List Rules

Retrieve a paginated list of detection rules with optional filtering.

Endpoint

GET /api/rules

Authentication

Requires JWT token or API key with read permissions.

Query Parameters

Parameter	Type	Description	Default
`page`	integer	Page number	1
`page_size`	integer	Items per page (max 100)	20
`status`	string	Filter by status	-
`severity`	string	Filter by severity	-
`search`	string	Search in title/content	-
`sort_by`	string	Sort field	`created_at`
`sort_order`	string	`asc` or `desc`	`desc`

Status Values

deployed - Active rules
undeployed - Inactive rules
snoozed - Temporarily disabled

Severity Values

critical
high
medium
low
informational

Example Request

curl -H "Authorization: Bearer chad_ak_xxxxx..." \
  "https://chad.example.com/api/external/rules?status=deployed&page_size=50"

Response

{
  "items": [
    {
      "id": "abc-123",
      "title": "Failed Login Attempt",
      "status": "deployed",
      "severity": "medium",
      "tags": ["attack.credential_access", "attack.t1110"],
      "created_at": "2024-01-10T10:00:00Z",
      "updated_at": "2024-01-15T14:32:17Z",
      "version": 3
    },
    {
      "id": "def-456",
      "title": "Suspicious PowerShell",
      "status": "deployed",
      "severity": "high",
      "tags": ["attack.execution", "attack.t1059.001"],
      "created_at": "2024-01-12T09:00:00Z",
      "updated_at": "2024-01-12T09:00:00Z",
      "version": 1
    }
  ],
  "total": 150,
  "page": 1,
  "page_size": 50,
  "pages": 3
}

Response Fields

Field	Type	Description
`id`	string	Unique rule identifier
`title`	string	Rule title
`status`	string	Deployment status
`severity`	string	Alert severity level
`tags`	array	MITRE ATT&CK and custom tags
`created_at`	datetime	Creation timestamp
`updated_at`	datetime	Last update timestamp
`version`	integer	Current version number

Error Responses

401 Unauthorized

{
  "detail": "Could not validate credentials"
}

400 Bad Request

{
  "detail": "Invalid status value"
}

Code Examples

Python

import requests

API_KEY = "chad_ak_xxxxx..."
BASE_URL = "https://chad.example.com"

response = requests.get(
    f"{BASE_URL}/api/external/rules",
    headers={"Authorization": f"Bearer {API_KEY}"},
    params={"status": "deployed", "page_size": 100}
)

rules = response.json()
for rule in rules["items"]:
    print(f"{rule['title']} - {rule['severity']}")

JavaScript

const response = await fetch(
  'https://chad.example.com/api/external/rules?status=deployed',
  {
    headers: {
      'Authorization': 'Bearer chad_ak_xxxxx...'
    }
  }
);

const { items, total } = await response.json();
console.log(`Found ${total} rules`);

API Reference

Rules

Alerts

List Rules

List Rules

Endpoint

Authentication

Query Parameters

Status Values

Severity Values

Example Request

Response

Response Fields

Error Responses

401 Unauthorized

400 Bad Request

Code Examples

Python

JavaScript

API Reference

Rules

Alerts

​List Rules

​Endpoint

​Authentication

​Query Parameters

​Status Values

​Severity Values

​Example Request

​Response

​Response Fields

​Error Responses

​401 Unauthorized

​400 Bad Request

​Code Examples

​Python

​JavaScript

List Rules

Endpoint

Authentication

Query Parameters

Status Values

Severity Values

Example Request

Response

Response Fields

Error Responses

401 Unauthorized

400 Bad Request

Code Examples

Python

JavaScript