
Security Center:PostCustomizeRule

Last Updated:Oct 09, 2025

Adds or updates a custom rule.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: yundun-sas:PostCustomizeRule
Access level: create
Resource type: *All Resources (use * in the Resource element of the policy)
Condition key: None
Dependent action: None

Request parameters

Id (integer, not required)
  The ID of the custom rule.
  Example: 123456789

RuleName (string, not required)
  The name of the rule.
  Example: waf_scan

RuleDesc (string, not required)
  The description of the rule.
  Example: this rule is for waf scan

ThreatLevel (string, not required)
  The threat level. Valid values:
    • serious: high
    • suspicious: medium
    • remind: low
  Example: remind

AttCk (string, not required)
  The ATT&CK technique.
  Example: T1595.002 Vulnerability Scanning

AlertType (string, not required)
  The threat type.
  Example: WEBSHELL

AlertTypeMds (string, not required)
  The Medusa code of the threat type.
  Example: ${siem_rule_type_process_abnormal_command}

LogType (string, not required)
  The log type of the rule.
  Example: ALERT_ACTIVITY

LogTypeMds (string, not required)
  The Medusa code of the log type.
  Example: ${security_event_config.event_name.webshellName_clientav}

LogSource (string, not required)
  The log source of the rule.
  Example: cloud_siem_aegis_sas_alert

LogSourceMds (string, not required)
  The Medusa code of the log source.
  Example: ${sas.cloudsiem.prod.cloud_siem_aegis_sas_alert}

RuleCondition (string, not required)
  The query condition of the rule. The value is a JSON string.
  Example: [[{"not":false,"left":"alert_name","operator":"=","right":"WEBSHELL"}]]

RuleGroup (string, not required)
  The fields that are used to group logs. The value is a JSON array.
  Example: ["asset_id"]

RuleThreshold (string, not required)
  The threshold configuration of the rule. The value is a JSON string.
  Example: {"aggregateFunction":"count","aggregateFunctionName":"count","field":"activity_name","operator":"<=","value":1}

QueryCycle (string, not required)
  The length of the rule window.
  Example: {"time":"1","unit":"HOUR"}

EventTransferSwitch (integer, not required)
  Specifies whether to convert alerts into events. Valid values:
    • 0: no
    • 1: yes
  Example: 1

EventTransferType (string, not required)
  The event generation method. Valid values:
    • default: the default method
    • singleToSingle: An event is generated for each alert.
    • allToSingle: An event is generated for all alerts in a period.
  Example: allToSingle

EventTransferExt (string, not required)
  The extended information for event generation. This parameter is returned only when EventTransferType is set to allToSingle. The value indicates the length and unit of the alert aggregation window.
  Example: {"time":"1","unit":"MINUTE"}

RoleType (integer, not required)
  The view type. Valid values:
    • 0: the view of the current Alibaba Cloud account.
    • 1: the view of all accounts that are managed by the administrator.
  Example: 1

RoleFor (integer, not required)
  The user ID that is used to switch the administrator's perspective to a member's perspective.
  Example: 113091674488****

RegionId (string, not required)
  The region where the data management center of Threat Analysis is located. Select the region where your assets are located. Valid values:
    • cn-hangzhou: assets in the Chinese mainland and China (Hong Kong)
    • ap-southeast-1: assets outside China
  Example: cn-hangzhou
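The parameters above mix plain scalars with JSON documents serialised into strings (RuleCondition, RuleGroup, RuleThreshold, QueryCycle, EventTransferExt), which is where hand-built requests usually go wrong. The following is an added example, not Alibaba Cloud SDK code and not from this page: it assembles the parameter dictionary in the exact shapes the table documents and applies the client-side checks the page implies (the valid-value lists, and the 100-condition limit named by the CloudSiemCustomizeRuleConditionExceedExcepiton error code). Sending the request (SDK call or signed HTTP) is left out; all sample values are constructed from the page's examples, and the rule that EventTransferExt belongs only with allToSingle is my reading of the parameter description.

```python
import json

# Added example: builds PostCustomizeRule request parameters as documented on
# this page. Not Alibaba Cloud SDK code; no request is sent.

# CloudSiemCustomizeRuleConditionExceedExcepiton on this page: "the number of
# rule conditions cannot exceed 100."
MAX_CONDITIONS = 100
THREAT_LEVELS = ("serious", "suspicious", "remind")
EVENT_TRANSFER_TYPES = ("default", "singleToSingle", "allToSingle")


def condition(left, operator, right, negate=False):
    """One comparison in RuleCondition: {"not","left","operator","right"}."""
    return {"not": negate, "left": left, "operator": operator, "right": right}


def threshold(field, operator, value, function="count"):
    """RuleThreshold object in the key order of the page's example."""
    return {"aggregateFunction": function, "aggregateFunctionName": function,
            "field": field, "operator": operator, "value": value}


def window(time, unit):
    """QueryCycle / EventTransferExt object; "time" is a string on the page."""
    return {"time": str(time), "unit": unit}


def compact_json(obj):
    """Serialise without whitespace so the strings match the page's examples."""
    return json.dumps(obj, separators=(",", ":"))


def check_params(params):
    """Client-side checks derived from the page. Returns a list of problems."""
    problems = []
    if params.get("ThreatLevel") not in THREAT_LEVELS:
        problems.append("ThreatLevel must be one of %s" % (THREAT_LEVELS,))
    if params.get("EventTransferType") not in EVENT_TRANSFER_TYPES:
        problems.append("EventTransferType must be one of %s" % (EVENT_TRANSFER_TYPES,))
    if params.get("EventTransferSwitch") not in (0, 1):
        problems.append("EventTransferSwitch must be 0 or 1")
    groups = json.loads(params.get("RuleCondition", "[]"))
    count = sum(len(group) for group in groups)
    if count > MAX_CONDITIONS:
        problems.append("%d rule conditions exceed the limit of %d" % (count, MAX_CONDITIONS))
    # Assumption: EventTransferExt is only meaningful with allToSingle, as the
    # parameter description on the page implies; flag other combinations.
    if "EventTransferExt" in params and params.get("EventTransferType") != "allToSingle":
        problems.append("EventTransferExt only applies when EventTransferType is allToSingle")
    return problems


def build_post_customize_rule(rule_name, condition_groups, group_fields, rule_threshold,
                              query_cycle, threat_level="remind", rule_desc="",
                              event_transfer_switch=0, event_transfer_type="default",
                              event_transfer_ext=None, rule_id=None, region_id="cn-hangzhou",
                              **fixed):
    """Return the flat parameter dict for PostCustomizeRule.

    condition_groups is a list of lists of condition() dicts, mirroring the
    nested [[...]] shape of the page's RuleCondition example. Extra keyword
    arguments (AlertType, LogType, LogSource, AttCk, ...) pass through as-is.
    """
    params = {
        "RuleName": rule_name,
        "RuleDesc": rule_desc,
        "ThreatLevel": threat_level,
        "RuleCondition": compact_json(condition_groups),
        "RuleGroup": compact_json(group_fields),
        "RuleThreshold": compact_json(rule_threshold),
        "QueryCycle": compact_json(query_cycle),
        "EventTransferSwitch": event_transfer_switch,
        "EventTransferType": event_transfer_type,
        "RegionId": region_id,
    }
    if rule_id is not None:  # only when updating an existing rule
        params["Id"] = rule_id
    if event_transfer_ext is not None:
        params["EventTransferExt"] = compact_json(event_transfer_ext)
    params.update(fixed)
    problems = check_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    return params


if __name__ == "__main__":
    # Constructed sample reproducing the page's example values.
    request = build_post_customize_rule(
        rule_name="waf_scan", rule_desc="this rule is for waf scan",
        condition_groups=[[condition("alert_name", "=", "WEBSHELL")]],
        group_fields=["asset_id"],
        rule_threshold=threshold("activity_name", "<=", 1),
        query_cycle=window(1, "HOUR"),
        event_transfer_switch=1, event_transfer_type="allToSingle",
        event_transfer_ext=window(1, "MINUTE"),
        AlertType="WEBSHELL", LogType="ALERT_ACTIVITY",
        LogSource="cloud_siem_aegis_sas_alert",
        AttCk="T1595.002 Vulnerability Scanning")
    print(json.dumps(request, indent=2))
```

Running the block prints the parameter dictionary with RuleCondition, RuleGroup, RuleThreshold, QueryCycle and EventTransferExt rendered as the same compact JSON strings shown in the table's Example column; `check_params()` is exposed separately so the same checks can run on parameters produced elsewhere before they reach the API.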

Response elements

Response body (object)
  BaseResponse

Data (object)
  The data returned.
  Example: 123456

    Id (integer)
      The ID of the custom rule.
      Example: 123456789

    GmtCreate (string)
      The time when the custom rule was created.
      Example: 2021-01-06 16:37:29

    GmtModified (string)
      The time when the custom rule was last updated.
      Example: 2021-01-06 16:37:29

    Aliuid (integer)
      The ID of the Alibaba Cloud account that is used to purchase Threat Analysis.
      Example: 127608589417****

    RuleName (string)
      The name of the rule.
      Example: waf_scan

    RuleDesc (string)
      The description of the rule.
      Example: this rule is for waf scan

    RuleType (string)
      The rule type. Valid values:
        • predefine: predefined
        • customize: custom
      Example: customize

    ThreatLevel (string)
      The threat level. Valid values:
        • serious: high
        • suspicious: medium
        • remind: low
      Example: remind

    AlertType (string)
      The threat type.
      Example: WEBSHELL

    AlertTypeMds (string)
      The Medusa code of the threat type.
      Example: ${siem_rule_type_process_abnormal_command}

    LogType (string)
      The log type of the rule.
      Example: ALERT_ACTIVITY

    LogTypeMds (string)
      The Medusa code of the log type.
      Example: ${security_event_config.event_name.webshellName_clientav}

    LogSource (string)
      The log source of the rule.
      Example: cloud_siem_aegis_sas_alert

    LogSourceMds (string)
      The Medusa code of the log source.
      Example: ${sas.cloudsiem.prod.cloud_siem_aegis_sas_alert}

    RuleCondition (string)
      The query condition of the rule in the JSON format. You must unescape the HTML escape characters.
      Example: [[{"not":false,"left":"alert_name","operator":"=","right":"WEBSHELL"}]]

    RuleGroup (string)
      The fields that are used to group logs. The value is a JSON array. You must unescape the HTML escape characters.
      Example: ["asset_id"]

    RuleThreshold (string)
      The threshold configuration of the rule in the JSON format. You must unescape the HTML escape characters.
      Example: {"aggregateFunction":"count","aggregateFunctionName":"count","field":"activity_name","operator":"<=","value":1}

    QueryCycle (string)
      The length of the rule window. You must unescape the HTML escape characters.
      Example: {"time":"1","unit":"HOUR"}

    AttCk (string)
      The ATT&CK attack technique.
      Example: T1595.002 Vulnerability Scanning

    EventTransferSwitch (integer)
      Indicates whether alerts are converted into events. Valid values:
        • 0: no
        • 1: yes
      Example: 1

    EventTransferType (string)
      The event generation method. Valid values:
        • default: the default method
        • singleToSingle: An event is generated for each alert.
        • allToSingle: An event is generated for all alerts in a period.
      Example: allToSingle

    EventTransferExt (string)
      The extended information for event generation. This parameter is returned only when EventTransferType is set to allToSingle. The value indicates the length and unit of the alert aggregation window. You must unescape the HTML escape characters.
      Example: {"time":"1","unit":"MINUTE"}

    Status (integer)
      The status of the rule. Valid values:
        • 0: initial
        • 10: testing with simulated data
        • 15: testing with business data
        • 20: test with business data ends
        • 100: published
      Example: 0

    DataType (integer)
      The data type of the condition field in the automated response rule.
      Example: varchar

Success (boolean)
  Indicates whether the request was successful. Valid values:
    • true: The request was successful.
    • false: The request failed.
  Example: true

Code (integer)
  The HTTP status code.
  Example: 200

Message (string)
  The returned message.
  Example: success

RequestId (string)
  The request ID.
  Example: 9AAA9ED9-78F4-5021-86DC-D51C7511****

Examples

Success response

JSON format

{
  "Data": {
    "Id": 123456789,
    "GmtCreate": "2021-01-06 16:37:29",
    "GmtModified": "2021-01-06 16:37:29",
    "Aliuid": 0,
    "RuleName": "waf_scan",
    "RuleDesc": "this rule is for waf scan",
    "RuleType": "customize",
    "ThreatLevel": "remind",
    "AlertType": "WEBSHELL",
    "AlertTypeMds": "${siem_rule_type_process_abnormal_command}",
    "LogType": "ALERT_ACTIVITY",
    "LogTypeMds": "${security_event_config.event_name.webshellName_clientav}",
    "LogSource": "cloud_siem_aegis_sas_alert",
    "LogSourceMds": "${sas.cloudsiem.prod.cloud_siem_aegis_sas_alert}",
    "RuleCondition": "[[{\"not\":false,\"left\":\"alert_name\",\"operator\":\"=\",\"right\":\"WEBSHELL\"}]]",
    "RuleGroup": "[\"asset_id\"]",
    "RuleThreshold": "{\"aggregateFunction\":\"count\",\"aggregateFunctionName\":\"count\",\"field\":\"activity_name\",\"operator\":\"<=\",\"value\":1}",
    "QueryCycle": "{\"time\":\"1\",\"unit\":\"HOUR\"}",
    "AttCk": "T1595.002 Vulnerability Scanning",
    "EventTransferSwitch": 1,
    "EventTransferType": "allToSingle",
    "EventTransferExt": "{\"time\":\"1\",\"unit\":\"MINUTE\"}",
    "Status": 0,
    "DataType": 0
  },
  "Success": true,
  "Code": 200,
  "Message": "success",
  "RequestId": "9AAA9ED9-78F4-5021-86DC-D51C7511****"
}
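Several Data fields (RuleCondition, RuleGroup, RuleThreshold, QueryCycle, EventTransferExt) come back as JSON strings whose quotes may be HTML-escaped, which is what the "You must unescape the HTML escape characters" notes in the Response elements table refer to. The block below is an added example, not Alibaba Cloud SDK code and not from this page: it checks the response envelope, unescapes and parses those fields, and maps the numeric Status to the names listed in the table. The embedded response is a constructed sample with `&quot;` entities in place of quotes and a placeholder RequestId.

```python
import html
import json

# Added example: decodes a PostCustomizeRule response. Not Alibaba Cloud SDK
# code. SAMPLE_RESPONSE is constructed from the page's example values, with
# the JSON-string fields HTML-escaped as the page's notes describe.

JSON_STRING_FIELDS = ("RuleCondition", "RuleGroup", "RuleThreshold",
                      "QueryCycle", "EventTransferExt")

# Status values from the Response elements table on this page.
STATUS_NAMES = {0: "initial", 10: "testing with simulated data",
                15: "testing with business data",
                20: "test with business data ends", 100: "published"}

SAMPLE_RESPONSE = {  # constructed sample; RequestId is a placeholder
    "Data": {
        "Id": 123456789,
        "RuleName": "waf_scan",
        "RuleType": "customize",
        "ThreatLevel": "remind",
        "RuleCondition": "[[{&quot;not&quot;:false,&quot;left&quot;:&quot;alert_name&quot;,"
                         "&quot;operator&quot;:&quot;=&quot;,&quot;right&quot;:&quot;WEBSHELL&quot;}]]",
        "RuleGroup": "[&quot;asset_id&quot;]",
        "RuleThreshold": "{&quot;aggregateFunction&quot;:&quot;count&quot;,"
                         "&quot;aggregateFunctionName&quot;:&quot;count&quot;,"
                         "&quot;field&quot;:&quot;activity_name&quot;,"
                         "&quot;operator&quot;:&quot;&lt;=&quot;,&quot;value&quot;:1}",
        "QueryCycle": "{&quot;time&quot;:&quot;1&quot;,&quot;unit&quot;:&quot;HOUR&quot;}",
        "EventTransferSwitch": 1,
        "EventTransferType": "allToSingle",
        "EventTransferExt": "{&quot;time&quot;:&quot;1&quot;,&quot;unit&quot;:&quot;MINUTE&quot;}",
        "Status": 0,
    },
    "Success": True,
    "Code": 200,
    "Message": "success",
    "RequestId": "REQUEST-ID-PLACEHOLDER",
}


def decode_rule(data):
    """Return a copy of Data with the JSON-string fields parsed into objects.

    html.unescape() leaves text without entities unchanged, so responses that
    were not HTML-escaped decode the same way.
    """
    decoded = dict(data)
    for field in JSON_STRING_FIELDS:
        raw = data.get(field)
        if isinstance(raw, str) and raw:
            decoded[field] = json.loads(html.unescape(raw))
    return decoded


def envelope_error(response):
    """Return a message describing a failed call, or None when it succeeded.

    The RequestId is included so it can be quoted when raising the failure
    with support.
    """
    if response.get("Success") is True and response.get("Code") == 200:
        return None
    return "PostCustomizeRule failed: Code=%s Message=%s RequestId=%s" % (
        response.get("Code"), response.get("Message"), response.get("RequestId"))


def summarize(response):
    """Check the envelope, decode Data, and add a readable StatusName."""
    error = envelope_error(response)
    if error:
        raise RuntimeError(error)
    rule = decode_rule(response["Data"])
    rule["StatusName"] = STATUS_NAMES.get(rule.get("Status"), "unknown")
    return rule


if __name__ == "__main__":
    rule = summarize(SAMPLE_RESPONSE)
    print(rule["Id"], rule["StatusName"], rule["RuleCondition"])
```

A rule that comes back with Status 0 (initial) is the only one the update path accepts, according to the CloudSiemCustomizeRuleUpdateExcepiton error code below, so checking StatusName before re-posting with the same Id avoids a predictable 400.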

Error codes

HTTP status code | Error code | Error message | Description
400 | CloudSiemCustomizeRuleUpdateExcepiton | this customize rule can only update in init status. |
400 | CloudSiemCustomizeRuleConditionExceedExcepiton | the number of rule conditions cannot exceed 100. |
400 | CloudSiemCustomizeRuleDuplicateRuleNameExcepiton | the rule name is duplicated. |
500 | InternalError | The request processing has failed due to some unknown error. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.