Sekoia.io

Configuration

This module accepts no configuration.

Triggers

Alert Comment Created

A comment was added to an existing Alert

Arguments

| Name | Type | Description |
|---|---|---|
| rule_filter | string | Create a run only for alerts matching a rule name |

Outputs

| Name | Type | Description |
|---|---|---|
| comment | object | Alert comment (object containing comment uuid, content, author, date). |
| file_path | string | File path to the alert on disk. |
| event_type | string | Action that triggered this Sekoia.io Alert notification (could be for example “alert-created”, “alert-status-changed”, etc.) |
| alert_uuid | string | Unique identifier of the Alert (UUID string). |
| short_id | string | Unique short identifier of the Alert. |
| status | object | Status of the Alert (object containing status description and name). |
| created_at | integer | Creation date of the Alert (timestamp). |
| urgency | integer | Current urgency of the Alert. |
| entity | object | Description of the entity involved with this Alert (object containing entity UUID and name). |
| alert_type | object | Category of the Alert |
| rule | object | |
| first_seen_at | string | |
| last_seen_at | string | |

Alert Created

A new Alert was created in the Operation Center

Arguments

| Name | Type | Description |
|---|---|---|
| rule_filter | string | Create a run only for alerts matching a rule name |

Outputs

| Name | Type | Description |
|---|---|---|
| file_path | string | File path to the alert on disk. |
| event_type | string | Action that triggered this Sekoia.io Alert notification (could be for example “alert-created”, “alert-status-changed”, etc.) |
| alert_uuid | string | Unique identifier of the Alert (UUID string). |
| short_id | string | Unique short identifier of the Alert. |
| status | object | Status of the Alert (object containing status description and name). |
| created_at | integer | Creation date of the Alert (timestamp). |
| urgency | integer | Current urgency of the Alert. |
| entity | object | Description of the entity involved with this Alert (object containing entity UUID and name). |
| alert_type | object | Category of the Alert |
| rule | object | |
| first_seen_at | string | |
| last_seen_at | string | |

Alert Status Changed

The status of an existing alert was changed

Arguments

| Name | Type | Description |
|---|---|---|
| rule_filter | string | Create a run only for alerts matching a rule name |

Outputs

| Name | Type | Description |
|---|---|---|
| file_path | string | File path to the alert on disk. |
| event_type | string | Action that triggered this Sekoia.io Alert notification (could be for example “alert-created”, “alert-status-changed”, etc.) |
| alert_uuid | string | Unique identifier of the Alert (UUID string). |
| short_id | string | Unique short identifier of the Alert. |
| status | object | Status of the Alert (object containing status description and name). |
| created_at | integer | Creation date of the Alert (timestamp). |
| urgency | integer | Current urgency of the Alert. |
| entity | object | Description of the entity involved with this Alert (object containing entity UUID and name). |
| alert_type | object | Category of the Alert |
| rule | object | |
| first_seen_at | string | |
| last_seen_at | string | |

Alert Updated

An existing alert was updated

Arguments

| Name | Type | Description |
|---|---|---|
| rule_filter | string | Create a run only for alerts matching a rule name |

Outputs

| Name | Type | Description |
|---|---|---|
| file_path | string | File path to the alert on disk. |
| event_type | string | Action that triggered this Sekoia.io Alert notification (could be for example “alert-created”, “alert-status-changed”, etc.) |
| alert_uuid | string | Unique identifier of the Alert (UUID string). |
| short_id | string | Unique short identifier of the Alert. |
| status | object | Status of the Alert (object containing status description and name). |
| created_at | integer | Creation date of the Alert (timestamp). |
| urgency | integer | Current urgency of the Alert. |
| entity | object | Description of the entity involved with this Alert (object containing entity UUID and name). |
| alert_type | object | Category of the Alert |
| rule | object | |
| first_seen_at | string | |
| last_seen_at | string | |

Manual Trigger

Webhook Trigger to receive specific Sekoia.io Alerts

Outputs

| Name | Type | Description |
|---|---|---|
| alert_uuid | string | Unique identifier of the Alert (UUID string). |

Feed Consumption

Get all non-revoked objects from the Sekoia.io Intelligence feed

Arguments

| Name | Type | Description |
|---|---|---|
| feed_id | string | ID of the Sekoia.io feed to get data from |
| batch_size_limit | integer | Number of elements to fetch from the Sekoia.io feed in one batch |
| modified_after | string | Date from which IOCs should be retrieved. It must be a valid RFC-3339 date-time string (e.g. 2024-04-12T23:20:50.52Z) |

Outputs

| Name | Type | Description |
|---|---|---|
| stix_objects_path | string | File path of the STIX objects fetched from the collection |

Feed IOC Consumption

Get all valid IOCs from the Sekoia.io Intelligence feed

Arguments

| Name | Type | Description |
|---|---|---|
| feed_id | string | ID of the Sekoia.io feed to get data from |
| batch_size_limit | integer | Number of elements to fetch from the Sekoia.io feed in one batch |
| modified_after | string | Date from which IOCs should be retrieved. It must be a valid RFC-3339 date-time string (e.g. 2024-04-12T23:20:50.52Z) |

Outputs

| Name | Type | Description |
|---|---|---|
| stix_objects_path | string | File path of the STIX objects fetched from the collection |

Any Alert Update

Create an event for each alert creation or modification

Arguments

| Name | Type | Description |
|---|---|---|
| rule_filter | string | Create a run only for alerts matching a rule name |

Outputs

| Name | Type | Description |
|---|---|---|
| file_path | string | File path to the alert on disk. |
| event_type | string | Action that triggered this Sekoia.io Alert notification (could be for example “alert-created”, “alert-status-changed”, etc.) |
| alert_uuid | string | Unique identifier of the Alert (UUID string). |
| short_id | string | Unique short identifier of the Alert. |
| status | object | Status of the Alert (object containing status description and name). |
| created_at | integer | Creation date of the Alert (timestamp). |
| urgency | integer | Current urgency of the Alert. |
| entity | object | Description of the entity involved with this Alert (object containing entity UUID and name). |
| alert_type | object | Category of the Alert |
| rule | object | |
| first_seen_at | string | |
| last_seen_at | string | |

Actions

Activate Countermeasure

Mark a countermeasure as active

Arguments

| Name | Type | Description |
|---|---|---|
| cm_uuid | string | |
| comment | object | |

Outputs

| Name | Type | Description |
|---|---|---|
| action_steps | array | |
| activated_by_type | string | Type of the profile that activated the countermeasure |
| comments | array | |
| activated_at | string | Date the countermeasure was activated |
| relevance | integer | Relevance of the countermeasure |
| denied_by_type | string | Type of the profile that denied the countermeasure |
| status | string | (deprecated) Status of the countermeasure |
| created_by | string | UUID of the profile that created the countermeasure |
| model_uuid | string | UUID of the model from which this countermeasure has been created |
| activated_by | string | UUID of the profile that activated the countermeasure |
| description | string | Description of the countermeasure |
| name | string | Name of the countermeasure |
| uuid | string | UUID of the countermeasure |
| duration | string | Estimated duration to apply the countermeasure |
| alert_uuid | string | UUID of the alert related to the countermeasure |
| denied_at | string | Date the countermeasure was denied |
| created_by_type | string | Type of the profile that created the countermeasure |
| course_of_action | object | (deprecated) STIX2 course-of-action object |
| dynamic_relevance | integer | Dynamic relevance of the countermeasure |
| denied_by | string | UUID of the profile that denied the countermeasure |
| assignee | string | UUID of the profile assigned to the progress of the countermeasure |
| created_at | string | Date the countermeasure was created |

Add IOC to IOC Collection

Add indicators to an IOC Collection

Arguments

| Name | Type | Description |
|---|---|---|
| indicators | array | List of indicators to add to an IOC collection |
| indicators_path | string | Path of the indicators file to add to an IOC collection |
| ioc_collection_id | string | Identifier of the IOC collection |
| indicator_type | string | Type of IOC |
| valid_for | integer | Validity period for the created indicators (in days) |

Add attribute to Asset

Add an attribute to an asset

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| name | string | |
| value | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| value | string | |
| uuid | string | |
| name | string | |

Add key to Asset

Add a key to an asset

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| name | string | |
| value | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| value | string | |
| uuid | string | |
| name | string | |

Attach Alerts to Case

Attach one or more alerts to a specific case

Arguments

| Name | Type | Description |
|---|---|---|
| case_uuid | string | |
| alerts | array | The list of identifiers of alerts to add |

Outputs

| Name | Type | Description |
|---|---|---|
| status | string | |

Create Tracker Notification

Create a notification for a specific tracker

Arguments

| Name | Type | Description |
|---|---|---|
| data | object | |

Outputs

| Name | Type | Description |
|---|---|---|
| data | object | |

Create rule

Create a new rule

Arguments

| Name | Type | Description |
|---|---|---|
| community_uuid | string | |
| name | string | |
| type | string | |
| description | string | |
| payload | string | |
| severity | integer | |
| effort | integer | |
| alert_type_uuid | string | |
| tags | array | |
| related_object_refs | array | |
| datasources | array | |
| event_fields | array | |
| enabled | boolean | |
| parameters | array | |
| all_entities | boolean | |
| entities | array | |
| all_assets | boolean | |
| assets | array | |
| goal | string | |
| false_positives | string | |
| similarity_strategy | array | |
| available_for_subcommunities | boolean | |

Outputs

| Name | Type | Description |
|---|---|---|
| uuid | string | The identifier of the rule |
| enabled | boolean | Is the rule enabled? |
| community_uuid | string | The community UUID, if the rule is attached to one |
| parameters | array | The parameters of the rule |
| all_entities | boolean | Should the rule be applied to all entities? |
| entities | array | The list of entities the rule should be applied to |
| all_assets | boolean | Should the rule be applied to all assets? |
| assets | array | The list of asset identifiers the rule should be applied to |
| last_compilation_success | boolean | Did the last compilation succeed? |
| last_compilation_message | string | The message of the last compilation |
| last_compilation_at | string | The last compilation date of the rule |
| name | string | The name of the rule |
| type | | The type of the rule |
| private | boolean | Is the rule available only to the community? |
| is_private | boolean | Is the rule available only to the community? |
| description | string | The description of the rule |
| payload | string | The payload of the rule |
| severity | integer | The severity of the rule |
| effort | integer | The effort of the rule |
| alert_type | object | The alert type associated with the rule |
| alert_category | object | The alert category associated with the rule |
| tags | array | The list of tags associated with the rule |
| source | string | The source of the rule |
| verified | boolean | Is the rule verified? |
| related_object_refs | array | The list of references to objects related to the rule |
| datasources | array | The list of datasources of the rule |
| event_fields | array | The list of fields to show when displaying a matched event |
| similarity_strategy | array | Similarity strategy used by this rule |
| created_at | string | The creation date of the rule |
| created_by | string | The profile who created the rule |
| created_by_type | string | The type of the profile that created the rule; can be 'avatar', 'application' or 'apikey' |
| updated_at | string | The modification date of the rule |
| updated_by | string | The profile who updated the rule |
| updated_by_type | string | The type of the profile that updated the rule; can be 'rule', 'application' or 'apikey' |
| goal | string | A high-level description explaining the contribution of the rule |
| false_positives | string | A possible legitimate usage which can raise a false alert |
| references | string | Details on what led to writing this rule |
| available_for_subcommunities | boolean | Is the rule available for subcommunities (if applicable)? |
| instance_uuid | string | The identifier of the instance of the rule |

Create Asset

Create a new asset

Arguments

| Name | Type | Description |
|---|---|---|
| asset_type | object | |
| name | string | |
| criticity | integer | |
| description | string | |
| attributes | array | |
| keys | array | |
| owners | array | |
| community_uuid | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| keys | array | |
| attributes | array | |
| uuid | string | |
| name | string | |
| created_at | string | |
| criticity | object | |
| asset_type | object | |
| updated_at | string | |
| description | string | |
| owners | array | |
| community_uuid | string | |
| category | object | |

Delete rule

Delete a rule

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| community_uuid | string | |

Delete an asset

Delete the requested asset

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | The identifier of the asset |

Deny Countermeasure

Mark a countermeasure as denied

Arguments

| Name | Type | Description |
|---|---|---|
| cm_uuid | string | |
| comment | object | |

Outputs

| Name | Type | Description |
|---|---|---|
| action_steps | array | |
| activated_by_type | string | Type of the profile that activated the countermeasure |
| comments | array | |
| activated_at | string | Date the countermeasure was activated |
| relevance | integer | Relevance of the countermeasure |
| denied_by_type | string | Type of the profile that denied the countermeasure |
| status | string | (deprecated) Status of the countermeasure |
| created_by | string | UUID of the profile that created the countermeasure |
| model_uuid | string | UUID of the model from which this countermeasure has been created |
| activated_by | string | UUID of the profile that activated the countermeasure |
| description | string | Description of the countermeasure |
| name | string | Name of the countermeasure |
| uuid | string | UUID of the countermeasure |
| duration | string | Estimated duration to apply the countermeasure |
| alert_uuid | string | UUID of the alert related to the countermeasure |
| denied_at | string | Date the countermeasure was denied |
| created_by_type | string | Type of the profile that created the countermeasure |
| course_of_action | object | (deprecated) STIX2 course-of-action object |
| dynamic_relevance | integer | Dynamic relevance of the countermeasure |
| denied_by | string | UUID of the profile that denied the countermeasure |
| assignee | string | UUID of the profile assigned to the progress of the countermeasure |
| created_at | string | Date the countermeasure was created |

Disable rule

Disable a rule

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| community_uuid | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| uuid | string | The identifier of the rule |
| enabled | boolean | Is the rule enabled? |
| community_uuid | string | The community UUID, if the rule is attached to one |
| parameters | array | The parameters of the rule |
| all_entities | boolean | Should the rule be applied to all entities? |
| entities | array | The list of entities the rule should be applied to |
| all_assets | boolean | Should the rule be applied to all assets? |
| assets | array | The list of asset identifiers the rule should be applied to |
| last_compilation_success | boolean | Did the last compilation succeed? |
| last_compilation_message | string | The message of the last compilation |
| last_compilation_at | string | The last compilation date of the rule |
| name | string | The name of the rule |
| type | | The type of the rule |
| private | boolean | Is the rule available only to the community? |
| is_private | boolean | Is the rule available only to the community? |
| description | string | The description of the rule |
| payload | string | The payload of the rule |
| severity | integer | The severity of the rule |
| effort | integer | The effort of the rule |
| alert_type | object | The alert type associated with the rule |
| alert_category | object | The alert category associated with the rule |
| tags | array | The list of tags associated with the rule |
| source | string | The source of the rule |
| verified | boolean | Is the rule verified? |
| related_object_refs | array | The list of references to objects related to the rule |
| datasources | array | The list of datasources of the rule |
| event_fields | array | The list of fields to show when displaying a matched event |
| similarity_strategy | array | Similarity strategy used by this rule |
| created_at | string | The creation date of the rule |
| created_by | string | The profile who created the rule |
| created_by_type | string | The type of the profile that created the rule; can be 'avatar', 'application' or 'apikey' |
| updated_at | string | The modification date of the rule |
| updated_by | string | The profile who updated the rule |
| updated_by_type | string | The type of the profile that updated the rule; can be 'rule', 'application' or 'apikey' |
| goal | string | A high-level description explaining the contribution of the rule |
| false_positives | string | A possible legitimate usage which can raise a false alert |
| references | string | Details on what led to writing this rule |
| available_for_subcommunities | boolean | Is the rule available for subcommunities (if applicable)? |
| instance_uuid | string | The identifier of the instance of the rule |

Enable rule

Enable a rule

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| community_uuid | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| uuid | string | The identifier of the rule |
| enabled | boolean | Is the rule enabled? |
| community_uuid | string | The community UUID, if the rule is attached to one |
| parameters | array | The parameters of the rule |
| all_entities | boolean | Should the rule be applied to all entities? |
| entities | array | The list of entities the rule should be applied to |
| all_assets | boolean | Should the rule be applied to all assets? |
| assets | array | The list of asset identifiers the rule should be applied to |
| last_compilation_success | boolean | Did the last compilation succeed? |
| last_compilation_message | string | The message of the last compilation |
| last_compilation_at | string | The last compilation date of the rule |
| name | string | The name of the rule |
| type | | The type of the rule |
| private | boolean | Is the rule available only to the community? |
| is_private | boolean | Is the rule available only to the community? |
| description | string | The description of the rule |
| payload | string | The payload of the rule |
| severity | integer | The severity of the rule |
| effort | integer | The effort of the rule |
| alert_type | object | The alert type associated with the rule |
| alert_category | object | The alert category associated with the rule |
| tags | array | The list of tags associated with the rule |
| source | string | The source of the rule |
| verified | boolean | Is the rule verified? |
| related_object_refs | array | The list of references to objects related to the rule |
| datasources | array | The list of datasources of the rule |
| event_fields | array | The list of fields to show when displaying a matched event |
| similarity_strategy | array | Similarity strategy used by this rule |
| created_at | string | The creation date of the rule |
| created_by | string | The profile who created the rule |
| created_by_type | string | The type of the profile that created the rule; can be 'avatar', 'application' or 'apikey' |
| updated_at | string | The modification date of the rule |
| updated_by | string | The profile who updated the rule |
| updated_by_type | string | The type of the profile that updated the rule; can be 'rule', 'application' or 'apikey' |
| goal | string | A high-level description explaining the contribution of the rule |
| false_positives | string | A possible legitimate usage which can raise a false alert |
| references | string | Details on what led to writing this rule |
| available_for_subcommunities | boolean | Is the rule available for subcommunities (if applicable)? |
| instance_uuid | string | The identifier of the instance of the rule |

Get aggregation query

Make an aggregation query

Arguments

| Name | Type | Description |
|---|---|---|
| aggregation_type | string | The aggregation type. Can be avg, cardinality, max, min, sum or count. |
| aggregation_field | string | The field on which to apply the aggregation. Should be null only for count aggregations. |
| query_term | string | |
| earliest_time | string | |
| latest_time | string | |
| minutes_per_bucket | integer | |
| filters | array | |

Outputs

| Name | Type | Description |
|---|---|---|
| aggregations | array | |
| anomaly_detection_candidate_score_y_acf1 | number | |
| anomaly_detection_candidate_score_y_acf5 | number | |
| anomaly_detection_candidate_score_seas_acf1 | number | |
| anomaly_detection_candidate | boolean | |

Get Alert

Retrieve the definition of an alert

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| stix | boolean | |

Outputs

| Name | Type | Description |
|---|---|---|
| urgency | object | |
| history | array | |
| is_incident | boolean | |
| assets | array | |
| countermeasures | array | |
| updated_at | integer | |
| comments | array | |
| ttps | array | |
| number_of_unseen_comments | integer | |
| status | object | |
| created_by | string | |
| updated_by | string | |
| source | string | |
| community_uuid | string | |
| number_of_total_comments | integer | |
| uuid | string | |
| rule | object | |
| adversaries | array | |
| short_id | string | |
| first_seen_at | string | |
| last_seen_at | string | |
| event_uuids | array | |
| kill_chain_short_id | string | |
| similar | integer | |
| alert_type | object | |
| details | string | |
| stix | object | |
| created_by_type | string | |
| entity | object | |
| created_at | integer | |
| updated_by_type | string | |
| title | string | |
| target | string | |

Get Community

Retrieve a community

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| uuid | string | The UUID of the community |
| name | string | The name of the community |
| description | string | The description of the community |
| homepage_url | string | URL of the community's homepage |
| created_at | string | The date and time the community was created |
| created_by | string | The user who created the community |
| created_by_type | string | The type of user who created the community |
| updated_at | string | The date and time the community was last updated |
| is_parent | boolean | Whether the community is a multi-tenant community |
| parent_community_uuid | string | The UUID of the parent community (if any) |
| subcommunities | array | List of UUIDs of communities that are managed by this multi-tenant community |
| is_mfa_enforced | boolean | Whether the community has enforced multi-factor authentication |
| session_timeout | number | The session timeout in minutes for the community (if any) |
| disable_inactive_avatars | boolean | Whether the community automatically disables inactive avatars (after 90 days) |
| disabled | boolean | Whether the community is disabled |

Get context

Get reports for a specific term

Arguments

| Name | Type | Description |
|---|---|---|
| sort | string | |
| term | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| items | array | |
| has_more | boolean | |

Get Entity

Retrieve an entity

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| uuid | string | The UUID of the entity |
| name | string | The name of the entity |
| entity_id | string | The chosen ID of the entity |
| community_uuid | string | The UUID of the community the entity belongs to |
| description | string | The description of the entity |
| alerts_generation | string | Whether alerts generated for this entity require analyst approval |
| number_of_intakes | number | The number of configured intakes for this entity |

Get Event Field Common Values

Get the most common values of fields observed under a specific query

Arguments

| Name | Type | Description |
|---|---|---|
| query | string | Event search query |
| earliest_time | string | The earliest time of the time range of the search |
| latest_time | string | The latest time of the time range of the search |
| fields | string | Fields for which to compute the most common values (comma-separated) |
| limit | number | Maximum number of events to retrieve |

Outputs

| Name | Type | Description |
|---|---|---|
| fields | array | |

Get Events

Query events

Arguments

| Name | Type | Description |
|---|---|---|
| query | string | Event search query |
| earliest_time | string | The earliest time of the time range of the search |
| latest_time | string | The latest time of the time range of the search |
| limit | number | Maximum number of events to retrieve |

Outputs

| Name | Type | Description |
|---|---|---|
| events | array | |

Get Intake

Retrieve an intake

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| uuid | string | The UUID of the intake |
| name | string | The name of the intake |
| community_uuid | string | The UUID of the community the intake belongs to |
| format_uuid | string | The UUID of the format of the intake |
| intake_key | string | The key to use to send events to the intake |
| created_at | string | The date and time the intake was created |
| created_by | string | The user who created the intake |
| created_by_type | string | The type of user who created the intake |
| updated_at | string | The date and time the intake was last updated |
| updated_by | string | The user who last updated the intake |
| updated_by_type | string | The type of user who last updated the intake |
| is_custom_format | boolean | Whether the format is custom (not maintained by Sekoia) |
| connector_configuration_uuid | string | The UUID of the connector configuration, for pulling intakes |
| status | string | A string representation of the status of the intake (mainly for pulling intakes) |
| entity | | |

Get rule

Get a rule

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| uuid | string | The identifier of the rule |
| enabled | boolean | Is the rule enabled? |
| community_uuid | string | The community UUID, if the rule is attached to one |
| parameters | array | The parameters of the rule |
| all_entities | boolean | Should the rule be applied to all entities? |
| entities | array | The list of entities the rule should be applied to |
| all_assets | boolean | Should the rule be applied to all assets? |
| assets | array | The list of asset identifiers the rule should be applied to |
| last_compilation_success | boolean | Did the last compilation succeed? |
| last_compilation_message | string | The message of the last compilation |
| last_compilation_at | string | The last compilation date of the rule |
| name | string | The name of the rule |
| type | | The type of the rule |
| private | boolean | Is the rule available only to the community? |
| is_private | boolean | Is the rule available only to the community? |
| description | string | The description of the rule |
| payload | string | The payload of the rule |
| severity | integer | The severity of the rule |
| effort | integer | The effort of the rule |
| alert_type | object | The alert type associated with the rule |
| alert_category | object | The alert category associated with the rule |
| tags | array | The list of tags associated with the rule |
| source | string | The source of the rule |
| verified | boolean | Is the rule verified? |
| related_object_refs | array | The list of references to objects related to the rule |
| datasources | array | The list of datasources of the rule |
| event_fields | array | The list of fields to show when displaying a matched event |
| similarity_strategy | array | Similarity strategy used by this rule |
| created_at | string | The creation date of the rule |
| created_by | string | The profile who created the rule |
| created_by_type | string | The type of the profile that created the rule; can be 'avatar', 'application' or 'apikey' |
| updated_at | string | The modification date of the rule |
| updated_by | string | The profile who updated the rule |
| updated_by_type | string | The type of the profile that updated the rule; can be 'rule', 'application' or 'apikey' |
| goal | string | A high-level description explaining the contribution of the rule |
| false_positives | string | A possible legitimate usage which can raise a false alert |
| references | string | Details on what led to writing this rule |
| available_for_subcommunities | boolean | Is the rule available for subcommunities (if applicable)? |
| instance_uuid | string | The identifier of the instance of the rule |

Create Content Proposal

Create Content Proposal

Arguments

| Name | Type | Description |
|---|---|---|
| bundle | object | STIX Bundle to upload |
| bundle_path | string | Path of the STIX Bundle to upload |
| auto_merge | boolean | Whether or not the uploaded bundle can automatically be merged into the consolidated database |
| enrich | boolean | Whether or not the uploaded bundle should be enriched |
| name | string | Name to use for the new content proposal |
| assigned_to | string | Avatar assigned to the content proposal |

Outputs

| Name | Type | Description |
|---|---|---|
| file_name | string | |
| content_proposal_id | string | |

Upload Observables

Upload observables to inThreat

Arguments

| Name | Type | Description |
|---|---|---|
| observables | array | List of observables or bundle to upload to inThreat |
| observables_path | string | Path of the observables file to upload to inThreat |

Search Alerts

Find alerts that match your filters

Arguments

| Name | Type | Description |
|---|---|---|
| match[community_uuid] | string | |
| match[entity_name] | string | |
| match[entity_uuid] | string | |
| match[status_uuid] | string | |
| match[status_name] | string | |
| match[type_category] | string | |
| match[type_value] | string | |
| match[source] | string | |
| match[target] | string | |
| match[node] | string | |
| match[stix_object] | string | |
| match[rule_uuid] | string | |
| match[rule_name] | string | |
| match[short_id] | string | |
| match[uuid] | string | |
| match[title] | string | |
| date[created_at] | string | |
| date[updated_at] | string | |
| range[urgency] | string | |
| range[similar] | string | |
| visible | boolean | |
| limit | integer | |
| offset | integer | |
| stix | boolean | |
| sort | string | |
| direction | string | |
| with_count | boolean | |

Outputs

| Name | Type | Description |
|---|---|---|
| total | integer | |
| has_more | boolean | |
| items | array | |

List Assets

Return a list of assets according to the filters

Arguments

| Name | Type | Description |
|---|---|---|
| limit | integer | The number of assets to return |
| offset | integer | The position of the first asset to return |
| match[uuid] | string | Filter assets according to their identifier |
| match[name] | string | Filter assets according to their name |
| match[category_name] | string | Filter assets according to their category |
| match[category_uuid] | string | Filter assets according to their category |
| match[type_name] | string | Filter assets according to their type |
| match[type_uuid] | string | Filter assets according to their type |
| range[criticality] | string | Filter assets according to their criticality |
| date[created_at] | string | Filter assets according to their creation date |
| date[updated_at] | string | Filter assets according to their modification date |
| sort | string | The field to use to sort the list |
| direction | string | The direction to sort the list |

Outputs

| Name | Type | Description |
|---|---|---|
| items | array | |
| total | integer | |

Edit Alert

Edit the details of an alert

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| alert_type_category | string | Category of the alert type |
| alert_type_value | string | Name of the alert type, required if alert_type_category is present |
| details | string | Description of the alert |
| urgency | integer | The urgency of the alert |
| kill_chain_short_id | string | The ID of the kill chain step this alert denotes |
| title | string | Title of the alert |

Outputs

| Name | Type | Description |
|---|---|---|
| urgency | object | |
| is_incident | boolean | |
| assets | array | |
| updated_at | integer | |
| ttps | array | |
| number_of_unseen_comments | integer | |
| status | object | |
| created_by | string | |
| updated_by | string | |
| source | string | |
| community_uuid | string | |
| number_of_total_comments | integer | |
| uuid | string | |
| rule | object | |
| adversaries | array | |
| short_id | string | |
| first_seen_at | string | |
| last_seen_at | string | |
| event_uuids | array | |
| kill_chain_short_id | string | |
| similar | integer | |
| alert_type | object | |
| details | string | |
| stix | object | |
| created_by_type | string | |
| entity | object | |
| created_at | integer | |
| updated_by_type | string | |
| title | string | |
| target | string | |

Comment Alert

Attach a new comment on an Alert

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| content | string | Content of the comment |
| author | string | Author of the comment |

Outputs

| Name | Type | Description |
|---|---|---|
| created_by | string | The identifier of the creator of the comment |
| content | string | Content of the comment |
| author | string | Author of the comment |
| unseen | boolean | |
| date | integer | |
| created_by_type | string | The type of the creator of the comment |
| uuid | string | Identifier of the comment |

Create Content Proposal from PDF

Creates a content proposal with the content extracted from the specified PDF

Arguments

| Name | Type | Description |
|---|---|---|
| name | string | |
| file | string | |
| source_ref | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| data | object | |

Create Content Proposal from URL

Creates a content proposal with the content extracted from the specified URL

Arguments

| Name | Type | Description |
|---|---|---|
| url | string | |
| source_ref | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| data | object | |

Predict Alert State

Predict the state of an alert

Arguments

| Name | Type | Description |
|---|---|---|
| alert | object | |

Outputs

| Name | Type | Description |
|---|---|---|
| worth_human_attention | boolean | |

Push Events to Intake

Arguments

| Name | Type | Description |
|---|---|---|
| intake_key | string | Intake key |
| intake_server | string | The intake server (e.g. 'https://intake.sekoia.io') |
| event | object | Event to push to the intake |
| event_path | string | File path to the event to push to the intake |
| events | array | Events to push to the intake |
| events_path | string | File path to the events to push to the intake |
| keep_file_after_push | boolean | If set and the events are supplied through a file, keep the file after the events have been sent to the intake |

Outputs

| Name | Type | Description |
|---|---|---|
| event_ids | array | |

Get CTI Report

Retrieve the details of a report

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |

Outputs

| Name | Type | Description |
|---|---|---|
| data | string | |

Get Asset

Return an asset according to its identifier

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | The identifier of the asset |

Outputs

| Name | Type | Description |
|---|---|---|
| keys | array | The keys of the asset |
| attributes | array | The attributes of the asset |
| uuid | string | |
| name | string | |
| created_at | string | |
| criticity | object | The criticality associated with the asset |
| asset_type | object | |
| updated_at | string | |
| description | string | |
| owners | array | |
| community_uuid | string | |
| category | object | |

Update Alert Status

Triggers an action on an alert to update its status

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| action_uuid | string | UUID of the action to trigger |
| comment | string | A comment describing why the alert status has changed |

Outputs

| Name | Type | Description |
|---|---|---|
| actions | array | |

Update rule

Update a rule

Arguments

| Name | Type | Description |
|---|---|---|
| uuid | string | |
| community_uuid | string | |
| name | string | |
| type | string | |
| description | string | |
| payload | string | |
| severity | integer | |
| effort | integer | |
| alert_type_uuid | string | |
| tags | array | |
| related_object_refs | array | |
| datasources | array | |
| event_fields | array | |
| enabled | boolean | |
| parameters | array | |
| all_entities | boolean | |
| entities | array | |
| all_assets | boolean | |
| assets | array | |
| goal | string | |
| false_positives | string | |
| similarity_strategy | array | |
| available_for_subcommunities | boolean | |

Outputs

| Name | Type | Description |
|---|---|---|
| uuid | string | The identifier of the rule |
| enabled | boolean | Is the rule enabled? |
| community_uuid | string | The community UUID, if the rule is attached to one |
| parameters | array | The parameters of the rule |
| all_entities | boolean | Should the rule be applied to all entities? |
| entities | array | The list of entities the rule should be applied to |
| all_assets | boolean | Should the rule be applied to all assets? |
| assets | array | The list of asset identifiers the rule should be applied to |
| last_compilation_success | boolean | Did the last compilation succeed? |
| last_compilation_message | string | The message of the last compilation |
| last_compilation_at | string | The last compilation date of the rule |
| name | string | The name of the rule |
| type | | The type of the rule |
| private | boolean | Is the rule available only to the community? |
| is_private | boolean | Is the rule available only to the community? |
| description | string | The description of the rule |
| payload | string | The payload of the rule |
| severity | integer | The severity of the rule |
| effort | integer | The effort of the rule |
| alert_type | object | The alert type associated with the rule |
| alert_category | object | The alert category associated with the rule |
| tags | array | The list of tags associated with the rule |
| source | string | The source of the rule |
| verified | boolean | Is the rule verified? |
| related_object_refs | array | The list of references to objects related to the rule |
| datasources | array | The list of datasources of the rule |
| event_fields | array | The list of fields to show when displaying a matched event |
| similarity_strategy | array | Similarity strategy used by this rule |
| created_at | string | The creation date of the rule |
| created_by | string | The profile who created the rule |
| created_by_type | string | The type of the profile that created the rule; can be 'avatar', 'application' or 'apikey' |
| updated_at | string | The modification date of the rule |
| updated_by | string | The profile who updated the rule |
| updated_by_type | string | The type of the profile that updated the rule; can be 'rule', 'application' or 'apikey' |
| goal | string | A high-level description explaining the contribution of the rule |
| false_positives | string | A possible legitimate usage which can raise a false alert |
| references | string | Details on what led to writing this rule |
| available_for_subcommunities | boolean | Is the rule available for subcommunities (if applicable)? |
| instance_uuid | string | The identifier of the instance of the rule |

Extra

Module Sekoia.io v2.64.4