add_threshold_to_rule
You can use a policy's rules to create active threat analytics case types by setting a threshold on a specific violation policy rule. The rule must have a severity of High in its rule definition, and its rule action must be Alert per match.
When the rule is violated more than the threshold number of times in any one hour, a case is created. The case type is the name of the rule. Cases that are created from a policy rule threshold appear in the active threat analytics cases table and are treated like any other case.
Changes to installed policies take effect according to the policy schedule. If you add a threshold to a rule in a policy that is already installed, cases are created for violations that exceed the threshold only after the policy is reinstalled.
You cannot define thresholds in the GUI.
This API is available in Guardium V11.2 and later.
REST API syntax
This API is available in the REST API using the PUT method. Call this API as follows:
PUT https://[Guardium hostname or IP address]:8443/restAPI/add_threshold_to_rule
GuardAPI syntax
add_threshold_to_rule parameter=value
Parameters
Parameter | Value type | Description |
---|---|---|
policy_name | String | The policy that has the rule you want to add a threshold to. Use the API list_policy to view policies. |
rule_name | String | The rule you want to add a threshold to. Use the API list_policy_rules to view rules. |
threshold_value | Integer | The number of violations of the rule in one hour at which a case is created. |
Examples
grdapi add_threshold_to_rule policy_name=policyAAA rule_name=ruleNNN threshold_value=25
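The same call made through the REST API from a management host, as an added example that is not part of the IBM page and not Guardium's own code. It assumes the appliance hostname in GUARDIUM_HOST, an OAuth client already registered on the appliance (client id and secret in GUARDIUM_CLIENT_ID and GUARDIUM_CLIENT_SECRET, a Guardium user in GUARDIUM_USER and GUARDIUM_PASS, all names chosen for this example), the appliance CA certificate in GUARDIUM_CA, and that the PUT body is JSON keyed by the parameter names in the table above. build_body rejects a threshold that is not a positive integer and escapes quotes in policy and rule names, so a name containing a double quote cannot break the JSON body.

```shell
#!/bin/sh
# Added example, not IBM's code: add a case threshold to a policy rule over the
# Guardium REST API. Assumed (not on the original page): the environment
# variables below, the OAuth token endpoint, and a JSON PUT body.
set -eu

GUARDIUM_HOST="${GUARDIUM_HOST:-guardium.example.com}"   # assumed hostname
GUARDIUM_CA="${GUARDIUM_CA:-/etc/ssl/certs/guardium-ca.pem}" # assumed CA path; pin it instead of curl -k

# Build the JSON body for add_threshold_to_rule.
# Refuses a non-numeric or zero threshold: zero would mean a case on every violation.
build_body() {
    policy="$1"; rule="$2"; threshold="$3"
    case "$threshold" in
        ''|*[!0-9]*) echo "threshold_value must be a positive integer, got '$threshold'" >&2; return 1 ;;
    esac
    [ "$threshold" -gt 0 ] || { echo "threshold_value must be greater than 0" >&2; return 1; }
    # Escape backslashes and double quotes so names survive JSON encoding.
    policy=$(printf '%s' "$policy" | sed 's/\\/\\\\/g; s/"/\\"/g')
    rule=$(printf '%s' "$rule" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"policy_name":"%s","rule_name":"%s","threshold_value":%s}' "$policy" "$rule" "$threshold"
}

# Obtain an OAuth bearer token with the password grant (client registered on the appliance).
get_token() {
    curl -s --cacert "$GUARDIUM_CA" -X POST "https://${GUARDIUM_HOST}:8443/oauth/token" \
        -d "client_id=${GUARDIUM_CLIENT_ID}" \
        -d "client_secret=${GUARDIUM_CLIENT_SECRET}" \
        -d "grant_type=password" \
        -d "username=${GUARDIUM_USER}" \
        -d "password=${GUARDIUM_PASS}" \
    | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# PUT the threshold. The rule must already be High severity with action Alert per match,
# and an installed policy must be reinstalled afterwards before cases are created.
add_threshold() {
    body=$(build_body "$1" "$2" "$3") || return 1
    token=$(get_token)
    [ -n "$token" ] || { echo "no access token returned by ${GUARDIUM_HOST}" >&2; return 1; }
    curl -s --cacert "$GUARDIUM_CA" -X PUT \
        "https://${GUARDIUM_HOST}:8443/restAPI/add_threshold_to_rule" \
        -H "Authorization: Bearer ${token}" \
        -H "Content-Type: application/json" \
        -d "$body"
}

# Usage: ./add_threshold.sh policyAAA ruleNNN 25
if [ "$#" -eq 3 ]; then
    add_threshold "$@"
fi
```

The token and PUT are separate functions so that build_body can be checked on its own before anything touches the appliance; the appliance response is printed unchanged so that an error such as an unknown rule name is visible to the operator.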