# Create Rule

Create a new Sigma detection rule.

## Endpoint

## Authentication

Requires a JWT token with the Analyst or Admin role.
API keys cannot create rules (they are read-only by default).

## Request Body

```json
{
  "title": "Failed Login Attempt",
  "yaml_content": "title: Failed Login Attempt\nstatus: test\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4625\n  condition: selection\nlevel: medium"
}
```
## Required Fields

| Field | Type | Description |
|---|---|---|
| yaml_content | string | Complete Sigma rule in YAML |

## Optional Fields

| Field | Type | Description |
|---|---|---|
| title | string | Override the title from the YAML |
| deploy | boolean | Deploy immediately after creation |
## Example Request

```bash
curl -X POST \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -H "X-CSRF-Token: abc123..." \
  -d '{
    "yaml_content": "title: Failed Login Attempt\nstatus: test\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4625\n  condition: selection\nlevel: medium"
  }' \
  https://chad.example.com/api/rules
```
## Response

```json
{
  "id": "abc-123",
  "title": "Failed Login Attempt",
  "yaml_content": "title: Failed Login Attempt\n...",
  "status": "undeployed",
  "severity": "medium",
  "tags": [],
  "created_at": "2024-01-15T14:32:17Z",
  "updated_at": "2024-01-15T14:32:17Z",
  "version": 1,
  "created_by": "user@example.com"
}
```
## Validation

CHAD validates the rule before creation:

- YAML syntax - must be valid YAML
- Sigma schema - must follow the Sigma specification
- Required fields - `title`, `logsource`, `detection`, `level` must be present
- Field mapping - fields referenced in the detection must exist in the configured field mappings
## Validation Error

```json
{
  "detail": "Validation failed",
  "errors": [
    {
      "field": "detection",
      "message": "Required field missing"
    }
  ]
}
```
## Auto-Deploy

Create and deploy in one request:

```json
{
  "yaml_content": "...",
  "deploy": true
}
```

The response then includes `"status": "deployed"`.
## Error Responses

### 400 Bad Request

```json
{
  "detail": "Invalid YAML syntax"
}
```

### 401 Unauthorized

```json
{
  "detail": "Could not validate credentials"
}
```

### 403 Forbidden

```json
{
  "detail": "Not enough permissions"
}
```

### 422 Validation Error

```json
{
  "detail": "Validation failed",
  "errors": [...]
}
```
## Code Examples

### Python

```python
import requests

# Placeholder values; substitute your deployment's URL and credentials.
BASE_URL = "https://chad.example.com"
JWT_TOKEN = "eyJ..."
csrf_token = "abc123..."

rule_yaml = """
title: Suspicious PowerShell Download
status: test
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains|all:
      - 'powershell'
      - 'downloadstring'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001
"""

response = requests.post(
    f"{BASE_URL}/api/rules",
    headers={
        "Authorization": f"Bearer {JWT_TOKEN}",
        "X-CSRF-Token": csrf_token,
    },
    # json= serialises the body and sets Content-Type: application/json
    json={"yaml_content": rule_yaml, "deploy": True},
)
# Raise on 400/401/403/422 rather than indexing into an error body below
response.raise_for_status()
rule = response.json()
print(f"Created rule: {rule['id']}")
```
### JavaScript

```javascript
// Placeholder values; substitute your deployment's credentials.
const jwtToken = 'eyJ...';
const csrfToken = 'abc123...';

const ruleYaml = `
title: Suspicious PowerShell Download
status: test
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains|all:
      - 'powershell'
      - 'downloadstring'
  condition: selection
level: high
`;

const response = await fetch('https://chad.example.com/api/rules', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${jwtToken}`,
    'Content-Type': 'application/json',
    'X-CSRF-Token': csrfToken,
  },
  body: JSON.stringify({
    yaml_content: ruleYaml,
    deploy: true,
  }),
});

// Surface 400/401/403/422 bodies instead of treating them as a created rule
if (!response.ok) {
  const error = await response.json();
  throw new Error(`Create rule failed (${response.status}): ${JSON.stringify(error)}`);
}
const rule = await response.json();
console.log(`Created rule: ${rule.id}`);
```
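As an added example (not part of these docs or of the CHAD project), a stdlib-only client for this endpoint that sends the documented headers and maps the Validation Error and Error Responses sections to typed exceptions, so a 422 `errors` list is surfaced field by field instead of being indexed as a rule. `fake_chad_opener` is a constructed offline stand-in for the server, assumed here so the block runs without a deployment.

```python
import io
import json
import urllib.error
import urllib.request


class RuleValidationError(Exception):
    """HTTP 422 from the API; .errors holds the per-field list from the response body."""

    def __init__(self, detail, errors):
        super().__init__(detail)
        self.errors = errors


def create_rule(base_url, jwt_token, csrf_token, yaml_content, deploy=False,
                opener=urllib.request.urlopen):
    """POST the rule with the documented headers; return the created rule as a dict."""
    req = urllib.request.Request(
        f"{base_url}/api/rules",
        data=json.dumps({"yaml_content": yaml_content, "deploy": deploy}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {jwt_token}",
                 "Content-Type": "application/json",
                 "X-CSRF-Token": csrf_token},
    )
    try:
        with opener(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        payload = json.loads(err.read() or b"{}")
        detail = payload.get("detail", err.reason)
        if err.code == 422:  # structured per-field errors: report them, do not retry blindly
            raise RuleValidationError(detail, payload.get("errors", [])) from err
        if err.code in (401, 403):  # bad/expired token, or a role that cannot create rules
            raise PermissionError(f"{err.code}: {detail}") from err
        raise ValueError(f"{err.code}: {detail}") from err  # e.g. 400 invalid YAML syntax


def fake_chad_opener(req):
    """Constructed offline stand-in for the server (an assumption, not CHAD's code):
    applies the page's 'detection is required' check and returns the documented shapes."""
    body = json.loads(req.data)
    if "detection:" not in body["yaml_content"]:
        err = {"detail": "Validation failed",
               "errors": [{"field": "detection", "message": "Required field missing"}]}
        raise urllib.error.HTTPError(req.full_url, 422, "Unprocessable Entity", {},
                                     io.BytesIO(json.dumps(err).encode()))
    status = "deployed" if body.get("deploy") else "undeployed"
    return io.BytesIO(json.dumps({"id": "abc-123", "status": status, "version": 1}).encode())
```

Pass the real `urllib.request.urlopen` (the default) to talk to a deployment; the fake opener only exists so the error path can be exercised offline.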