Get Rule

Retrieve detailed information about a specific rule.

Endpoint

GET /api/rules/{id}

Authentication

Requires a JWT token or an API key with read permissions, sent as a Bearer token in the Authorization header (as in the examples below). Keys are secrets: keep them out of source control and shell history.

Path Parameters

Parameter  Type    Description
id         string  Rule UUID

Example Request

curl -H "Authorization: Bearer chad_ak_xxxxx..." \
  https://chad.example.com/api/external/rules/abc-123

Response

{
  "id": "abc-123",
  "title": "Failed Login Attempt",
  "yaml_content": "title: Failed Login Attempt\nstatus: test\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4625\n  condition: selection\nlevel: medium\ntags:\n  - attack.credential_access\n  - attack.t1110",
  "status": "deployed",
  "severity": "medium",
  "tags": ["attack.credential_access", "attack.t1110"],
  "source": "custom",
  "threshold_enabled": false,
  "threshold_count": null,
  "threshold_window_minutes": null,
  "threshold_group_by": null,
  "snooze_until": null,
  "snooze_indefinite": false,
  "webhook_enabled": true,
  "jira_enabled": true,
  "created_at": "2024-01-10T10:00:00Z",
  "updated_at": "2024-01-15T14:32:17Z",
  "created_by": "admin@example.com",
  "updated_by": "analyst@example.com",
  "version": 3,
  "alert_count": 42
}

Response Fields

Field                     Type      Description
id                        string    Unique identifier
title                     string    Rule title
yaml_content              string    Full Sigma YAML
status                    string    deployed, undeployed or snoozed
severity                  string    Alert severity
tags                      array     MITRE ATT&CK and custom tags
source                    string    custom or sigmahq
threshold_enabled         boolean   Threshold alerting enabled
threshold_count           integer   Threshold count (null when threshold alerting is disabled)
threshold_window_minutes  integer   Threshold time window, in minutes (null when disabled)
threshold_group_by        string    Threshold grouping field (null when disabled)
snooze_until              datetime  Snooze expiration (null if not snoozed)
snooze_indefinite         boolean   Indefinitely snoozed
webhook_enabled           boolean   Send to webhooks
jira_enabled              boolean   Create Jira tickets
created_at                datetime  Creation timestamp
updated_at                datetime  Last update
created_by                string    Creator username
updated_by                string    Last updater
version                   integer   Version number
alert_count               integer   Total alerts generated

Include Versions

Get the rule together with its version history:

GET /api/rules/{id}?include_versions=true

The response then carries one additional field, versions, listed newest first as in the example:

{
  "versions": [
    {
      "version": 3,
      "yaml_content": "...",
      "changed_by": "analyst@example.com",
      "created_at": "2024-01-15T14:32:17Z"
    },
    {
      "version": 2,
      "yaml_content": "...",
      "changed_by": "admin@example.com",
      "created_at": "2024-01-12T09:00:00Z"
    }
  ]
}
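The version history is the audit trail for a detection rule: a change to detection, logsource, level or status alters what the rule matches or how loud it is, and that is exactly the kind of edit to review before trusting a rule that is still deployed. The following added example (not part of this page or the product's own code) takes a response from GET /api/rules/{id}?include_versions=true, walks the versions array oldest to newest, reports which top-level YAML sections changed between consecutive versions and by whom, flags detection-relevant edits, and checks that the history is contiguous and ends at the rule's current version. The response below is constructed for the example (its YAML is made up), and the helper names, the SENSITIVE_KEYS list and the sigma_yaml builder are this example's own choices, not fields of the API.

```python
import difflib
from typing import Any


def sigma_yaml(title: str, condition: str, level: str, extra: str = "") -> str:
    """Build a small Sigma YAML document for the constructed sample below."""
    return (f"title: {title}\ndetection:\n  selection:\n    EventID: 4625\n"
            f"{extra}  condition: {condition}\nlevel: {level}\n")


# Constructed sample of an include_versions=true response, trimmed to the
# fields this example needs. Not a real API response.
SAMPLE_RULE: dict[str, Any] = {
    "id": "abc-123",
    "title": "Failed Login Attempt",
    "version": 3,
    "versions": [
        {"version": 3, "changed_by": "analyst@example.com", "created_at": "2024-01-15T14:32:17Z",
         "yaml_content": sigma_yaml("Failed Login Attempt", "selection and not filter", "medium",
                                    extra="  filter:\n    TargetUserName|endswith: '$'\n")},
        {"version": 2, "changed_by": "admin@example.com", "created_at": "2024-01-12T09:00:00Z",
         "yaml_content": sigma_yaml("Failed Login Attempt", "selection", "high")},
        {"version": 1, "changed_by": "admin@example.com", "created_at": "2024-01-10T10:00:00Z",
         "yaml_content": sigma_yaml("Failed Logon Attempt", "selection", "high")},
    ],
}

# Top-level Sigma keys whose change alters what the rule matches or how it
# is rated (example's own choice of what counts as detection-relevant).
SENSITIVE_KEYS = ("detection", "logsource", "level", "status")


def yaml_top_level_sections(yaml_text: str) -> dict[str, str]:
    """Split YAML into {top-level key: raw block text} without a YAML parser.
    A non-indented line containing a colon starts a section; indented lines
    belong to the current section. Sufficient for diffing, not for parsing."""
    sections: dict[str, str] = {}
    current = None
    for line in yaml_text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            current = line.split(":", 1)[0]
            sections[current] = line + "\n"
        elif current is not None:
            sections[current] += line + "\n"
    return sections


def version_changes(rule: dict[str, Any]) -> list[dict[str, Any]]:
    """Describe each step of the history, oldest to newest: who changed it,
    which top-level sections changed, whether any is detection-relevant,
    and a unified diff of the YAML."""
    history = sorted(rule.get("versions", []), key=lambda v: v["version"])
    changes = []
    for older, newer in zip(history, history[1:]):
        old_sections = yaml_top_level_sections(older["yaml_content"])
        new_sections = yaml_top_level_sections(newer["yaml_content"])
        changed = sorted(k for k in set(old_sections) | set(new_sections)
                         if old_sections.get(k) != new_sections.get(k))
        diff = difflib.unified_diff(
            older["yaml_content"].splitlines(), newer["yaml_content"].splitlines(),
            fromfile=f"v{older['version']}", tofile=f"v{newer['version']}", lineterm="")
        changes.append({
            "from_version": older["version"],
            "to_version": newer["version"],
            "changed_by": newer["changed_by"],
            "changed_sections": changed,
            "detection_relevant": any(k in SENSITIVE_KEYS for k in changed),
            "diff": "\n".join(diff),
        })
    return changes


def history_is_consistent(rule: dict[str, Any]) -> bool:
    """Version numbers should be contiguous and end at the rule's current
    version; a gap or mismatch means the history is incomplete."""
    numbers = sorted(v["version"] for v in rule.get("versions", []))
    return (bool(numbers) and numbers[-1] == rule["version"]
            and numbers == list(range(numbers[0], numbers[-1] + 1)))


if __name__ == "__main__":
    print("history consistent:", history_is_consistent(SAMPLE_RULE))
    for change in version_changes(SAMPLE_RULE):
        flag = "!" if change["detection_relevant"] else " "
        print(f"{flag} v{change['from_version']} -> v{change['to_version']} by "
              f"{change['changed_by']}: {', '.join(change['changed_sections']) or 'no YAML change'}")
        print(change["diff"])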

Error Responses

404 Not Found

{
  "detail": "Rule not found"
}

401 Unauthorized

{
  "detail": "Could not validate credentials"
}

Code Examples

Python

import os
import requests

# Read the deployment root and API key from the environment rather than
# hard-coding the key (environment variable names are this example's choice).
BASE_URL = os.environ["CHAD_BASE_URL"]   # e.g. https://chad.example.com
API_KEY = os.environ["CHAD_API_KEY"]

response = requests.get(
    f"{BASE_URL}/api/external/rules/abc-123",
    headers={"Authorization": f"Bearer {API_KEY}"},
    timeout=10,
)

if response.status_code == 200:
    rule = response.json()
    print(f"Rule: {rule['title']}")
    print(f"Status: {rule['status']}")
    print(f"Alerts: {rule['alert_count']}")
else:
    # Error bodies carry a "detail" field (see Error Responses); fall back to
    # the raw body in case a proxy or gateway returned something else.
    try:
        detail = response.json()["detail"]
    except (ValueError, KeyError):
        detail = response.text
    print(f"Error {response.status_code}: {detail}")

JavaScript

const response = await fetch(
  'https://chad.example.com/api/external/rules/abc-123',
  {
    headers: {
      'Authorization': 'Bearer chad_ak_xxxxx...'
    }
  }
);

if (response.ok) {
  const rule = await response.json();
  console.log(`Rule: ${rule.title}`);
} else {
  const error = await response.json();
  console.error(`Error: ${error.detail}`);
}