
Update Rule

Update an existing detection rule. Creates a new version.

Endpoint

PUT /api/rules/{id}

Authentication

Requires JWT token with Analyst or Admin role.

Path Parameters

| Parameter | Type | Description |
|-----------|------|-------------|
| id | string | Rule UUID |

Request Body

{
  "yaml_content": "title: Updated Rule\n...",
  "redeploy": true
}

Fields

| Field | Type | Description |
|-------|------|-------------|
| yaml_content | string | Updated Sigma YAML |
| redeploy | boolean | Redeploy if currently deployed |
| webhook_enabled | boolean | Enable/disable webhooks |
| jira_enabled | boolean | Enable/disable Jira |

Example Request

curl -X PUT \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -H "X-CSRF-Token: abc123..." \
  -d '{
    "yaml_content": "title: Updated Rule\nstatus: stable\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4625\n  condition: selection\nlevel: high",
    "redeploy": true
  }' \
  https://chad.example.com/api/rules/abc-123

Response

{
  "id": "abc-123",
  "title": "Updated Rule",
  "yaml_content": "title: Updated Rule\n...",
  "status": "deployed",
  "severity": "high",
  "version": 4,
  "updated_at": "2024-01-15T15:00:00Z",
  "updated_by": "analyst@example.com"
}

Version History

Every update creates a new version:
  • Previous YAML content preserved
  • Version number incremented
  • Change attributed to user
  • Rollback possible via versions API

Redeploy Behavior

| Current Status | redeploy: true | redeploy: false |
|----------------|----------------|-----------------|
| Deployed | Update percolator | Update only DB, percolator unchanged |
| Undeployed | No effect | No effect |
| Snoozed | No effect (stays snoozed) | No effect |

Partial Updates

Update specific settings without changing YAML:
{
  "webhook_enabled": false,
  "jira_enabled": false
}
Only specified fields are updated.

Error Responses

404 Not Found

{
  "detail": "Rule not found"
}

400 Bad Request

{
  "detail": "Invalid YAML syntax"
}

422 Validation Error

{
  "detail": "Validation failed",
  "errors": [
    {
      "field": "level",
      "message": "Invalid severity value"
    }
  ]
}

403 Forbidden

{
  "detail": "Not enough permissions"
}
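The partial-update and error-response behaviour above, pulled together into a small client as an added example (not code from the original page or the project): only the fields the caller sets are sent, the documented 400/403/404/422 bodies are surfaced as one exception type, and an optional client-side check uses the incrementing version number to notice a concurrent edit. The `transport` parameter and `RuleUpdateError` are assumptions of this example, introduced so the logic can run offline.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://chad.example.com"  # host used in the page's examples

class RuleUpdateError(Exception):
    """Raised for the documented 400/403/404/422 responses."""
    def __init__(self, status, detail, errors=None):
        super().__init__(f"HTTP {status}: {detail}")
        self.status, self.detail, self.errors = status, detail, errors or []

def build_update_body(yaml_content=None, redeploy=None,
                      webhook_enabled=None, jira_enabled=None):
    """Partial update: send only the fields the caller actually set."""
    candidates = {"yaml_content": yaml_content, "redeploy": redeploy,
                  "webhook_enabled": webhook_enabled, "jira_enabled": jira_enabled}
    body = {k: v for k, v in candidates.items() if v is not None}
    if not body:
        raise ValueError("an update must set at least one field")
    return body

def http_transport(url, headers, payload):
    """Real transport: PUT the JSON payload and return (status, decoded body)."""
    req = urllib.request.Request(url, data=payload, headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def update_rule(rule_id, body, jwt_token, csrf_token,
                transport=http_transport, expected_version=None):
    """PUT /api/rules/{id} with the JWT and CSRF headers the endpoint requires.
    expected_version: the version last read by the caller. The server increments
    it on every update, so any other result means a concurrent edit (client-side
    lost-update check, not an API feature)."""
    headers = {"Authorization": f"Bearer {jwt_token}", "X-CSRF-Token": csrf_token,
               "Content-Type": "application/json"}
    status, data = transport(f"{BASE_URL}/api/rules/{rule_id}", headers,
                             json.dumps(body).encode())
    if status != 200:  # 400/403/404/422 bodies all carry "detail"; 422 adds "errors"
        raise RuleUpdateError(status, data.get("detail", "unexpected response"),
                              data.get("errors"))
    if expected_version is not None and data.get("version") != expected_version + 1:
        raise RuleUpdateError(status, f"version {data.get('version')} is not "
                              f"{expected_version + 1}: concurrent edit?")
    return data
```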

Code Examples

Python

import requests

# Deployment-specific values: fill these in for your environment
BASE_URL = "https://chad.example.com"
JWT_TOKEN = "eyJ..."       # JWT for a user with the Analyst or Admin role
csrf_token = "abc123..."   # CSRF token for the current session

updated_yaml = """
title: Enhanced Failed Login Detection
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4625
  filter:
    User: 'ANONYMOUS LOGON'
  condition: selection and not filter
level: high
tags:
  - attack.credential_access
  - attack.t1110
"""

response = requests.put(
    f"{BASE_URL}/api/rules/abc-123",
    headers={
        "Authorization": f"Bearer {JWT_TOKEN}",
        "X-CSRF-Token": csrf_token
    },
    # json= serialises the body and sets Content-Type: application/json
    json={
        "yaml_content": updated_yaml,
        "redeploy": True
    }
)

if response.ok:
    rule = response.json()
    print(f"Updated to version {rule['version']}")
else:
    # 400/403/404/422 responses all carry a "detail" field
    print(f"Update failed ({response.status_code}): {response.json().get('detail')}")

JavaScript

// jwtToken, csrfToken and updatedYaml are supplied by the caller;
// updatedYaml holds the full Sigma rule, e.g. the YAML from the curl example above
const response = await fetch(
  'https://chad.example.com/api/rules/abc-123',
  {
    method: 'PUT',
    headers: {
      'Authorization': `Bearer ${jwtToken}`,
      'Content-Type': 'application/json',
      'X-CSRF-Token': csrfToken
    },
    body: JSON.stringify({
      yaml_content: updatedYaml,
      redeploy: true
    })
  }
);

if (!response.ok) {
  // 400/403/404/422 responses all carry a "detail" field
  const err = await response.json();
  throw new Error(`Update failed (${response.status}): ${err.detail}`);
}

const rule = await response.json();
console.log(`Updated to version ${rule.version}`);