Create Alert Rule
Function
Creates an alert rule.
Calling Method
For details, see Calling APIs.
URI
POST /v1/{project_id}/workspaces/{workspace_id}/siem/alert-rules
Path parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Project ID. |
| workspace_id | Yes | String | Workspace ID. |
Request Parameters
Request header parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | User token, obtained by calling the IAM API for obtaining a user token. |
Request body parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| pipe_id | Yes | String | Data pipe ID. |
| rule_name | Yes | String | Alert rule name. |
| description | No | String | Description. |
| query | Yes | String | Query statement. |
| query_type | No | String | Query syntax. Value: SQL. |
| status | No | String | Enablement status: enabled or disabled. |
| severity | No | String | Severity. Values: TIPS, LOW, MEDIUM, HIGH, FATAL. |
| custom_properties | No | Map<String,String> | Custom extended properties. |
| alert_type | No | Map<String,String> | Alert type. |
| event_grouping | No | Boolean | Whether alerts are grouped. |
| suspression | No | Boolean | Whether alert suppression is enabled (the field name is spelled suspression in the API). |
| simulation | No | Boolean | Whether the alert is a simulated alert. |
| schedule | Yes | Schedule object | Scheduling period of the alert rule. |
| triggers | Yes | Array of AlertRuleTrigger objects | Alert trigger rules. |
| pipe_name | Yes | String | Pipe name. |
| alert_name | Yes | String | Alert name. |
| alert_description | No | String | Alert description. |
| alert_remediation | No | String | Remediation suggestion. |
| accumulated_times | No | Integer | Number of executions. |
Schedule
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| frequency_interval | Yes | Integer | Scheduling interval. |
| frequency_unit | Yes | String | Unit of the scheduling interval. Values: MINUTE, HOUR, DAY. |
| period_interval | Yes | Integer | Time window interval. |
| period_unit | Yes | String | Unit of the time window. Values: MINUTE, HOUR, DAY. |
| delay_interval | No | Integer | Delay interval. |
| overtime_interval | No | Integer | Timeout interval. |
AlertRuleTrigger
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| mode | No | String | Mode. Value: COUNT. |
| operator | No | String | Operator. Values: EQ (equal), NE (not equal), GT (greater than), LT (less than). |
| expression | Yes | String | Trigger expression. |
| severity | No | String | Severity. Values: TIPS, LOW, MEDIUM, HIGH, FATAL. |
| accumulated_times | No | Integer | Accumulated times. |
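As an added example that is not part of this API reference, the following Python checks a request body against the required fields and enumerations in the tables above and prepares the POST request with the X-Auth-Token header without sending it. The endpoint host, project ID, workspace ID and token are placeholders; the sample body is constructed to mirror the request example on this page.

```python
import json
from urllib.request import Request

# Enumerations and required fields taken from the parameter tables on this page.
SEVERITIES = {"TIPS", "LOW", "MEDIUM", "HIGH", "FATAL"}
TIME_UNITS = {"MINUTE", "HOUR", "DAY"}
OPERATORS = {"EQ", "NE", "GT", "LT"}
REQUIRED_BODY = ("pipe_id", "pipe_name", "rule_name", "alert_name", "query", "schedule", "triggers")
REQUIRED_SCHEDULE = ("frequency_interval", "frequency_unit", "period_interval", "period_unit")

# Constructed sample body mirroring the request example on this page (not a live rule).
SAMPLE_BODY = {
    "pipe_id": "772fb35b-83bc-46c9-a0b1-ebe31070a889", "pipe_name": "sec-hss-alarm",
    "rule_name": "Alert rule", "alert_name": "test", "query_type": "SQL", "status": "ENABLED",
    "query": "* | select status, count(*) as count group by status", "severity": "TIPS",
    "schedule": {"frequency_interval": 5, "frequency_unit": "MINUTE",
                 "period_interval": 5, "period_unit": "MINUTE"},
    "triggers": [{"mode": "COUNT", "operator": "GT", "expression": "10", "severity": "TIPS"}],
}

def validate_alert_rule(body: dict) -> list:
    """Return the problems found in a create-alert-rule body; an empty list means it is valid."""
    problems = [f"missing required field: {k}" for k in REQUIRED_BODY if k not in body]
    if body.get("query_type", "SQL") != "SQL":
        problems.append(f"bad query_type: {body['query_type']}")
    if body.get("severity", "TIPS") not in SEVERITIES:
        problems.append(f"bad severity: {body['severity']}")
    sched = body.get("schedule") or {}
    problems += [f"schedule missing: {k}" for k in REQUIRED_SCHEDULE if k not in sched]
    for unit in ("frequency_unit", "period_unit"):
        if unit in sched and sched[unit] not in TIME_UNITS:
            problems.append(f"bad {unit}: {sched[unit]}")
    for i, trig in enumerate(body.get("triggers") or []):
        if "expression" not in trig:
            problems.append(f"trigger[{i}] missing expression")
        if trig.get("mode", "COUNT") != "COUNT":
            problems.append(f"trigger[{i}] bad mode: {trig['mode']}")
        if "operator" in trig and trig["operator"] not in OPERATORS:
            problems.append(f"trigger[{i}] bad operator: {trig['operator']}")
        if trig.get("severity", "TIPS") not in SEVERITIES:
            problems.append(f"trigger[{i}] bad severity: {trig['severity']}")
    return problems

def build_request(endpoint: str, project_id: str, workspace_id: str, token: str, body: dict) -> Request:
    """Build (without sending) the POST request for this API; raises ValueError on an invalid body."""
    problems = validate_alert_rule(body)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"{endpoint}/v1/{project_id}/workspaces/{workspace_id}/siem/alert-rules"  # URI from this page
    return Request(url, data=json.dumps(body).encode("utf-8"), method="POST",
                   headers={"X-Auth-Token": token, "Content-Type": "application/json"})
```

Rejecting a malformed body client-side keeps bad enum values and missing mandatory fields from reaching the service, where they would only surface as a 400 with an X-request-id to chase.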
Response Parameters
Status code: 200
Response header parameters
| Parameter | Type | Description |
|---|---|---|
| X-request-id | String | Request ID used for task tracking, in the format request_uuid-timestamp-hostname. |
Response body parameters
| Parameter | Type | Description |
|---|---|---|
| rule_id | String | Alert rule ID. |
| pipe_id | String | Data pipe ID. |
| pipe_name | String | Data pipe name. |
| create_by | String | Creator. |
| create_time | Long | Creation time. |
| update_by | String | Updater. |
| update_time | Long | Update time. |
| delete_time | Long | Deletion time. |
| rule_name | String | Alert rule name. |
| query | String | Query statement. |
| query_type | String | Query syntax. Value: SQL. |
| status | String | Enablement status: enabled or disabled. |
| severity | String | Severity. Values: TIPS, LOW, MEDIUM, HIGH, FATAL. |
| custom_properties | Map<String,String> | Custom extended properties. |
| event_grouping | Boolean | Whether alerts are grouped. |
| schedule | Schedule object | Scheduling rule. |
| triggers | Array of AlertRuleTrigger objects | Alert trigger rules. |
Schedule
| Parameter | Type | Description |
|---|---|---|
| frequency_interval | Integer | Scheduling interval. |
| frequency_unit | String | Unit of the scheduling interval. Values: MINUTE, HOUR, DAY. |
| period_interval | Integer | Time window interval. |
| period_unit | String | Unit of the time window. Values: MINUTE, HOUR, DAY. |
| delay_interval | Integer | Delay interval. |
| overtime_interval | Integer | Timeout interval. |
AlertRuleTrigger
| Parameter | Type | Description |
|---|---|---|
| mode | String | Mode. Value: COUNT. |
| operator | String | Operator. Values: EQ (equal), NE (not equal), GT (greater than), LT (less than). |
| expression | String | Trigger expression. |
| severity | String | Severity. Values: TIPS, LOW, MEDIUM, HIGH, FATAL. |
| accumulated_times | Integer | Accumulated times. |
Status code: 400
Response header parameters
| Parameter | Type | Description |
|---|---|---|
| X-request-id | String | Request ID used for task tracking, in the format request_uuid-timestamp-hostname. |
Request Example
Create an alert rule in the pipe with ID 772fb35b-83bc-46c9-a0b1-ebe31070a889, named Alert rule, with query type SQL and status enabled.
```json
{
  "pipe_id" : "772fb35b-83bc-46c9-a0b1-ebe31070a889",
  "pipe_name" : "sec-hss-alarm",
  "rule_name" : "Alert rule",
  "description" : "An alert rule",
  "query" : "* | select status, count(*) as count group by status",
  "query_type" : "SQL",
  "status" : "ENABLED",
  "severity" : "TIPS",
  "alert_name" : "test",
  "custom_properties" : {
    "references" : "https://localhost/references",
    "maintainer" : "isap"
  },
  "event_grouping" : false,
  "suspression" : false,
  "simulation" : false,
  "accumulated_times" : 1,
  "schedule" : {
    "frequency_interval" : 5,
    "frequency_unit" : "MINUTE",
    "period_interval" : 5,
    "period_unit" : "MINUTE",
    "delay_interval" : 2,
    "overtime_interval" : 10
  },
  "triggers" : [ {
    "mode" : "COUNT",
    "operator" : "GT",
    "expression" : 10,
    "severity" : "TIPS",
    "accumulated_times" : 1
  } ]
}
```
Response Example
Status code: 200
Request succeeded.
```json
{
  "rule_id" : "443a0117-1aa4-4595-ad4a-796fad4d4950",
  "pipe_id" : "772fb35b-83bc-46c9-a0b1-ebe31070a889",
  "create_by" : "582dd19dd99d4505a1d7929dc943b169",
  "create_time" : 1665221214,
  "update_by" : "582dd19dd99d4505a1d7929dc943b169",
  "update_time" : 1665221214,
  "delete_time" : 0,
  "rule_name" : "Alert rule",
  "query" : "* | select status, count(*) as count group by status",
  "query_type" : "SQL",
  "status" : "ENABLED",
  "severity" : "TIPS",
  "custom_properties" : {
    "references" : "https://localhost/references",
    "maintainer" : "isap"
  },
  "event_grouping" : true,
  "schedule" : {
    "frequency_interval" : 5,
    "frequency_unit" : "MINUTE",
    "period_interval" : 5,
    "period_unit" : "MINUTE",
    "delay_interval" : 2,
    "overtime_interval" : 10
  },
  "triggers" : [ {
    "mode" : "COUNT",
    "operator" : "GT",
    "expression" : 10,
    "severity" : "TIPS"
  } ]
}
```
Status Codes
| Status Code | Description |
|---|---|
| 200 | Request succeeded. |
| 400 | Request failed. |
Error Codes
For details, see Error Codes.