Detect and Respond Context Creation Models

List Context Creation Models

get

Returns an array of Context Creation Models.

Authorizations
Authorization · string · Required
Bearer authentication header of the form Bearer <token>.
Responses
200

List of Requested Context Creation Models

application/json
GET /api/v1/rule-engine/ccms

Create Context Creation Model

post

Creates a context creation model from the supplied data. Do not provide an id. IDs are auto-generated.

Authorizations
Authorization · string · Required
Bearer authentication header of the form Bearer <token>.
Body

Context Creation Model Create or Update Config

bypassdisplay · boolean · Optional

If true, portal and API will not display new events

Example: false
bypassrule · boolean · Optional

If true, alerts will not be processed by policies and integrations

Example: false
categories · string[] · Optional

Categories for the context model

Example: ["system"]
description · string · Required

Context model description

Example: context model description
discards · string[] · Optional

Discard lists are NQL statements that, if matched, do not get processed through the event. This enables skipping certain combinations without disabling the context model.

Example: ["bits > 10000"]
enabled · boolean · Optional

If true, the context model is enabled

Example: true
expiration · integer · Required

Number of seconds the context creation model will remain active

Example: 3600
factors · string[] · Optional

Factors for the context model

Example: ["srcip"]
name · string · Required

Name of the context model

Example: new_ndm_name
rollupperiod · integer · Required

The lookback period for the context model. Min 15 seconds. Max 1 hour (3600).

Example: 300
updateinterval · integer · Optional

When ongoing updates should be sent. Max 6 hours (21600). 0 for disabled.

Example: 0
algo_record_type · string · enum · Required

The context of record to be used for the context model

Example: flow
Possible values:
Responses
POST /api/v1/rule-engine/ccm

Fetch Context Creation Model

get

Fetches a specific context creation model from the ID supplied in the path.

Authorizations
Authorization · string · Required
Bearer authentication header of the form Bearer <token>.
Path parameters
id · string · Required

The ID of the context creation model to be returned.

Responses
200

Requested Context Creation Model

application/json
GET /api/v1/rule-engine/ccm/{id}

Update Context Creation Model

put

Update a context creation model given the provided object. This does not do a diff. You must send the complete object.

Authorizations
Authorization · string · Required
Bearer authentication header of the form Bearer <token>.
Path parameters
id · string · Required

The ID of the context creation model to be updated

Body

Context Creation Model Create or Update Config

bypassdisplay · boolean · Optional

If true, portal and API will not display new events

Example: false
bypassrule · boolean · Optional

If true, alerts will not be processed by policies and integrations

Example: false
categories · string[] · Optional

Categories for the context model

Example: ["system"]
description · string · Required

Context model description

Example: context model description
discards · string[] · Optional

Discard lists are NQL statements that, if matched, do not get processed through the event. This enables skipping certain combinations without disabling the context model.

Example: ["bits > 10000"]
enabled · boolean · Optional

If true, the context model is enabled

Example: true
expiration · integer · Required

Number of seconds the context creation model will remain active

Example: 3600
factors · string[] · Optional

Factors for the context model

Example: ["srcip"]
name · string · Required

Name of the context model

Example: new_ndm_name
rollupperiod · integer · Required

The lookback period for the context model. Min 15 seconds. Max 1 hour (3600).

Example: 300
updateinterval · integer · Optional

When ongoing updates should be sent. Max 6 hours (21600). 0 for disabled.

Example: 0
algo_record_type · string · enum · Required

The context of record to be used for the context model

Example: flow
Possible values:
Responses
200

Requested Context Creation Model

application/json
PUT /api/v1/rule-engine/ccm/{id}
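
The create/update body fields and the note that the update "does not do a diff" can be enforced client-side before any request is sent. The following is an added example, not code from the product or its documentation: it checks a body against the documented types and limits, rebuilds the complete object for a PUT, and lists the settings that suppress display or alert processing so a reviewer can see them. Function names and the sample model are constructed, and dropping `id` and any undocumented fields from the fetched object before the PUT is an assumption.

```python
# Added example: field names and limits come from the body fields; the rest is constructed.
REQUIRED = {"name": str, "description": str, "expiration": int,
            "rollupperiod": int, "algo_record_type": str}
OPTIONAL = {"bypassdisplay": bool, "bypassrule": bool, "enabled": bool,
            "categories": list, "discards": list, "factors": list,
            "updateinterval": int}
FIELDS = {**REQUIRED, **OPTIONAL}
LIMITS = {"rollupperiod": (15, 3600), "updateinterval": (0, 21600)}  # seconds

def validate_ccm(body):
    """Return the problems found in a create/update body (empty list = OK)."""
    errors = []
    if "id" in body:
        errors.append("id: do not provide an id, IDs are auto generated")
    errors += [f"{f}: required" for f in REQUIRED if f not in body]
    errors += [f"{f}: not a documented field"
               for f in sorted(set(body) - set(FIELDS) - {"id"})]
    for field in [f for f in FIELDS if f in body]:
        typ, value = FIELDS[field], body[field]
        # bool is a subclass of int in Python, so reject it for integer fields
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            errors.append(f"{field}: expected {typ.__name__}")
        elif field in LIMITS and not LIMITS[field][0] <= value <= LIMITS[field][1]:
            errors.append(f"{field}: outside {LIMITS[field]} seconds")
    return errors

def build_update_body(current, changes):
    """PUT does no diff: merge changes into the fetched model and send it all."""
    body = {k: v for k, v in current.items() if k in FIELDS}  # assumption: drop id
    body.update(changes)
    problems = validate_ccm(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body

def suppression_flags(body):
    """Settings that reduce what the model surfaces, worth a reviewer's look."""
    flags = [f for f in ("bypassdisplay", "bypassrule", "discards") if body.get(f)]
    return flags + (["disabled"] if body.get("enabled") is False else [])

# Constructed sample of a model as fetched from GET /api/v1/rule-engine/ccm/{id}
FETCHED = {"id": "example-id", "name": "new_ndm_name",
           "description": "context model description", "expiration": 3600,
           "rollupperiod": 300, "updateinterval": 0, "enabled": True,
           "factors": ["srcip"], "discards": ["bits > 10000"],
           "algo_record_type": "flow"}
```

Calling `build_update_body(FETCHED, {"rollupperiod": 600})` returns the whole model with only that field changed, so the existing `discards` and `factors` are carried into the PUT body rather than omitted.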

Delete Context Creation Model

delete

Deletes a context creation model

Authorizations
Authorization · string · Required
Bearer authentication header of the form Bearer <token>.
Path parameters
id · string · Required

The ID of the context creation model to be deleted

Responses
DELETE /api/v1/rule-engine/ccm/{id}

No content

Enable Context Creation Model

put

Enables a context creation model

Authorizations
Authorization · string · Required
Bearer authentication header of the form Bearer <token>.
Path parameters
id · string · Required

The ID of the context creation model to be enabled

Responses
200

Requested Context Creation Model

application/json
PUT /api/v1/rule-engine/ccm/{id}/enable

Disable Context Creation Model

put

Disables a context creation model

Authorizations
Authorization · string · Required
Bearer authentication header of the form Bearer <token>.
Path parameters
id · string · Required

The ID of the context creation model to be disabled

Responses
200

Requested Context Creation Model

application/json
PUT /api/v1/rule-engine/ccm/{id}/disable

Reset Context Creation Model

put

Resets a customized system context creation model

Authorizations
Authorization · string · Required
Bearer authentication header of the form Bearer <token>.
Path parameters
id · string · Required

The ID of the context creation model to be reset

Responses
200

Requested Context Creation Model

application/json
PUT /api/v1/rule-engine/ccm/{id}/reset
