStatus | string | The status of the rule, can either be enabled or disabled. |
| userNameRequired | boolean | Determines whether a user name is required for an alert to get forwarded. |
| socServiceEnabled | string | Enable or disable forwarding to the SOC |
| allAccounts | boolean | Determines whether alerts of all accounts will get forwarded, or only specific accounts |
| accountReferences | reference | Used to select the accounts whose alerts will get forwarded |
| name | string | Name of the resource |
| link | string | URI link of the reference |
| webserviceReference | reference | A reference to the webservice object that alerts will get forwarded to |
| name | string | Name of the resource |
| link | string | URI link of the reference |
| emailRecipients | array_of_strings | Recipients of email when email forwarding is used |
| emailBodyTemplate | string | A template used to format the body of an the email being forwarded |
| emailEnabled | string | Determines whether email forwarding is enabled. The possible values are enabled/disabled. |
| emailSender | string | Sender name |
| emailSenderAddress | string | The address of the email sender. |
| emailSubject | string | The subject of the email |
| smsTemplate | string | This field is unused and can be empty. |
| syslogTemplate | string | The content of the forwarded message |
| syslogServer | string | Address of the syslog server. |
| syslogPort | string | Port of the syslog server |
| syslogProtocol | string | Syslog protocol |
| syslogSeverity | string | Syslog severity |
| syslogFacility | string | Syslog facility |
| syslogEnabled | string | Determines whether forwarding to syslog is enabled. The value of the string can be “enabled” or “disabled”. |
| customWSEnabled | string | Determines whether forwarding to a custom web service is enabled. The value of the string can be “enabled” or “disabled”. |
| wsUsesToken | string | Determines whether an authentication token is used to authenticate to the web service |
| wsTokenTimeout | number | Set the age of a token used to authenticate with a custom web service |
| wsTokenUrl | string | The URL used to obtain the token |
| wsTokenMethod | string | The HTTP method used for the request to obtain the token |
| wsTokenHeaders | array_of_strings | Headers used in the request to obtain the token |
| wsTokenRequest | string | The query string used when requesting auth token |
| wsTokenResponse | string | A pattern used to extract the auth token out of the response |
| wsAlertUrl | string | The custom webservice URL endpoint |
| wsAlertMethod | string | The method used to send the alerts, can either be GET or POST |
| wsAlertHeaders | array_of_strings | An array of strings, each represent header name and value separated by ‘:’ |
| wsAlertRequest | string | The body of the alert |
| useCustomForwardingProxy | boolean | Set whether a custom proxy should be used |
| customForwardingProxyname | string | Name of the proxy object used to connect to the target |
| useJsonParsing | boolean | Set whether json parsing is used when keywords are replaced |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | No |
| WebSafe_Manager_Deployer | No |
| ASM_Manager | No |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | No |
| WebSafe_Manager_View | No |
| Service_Catalog_Viewer | No |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
PATCH /mgmt/cm/websafe/working-config/forwarding-alert-rules/<id>¶
Request Parameters¶
| Name | Type | Required | Description |
|---|---|---|---|
| alertCategory | array_of_numbers | False | An array of numbers, where each number maps to an alert category. Specify the categories of events that need to be forwarded. |
| alertStatus | array_of_strings | False | An array of strings of statuses to forward. The only allowed value is “New”. |
| alertSeverity | number | False | A number (0-100). Alerts with a severity equal to or greater than the specified value will be forwarded. |
| notificationTarget | array_of_strings | False | An array of the notification targets. The possible values for each element in the array are: email, webservice, syslog, or custom. |
| forwardingFields | array_of_strings | False | An array of the fields that should get forwarded. The list of fields includes: Alert GUID, GeoIP City, Alert Date, Alert Domain, Alert URL, Alert Details, Alert Recommendation, Client Language, Client HostName, Client Proxy HostName, Client Username, Device Params, GeoIP Country, Client Session Data, Alert Referrer, Alert Severity, Alert Status, Alert Type, Client User Agent, Client IP, Client Proxy IP, Full Alert Query, and Device ID. |
| ruleStatus | string | False | The status of the rule. The possible values are enabled/disabled. |
| userNameRequired | boolean | False | Determines whether a user name is required for an alert to get forwarded. |
| socServiceEnabled | string | False | Enable or disable forwarding to the Security Operations Center SOC. |
| allAccounts | boolean | False | Determines whether alerts of all accounts will get forwarded, or only specific accounts. |
| accountReferences | reference | False | Used to select the accounts whose alerts will get forwarded. |
| name | string | False | Name of the resource. |
| link | string | False | URI link of the reference. |
| webserviceReference | reference | False | A reference to the webservice object that alerts will get forwarded to. |
| name | string | False | Name of the resource. |
| link | string | False | URI link of the reference. |
| emailRecipients | array_of_strings | False | The email addresses of the recipients of email when email forwarding is enabled. |
| emailBodyTemplate | string | False | A template used to format the body of the email being forwarded. |
| emailEnabled | string | False | Determines whether email forwarding is enabled. The possible values are enabled/disabled. |
| emailSender | string | False | The name that will appear as sender for the email being forwarded. |
| emailSenderAddress | string | False | The email address of the email sender. |
| emailSubject | string | False | The subject of the email. |
| smsTemplate | string | False | This field is unused and can be empty. |
| syslogTemplate | string | False | The content of the forwarded message. |
| syslogServer | string | False | The address of the syslog server. |
| syslogPort | string | False | The port of the syslog server. |
| syslogProtocol | string | False | The Syslog protocol. |
| syslogSeverity | string | False | The Syslog severity. |
| syslogFacility | string | False | The Syslog facility. |
| syslogEnabled | string | False | Determines whether forwarding to syslog is enabled. The possible values are enabled/disabled. |
| customWSEnabled | string | False | Determines whether forwarding to a custom web service is enabled. The possible values are enabled/disabled. |
| wsUsesToken | string | False | Determines whether an authentication token is used to authenticate the web service. |
| wsTokenTimeout | number | False | Sets the age of a token used to authenticate a custom web service. |
| wsTokenUrl | string | False | The URL used to obtain the token. |
| wsTokenMethod | string | False | The HTTP method used for the request to obtain the token. |
| wsTokenHeaders | array_of_strings | False | The headers used in the request to obtain the token. |
| wsTokenRequest | string | False | The query string used when requesting the token. |
| wsTokenResponse | string | False | A pattern used to extract the token out of the response. |
| wsAlertUrl | string | False | The custom webservice URL endpoint. |
| wsAlertMethod | string | False | The method used to send the alerts, can either be GET or POST. |
| wsAlertHeaders | array_of_strings | False | An array of strings, where each represents a header name and value separated by ‘:’. |
| wsAlertRequest | string | False | The body of the alert. |
| useCustomForwardingProxy | boolean | False | Determines whether a custom proxy should be used. |
| customForwardingProxyname | string | False | Name of the proxy object used to connect to the target. |
| useJsonParsing | boolean | False | Determines whether json parsing is used when keywords are replaced. |
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| alertCategory | array_of_numbers | Array of numbers, each maps to an alert category. Specify the categories of events that needs to be forwarded. |
| alertStatus | array_of_strings | Array of strings of statuses to forward. The only allowed value is “New”. |
| alertSeverity | number | A number (0-100). Alerts with severity equal or greater than the value will be forwarded. |
| notificationTarget | array_of_strings | An array of the notification targets. The possible values for each element in the array are: email, webservice, syslog, custom. |
| forwardingFields | array_of_strings | An array of the fields that should get forwarded. The list of fields include: Alert GUID, GeoIP City, Alert Date, Alert Domain, Alert URL, Alert Details, Alert Recommendation, Client Language, Client HostName, Client Proxy HostName, Client Username, Device Params, GeoIP Country, Client Session Data, Alert Referrer, Alert Severity, Alert Status, Alert Type, Client User Agent, Client IP, Client Proxy IP, Full Alert Query, Device ID. |
| ruleStatus | string | The status of the rule, can either be enabled or disabled. |
| userNameRequired | boolean | Determines whether a user name is required for an alert to get forwarded. |
| socServiceEnabled | string | Enable or disable forwarding to the SOC |
| allAccounts | boolean | Determines whether alerts of all accounts will get forwarded, or only specific accounts |
| accountReferences | reference | Used to select the accounts whose alerts will get forwarded |
| name | string | Name of the resource |
| link | string | URI link of the reference |
| webserviceReference | reference | A reference to the webservice object that alerts will get forwarded to |
| name | string | Name of the resource |
| link | string | URI link of the reference |
| emailRecipients | array_of_strings | Recipients of email when email forwarding is used |
| emailBodyTemplate | string | A template used to format the body of an the email being forwarded |
| emailEnabled | string | Determines whether email forwarding is enabled. The possible values are enabled/disabled. |
| emailSender | string | Sender name |
| emailSenderAddress | string | The address of the email sender. |
| emailSubject | string | The subject of the email |
| smsTemplate | string | This field is unused and can be empty. |
| syslogTemplate | string | The content of the forwarded message |
| syslogServer | string | Address of the syslog server. |
| syslogPort | string | Port of the syslog server |
| syslogProtocol | string | Syslog protocol |
| syslogSeverity | string | Syslog severity |
| syslogFacility | string | Syslog facility |
| syslogEnabled | string | Determines whether forwarding to syslog is enabled. The value of the string can be “enabled” or “disabled”. |
| customWSEnabled | string | Determines whether forwarding to a custom web service is enabled. The value of the string can be “enabled” or “disabled”. |
| wsUsesToken | string | Determines whether an authentication token is used to authenticate to the web service |
| wsTokenTimeout | number | Set the age of a token used to authenticate with a custom web service |
| wsTokenUrl | string | The URL used to obtain the token |
| wsTokenMethod | string | The HTTP method used for the request to obtain the token |
| wsTokenHeaders | array_of_strings | Headers used in the request to obtain the token |
| wsTokenRequest | string | The query string used when requesting auth token |
| wsTokenResponse | string | A pattern used to extract the auth token out of the response |
| wsAlertUrl | string | The custom webservice URL endpoint |
| wsAlertMethod | string | The method used to send the alerts, can either be GET or POST |
| wsAlertHeaders | array_of_strings | An array of strings, each represent header name and value separated by ‘:’ |
| wsAlertRequest | string | The body of the alert |
| useCustomForwardingProxy | boolean | Set whether a custom proxy should be used |
| customForwardingProxyname | string | Name of the proxy object used to connect to the target |
| useJsonParsing | boolean | Set whether json parsing is used when keywords are replaced |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | No |
| WebSafe_Manager_Deployer | No |
| ASM_Manager | No |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | No |
| WebSafe_Manager_View | No |
| Service_Catalog_Viewer | No |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
DELETE /mgmt/cm/websafe/working-config/forwarding-alert-rules/<id>¶
Request Parameters¶
None
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| alertCategory | array_of_numbers | Array of numbers, each maps to an alert category. Specify the categories of events that needs to be forwarded. |
| alertStatus | array_of_strings | Array of strings of statuses to forward. The only allowed value is “New”. |
| alertSeverity | number | A number (0-100). Alerts with severity equal or greater than the value will be forwarded. |
| notificationTarget | array_of_strings | An array of the notification targets. The possible values for each element in the array are: email, webservice, syslog, custom. |
| forwardingFields | array_of_strings | An array of the fields that should get forwarded. The list of fields include: Alert GUID, GeoIP City, Alert Date, Alert Domain, Alert URL, Alert Details, Alert Recommendation, Client Language, Client HostName, Client Proxy HostName, Client Username, Device Params, GeoIP Country, Client Session Data, Alert Referrer, Alert Severity, Alert Status, Alert Type, Client User Agent, Client IP, Client Proxy IP, Full Alert Query, Device ID. |
| ruleStatus | string | The status of the rule, can either be enabled or disabled. |
| userNameRequired | boolean | Determines whether a user name is required for an alert to get forwarded. |
| socServiceEnabled | string | Enable or disable forwarding to the SOC |
| allAccounts | boolean | Determines whether alerts of all accounts will get forwarded, or only specific accounts |
| accountReferences | reference | Used to select the accounts whose alerts will get forwarded |
| name | string | Name of the resource |
| link | string | URI link of the reference |
| webserviceReference | reference | A reference to the webservice object that alerts will get forwarded to |
| name | string | Name of the resource |
| link | string | URI link of the reference |
| emailRecipients | array_of_strings | Recipients of email when email forwarding is used |
| emailBodyTemplate | string | A template used to format the body of an the email being forwarded |
| emailEnabled | string | Determines whether email forwarding is enabled. The possible values are enabled/disabled. |
| emailSender | string | Sender name |
| emailSenderAddress | string | The address of the email sender. |
| emailSubject | string | The subject of the email |
| smsTemplate | string | This field is unused and can be empty. |
| syslogTemplate | string | The content of the forwarded message |
| syslogServer | string | Address of the syslog server. |
| syslogPort | string | Port of the syslog server |
| syslogProtocol | string | Syslog protocol |
| syslogSeverity | string | Syslog severity |
| syslogFacility | string | Syslog facility |
| syslogEnabled | string | Determines whether forwarding to syslog is enabled. The value of the string can be “enabled” or “disabled”. |
| customWSEnabled | string | Determines whether forwarding to a custom web service is enabled. The value of the string can be “enabled” or “disabled”. |
| wsUsesToken | string | Determines whether an authentication token is used to authenticate to the web service |
| wsTokenTimeout | number | Set the age of a token used to authenticate with a custom web service |
| wsTokenUrl | string | The URL used to obtain the token |
| wsTokenMethod | string | The HTTP method used for the request to obtain the token |
| wsTokenHeaders | array_of_strings | Headers used in the request to obtain the token |
| wsTokenRequest | string | The query string used when requesting auth token |
| wsTokenResponse | string | A pattern used to extract the auth token out of the response |
| wsAlertUrl | string | The custom webservice URL endpoint |
| wsAlertMethod | string | The method used to send the alerts, can either be GET or POST |
| wsAlertHeaders | array_of_strings | An array of strings, each represent header name and value separated by ‘:’ |
| wsAlertRequest | string | The body of the alert |
| useCustomForwardingProxy | boolean | Set whether a custom proxy should be used |
| customForwardingProxyname | string | Name of the proxy object used to connect to the target |
| useJsonParsing | boolean | Set whether json parsing is used when keywords are replaced |
Permissions¶
| Role | Allow |
|---|---|
| Application_Editor | No |
| WebSafe_Manager_Deployer | No |
| ASM_Manager | No |
| WebSafe_Manager | Yes |
| Service_Catalog_Editor | No |
| WebSafe_Manager_View | No |
| Service_Catalog_Viewer | No |
| WebSafe_Manager_Edit | Yes |
| Security_Manager | Yes |
Examples¶
GET to get a forwarding alert rule¶
To get information for a forwarding alert rule, send a GET request to the forwarding-alert-rules collection and specify the account’s identifier.
GET /mgmt/cm/websafe/working-config/forwarding-alert-rules/<id>
Response¶
HTTP/1.1 200 OK
{
"alertCategory": "[1,2]",
"alertStatus": "['new']",
"alertSeverity": 10,
"notificationTarget": "['email', 'syslog']",
"forwardingFields": "['Client IP']",
"ruleStatus": "enabled",
"userNameRequired": true,
"socServiceEnabled": true,
"allAccounts": true,
"accountReferences": [{
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}],
"webserviceReference": {
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"emailRecipients": "['a@b.com']",
"emailBodyTemplate": "Alert Type: {name}, Alert Severity: {severity}, Alert Status: {status},Alert URL: {url} Alert Details: {details} Client Username: {user} Client IP: {ip} Client Hostname: {hostname} Client Language: {language} Client User-Agent: {agent}",
"emailEnabled": "enabled",
"emailSender": "John Doe",
"emailSenderAddress": "a@b.com",
"emailSubject": "Forwarded alert",
"smsTemplate": "",
"syslogTemplate": "{accountid} - {name} %{severity} - {url}",
"syslogServer": "2.2.2.2",
"syslogPort": "6514",
"syslogProtocol": "tcp",
"syslogSeverity": "info",
"syslogFacility": "10",
"syslogEnabled": "enabled",
"customWSEnabled": "disabled",
"wsUsesToken": "No",
"wsTokenTimeout": 4,
"wsTokenUrl": "https://a.com",
"wsTokenMethod": "POST",
"wsTokenHeaders": "",
"wsTokenRequest": "",
"wsTokenResponse": "",
"wsAlertUrl": "http://a.com",
"wsAlertMethod": "POST",
"wsAlertHeaders": "",
"wsAlertRequest": "",
"useCustomForwardingProxy": false,
"customForwardingProxyname": "proxy",
"useJsonParsing": true
}
POST to create a forwarding alert rule¶
To create a new forwarding alert rule, send a POST request to the forwarding-alert-rules collection and include the account rule information in the body of the request.
POST /mgmt/cm/websafe/working-config/forwarding-alert-rules
The Json in the body of the POST can look similar to the following example.
{
"alertCategory": "[1,2]",
"alertStatus": "['new']",
"alertSeverity": 10,
"notificationTarget": "['email', 'syslog']",
"forwardingFields": "['Client IP']",
"ruleStatus": "enabled",
"userNameRequired": true,
"socServiceEnabled": true,
"allAccounts": true,
"accountReferences": [{
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}],
"webserviceReference": {
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"emailRecipients": "['a@b.com']",
"emailBodyTemplate": "Alert Type: {name}, Alert Severity: {severity}, Alert Status: {status},Alert URL: {url} Alert Details: {details} Client Username: {user} Client IP: {ip} Client Hostname: {hostname} Client Language: {language} Client User-Agent: {agent}",
"emailEnabled": "enabled",
"emailSender": "John Doe",
"emailSenderAddress": "a@b.com",
"emailSubject": "Forwarded alert",
"smsTemplate": "",
"syslogTemplate": "{accountid} - {name} %{severity} - {url}",
"syslogServer": "2.2.2.2",
"syslogPort": "6514",
"syslogProtocol": "tcp",
"syslogSeverity": "info",
"syslogFacility": "10",
"syslogEnabled": "enabled",
"customWSEnabled": "disabled",
"wsUsesToken": "No",
"wsTokenTimeout": 4,
"wsTokenUrl": "https://a.com",
"wsTokenMethod": "POST",
"wsTokenHeaders": "",
"wsTokenRequest": "",
"wsTokenResponse": "",
"wsAlertUrl": "http://a.com",
"wsAlertMethod": "POST",
"wsAlertHeaders": "",
"wsAlertRequest": "",
"useCustomForwardingProxy": false,
"customForwardingProxyname": "proxy",
"useJsonParsing": true
}
Response¶
The response to the POST can look similar to the following.
HTTP/1.1 200 OK
{
"alertCategory": "[1,2]",
"alertStatus": "['new']",
"alertSeverity": 10,
"notificationTarget": "['email', 'syslog']",
"forwardingFields": "['Client IP']",
"ruleStatus": "enabled",
"userNameRequired": true,
"socServiceEnabled": true,
"allAccounts": true,
"accountReferences": [{
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}],
"webserviceReference": {
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"emailRecipients": "['a@b.com']",
"emailBodyTemplate": "Alert Type: {name}, Alert Severity: {severity}, Alert Status: {status},Alert URL: {url} Alert Details: {details} Client Username: {user} Client IP: {ip} Client Hostname: {hostname} Client Language: {language} Client User-Agent: {agent}",
"emailEnabled": "enabled",
"emailSender": "John Doe",
"emailSenderAddress": "a@b.com",
"emailSubject": "Forwarded alert",
"smsTemplate": "",
"syslogTemplate": "{accountid} - {name} %{severity} - {url}",
"syslogServer": "2.2.2.2",
"syslogPort": "6514",
"syslogProtocol": "tcp",
"syslogSeverity": "info",
"syslogFacility": "10",
"syslogEnabled": "enabled",
"customWSEnabled": "disabled",
"wsUsesToken": "No",
"wsTokenTimeout": 4,
"wsTokenUrl": "https://a.com",
"wsTokenMethod": "POST",
"wsTokenHeaders": "",
"wsTokenRequest": "",
"wsTokenResponse": "",
"wsAlertUrl": "http://a.com",
"wsAlertMethod": "POST",
"wsAlertHeaders": "",
"wsAlertRequest": "",
"useCustomForwardingProxy": false,
"customForwardingProxyname": "proxy",
"useJsonParsing": true
}
PUT to edit a forwarding alert rule¶
To edit an existing forwarding alert rule, send a PUT request to the forwarding-alert-rules collection, specify the rule’s identifier, and include the modified information in the body of the request.
PUT /mgmt/cm/websafe/working-config/forwarding-alert-rules/<id>
The Json in the body of the PUT can look similar to the following example.
{
"alertCategory": "[1,2]",
"alertStatus": "['new']",
"alertSeverity": 10,
"notificationTarget": "['email', 'syslog']",
"forwardingFields": "['Client IP']",
"ruleStatus": "enabled",
"userNameRequired": true,
"socServiceEnabled": true,
"allAccounts": true,
"accountReferences": [{
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}],
"webserviceReference": {
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"emailRecipients": "['a@b.com']",
"emailBodyTemplate": "Alert Type: {name}, Alert Severity: {severity}, Alert Status: {status},Alert URL: {url} Alert Details: {details} Client Username: {user} Client IP: {ip} Client Hostname: {hostname} Client Language: {language} Client User-Agent: {agent}",
"emailEnabled": "enabled",
"emailSender": "John Doe",
"emailSenderAddress": "a@b.com",
"emailSubject": "Forwarded alert",
"smsTemplate": "",
"syslogTemplate": "{accountid} - {name} %{severity} - {url}",
"syslogServer": "2.2.2.2",
"syslogPort": "6514",
"syslogProtocol": "tcp",
"syslogSeverity": "info",
"syslogFacility": "10",
"syslogEnabled": "enabled",
"customWSEnabled": "disabled",
"wsUsesToken": "No",
"wsTokenTimeout": 4,
"wsTokenUrl": "https://a.com",
"wsTokenMethod": "POST",
"wsTokenHeaders": "",
"wsTokenRequest": "",
"wsTokenResponse": "",
"wsAlertUrl": "http://a.com",
"wsAlertMethod": "POST",
"wsAlertHeaders": "",
"wsAlertRequest": "",
"useCustomForwardingProxy": false,
"customForwardingProxyname": "proxy",
"useJsonParsing": true
}
Response¶
The response to the PUT can look similar to the following.
HTTP/1.1 200 OK
{
"alertCategory": "[1,2]",
"alertStatus": "['new']",
"alertSeverity": 10,
"notificationTarget": "['email', 'syslog']",
"forwardingFields": "['Client IP']",
"ruleStatus": "enabled",
"userNameRequired": true,
"socServiceEnabled": true,
"allAccounts": true,
"accountReferences": [{
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}],
"webserviceReference": {
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"emailRecipients": "['a@b.com']",
"emailBodyTemplate": "Alert Type: {name}, Alert Severity: {severity}, Alert Status: {status},Alert URL: {url} Alert Details: {details} Client Username: {user} Client IP: {ip} Client Hostname: {hostname} Client Language: {language} Client User-Agent: {agent}",
"emailEnabled": "enabled",
"emailSender": "John Doe",
"emailSenderAddress": "a@b.com",
"emailSubject": "Forwarded alert",
"smsTemplate": "",
"syslogTemplate": "{accountid} - {name} %{severity} - {url}",
"syslogServer": "2.2.2.2",
"syslogPort": "6514",
"syslogProtocol": "tcp",
"syslogSeverity": "info",
"syslogFacility": "10",
"syslogEnabled": "enabled",
"customWSEnabled": "disabled",
"wsUsesToken": "No",
"wsTokenTimeout": 4,
"wsTokenUrl": "https://a.com",
"wsTokenMethod": "POST",
"wsTokenHeaders": "",
"wsTokenRequest": "",
"wsTokenResponse": "",
"wsAlertUrl": "http://a.com",
"wsAlertMethod": "POST",
"wsAlertHeaders": "",
"wsAlertRequest": "",
"useCustomForwardingProxy": false,
"customForwardingProxyname": "proxy",
"useJsonParsing": true
}
PATCH to edit a forwarding alert rule¶
To edit an existing forwarding alert rule, send a PATCH request to the forwarding-alert-rules collection, specify the rule’s identifier, and include the modified information in the body of the request.
PATCH /mgmt/cm/websafe/working-config/forwarding-alert-rules/<id>
{
"alertCategory": "[1,2]",
"alertStatus": "['new']",
"alertSeverity": 10,
"notificationTarget": "['email', 'syslog']",
"forwardingFields": "['Client IP']",
"ruleStatus": "enabled",
"userNameRequired": true,
"socServiceEnabled": true,
"allAccounts": true,
"accountReferences": [{
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}],
"webserviceReference": {
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"emailRecipients": "['a@b.com']",
"emailBodyTemplate": "Alert Type: {name}, Alert Severity: {severity}, Alert Status: {status},Alert URL: {url} Alert Details: {details} Client Username: {user} Client IP: {ip} Client Hostname: {hostname} Client Language: {language} Client User-Agent: {agent}",
"emailEnabled": "enabled",
"emailSender": "John Doe",
"emailSenderAddress": "a@b.com",
"emailSubject": "Forwarded alert",
"smsTemplate": "",
"syslogTemplate": "{accountid} - {name} %{severity} - {url}",
"syslogServer": "2.2.2.2",
"syslogPort": "6514",
"syslogProtocol": "tcp",
"syslogSeverity": "info",
"syslogFacility": "10",
"syslogEnabled": "enabled",
"customWSEnabled": "disabled",
"wsUsesToken": "No",
"wsTokenTimeout": 4,
"wsTokenUrl": "https://a.com",
"wsTokenMethod": "POST",
"wsTokenHeaders": "",
"wsTokenRequest": "",
"wsTokenResponse": "",
"wsAlertUrl": "http://a.com",
"wsAlertMethod": "POST",
"wsAlertHeaders": "",
"wsAlertRequest": "",
"useCustomForwardingProxy": false,
"customForwardingProxyname": "proxy",
"useJsonParsing": true
}
Response¶
The response to the PATCH can look similar to the following.
HTTP/1.1 200 OK
{
"alertCategory": "[1,2]",
"alertStatus": "['new']",
"alertSeverity": 10,
"notificationTarget": "['email', 'syslog']",
"forwardingFields": "['Client IP']",
"ruleStatus": "enabled",
"userNameRequired": true,
"socServiceEnabled": true,
"allAccounts": true,
"accountReferences": [{
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}],
"webserviceReference": {
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"emailRecipients": "['a@b.com']",
"emailBodyTemplate": "Alert Type: {name}, Alert Severity: {severity}, Alert Status: {status},Alert URL: {url} Alert Details: {details} Client Username: {user} Client IP: {ip} Client Hostname: {hostname} Client Language: {language} Client User-Agent: {agent}",
"emailEnabled": "enabled",
"emailSender": "John Doe",
"emailSenderAddress": "a@b.com",
"emailSubject": "Forwarded alert",
"smsTemplate": "",
"syslogTemplate": "{accountid} - {name} %{severity} - {url}",
"syslogServer": "2.2.2.2",
"syslogPort": "6514",
"syslogProtocol": "tcp",
"syslogSeverity": "info",
"syslogFacility": "10",
"syslogEnabled": "enabled",
"customWSEnabled": "disabled",
"wsUsesToken": "No",
"wsTokenTimeout": 4,
"wsTokenUrl": "https://a.com",
"wsTokenMethod": "POST",
"wsTokenHeaders": "",
"wsTokenRequest": "",
"wsTokenResponse": "",
"wsAlertUrl": "http://a.com",
"wsAlertMethod": "POST",
"wsAlertHeaders": "",
"wsAlertRequest": "",
"useCustomForwardingProxy": false,
"customForwardingProxyname": "proxy",
"useJsonParsing": true
}
DELETE to delete a forwarding alert rule¶
To delete a forwarding alert rule, send a DELETE request to the forwarding-alert-rules collection and specify the rule’s identifier.
DELETE /mgmt/cm/websafe/working-config/forwarding-alert-rules/<id>
Response¶
The response to the DELETE can look similar to the following.
HTTP/1.1 200 OK
{
"alertCategory": "[1,2]",
"alertStatus": "['new']",
"alertSeverity": 10,
"notificationTarget": "['email', 'syslog']",
"forwardingFields": "['Client IP']",
"ruleStatus": "enabled",
"userNameRequired": true,
"socServiceEnabled": true,
"allAccounts": true,
"accountReferences": [{
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}],
"webserviceReference": {
"name": "resourceName",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"emailRecipients": "['a@b.com']",
"emailBodyTemplate": "Alert Type: {name}, Alert Severity: {severity}, Alert Status: {status},Alert URL: {url} Alert Details: {details} Client Username: {user} Client IP: {ip} Client Hostname: {hostname} Client Language: {language} Client User-Agent: {agent}",
"emailEnabled": "enabled",
"emailSender": "John Doe",
"emailSenderAddress": "a@b.com",
"emailSubject": "Forwarded alert",
"smsTemplate": "",
"syslogTemplate": "{accountid} - {name} %{severity} - {url}",
"syslogServer": "2.2.2.2",
"syslogPort": "6514",
"syslogProtocol": "tcp",
"syslogSeverity": "info",
"syslogFacility": "10",
"syslogEnabled": "enabled",
"customWSEnabled": "disabled",
"wsUsesToken": "No",
"wsTokenTimeout": 4,
"wsTokenUrl": "https://a.com",
"wsTokenMethod": "POST",
"wsTokenHeaders": "",
"wsTokenRequest": "",
"wsTokenResponse": "",
"wsAlertUrl": "http://a.com",
"wsAlertMethod": "POST",
"wsAlertHeaders": "",
"wsAlertRequest": "",
"useCustomForwardingProxy": false,
"customForwardingProxyname": "proxy",
"useJsonParsing": true
}