Log Inspection Rules

List Log Inspection Rules

get/loginspectionrules

Lists all log inspection rules.

Related SDK Methods:
Java

LogInspectionRulesApi.listLogInspectionRules([param1, param2, ...])

Python

LogInspectionRulesApi.list_log_inspection_rules([param1, param2, ...])

JavaScript

LogInspectionRulesApi.listLogInspectionRules([param1, param2, ...])

Request
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Responses
200

successful operation

403

Not authorized to view log inspection rules.

Request samples
import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.LogInspectionRulesApi;
import com.trendmicro.deepsecurity.model.LogInspectionRules;


public class ListLogInspectionRulesExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth DefaultAuthentication = (ApiKeyAuth) defaultClient.getAuthentication("DefaultAuthentication");
		DefaultAuthentication.setApiKey("YOUR API KEY");
		// Keep TLS certificate validation on: trustAllCertificates(true) would disable it
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		LogInspectionRulesApi instance = new LogInspectionRulesApi();
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			LogInspectionRules result = instance.listLogInspectionRules(apiVersion);
			System.out.println(result);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling LogInspectionRulesApi.listLogInspectionRules");
			e.printStackTrace();
		}
	}
}

Response samples
application/json
{
  "logInspectionRules": []
}

Create a Log Inspection Rule

post/loginspectionrules

Create a new log inspection rule.

Related SDK Methods:
Java

LogInspectionRulesApi.createLogInspectionRule([param1, param2, ...])

Python

LogInspectionRulesApi.create_log_inspection_rule([param1, param2, ...])

JavaScript

LogInspectionRulesApi.createLogInspectionRule([param1, param2, ...])

Request
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Request Body schema: application/json

The settings of the new log inspection rule.

alertEnabled
boolean

Controls whether to raise an alert when a LogInspectionRule logs an event. Use true to raise an alert. Searchable as Boolean.

alertMinimumSeverity
integer <int32>

Minimum severity that raises an alert. Only used when ruleXML contains several rules with different severities; it then selects which severity level triggers the alert. Searchable as Numeric.

dependency
string

Indicates whether this rule depends on another rule or on a dependency group. If set, the LogInspectionRule only logs an event when the dependency is triggered. Available for user-defined rules.

Enum: "none" "rule" "group"
dependencyGroup
string

If dependency is set to group, the dependency group that this rule depends on.

dependencyRuleID
integer <int32>

If dependency is set to rule, the ID of the rule that this rule depends on. Ignored for rules from Trend Micro, which use dependsOnRuleIDs instead.

description
string

Description of the LogInspectionRule that appears in search results, and on the General tab in the Deep Security Manager user interface. Searchable as String.

frequency
integer <int32>

Number of times the dependent rule has to match within timeFrame before this rule is triggered.

groups
Array of strings

Groups that the LogInspectionRule is assigned to, one group name per array element. Useful together with dependency: a LogInspectionRule can be made to fire when another LogInspectionRule belonging to a specific group fires.

identifier
string

Identifier of the LogInspectionRule used in the Deep Security Manager user interface. Searchable as String.

lastUpdated
integer <int64>

Update timestamp of the LogInspectionRule, measured in milliseconds since epoch. Searchable as Date.

level
integer <int32>

Log level of the LogInspectionRule indicates severity of attack. Level 0 is the least severe and will not log an event. Level 15 is the most severe.

logFiles
object (LogFiles)

Log files that the LogInspectionRule inspects.

minimumAgentVersion
string

Minimum Deep Security Agent version required by the LogInspectionRule. Searchable as String.

minimumManagerVersion
string

Minimum Deep Security Manager version required by the LogInspectionRule. Searchable as String.

name
string

Name of the LogInspectionRule. Searchable as String.

originalIssue
integer <int64>

Creation timestamp of the LogInspectionRule, measured in milliseconds since epoch. Searchable as Date.

pattern
string

Pattern the LogInspectionRule looks for in the logs; the rule is triggered on a match. With patternType set to regex, Open Source HIDS SECurity (OSSEC) regular expression syntax is supported, see http://www.ossec.net/docs/syntax/regex.html.

patternType
string

Type of matching applied to pattern. Plain string matching is faster than regular expression matching.

Enum: "string" "regex"
recommendationsMode
string

Indicates whether recommendation scans consider the LogInspectionRule. Can be set to enabled or ignored; custom rules cannot be recommended. Searchable as Choice.

Enum: "enabled" "ignored" "unknown" "disabled"
ruleDescription
string

Description of the LogInspectionRule that appears on events and the Content tab in the Deep Security Manager user interface. Alternatively, you can configure this by inserting a description in 'ruleXML'.

ruleID
integer <int32>

ID of the LogInspectionRule sent to the Deep Security Agent. The values 100000 - 109999 are reserved for user-defined rules.

ruleXML
string

LogInspectionRule in an XML format. For information on the XML format, see http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html

sortOrder
integer <int32>

Order in which LogInspectionRules are sent to the Deep Security Agent. Log inspection rules are sent in ascending order. Valid values are between 10000 and 20000.

template
string

Template used to create this rule.

Enum: "basic-rule" "custom"
timeFrame
integer <int32>

Time window, in seconds, within which the dependent rule must match frequency times for this rule to generate an event.

type
string

Type of the LogInspectionRule. The value 'Defined' is used for LogInspectionRules provided by Trend Micro. Searchable as String.

Responses
200

successful operation

403

Not authorized to create log inspection rules.

Request samples
application/json
{
  "name": "string",
  "description": "string",
  "minimumAgentVersion": "string",
  "minimumManagerVersion": "string",
  "type": "string",
  "originalIssue": 0,
  "lastUpdated": 0,
  "identifier": "string",
  "template": "basic-rule",
  "ruleID": 0,
  "level": 0,
  "groups": [],
  "ruleDescription": "string",
  "pattern": "string",
  "patternType": "string",
  "dependency": "none",
  "dependencyRuleID": 0,
  "dependencyGroup": "string",
  "frequency": 0,
  "timeFrame": 0,
  "ruleXML": "string",
  "logFiles": {},
  "alertEnabled": true,
  "alertMinimumSeverity": 0,
  "recommendationsMode": "enabled",
  "sortOrder": 0
}
Response samples
application/json
{
  "name": "string",
  "description": "string",
  "minimumAgentVersion": "string",
  "minimumManagerVersion": "string",
  "type": "string",
  "originalIssue": 0,
  "lastUpdated": 0,
  "identifier": "string",
  "template": "basic-rule",
  "ruleID": 0,
  "level": 0,
  "groups": [],
  "ruleDescription": "string",
  "pattern": "string",
  "patternType": "string",
  "dependency": "none",
  "dependencyRuleID": 0,
  "dependencyGroup": "string",
  "frequency": 0,
  "timeFrame": 0,
  "ruleXML": "string",
  "logFiles": {},
  "alertEnabled": true,
  "alertMinimumSeverity": 0,
  "recommendationsMode": "enabled",
  "sortOrder": 0,
  "canBeAssignedAlone": true,
  "dependsOnRuleIDs": [],
  "ID": 0
}

Describe a Log Inspection Rule

get/loginspectionrules/{logInspectionRuleID}

Describe a log inspection rule by ID.

Related SDK Methods:
Java

LogInspectionRulesApi.describeLogInspectionRule([param1, param2, ...])

Python

LogInspectionRulesApi.describe_log_inspection_rule([param1, param2, ...])

JavaScript

LogInspectionRulesApi.describeLogInspectionRule([param1, param2, ...])

Request
path Parameters
logInspectionRuleID
required
integer <int32> \d+

The ID number of the log inspection rule to describe.

Example: 1
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Responses
200

successful operation

403

Not authorized to view log inspection rules.

404

The log inspection rule does not exist.

Request samples
import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.LogInspectionRulesApi;
import com.trendmicro.deepsecurity.model.LogInspectionRule;


public class DescribeLogInspectionRuleExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth DefaultAuthentication = (ApiKeyAuth) defaultClient.getAuthentication("DefaultAuthentication");
		DefaultAuthentication.setApiKey("YOUR API KEY");
		// Keep TLS certificate validation on: trustAllCertificates(true) would disable it
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		LogInspectionRulesApi instance = new LogInspectionRulesApi();
		Integer logInspectionRuleID = 1;
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			LogInspectionRule result = instance.describeLogInspectionRule(logInspectionRuleID, apiVersion);
			System.out.println(result);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling LogInspectionRulesApi.describeLogInspectionRule");
			e.printStackTrace();
		}
	}
}

Response samples
application/json
{
  "name": "string",
  "description": "string",
  "minimumAgentVersion": "string",
  "minimumManagerVersion": "string",
  "type": "string",
  "originalIssue": 0,
  "lastUpdated": 0,
  "identifier": "string",
  "template": "basic-rule",
  "ruleID": 0,
  "level": 0,
  "groups": [],
  "ruleDescription": "string",
  "pattern": "string",
  "patternType": "string",
  "dependency": "none",
  "dependencyRuleID": 0,
  "dependencyGroup": "string",
  "frequency": 0,
  "timeFrame": 0,
  "ruleXML": "string",
  "logFiles": {},
  "alertEnabled": true,
  "alertMinimumSeverity": 0,
  "recommendationsMode": "enabled",
  "sortOrder": 0,
  "canBeAssignedAlone": true,
  "dependsOnRuleIDs": [],
  "ID": 0
}

Modify a Log Inspection Rule

post/loginspectionrules/{logInspectionRuleID}

Modify a log inspection rule by ID. Any unset elements will be left unchanged.

Related SDK Methods:
Java

LogInspectionRulesApi.modifyLogInspectionRule([param1, param2, ...])

Python

LogInspectionRulesApi.modify_log_inspection_rule([param1, param2, ...])

JavaScript

LogInspectionRulesApi.modifyLogInspectionRule([param1, param2, ...])

Request
path Parameters
logInspectionRuleID
required
integer <int32> \d+

The ID number of the log inspection rule to modify.

Example: 1
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Request Body schema: application/json

The settings of the log inspection rule to modify.

alertEnabled
boolean

Controls whether to raise an alert when a LogInspectionRule logs an event. Use true to raise an alert. Searchable as Boolean.

alertMinimumSeverity
integer <int32>

Minimum severity that raises an alert. Only used when ruleXML contains several rules with different severities; it then selects which severity level triggers the alert. Searchable as Numeric.

dependency
string

Indicates whether this rule depends on another rule or on a dependency group. If set, the LogInspectionRule only logs an event when the dependency is triggered. Available for user-defined rules.

Enum: "none" "rule" "group"
dependencyGroup
string

If dependency is set to group, the dependency group that this rule depends on.

dependencyRuleID
integer <int32>

If dependency is set to rule, the ID of the rule that this rule depends on. Ignored for rules from Trend Micro, which use dependsOnRuleIDs instead.

description
string

Description of the LogInspectionRule that appears in search results, and on the General tab in the Deep Security Manager user interface. Searchable as String.

frequency
integer <int32>

Number of times the dependent rule has to match within timeFrame before this rule is triggered.

groups
Array of strings

Groups that the LogInspectionRule is assigned to, one group name per array element. Useful together with dependency: a LogInspectionRule can be made to fire when another LogInspectionRule belonging to a specific group fires.

identifier
string

Identifier of the LogInspectionRule used in the Deep Security Manager user interface. Searchable as String.

lastUpdated
integer <int64>

Update timestamp of the LogInspectionRule, measured in milliseconds since epoch. Searchable as Date.

level
integer <int32>

Log level of the LogInspectionRule indicates severity of attack. Level 0 is the least severe and will not log an event. Level 15 is the most severe.

logFiles
object (LogFiles)

Log files that the LogInspectionRule inspects.

minimumAgentVersion
string

Minimum Deep Security Agent version required by the LogInspectionRule. Searchable as String.

minimumManagerVersion
string

Minimum Deep Security Manager version required by the LogInspectionRule. Searchable as String.

name
string

Name of the LogInspectionRule. Searchable as String.

originalIssue
integer <int64>

Creation timestamp of the LogInspectionRule, measured in milliseconds since epoch. Searchable as Date.

pattern
string

Pattern the LogInspectionRule looks for in the logs; the rule is triggered on a match. With patternType set to regex, Open Source HIDS SECurity (OSSEC) regular expression syntax is supported, see http://www.ossec.net/docs/syntax/regex.html.

patternType
string

Type of matching applied to pattern. Plain string matching is faster than regular expression matching.

Enum: "string" "regex"
recommendationsMode
string

Indicates whether recommendation scans consider the LogInspectionRule. Can be set to enabled or ignored; custom rules cannot be recommended. Searchable as Choice.

Enum: "enabled" "ignored" "unknown" "disabled"
ruleDescription
string

Description of the LogInspectionRule that appears on events and the Content tab in the Deep Security Manager user interface. Alternatively, you can configure this by inserting a description in 'ruleXML'.

ruleID
integer <int32>

ID of the LogInspectionRule sent to the Deep Security Agent. The values 100000 - 109999 are reserved for user-defined rules.

ruleXML
string

LogInspectionRule in an XML format. For information on the XML format, see http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html

sortOrder
integer <int32>

Order in which LogInspectionRules are sent to the Deep Security Agent. Log inspection rules are sent in ascending order. Valid values are between 10000 and 20000.

template
string

Template used to create this rule.

Enum: "basic-rule" "custom"
timeFrame
integer <int32>

Time window, in seconds, within which the dependent rule must match frequency times for this rule to generate an event.

type
string

Type of the LogInspectionRule. The value 'Defined' is used for LogInspectionRules provided by Trend Micro. Searchable as String.

Responses
200

successful operation

403

Not authorized to modify log inspection rules or the requested modification is not permitted.

404

The log inspection rule does not exist.

Request samples
application/json
{
  "name": "string",
  "description": "string",
  "minimumAgentVersion": "string",
  "minimumManagerVersion": "string",
  "type": "string",
  "originalIssue": 0,
  "lastUpdated": 0,
  "identifier": "string",
  "template": "basic-rule",
  "ruleID": 0,
  "level": 0,
  "groups": [],
  "ruleDescription": "string",
  "pattern": "string",
  "patternType": "string",
  "dependency": "none",
  "dependencyRuleID": 0,
  "dependencyGroup": "string",
  "frequency": 0,
  "timeFrame": 0,
  "ruleXML": "string",
  "logFiles": {},
  "alertEnabled": true,
  "alertMinimumSeverity": 0,
  "recommendationsMode": "enabled",
  "sortOrder": 0
}
Response samples
application/json
{
  "name": "string",
  "description": "string",
  "minimumAgentVersion": "string",
  "minimumManagerVersion": "string",
  "type": "string",
  "originalIssue": 0,
  "lastUpdated": 0,
  "identifier": "string",
  "template": "basic-rule",
  "ruleID": 0,
  "level": 0,
  "groups": [],
  "ruleDescription": "string",
  "pattern": "string",
  "patternType": "string",
  "dependency": "none",
  "dependencyRuleID": 0,
  "dependencyGroup": "string",
  "frequency": 0,
  "timeFrame": 0,
  "ruleXML": "string",
  "logFiles": {},
  "alertEnabled": true,
  "alertMinimumSeverity": 0,
  "recommendationsMode": "enabled",
  "sortOrder": 0,
  "canBeAssignedAlone": true,
  "dependsOnRuleIDs": [],
  "ID": 0
}
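The following Python is an added example for the create and modify endpoints above; it is not code from this page or from the Deep Security SDK. It checks a request body against the limits the schema documents (ruleID 100000 - 109999 for user-defined rules, sortOrder 10000 - 20000, level 0 - 15, the dependency value and its required companion field, frequency paired with timeFrame) before anything is sent, and builds the create or modify call as plain data so it can be inspected offline. It also applies the modify rule that unset elements are left unchanged: a modify body should carry only the fields being changed, so None values are dropped. Assumptions: the host string is the API base path, as passed to setBasePath in the Java samples; the api-secret-key header name comes from the Deep Security REST API and is not documented on this page; the two sample rules are constructed for illustration, and dependencyRuleID is taken to refer to the dependency's ruleID.

```python
from typing import Any, Dict, List, Optional

# Limits taken from the request body schema above.
USER_RULE_ID_RANGE = range(100000, 110000)  # ruleID values reserved for user-defined rules
SORT_ORDER_RANGE = range(10000, 20001)      # valid sortOrder values
LEVEL_RANGE = range(0, 16)                  # level 0 never logs an event, 15 is most severe
DEPENDENCIES = {"none", "rule", "group"}
PATTERN_TYPES = {"string", "regex"}


def validate_rule(rule: Dict[str, Any]) -> List[str]:
    """Return the schema violations found; an empty list means the body is consistent."""
    problems: List[str] = []
    rid = rule.get("ruleID")
    if rid is not None and rid not in USER_RULE_ID_RANGE:
        problems.append(f"ruleID {rid} outside the user-defined range 100000-109999")
    order = rule.get("sortOrder")
    if order is not None and order not in SORT_ORDER_RANGE:
        problems.append(f"sortOrder {order} outside 10000-20000")
    level = rule.get("level")
    if level is not None and level not in LEVEL_RANGE:
        problems.append(f"level {level} outside 0-15")
    elif level == 0:
        problems.append("level 0 never logs an event, so the rule would be silent")
    ptype = rule.get("patternType")
    if ptype is not None and ptype not in PATTERN_TYPES:
        problems.append(f"patternType {ptype!r} must be 'string' or 'regex'")
    dep = rule.get("dependency", "none")
    if dep not in DEPENDENCIES:
        problems.append(f"dependency {dep!r} must be none, rule or group")
    elif dep == "rule" and rule.get("dependencyRuleID") is None:
        problems.append("dependency 'rule' needs dependencyRuleID")
    elif dep == "group" and not rule.get("dependencyGroup"):
        problems.append("dependency 'group' needs dependencyGroup")
    if (rule.get("frequency") is None) != (rule.get("timeFrame") is None):
        problems.append("frequency and timeFrame must be set together")
    return problems


def build_request(host: str, api_key: str, api_version: str,
                  rule: Dict[str, Any], rule_id: Optional[int] = None) -> Dict[str, Any]:
    """Describe the create (rule_id None) or modify (rule_id set) call; nothing is sent.

    host is the API base path (setBasePath in the Java samples). The header name
    api-secret-key is assumed from the Deep Security REST API; the page above
    documents only api-version."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    path = "/loginspectionrules" + ("" if rule_id is None else f"/{rule_id}")
    # Modify leaves unset elements unchanged, so send only the fields being changed.
    body = {k: v for k, v in rule.items() if v is not None}
    return {
        "method": "POST",
        "url": host.rstrip("/") + path,
        "headers": {"api-secret-key": api_key, "api-version": api_version,
                    "Content-Type": "application/json"},
        "json": body,  # serialize with json.dumps() before sending
    }


# Constructed sample rules (not from a real manager). The first matches one sshd
# failure with a plain string; the second depends on it and fires only after it
# matched 5 times within 120 seconds, raising an alert.
SSH_FAILED_LOGIN = {
    "name": "Custom: SSH authentication failure",
    "template": "basic-rule",
    "ruleID": 100001,
    "sortOrder": 15000,
    "level": 5,
    "patternType": "string",
    "pattern": "Failed password for",
    "dependency": "none",
    "alertEnabled": False,
}

SSH_BRUTE_FORCE = {
    "name": "Custom: SSH brute force",
    "template": "basic-rule",
    "ruleID": 100002,
    "sortOrder": 15010,
    "level": 10,
    "dependency": "rule",
    "dependencyRuleID": 100001,  # assumed: the ruleID of SSH_FAILED_LOGIN
    "frequency": 5,
    "timeFrame": 120,
    "alertEnabled": True,
}

if __name__ == "__main__":
    import json
    base = "https://dsm.example.internal:4119/api"  # placeholder host
    for r in (SSH_FAILED_LOGIN, SSH_BRUTE_FORCE):
        print(json.dumps(build_request(base, "YOUR API KEY", "v1", r), indent=2))
    # Modify: only alertEnabled is sent; the None for level is dropped.
    print(build_request(base, "YOUR API KEY", "v1",
                        {"alertEnabled": True, "level": None}, rule_id=42)["json"])
```

The validator rejects a level of 0 deliberately: the schema says such a rule never logs, which is an easy way to ship a silent detection. Sending a fully populated object on modify is harmless but hides which field you meant to change; the None-dropping keeps the audit trail of API calls readable.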

Delete a Log Inspection Rule

delete/loginspectionrules/{logInspectionRuleID}

Delete a log inspection rule by ID.

Related SDK Methods:
Java

LogInspectionRulesApi.deleteLogInspectionRule([param1, param2, ...])

Python

LogInspectionRulesApi.delete_log_inspection_rule([param1, param2, ...])

JavaScript

LogInspectionRulesApi.deleteLogInspectionRule([param1, param2, ...])

Request
path Parameters
logInspectionRuleID
required
integer <int32> \d+

The ID number of the log inspection rule to delete.

Example: 1
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Responses
200

Request is successful.

403

Not authorized to delete log inspection rules.

Request samples
import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.LogInspectionRulesApi;


public class DeleteLogInspectionRuleExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth DefaultAuthentication = (ApiKeyAuth) defaultClient.getAuthentication("DefaultAuthentication");
		DefaultAuthentication.setApiKey("YOUR API KEY");
		// Keep TLS certificate validation on: trustAllCertificates(true) would disable it
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		LogInspectionRulesApi instance = new LogInspectionRulesApi();
		Integer logInspectionRuleID = 1;
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			instance.deleteLogInspectionRule(logInspectionRuleID, apiVersion);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling LogInspectionRulesApi.deleteLogInspectionRule");
			e.printStackTrace();
		}
	}
}

Search Log Inspection Rules

post/loginspectionrules/search

Search for log inspection rules using optional filters.

Related SDK Methods:
Java

LogInspectionRulesApi.searchLogInspectionRules([param1, param2, ...])

Python

LogInspectionRulesApi.search_log_inspection_rules([param1, param2, ...])

JavaScript

LogInspectionRulesApi.searchLogInspectionRules([param1, param2, ...])

Request
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Request Body schema: application/json

A collection of options used to filter the search results.

maxItems
integer <int32>

Limits the number of objects returned. Default 5000.

searchCriteria
Array of objects (searchCriteria)

Array of search criteria used to filter objects. Searching with multiple criteria returns results that satisfy all of the criteria. Searching with no criteria returns all objects.

sortByObjectID
boolean

If true, forces the response objects to be sorted by ID, overriding the default sort order. Default "false".

Responses
200

successful operation

403

Not authorized to view log inspection rules.

Request samples
application/json
{
  "maxItems": 0,
  "searchCriteria": [],
  "sortByObjectID": true
}
Response samples
application/json
{
  "logInspectionRules": []
}
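An added example for the search endpoint, not code from this page or from the SDK: paging through every rule. The page states that maxItems caps a response (default 5000) and that sortByObjectID forces ID order; the usual way to page is therefore to sort by ID and ask each time for objects whose ID is greater than the last one received, stopping when a page comes back short. The searchCriteria fields used here (idValue, idTest, fieldName, stringValue, stringTest) are not documented on this page and are assumed from the Deep Security search schema. FakeManager and SAMPLE_RULES are constructed stand-ins for a manager so the code runs offline; in production the transport would POST the body to /loginspectionrules/search with the api-version and API key headers.

```python
from typing import Any, Callable, Dict, List

# A transport takes the JSON body for POST /loginspectionrules/search and
# returns the decoded response. In production it performs the HTTPS call.
Transport = Callable[[Dict[str, Any]], Dict[str, Any]]


def search_all_rules(transport: Transport, page_size: int = 2) -> List[Dict[str, Any]]:
    """Return every rule by walking pages of page_size in ascending ID order."""
    rules: List[Dict[str, Any]] = []
    last_id = 0
    while True:
        page = transport({
            "maxItems": page_size,
            "sortByObjectID": True,  # ID order makes the ID cursor below sound
            # assumed criteria fields: idValue / idTest are not on this page
            "searchCriteria": [{"idValue": last_id, "idTest": "greater-than"}],
        })["logInspectionRules"]
        rules.extend(page)
        if len(page) < page_size:  # short page: nothing left beyond it
            return rules
        last_id = page[-1]["ID"]


def search_by_name(transport: Transport, name: str) -> List[Dict[str, Any]]:
    """Exact-name lookup; name is 'Searchable as String' in the schema above."""
    # assumed criteria fields: fieldName / stringValue / stringTest
    body = {"searchCriteria": [{"fieldName": "name", "stringValue": name,
                                "stringTest": "equal"}]}
    return transport(body)["logInspectionRules"]


# Constructed sample inventory (not real Deep Security data).
SAMPLE_RULES = [
    {"ID": 3, "name": "Custom: SSH authentication failure", "type": "Custom"},
    {"ID": 7, "name": "Custom: SSH brute force", "type": "Custom"},
    {"ID": 12, "name": "Custom: sudo to root", "type": "Custom"},
    {"ID": 20, "name": "Custom: SSH authentication failure", "type": "Custom"},
    {"ID": 31, "name": "Custom: new user added", "type": "Custom"},
]


class FakeManager:
    """Stand-in for the search endpoint: criteria are ANDed, maxItems defaults to 5000."""

    def __init__(self, rules: List[Dict[str, Any]]):
        self.rules = sorted(rules, key=lambda r: r["ID"])
        self.calls = 0

    def __call__(self, body: Dict[str, Any]) -> Dict[str, Any]:
        self.calls += 1
        hits = self.rules
        for c in body.get("searchCriteria", []):
            if "idValue" in c and c.get("idTest") == "greater-than":
                hits = [r for r in hits if r["ID"] > c["idValue"]]
            elif "fieldName" in c and c.get("stringTest") == "equal":
                hits = [r for r in hits if r.get(c["fieldName"]) == c["stringValue"]]
        limit = body.get("maxItems") or 5000
        return {"logInspectionRules": hits[:limit]}


if __name__ == "__main__":
    manager = FakeManager(SAMPLE_RULES)
    print([r["ID"] for r in search_all_rules(manager)], "in", manager.calls, "calls")
    print(search_by_name(manager, "Custom: SSH authentication failure"))
```

Without sortByObjectID the ID cursor is unsafe, because the default sort order gives no guarantee that an object with a higher ID has not already been skipped. The name lookup also shows why a search is the right pre-check before create: names are not unique, so two rules carrying the same name (IDs 3 and 20 in the sample) are both returned.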