REST Aggregation Rules
Create or update an aggregation rule.
/rest/aggregation_rule
Create an aggregation rule.
Syntax
https://<username>:<password>@<host>/rest/aggregation_rule
POST
Create an aggregation rule.
Request string
An argument string must include the following fields.
Field | Required | Type | Description |
---|---|---|---|
rule | required | JSON object | The main body of the aggregation rule, with 'name' and 'group' as top-level keys. Each key under 'group' is a CEF field that is checked for matches; its value is an object holding 'method' and, when required, 'regex'. If 'method' is "Exact", no 'regex' value is needed and aggregation is done on an exact match of the field value. If 'method' is "Regex", the 'regex' value is required and holds the pattern to match; see https://pypi.org/project/regex/ for the supported pattern syntax. |
label | required | string | Only artifacts coming in with this label are checked for aggregation rule matches. This field must be different from destination_label. |
destination_label | required | string | Once a match has been found, the artifact is added to a container with this label. This field must be different from label. |
tenants | optional | JSON array of integers | If applicable, the list of tenant ids that should use this rule to aggregate incoming data. |
Example request
You can add an exact method by supplying a JSON formatted body.
curl -k -u admin:changeme https://localhost/rest/aggregation_rule \
  -d '{
    "rule": {
      "name": "test rule exact",
      "group": {
        "destinationAddress": { "method": "Exact" }
      }
    },
    "label": "phishing",
    "destination_label": "spear_phishing"
  }'
Example request
You can add a regex method by supplying a JSON formatted body. Backslashes in the pattern are doubled because the pattern sits inside a JSON string.
curl -k -u admin:changeme https://localhost/rest/aggregation_rule \
  -d '{
    "rule": {
      "name": "test rule regex",
      "group": {
        "sourceAddress": { "method": "Exact" },
        "destinationAddress": { "method": "Regex", "regex": "10\\.10\\.6.*" }
      }
    },
    "label": "phishing",
    "destination_label": "spear_phishing",
    "tenants": [12, 43]
  }'
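The following is an added example, not code from the Splunk Phantom documentation: a small Python helper that assembles the create-rule body, checks the constraints the table above states before anything is sent (distinct labels, a 'regex' key whenever the method is "Regex", integer tenant ids), serializes it for curl -d so the regex backslashes are escaped correctly, and computes a grouping key for a sample CEF artifact. The grouping semantics in group_key (Exact keys on the raw value, Regex requires a full match) are an assumption for illustration, not something the page specifies.

```python
import json
import re

def build_rule(name, group, label, destination_label, tenants=None):
    """Build the body for POST /rest/aggregation_rule, enforcing the
    constraints the documentation states before anything is sent."""
    if label == destination_label:
        raise ValueError("label and destination_label must differ")
    for field, spec in group.items():
        method = spec.get("method")
        if method == "Regex":
            if "regex" not in spec:
                raise ValueError(f"{field}: method Regex requires a 'regex' key")
            re.compile(spec["regex"])  # reject an unparseable pattern early
        elif method != "Exact":
            raise ValueError(f"{field}: method must be 'Exact' or 'Regex'")
    body = {"rule": {"name": name, "group": group},
            "label": label, "destination_label": destination_label}
    if tenants is not None:
        if not all(isinstance(t, int) for t in tenants):
            raise ValueError("tenants must be a list of integer tenant ids")
        body["tenants"] = list(tenants)
    return body

def to_curl_data(body):
    """Serialize for curl -d; json.dumps doubles each backslash in a regex."""
    return json.dumps(body)

def group_key(body, cef):
    """Assumed semantics (not on the page): artifacts with equal keys aggregate.
    Exact keys on the raw field value; Regex keys on it only if the pattern
    fully matches. A missing or non-matching field yields None (no aggregation)."""
    key = []
    for field, spec in body["rule"]["group"].items():
        value = cef.get(field)
        if value is None:
            return None
        if spec["method"] == "Regex" and not re.fullmatch(spec["regex"], str(value)):
            return None
        key.append((field, str(value)))
    return tuple(key)

# Constructed sample rule mirroring the page's regex example
RULE = build_rule(
    "test rule regex",
    {"sourceAddress": {"method": "Exact"},
     "destinationAddress": {"method": "Regex", "regex": r"10\.10\.6.*"}},
    "phishing", "spear_phishing", tenants=[12, 43])
```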
/rest/aggregation_rule/<aggregation_rule_id>
Update an existing aggregation rule.
Syntax
https://<username>:<password>@<host>/rest/aggregation_rule/<aggregation_rule_id>
Usage details
Optionally, you can leave the aggregation_rule_id off the URL, but then the 'id' must be included in the request body. This facilitates bulk updates: pass a list of JSON objects, each containing the appropriate id. The special fields used for updates are listed below.
POST
Update an existing aggregation rule.
Request string
An argument string must include the following fields.
Field | Required | Type | Description |
---|---|---|---|
add_tenants | optional | JSON array of integers | Used in the same way as the 'tenants' field, but does not remove any tenants that do not appear in the list. |
remove_tenants | optional | JSON array of integers | The opposite of 'add_tenants': instead of replacing the tenant list, it removes only the tenants in the list. |
Example request
Add tenant ids 6 and 34 to the rule with id 100 (the id is passed in the body).
curl -k -u admin:changeme https://localhost/rest/aggregation_rule \
  -d '{ "id": 100, "add_tenants": [6, 34] }'
Example request
Remove tenant ids 6 and 201 from the rule with id 100.
curl -k -u admin:changeme https://localhost/rest/aggregation_rule \
  -d '{ "id": 100, "remove_tenants": [6, 201] }'
Example response
A successful POST returns a success indicator and the id of the newly created rule.
{ "id": 100, "success": true }
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7