Validate rule

post {scheme}://{server}/v0/rules/validate

Validate a rule (MQL, YAML fields, etc). When run against the sandbox or analyzer, no auth is needed but custom lists etc will not be available.

Body Params

action_ids

array of strings

IDs of actions to run when the rule is triggered

action_ids

active

boolean

Activate the rule immediately

attack_types

array of strings

Rule attack types

attack_types

authors

array of objects

Rule authors. Defaults to the user that made the request

authors

auto_review_auto_share

boolean

Whether auto-reviewed messages will be shared

auto_review_classification

string | null

The classification auto-reviewed messages will have, when an auto-review action is associated with the rule

description

string

Description of rule

detection_methods

array of strings

Rule detection technologies

detection_methods

false_positives

array of strings

Descriptions of known false positives that could occur

false_positives

label

string | null

Rule label

maturity

string | null

Rule maturity

name

string

required

Rule name

no_phase_two

boolean

For internal usage only

references

array of strings

URL references

references

severity

string | null

Rule severity

source

string

required

Source

tactics_and_techniques

array of strings

Rule tactics and techniques

tactics_and_techniques

tags

triage_abuse_reports

boolean | null

For Triage rules only, whether this rule will run for reported messages. For triage rules, one triage_ field must be true.

triage_asa_complete

boolean | null

For Triage rules only, whether this rule will run for messages when ASA finishes processing on them. For triage rules, one triage_ field must be true.

triage_classification_changes

boolean | null

For Triage rules only, whether this rule will run for messages whose classification has just changed. For triage rules, one triage_ field must be true.

triage_flagged_messages

boolean | null

For Triage rules only, whether this rule will run for messages which flagged. For triage rules, one triage_ field must be true.

type

string

Type of the rule

user_provided_tags

array of strings

User-provided tags

user_provided_tags

Response

Language

Credentials

Bearer

URL


xxxxxxxxxx
1
curl --request POST \
2
     --url https://platform.sublime.security/v0/rules/validate \
3
     --header 'accept: application/json' \
4
     --header 'content-type: application/json'

Choose an example:

application/json

200OK