Deploy Rule

Deploy a rule to activate real-time detection. Deploying creates a percolator document for the rule in OpenSearch.

Endpoint

POST /api/rules/{id}/deploy

Authentication

Requires JWT token with Analyst or Admin role.

Path Parameters

Parameter   Type     Description
id          string   Rule UUID

Example Request

curl -X POST \
  -H "Authorization: Bearer eyJ..." \
  -H "X-CSRF-Token: abc123..." \
  https://chad.example.com/api/rules/abc-123/deploy

Response

{
  "id": "abc-123",
  "title": "Failed Login Attempt",
  "status": "deployed",
  "deployed_at": "2024-01-15T14:32:17Z",
  "percolator_id": "perc-xyz-789"
}

What Happens

  1. Rule YAML translated to OpenSearch query via pySigma
  2. Field mappings applied
  3. Percolator document created in chad-percolator-{index}
  4. Rule status updated to deployed
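The four steps above can be followed in a simplified form. The example below is an added illustration, not chad's or pySigma's own code: it translates a parsed Sigma rule (constructed inline, with the id and title from this page) into an OpenSearch bool query, applies a constructed field-mapping table, and assembles a document for the chad-percolator-{index} index. The only condition forms it supports are "X" and "X and not Y", the modifiers are limited to endswith/startswith/contains, and the percolator body layout (query, rule_id, rule_title) is an assumption. A field with no mapping raises the same "Field '...' not mapped" message the API returns as a 400.

```python
import re

# Constructed sample: a parsed Sigma rule, i.e. the dict yaml.safe_load would
# return for the rule's YAML. Rule id and title match this page's example.
SAMPLE_RULE = {
    "id": "abc-123",
    "title": "Failed Login Attempt",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4625, "LogonType": [3, 10]},
        "filter": {"TargetUserName|endswith": "$"},
        "condition": "selection and not filter",
    },
}

# Constructed field mappings: Sigma field name -> field name in the index.
FIELD_MAPPINGS = {
    "EventID": "winlog.event_id",
    "LogonType": "winlog.event_data.LogonType",
    "TargetUserName": "winlog.event_data.TargetUserName",
}


class UnmappedFieldError(ValueError):
    """Raised when a rule references a field with no mapping (the 400 case)."""


def map_field(sigma_field, mappings):
    """Split 'Field|modifier' and resolve the field through the mappings."""
    base, _, modifier = sigma_field.partition("|")
    if base not in mappings:
        raise UnmappedFieldError(f"Field '{base}' not mapped")
    return mappings[base], modifier


def selection_to_query(selection, mappings):
    """Translate one Sigma selection: items are ANDed, list values are ORed."""
    must = []
    for sigma_field, value in selection.items():
        field, modifier = map_field(sigma_field, mappings)
        values = value if isinstance(value, list) else [value]
        if modifier == "":
            clauses = [{"term": {field: v}} for v in values]
        elif modifier == "endswith":
            clauses = [{"wildcard": {field: {"value": f"*{v}"}}} for v in values]
        elif modifier == "startswith":
            clauses = [{"wildcard": {field: {"value": f"{v}*"}}} for v in values]
        elif modifier == "contains":
            clauses = [{"wildcard": {field: {"value": f"*{v}*"}}} for v in values]
        else:
            raise ValueError(f"Unsupported modifier '{modifier}' on {sigma_field}")
        if len(clauses) == 1:
            must.append(clauses[0])
        else:
            must.append({"bool": {"should": clauses, "minimum_should_match": 1}})
    return {"bool": {"must": must}}


# Supported condition grammar (simplification): "X" or "X and not Y".
CONDITION_RE = re.compile(r"(\w+)(?: and not (\w+))?")


def translate_rule(rule, mappings):
    """Translate the rule's detection block into a single OpenSearch bool query."""
    detection = rule["detection"]
    match = CONDITION_RE.fullmatch(detection["condition"])
    if match is None:
        raise ValueError(f"Unsupported condition: {detection['condition']!r}")
    query = selection_to_query(detection[match.group(1)], mappings)
    if match.group(2):
        query["bool"]["must_not"] = [selection_to_query(detection[match.group(2)], mappings)]
    return query


def build_percolator_doc(rule, mappings, index_pattern):
    """Assemble the document stored in chad-percolator-{index}.

    The index name follows this page; the body layout is an assumption."""
    return {
        "index": f"chad-percolator-{index_pattern}",
        "body": {
            "query": translate_rule(rule, mappings),
            "rule_id": rule["id"],
            "rule_title": rule["title"],
        },
    }


if __name__ == "__main__":
    import json
    doc = build_percolator_doc(SAMPLE_RULE, FIELD_MAPPINGS, "windows-security")
    print(json.dumps(doc, indent=2))
```

Running the block prints the percolator document for the sample rule; swapping a rule field for one absent from FIELD_MAPPINGS reproduces the validation failure that blocks a deploy.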

Prerequisites

Before deploying:
  • Rule must pass validation
  • Field mappings must exist for all fields
  • Index pattern must be configured
  • OpenSearch must be connected

Already Deployed

Deploying an already-deployed rule redeploys it:
  • Updates percolator with current YAML
  • Useful after editing deployed rules

Bulk Deploy

Deploy multiple rules:

POST /api/rules/bulk/deploy
Content-Type: application/json

{
  "ids": ["abc-123", "def-456", "ghi-789"]
}

Response:

{
  "deployed": 3,
  "failed": [],
  "skipped": []
}

Failed deployments include error details:

{
  "deployed": 2,
  "failed": [
    {
      "id": "ghi-789",
      "error": "Field 'CustomField' not mapped"
    }
  ]
}
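A bulk deploy can succeed for some rules and fail for others, and every rule in the failed list is a detection that is not running. The helper below is an added example, not part of chad, showing how a caller can consume the response shape documented above: it groups failures by the unmapped field named in the error text (so one mapping fix can unblock several rules before a redeploy), separates other validation errors, and turns a 503 into an exception rather than a partial result. The transport is injected as a `post` callable so the example runs offline against a constructed response; `requests.post` has the same signature and can be passed in instead. The FakeResponse class and the sample response are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a bulk-deploy response in the shape this page documents.
SAMPLE_BULK_RESPONSE = {
    "deployed": 1,
    "failed": [
        {"id": "def-456", "error": "Field 'CustomField' not mapped"},
        {"id": "ghi-789", "error": "Field 'CustomField' not mapped"},
        {"id": "jkl-012", "error": "Field 'ProcessGuid' not mapped"},
        {"id": "mno-345", "error": "Validation failed: invalid condition"},
    ],
    "skipped": [],
}

# Matches the unmapped-field error text shown on this page.
UNMAPPED_RE = re.compile(r"Field '([^']+)' not mapped")


class FakeResponse:
    """Constructed stand-in for requests.Response so the example runs offline."""

    def __init__(self, status_code, payload):
        self.status_code = status_code
        self._payload = payload

    @property
    def ok(self):
        return self.status_code < 400

    def json(self):
        return self._payload


def triage_failures(result):
    """Return (missing_fields, other_failures) for a bulk-deploy result.

    missing_fields maps each unmapped field name to the rule ids it blocks;
    other_failures keeps the remaining entries untouched for manual review."""
    missing_fields = defaultdict(list)
    other_failures = []
    for failure in result.get("failed", []):
        match = UNMAPPED_RE.search(failure["error"])
        if match:
            missing_fields[match.group(1)].append(failure["id"])
        else:
            other_failures.append(failure)
    return dict(missing_fields), other_failures


def deploy_report(post, base_url, headers, ids):
    """POST /api/rules/bulk/deploy via `post` and summarise what is now active.

    `post` must accept (url, headers=..., json=...) and return an object with
    status_code, ok and json(), as requests.post does."""
    response = post(f"{base_url}/api/rules/bulk/deploy", headers=headers, json={"ids": ids})
    if response.status_code == 503:
        # OpenSearch is down: nothing was deployed, do not report a partial result
        raise ConnectionError(response.json().get("detail", "OpenSearch connection failed"))
    if not response.ok:
        raise RuntimeError(
            f"bulk deploy failed ({response.status_code}): {response.json().get('detail')}"
        )
    result = response.json()
    missing_fields, other_failures = triage_failures(result)
    return {
        "deployed": result["deployed"],
        # Only when every requested rule deployed is the detection set complete.
        "all_active": result["deployed"] == len(ids),
        "missing_fields": missing_fields,
        "other_failures": other_failures,
        "skipped": result.get("skipped", []),
    }


if __name__ == "__main__":
    def offline_post(url, headers=None, json=None):
        return FakeResponse(200, SAMPLE_BULK_RESPONSE)

    report = deploy_report(
        offline_post,
        "https://chad.example.com",
        {"Authorization": "Bearer eyJ...", "X-CSRF-Token": "abc123..."},
        ["abc-123", "def-456", "ghi-789", "jkl-012", "mno-345"],
    )
    for field, rule_ids in report["missing_fields"].items():
        print(f"add a mapping for {field!r} to unblock: {', '.join(rule_ids)}")
    for failure in report["other_failures"]:
        print(f"{failure['id']}: {failure['error']}")
    print(f"all requested rules active: {report['all_active']}")
```

The report's all_active flag is the value worth alerting on in automation: a bulk deploy that returns 200 with a non-empty failed list is still a coverage gap until the listed rules are redeployed.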

Undeploy

To stop detection:

POST /api/rules/{id}/undeploy

Response:

{
  "id": "abc-123",
  "status": "undeployed"
}

Error Responses

404 Not Found

{
  "detail": "Rule not found"
}

400 Bad Request

{
  "detail": "Validation failed: Field 'CustomField' not mapped"
}

503 Service Unavailable

{
  "detail": "OpenSearch connection failed"
}

Code Examples

Python

import requests

# Placeholders: set these for your deployment
BASE_URL = "https://chad.example.com"
JWT_TOKEN = "eyJ..."       # JWT for a user with the Analyst or Admin role
csrf_token = "abc123..."   # CSRF token issued with the session

headers = {
    "Authorization": f"Bearer {JWT_TOKEN}",
    "X-CSRF-Token": csrf_token,
}

# Deploy single rule
response = requests.post(f"{BASE_URL}/api/rules/abc-123/deploy", headers=headers)

if response.ok:
    result = response.json()
    print(f"Rule deployed: {result['status']}")
else:
    # 400 (validation), 404 (unknown rule) and 503 (OpenSearch down) carry a "detail" message
    print(f"Deploy failed ({response.status_code}): {response.json().get('detail')}")

# Bulk deploy
response = requests.post(
    f"{BASE_URL}/api/rules/bulk/deploy",
    headers=headers,
    json={"ids": ["abc-123", "def-456"]},
)
response.raise_for_status()

result = response.json()
print(f"Deployed: {result['deployed']}, Failed: {len(result['failed'])}")
for failure in result["failed"]:
    # Each failed entry names the rule and the reason it was not deployed
    print(f"  {failure['id']}: {failure['error']}")

JavaScript

// Placeholders: set these for your deployment
const jwtToken = 'eyJ...';     // JWT for a user with the Analyst or Admin role
const csrfToken = 'abc123...'; // CSRF token issued with the session

// Deploy single rule (top-level await requires an ES module context)
const response = await fetch(
  'https://chad.example.com/api/rules/abc-123/deploy',
  {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${jwtToken}`,
      'X-CSRF-Token': csrfToken
    }
  }
);

const result = await response.json();
if (response.ok) {
  console.log(`Status: ${result.status}`);
} else {
  // Error responses (400, 404, 503) carry a "detail" message
  console.error(`Deploy failed (${response.status}): ${result.detail}`);
}