Update a security rule
PUT/v2/security/rules/:ruleId
Applies changes to a rule, identified by its ID. Can also be used to enable or disable a rule. Please ensure to change the region in the URL to match your account's region.
Request
Path Parameters
- application/json
Body
- Array [
- Array [
- ]
- Array [
- ]
-
If
COUNT
,fieldToAggregateOn
must be null, andgroupBy
fields must not be empty. -
If
NONE
,fieldToAggregateOn
must be null, andgroupBy
field must not be empty (or null). -
If
PERCENTAGE
,valueToAggregateOn
must be specified. -
If any other operator type (other than
NONE
orCOUNT
),fieldToAggregateOn
must not be null. - Cannot be a field already in use for
groupBy
. - Only relevant for the
PERCENTAGE
aggregation. - Array [
- ]
- ]
Rule title
A description of the event, its significance, and suggested next steps or instructions for the team.
Possible values: <= 25
Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more.
output object
Automatically sends out notifications with sample results when the rule triggers.
recipients object
Add email addresses and/or endpoint channels to automatically receive notifications with sample data when the rule triggers.
Array of email addresses to be notified when the rule triggers.
Array of IDs of pre-configured endpoint channels to notify when the rule triggers.
Possible values: >= 5
and <= 1440
Add a waiting period in minutes to space out notifications. (The rule will still trigger but will not send out notifications during the waiting period.)
Possible values: [JSON
, TABLE
]
Selects the output format for the rule notification. If the rule has no aggregations/group by fields, JSON
offers the option to send full sample logs without selecting specific fields.
Possible values: >= 5
and <= 1440
The time frame for evaluating the log data is a sliding window, with 1 minute granularity.
The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy.
The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy.
The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC.
subComponents object[]required
Sets the search criteria using a search query, filters, group by aggregations, accounts to search, and trigger conditions.
queryDefinition object
Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions.
Default value: *
Provide a Kibana search query written in Lucene syntax. The search query together with the filters select for the relevant logs.
Cannot be null - send an asterisk wildcard *
if not using a search query.
filters object
Apply must
and must_not
filters to the monitoring alert. Filters are more efficient compared to a query, so it's recommended to opt for a filter over a query, where possible. See Elasticsearch Bool-Query for more detail.
bool object
Runs Elasticsearch Bool Query filters on the data (before the search query is applied). The most efficient way to grab the logs you are looking for.
must object[]
match_phrase object
Field object
must_not object[]
match_phrase object
Field object
Possible values: <= 3
Specify 1-3 fields by which to group the results and count them. If you apply a group by operation, the rule returns a count of the results aggregated by unique values.
aggregation object
Specifies a trigger condition that acts as a threshold.
Possible values: [SUM
, MIN
, MAX
, AVG
, COUNT
, UNIQUE_COUNT
, NONE
, PERCENTAGE
, PERCENTILE
]
Specifies the aggregation operator.
Selects the field on which to run the aggregation for the trigger condition.
Used by the PERCENTAGE
aggregation to select the field’s value. This value is used to determine if its ratio out of the total amount of logs in the query satisfies the trigger condition.
Default value: true
Only applicable when the rule is run from the main account. If true
, the rule runs on the main account and all associated searchable sub accounts. If false
, specify relevant account IDs for the rule to monitor using the accountIdsToQueryOn
field.
Specify Account IDs to select which accounts the rule should monitor. The rule will be checked only on these accounts.
trigger object
Sets the triggering threshold and severity tab to label the event when the rule triggers.
Possible values: [LESS_THAN
, GREATER_THAN
, LESS_THAN_OR_EQUALS
, GREATER_THAN_OR_EQUALS
, EQUALS
, NOT_EQUALS
]
Specifies the operator for evaluating the results.
Possible values: [INFO
, LOW
, MEDIUM
, HIGH
, SEVERE
]
Default value: [object Object]
Sets a severity label per trigger threshold as a key:value pair.
If using more than one sub-component, only 1 severityThresholdTiers is allowed. Otherwise, 1 per enum
are allowed (for a total of 5 thresholds of increasing severities).
Increasing severity must adhere to the logic of the operator.
output object
Selects the data output to be sent in the notification when the rule triggers. Not applicable, when grouping by fields or aggregating results, as the output is auto-selected.
columns object[]
Specify the fields to be included in the notification.
Trims the data using regex filters. Learn more
Possible values: [DESC
, ASC
]
Specify a single field to sort by. The field cannot be an analyzed field (a field that supports free text search or searching by part of a message, such as the 'message' field).
correlations object
Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components.
AND
is currently the only supported operator. When AND
is the correlationOperator
, both sub-components must meet their triggering criteria for the rule to trigger.
Possible values: [AND
]
Specifies which group by fields must have the same values to trigger the rule.
Joins the group by fields from the first and second sub-components. The key represents the index of the sub component in the array (See the example - the index of the first sub-component is 0, the second is 1).
The fields must be ordered pairs of the group by fields already in use in the queryDefinition
.
If true
, the alert is enabled and active.
Responses
- 200
successful operation
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- Array [
- ]
- Array [
- ]
-
If
COUNT
,fieldToAggregateOn
must be null, andgroupBy
fields must not be empty. -
If
NONE
,fieldToAggregateOn
must be null, andgroupBy
field must not be empty (or null). -
If
PERCENTAGE
,valueToAggregateOn
must be specified. -
If any other operator type (other than
NONE
orCOUNT
),fieldToAggregateOn
must not be null. - Cannot be a field already in use for
groupBy
. - Only relevant for the
PERCENTAGE
aggregation. - Array [
- ]
- ]
Logz.io rule ID.
Date and time in UTC when the rule was last updated.
Email of the user who last updated the rule.
Date and time in UTC when the rule was first created.
Email of the user who first created the rule.
If true
, the rule is currently active.
Rule title.
A description of the event, its significance, and suggested next steps or instructions for the team.
Tags for filtering rules and triggered rules. Can be used in Kibana Discover, dashboards, and more.
output object
Automatically sends out notifications with sample results when the rule triggers.
recipients object
Add email addresses and/or endpoint channels to automatically receive notifications with sample data when the rule triggers.
Array of email addresses to be notified when the rule triggers.
Array of IDs of pre-configured endpoint channels to notify when the rule triggers.
Possible values: >= 5
and <= 1440
Add a waiting period in minutes to space out notifications. (The rule will still trigger but will not send out notifications during the waiting period.)
Possible values: [JSON
, TABLE
]
Selects the output format for the rule notification. If the rule has no aggregations/group by fields, JSON
offers the option to send full sample logs without selecting specific fields.
Possible values: >= 5
and <= 1440
The time frame for evaluating the log data is a sliding window, with 1 minute granularity.
The recommended minimum and maximum values are not validated, but needed to guarantee the rule's accuracy.
The minimum recommended time frame is 5 minutes, as anything shorter will be less reliable and unnecessarily resource-heavy.
The maximum recommended time frame is 1440 minutes (24 hours). The rule runs on the index from today and yesterday (in UTC) and the maximum time frame increases throughout the day, reaching 48 hours exactly before midnight UTC.
subComponents object[]
Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions.
queryDefinition object
Determines when the rule should trigger using any combination of a search query, filters, group by aggregations, accounts to search, and trigger conditions.
Default value: *
Provide a Kibana search query written in Lucene syntax. The search query together with the filters select for the relevant logs.
Cannot be null - send an asterisk wildcard *
if not using a search query.
filters object
Apply must
and must_not
filters to the monitoring alert. Filters are more efficient compared to a query, so it's recommended to opt for a filter over a query, where possible. See Elasticsearch Bool-Query for more detail.
bool object
Runs Elasticsearch Bool Query filters on the data (before the search query is applied). The most efficient way to grab the logs you are looking for.
must object[]
match_phrase object
Field object
must_not object[]
match_phrase object
Field object
Possible values: <= 3
Specify 1-3 fields by which to group the results and count them. If you apply a group by operation, the rule returns a count of the results aggregated by unique values.
aggregation object
Specifies a trigger condition that acts as a threshold.
Possible values: [SUM
, MIN
, MAX
, AVG
, COUNT
, UNIQUE_COUNT
, NONE
, PERCENTAGE
, PERCENTILE
]
Specifies the aggregation operator.
Selects the field on which to run the aggregation for the trigger condition.
Used by the PERCENTAGE
aggregation to select the field’s value. This value is used to determine if its ratio out of the total amount of logs in the query satisfies the trigger condition.
Default value: true
Only applicable when the rule is run from the main account. If true
, the rule runs on the main account and all associated searchable sub accounts. If false
, specify relevant account IDs for the rule to monitor using the accountIdsToQueryOn
field.
Specify Account IDs to select which accounts the rule should monitor. The rule will be checked only on these accounts.
trigger object
Sets the triggering threshold and severity tab to label the event when the rule triggers.
Possible values: [LESS_THAN
, GREATER_THAN
, LESS_THAN_OR_EQUALS
, GREATER_THAN_OR_EQUALS
, EQUALS
, NOT_EQUALS
]
Specifies the operator for evaluating the results.
Possible values: [INFO
, LOW
, MEDIUM
, HIGH
, SEVERE
]
Default value: [object Object]
Sets a severity label per trigger threshold as a key:value pair.
If using more than one sub-component, only 1 severityThresholdTiers is allowed. Otherwise, 1 per enum
are allowed (for a total of 5 thresholds of increasing severities).
Increasing severity must adhere to the logic of the operator.
output object
Selects the data output to be sent in the notification when the rule triggers. Not applicable, when grouping by fields or aggregating results, as the output is auto-selected.
columns object[]
Specify the fields to be included in the notification.
Trims the data using regex filters. Learn more
Possible values: [DESC
, ASC
]
Specify a single field to sort by. The field cannot be an analyzed field (a field that supports free text search or searching by part of a message, such as the 'message' field).
correlations object
Only applicable when multiple sub-components are in use. Selects a logic for correlating the rule’s sub-components.
AND
is currently the only supported operator. When AND
is the correlationOperator
, both sub-components must meet their triggering criteria for the rule to trigger.
Possible values: [AND
]
Specifies which group by fields must have the same values to trigger the rule.
Joins the group by fields from the first and second sub-components. The key represents the index of the sub component in the array (See the example - the index of the first sub-component is 0, the second is 1).
The fields must be ordered pairs of the group by fields already in use in the queryDefinition
.
schedule object
Defines the intervals in which an alert will be evaluated. This feature is still in production, but the payload already contains the data.
Cron job for the intervals schedule.
Time zone for the cron job. If no time zone is selected, UTC will be used by default.
{
"id": 627816,
"updatedAt": "2020-04-02T18:58:16.000Z",
"updatedBy": "tomer@logz.io",
"createdAt": "2020-02-02T18:58:16.000Z",
"createdBy": "tomer@logz.io",
"enabled": true,
"title": "Excessive WARN levels in PROD",
"description": "Steps to remediate...",
"tags": [
"network",
"aws"
],
"output": {
"recipients": {
"emails": [
"tom.a@logz.io"
],
"notificationEndpointIds": [
0
]
},
"suppressNotificationsMinutes": 60,
"type": "JSON"
},
"searchTimeFrameMinutes": 0,
"subComponents": [
{
"queryDefinition": {
"query": "type:apache_access",
"filters": {
"bool": {
"must": [
{
"match_phrase": {
"Field": {
"query": "value"
}
}
}
],
"must_not": [
{
"match_phrase": {
"Field": {
"query": "value"
}
}
}
]
}
},
"groupBy": [
"string"
],
"aggregation": {
"aggregationType": "SUM",
"fieldToAggregateOn": "string",
"valueToAggregateOn": "string"
},
"shouldQueryOnAllAccounts": false,
"accountIdsToQueryOn": [
2321
]
},
"trigger": {
"operator": "GREATER_THAN_OR_EQUALS",
"severityThresholdTiers": {
"MEDIUM": 10,
"HIGH": 100,
"SEVERE": 300
}
},
"output": {
"columns": [
{
"fieldName": "string",
"regex": "string",
"sort": "DESC"
}
]
}
}
],
"correlations": {
"correlationOperators": [
"AND"
],
"joins": [
{
"0": "region",
"1": "region"
}
]
},
"schedule": {
"cronExpression": "string",
"timezone": "string"
}
}