Creating an Alert Rule
Function
Create alert rule
Calling Method
For details, see Calling APIs.
URI
POST /v1/{project_id}/workspaces/{workspace_id}/siem/alert-rules
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
project_id |
Yes |
String |
Project ID. Project ID. |
|
workspace_id |
Yes |
String |
Workspace ID. Workspace ID. |
Request Parameters
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
X-Auth-Token |
Yes |
String |
User token. You can obtain the token by calling the IAM API used to obtain a user token. Token of an IAM user. To obtain it, call the corresponding IAM API. |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
pipe_id |
Yes |
String |
Pipeline ID.Pipe ID. |
|
rule_name |
Yes |
String |
Alert rule name. Alert rule name. |
|
description |
No |
String |
Link description.Description. |
|
query |
Yes |
String |
Query statement. Query. |
|
query_type |
No |
String |
SQL query syntax. Query type. SQL. |
|
status |
No |
String |
Status. The options are as follows - Enabled - Disabled |
|
severity |
No |
String |
Severity. The options are as follows - Tips - Low - Medium - High - FATAL. |
|
custom_properties |
No |
Map<String,String> |
Custom extension information. Custom properties. |
|
alert_type |
No |
Map<String,String> |
Alert type. Alert type. |
|
event_grouping |
No |
Boolean |
Alert group. Alert group. |
|
suspression |
No |
Boolean |
Alert containment. Suppression. |
|
simulation |
No |
Boolean |
Simulated alerts. Simulation. |
|
schedule |
Yes |
Schedule object |
|
|
triggers |
Yes |
Array of AlertRuleTrigger objects |
Alert triggering rules. Alert triggers. |
|
pipe_name |
Yes |
String |
pipe name |
|
alert_name |
Yes |
String |
alert name |
|
alert_description |
No |
String |
alert description |
|
alert_remediation |
No |
String |
alert remediation |
|
accumulated_times |
No |
Integer |
accumulated times |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
frequency_interval |
Yes |
Integer |
Scheduling interval. Frequency interval. |
|
frequency_unit |
Yes |
String |
The unit of the scheduling interval. The value can be minute, hour, or day. Frequency unit. MINUTE, HOUR, DAY. |
|
period_interval |
Yes |
Integer |
Time window interval. Period interval. |
|
period_unit |
Yes |
String |
Time Window unit. The value can be minute, hour, or day. Period unit. MINUTE, HOUR, DAY. |
|
delay_interval |
No |
Integer |
The delay interval. Delay interval |
|
overtime_interval |
No |
Integer |
Timeout interval. Overtime interval |
|
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
|
mode |
No |
String |
Number of modes. Mode. COUNT. |
|
operator |
No |
String |
Operator, which can be equal to, not equal to, greater than, or less than. operator. EQ equal, NE not equal, GT greater than, LT less than. |
|
expression |
Yes |
String |
expression |
|
severity |
No |
String |
Severity. The options are as follows - Tips - Low - Medium - High - FATAL. |
|
accumulated_times |
No |
Integer |
accumulated_times |
Response Parameters
Status code: 200
|
Parameter |
Type |
Description |
|---|---|---|
|
X-request-id |
String |
This field is the request ID number for task tracking. Format is request_uuid-timestamp-hostname. |
|
Parameter |
Type |
Description |
|---|---|---|
|
rule_id |
String |
Alert rule ID. |
|
pipe_id |
String |
Pipeline ID.Pipe ID. |
|
pipe_name |
String |
Data pipeline name.Pipe name. |
|
create_by |
String |
Created by. Created by. |
|
create_time |
Long |
Creation time. Create time. |
|
update_by |
String |
Updated by. Update by. |
|
update_time |
Long |
Update time. Update time. |
|
delete_time |
Long |
The deletion time. Delete time. |
|
rule_name |
String |
Alert rule name. |
|
query |
String |
Query. |
|
query_type |
String |
SQL query syntax. Query type. SQL. |
|
status |
String |
Status. The options are as follows - Enabled - Disabled |
|
severity |
String |
Severity. The options are as follows - Tips - Low - Medium - High - FATAL. |
|
custom_properties |
Map<String,String> |
Custom extension information. Custom properties. |
|
event_grouping |
Boolean |
Alert group. Alert group. |
|
schedule |
Schedule object |
Schedule Rule. |
|
triggers |
Array of AlertRuleTrigger objects |
Alert triggering rules. Alert triggers. |
|
Parameter |
Type |
Description |
|---|---|---|
|
frequency_interval |
Integer |
Scheduling interval. Frequency interval. |
|
frequency_unit |
String |
The unit of the scheduling interval. The value can be minute, hour, or day. Frequency unit. MINUTE, HOUR, DAY. |
|
period_interval |
Integer |
Time window interval. Period interval. |
|
period_unit |
String |
Time Window unit. The value can be minute, hour, or day. Period unit. MINUTE, HOUR, DAY. |
|
delay_interval |
Integer |
The delay interval. Delay interval |
|
overtime_interval |
Integer |
Timeout interval. Overtime interval |
|
Parameter |
Type |
Description |
|---|---|---|
|
mode |
String |
Number of modes. Mode. COUNT. |
|
operator |
String |
Operator, which can be equal to, not equal to, greater than, or less than. operator. EQ equal, NE not equal, GT greater than, LT less than. |
|
expression |
String |
expression |
|
severity |
String |
Severity. The options are as follows - Tips - Low - Medium - High - FATAL. |
|
accumulated_times |
Integer |
accumulated_times |
Status code: 400
|
Parameter |
Type |
Description |
|---|---|---|
|
X-request-id |
String |
This field is the request ID number for task tracking. Format is request_uuid-timestamp-hostname. |
Example Requests
Create an alarm rule whose ID is 772fb35b-83bc-46c9-a0b1-ebe31070a889, Name is Alert rule, Query type is SQL, and Status is Enabled.D331
{
"pipe_id" : "772fb35b-83bc-46c9-a0b1-ebe31070a889",
"pipe_name" : "sec-hss-alarm",
"rule_name" : "Alert rule",
"description" : "An alert rule",
"query" : "* | select status, count(*) as count group by status",
"query_type" : "SQL",
"status" : "ENABLED",
"severity" : "TIPS",
"alert_name" : "test",
"custom_properties" : {
"references" : "https://localhost/references",
"maintainer" : "isap"
},
"event_grouping" : false,
"suspression" : false,
"simulation" : false,
"accumulated_times" : 1,
"schedule" : {
"frequency_interval" : 5,
"frequency_unit" : "MINUTE",
"period_interval" : 5,
"period_unit" : "MINUTE",
"delay_interval" : 2,
"overtime_interval" : 10
},
"triggers" : [ {
"mode" : "COUNT",
"operator" : "GT",
"expression" : 10,
"severity" : "TIPS",
"accumulated_times" : 1
} ]
}
Example Responses
Status code: 200
Success
{
"rule_id" : "443a0117-1aa4-4595-ad4a-796fad4d4950",
"pipe_id" : "772fb35b-83bc-46c9-a0b1-ebe31070a889",
"create_by" : "582dd19dd99d4505a1d7929dc943b169",
"create_time" : 1665221214,
"update_by" : "582dd19dd99d4505a1d7929dc943b169",
"update_time" : 1665221214,
"delete_time" : 0,
"rule_name" : "Alert rule",
"query" : "* | select status, count(*) as count group by status",
"query_type" : "SQL",
"status" : "ENABLED",
"severity" : "TIPS",
"custom_properties" : {
"references" : "https://localhost/references",
"maintainer" : "isap"
},
"event_grouping" : true,
"schedule" : {
"frequency_interval" : 5,
"frequency_unit" : "MINUTE",
"period_interval" : 5,
"period_unit" : "MINUTE",
"delay_interval" : 2,
"overtime_interval" : 10
},
"triggers" : [ {
"mode" : "COUNT",
"operator" : "GT",
"expression" : 10,
"severity" : "TIPS"
} ]
}
Status Codes
|
Status Code |
Description |
|---|---|
|
200 |
Success |
|
400 |
Bad Request |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
