Intrusion Prevention Rules

Describe an Intrusion Prevention Rule

get/intrusionpreventionrules/{intrusionPreventionRuleID}

Describe an intrusion prevention rule by ID.

Related SDK Methods:
Java

IntrusionPreventionRulesApi.describeIntrusionPreventionRule([param1, param2, ...])

Python

IntrusionPreventionRulesApi.describe_intrusion_prevention_rule([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.describeIntrusionPreventionRule([param1, param2, ...])

SecurityTrend_Micro_Cloud_One_API_Key or Legacy_API_Key
Request
path Parameters
intrusionPreventionRuleID
required
integer <int32> \d+

The ID number of the intrusion prevention rule to describe.

Example: 1
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Responses
200

successful operation

403

Not authorized to view intrusion prevention rules.

404

The intrusion prevention rule does not exist.

Request samples
import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.IntrusionPreventionRulesApi;
import com.trendmicro.deepsecurity.model.IntrusionPreventionRule;


public class DescribeIntrusionPreventionRuleExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth Legacy API Key = (ApiKeyAuth) defaultClient.getAuthentication("Legacy API Key");
		Legacy API Key.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		ApiKeyAuth Trend Micro Cloud One API Key = (ApiKeyAuth) defaultClient.getAuthentication("Trend Micro Cloud One API Key");
		Trend Micro Cloud One API Key.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		IntrusionPreventionRulesApi instance = new IntrusionPreventionRulesApi();
		Integer intrusionPreventionRuleID = 1;
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			IntrusionPreventionRule result = instance.describeIntrusionPreventionRule(intrusionPreventionRuleID, apiVersion);
			System.out.println(result);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling IntrusionPreventionRulesApi.describeIntrusionPreventionRule");
			e.printStackTrace();
		}
	}
}

Response samples
application/json
{
  • "name": "string",
  • "description": "string",
  • "minimumAgentVersion": "string",
  • "applicationTypeID": 0,
  • "priority": "lowest",
  • "ruleAvailability": "endpoint-and-workload",
  • "severity": "low",
  • "detectOnly": true,
  • "eventLoggingDisabled": true,
  • "generateEventOnPacketDrop": true,
  • "alwaysIncludePacketData": true,
  • "debugModeEnabled": true,
  • "type": "custom",
  • "originalIssue": 0,
  • "lastUpdated": 0,
  • "identifier": "string",
  • "template": "signature",
  • "signature": "string",
  • "start": "string",
  • "patterns": [
    ],
  • "end": "string",
  • "caseSensitive": true,
  • "condition": "all",
  • "action": "drop",
  • "customXML": "string",
  • "alertEnabled": true,
  • "scheduleID": 0,
  • "contextID": 0,
  • "recommendationsMode": "enabled",
  • "canBeAssignedAlone": true,
  • "dependsOnRuleIDs": [
    ],
  • "ID": 0,
  • "CVSSScore": "string",
  • "CVE": [
    ]
}

Modify an Intrusion Prevention Rule

post/intrusionpreventionrules/{intrusionPreventionRuleID}

Modify an intrusion prevention rule by ID. Any unset elements will be left unchanged.

Related SDK Methods:
Java

IntrusionPreventionRulesApi.modifyIntrusionPreventionRule([param1, param2, ...])

Python

IntrusionPreventionRulesApi.modify_intrusion_prevention_rule([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.modifyIntrusionPreventionRule([param1, param2, ...])

SecurityTrend_Micro_Cloud_One_API_Key or Legacy_API_Key
Request
path Parameters
intrusionPreventionRuleID
required
integer <int32> \d+

The ID number of the intrusion prevention rule to modify.

Example: 1
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Request Body schema: application/json

The settings of the intrusion prevention rules to modify.

action
string

Action to apply if the rule is triggered. Applicable to custom rules with template type signature or start-end-patterns.

Enum: "drop" "log-only"
alertEnabled
boolean

Enable to raise an alert when the rule logs an event. Searchable as Boolean.

alwaysIncludePacketData
boolean

Enabled to include package data in the event logs. Not available if eventLoggingDisabled is true. Searchable as Boolean.

applicationTypeID
integer <int32>

ID of the application type for the IntrusionPreventionRule. Searchable as Numeric.

caseSensitive
boolean

Enable to make signatures and patterns case sensitive. Applicable to custom rules with template type signature or start-end-patterns.

condition
string

Condition to determine if the rule is triggered. Applicable to custom rules with template type start-end-patterns.

Enum: "all" "any" "none"
contextID
integer <int32>

ID of the context in which the rule is applied. Set to 0 to remove any assignment. Searchable as Numeric.

customXML
string

The custom XML used to define the rule. Applicable to custom rules with template type custom.

CVE
Array of strings

List of CVEs associated with the IntrusionPreventionRule. Searchable as String.

CVSSScore
string

A measure of the severity of the vulnerability according the National Vulnerability Database. Searchable as String or as Numeric.

debugModeEnabled
boolean

Enable to log additional packets preceeding and following the packet that the rule detected. Not available if eventLoggingDisabled is true. Searchable as Boolean.

dependsOnRuleIDs
Array of integers <int32>

IDs of intrusion prevention rules the rule depends on, which will be automatically assigned if this rule is assigned.

description
string

Description of the IntrusionPreventionRule. Searchable as String.

detectOnly
boolean

In detect mode, the rule creates an event log and does not interfere with traffic.

end
string

End pattern of the rule. Applicable to custom rules with template type start-end-patterns.

eventLoggingDisabled
boolean

Enable to prevent event logs from being created when the rule is triggered. Not available if detectOnly is true. Searchable as Boolean.

generateEventOnPacketDrop
boolean

Generate an event every time a packet is dropped for the rule. Not available if eventLoggingDisabled is true. Searchable as Boolean.

lastUpdated
integer <int64>

Timestamp of the last rule modification, in milliseconds since epoch. Searchable as Date.

minimumAgentVersion
string

Version of the Deep Security agent or appliance required to support the rule. Searchable as String.

name
string

Name of the IntrusionPreventionRule. Searchable as String.

originalIssue
integer <int64>

Timestamp of the date the rule was released, in milliseconds since epoch. Searchable as Date.

patterns
Array of strings

Body patterns of the rule, which must be found between start and end patterns. Applicable to custom rules with template type start-end-patterns.

priority
string

Priority level of the rule. Higher priority rules are applied before lower priority rules. Searchable as Choice.

Enum: "lowest" "low" "normal" "high" "highest"
recommendationsMode
string

Indicates whether recommendation scans consider the IntrusionPreventionRule. Can be set to enabled or ignored. Custom rules cannot be recommended. Searchable as Choice.

Enum: "enabled" "ignored" "unknown" "disabled"
scheduleID
integer <int32>

ID of the schedule which defines times during which the rule is active. Set to 0 to remove any assignment. Searchable as Numeric.

severity
string

Severity level of the rule. Severity levels can be used as sorting criteria and affect event rankings. Searchable as Choice.

Enum: "low" "medium" "high" "critical"
signature
string

Signature of the rule. Applicable to custom rules with template type signature.

start
string

Start pattern of the rule. Applicable to custom rules with template type start-end-patterns.

template
string

Type of template for the IntrusionPreventionRule. Applicable only to custom rules.

Enum: "signature" "start-end-patterns" "custom"
type
string

Type of IntrusionPreventionRule. Searchable as Choice.

Enum: "custom" "smart" "vulnerability" "exploit" "hidden" "policy" "info"
Responses
200

successful operation

403

Not authorized to modify prevention rule or the requested modification is not permitted.

404

The intrusion prevention rule does not exist.

Request samples
application/json
{
  • "name": "string",
  • "description": "string",
  • "minimumAgentVersion": "string",
  • "applicationTypeID": 0,
  • "priority": "lowest",
  • "severity": "low",
  • "detectOnly": true,
  • "eventLoggingDisabled": true,
  • "generateEventOnPacketDrop": true,
  • "alwaysIncludePacketData": true,
  • "debugModeEnabled": true,
  • "type": "custom",
  • "originalIssue": 0,
  • "lastUpdated": 0,
  • "template": "signature",
  • "signature": "string",
  • "start": "string",
  • "patterns": [
    ],
  • "end": "string",
  • "caseSensitive": true,
  • "condition": "all",
  • "action": "drop",
  • "customXML": "string",
  • "alertEnabled": true,
  • "scheduleID": 0,
  • "contextID": 0,
  • "recommendationsMode": "enabled",
  • "dependsOnRuleIDs": [
    ],
  • "CVSSScore": "string",
  • "CVE": [
    ]
}
Response samples
application/json
{
  • "name": "string",
  • "description": "string",
  • "minimumAgentVersion": "string",
  • "applicationTypeID": 0,
  • "priority": "lowest",
  • "ruleAvailability": "endpoint-and-workload",
  • "severity": "low",
  • "detectOnly": true,
  • "eventLoggingDisabled": true,
  • "generateEventOnPacketDrop": true,
  • "alwaysIncludePacketData": true,
  • "debugModeEnabled": true,
  • "type": "custom",
  • "originalIssue": 0,
  • "lastUpdated": 0,
  • "identifier": "string",
  • "template": "signature",
  • "signature": "string",
  • "start": "string",
  • "patterns": [
    ],
  • "end": "string",
  • "caseSensitive": true,
  • "condition": "all",
  • "action": "drop",
  • "customXML": "string",
  • "alertEnabled": true,
  • "scheduleID": 0,
  • "contextID": 0,
  • "recommendationsMode": "enabled",
  • "canBeAssignedAlone": true,
  • "dependsOnRuleIDs": [
    ],
  • "ID": 0,
  • "CVSSScore": "string",
  • "CVE": [
    ]
}

Delete an Intrusion Prevention Rule

delete/intrusionpreventionrules/{intrusionPreventionRuleID}

Delete an intrusion prevention rule by ID.

Related SDK Methods:
Java

IntrusionPreventionRulesApi.deleteIntrusionPreventionRule([param1, param2, ...])

Python

IntrusionPreventionRulesApi.delete_intrusion_prevention_rule([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.deleteIntrusionPreventionRule([param1, param2, ...])

SecurityTrend_Micro_Cloud_One_API_Key or Legacy_API_Key
Request
path Parameters
intrusionPreventionRuleID
required
integer <int32> \d+

The ID number of the intrusion prevention rule to delete.

Example: 1
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Responses
200

Request is successful.

403

Not authorized to delete intrusion prevention rules.

Request samples
import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.IntrusionPreventionRulesApi;


public class DeleteIntrusionPreventionRuleExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth Legacy API Key = (ApiKeyAuth) defaultClient.getAuthentication("Legacy API Key");
		Legacy API Key.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		ApiKeyAuth Trend Micro Cloud One API Key = (ApiKeyAuth) defaultClient.getAuthentication("Trend Micro Cloud One API Key");
		Trend Micro Cloud One API Key.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		IntrusionPreventionRulesApi instance = new IntrusionPreventionRulesApi();
		Integer intrusionPreventionRuleID = 1;
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			instance.deleteIntrusionPreventionRule(intrusionPreventionRuleID, apiVersion);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling IntrusionPreventionRulesApi.deleteIntrusionPreventionRule");
			e.printStackTrace();
		}
	}
}

List Intrusion Prevention Rules

get/intrusionpreventionrules

Lists all intrusion prevention rules.

Related SDK Methods:
Java

IntrusionPreventionRulesApi.listIntrusionPreventionRules([param1, param2, ...])

Python

IntrusionPreventionRulesApi.list_intrusion_prevention_rules([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.listIntrusionPreventionRules([param1, param2, ...])

SecurityTrend_Micro_Cloud_One_API_Key or Legacy_API_Key
Request
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Responses
200

successful operation

403

Not authorized to view intrusion prevention rules.

Request samples
import com.trendmicro.deepsecurity.ApiClient;
import com.trendmicro.deepsecurity.Configuration;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.auth.ApiKeyAuth;
import com.trendmicro.deepsecurity.ApiException;
import com.trendmicro.deepsecurity.api.IntrusionPreventionRulesApi;
import com.trendmicro.deepsecurity.model.IntrusionPreventionRules;


public class ListIntrusionPreventionRulesExample {
	
	public static void main(String[] args) {
		// Setup
		ApiClient defaultClient = Configuration.getDefaultApiClient();
		defaultClient.setBasePath("YOUR HOST");

		// Authentication
		ApiKeyAuth Legacy API Key = (ApiKeyAuth) defaultClient.getAuthentication("Legacy API Key");
		Legacy API Key.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		ApiKeyAuth Trend Micro Cloud One API Key = (ApiKeyAuth) defaultClient.getAuthentication("Trend Micro Cloud One API Key");
		Trend Micro Cloud One API Key.setApiKey("YOUR API KEY");
		try {
			defaultClient.trustAllCertificates(false);
		} catch (Exception e) {
			System.err.println("An exception occurred when calling ApiClient.trustAllCertificates");
			e.printStackTrace();
		}
		
		// Initialization
		// Set Any Required Values
		IntrusionPreventionRulesApi instance = new IntrusionPreventionRulesApi();
		String apiVersion = "YOUR VERSION";
		try {
			// Please replace the parameter values with yours
			IntrusionPreventionRules result = instance.listIntrusionPreventionRules(apiVersion);
			System.out.println(result);
		} catch (ApiException e) {
			System.err.println("An exception occurred when calling IntrusionPreventionRulesApi.listIntrusionPreventionRules");
			e.printStackTrace();
		}
	}
}

Response samples
application/json
{
  • "intrusionPreventionRules": [
    ]
}

Create an Intrusion Prevention Rule

post/intrusionpreventionrules

Create a new intrusion prevention rule.

Related SDK Methods:
Java

IntrusionPreventionRulesApi.createIntrusionPreventionRule([param1, param2, ...])

Python

IntrusionPreventionRulesApi.create_intrusion_prevention_rule([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.createIntrusionPreventionRule([param1, param2, ...])

SecurityTrend_Micro_Cloud_One_API_Key or Legacy_API_Key
Request
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Request Body schema: application/json

The settings of the new intrusion prevention rule.

action
string

Action to apply if the rule is triggered. Applicable to custom rules with template type signature or start-end-patterns.

Enum: "drop" "log-only"
alertEnabled
boolean

Enable to raise an alert when the rule logs an event. Searchable as Boolean.

alwaysIncludePacketData
boolean

Enabled to include package data in the event logs. Not available if eventLoggingDisabled is true. Searchable as Boolean.

applicationTypeID
integer <int32>

ID of the application type for the IntrusionPreventionRule. Searchable as Numeric.

caseSensitive
boolean

Enable to make signatures and patterns case sensitive. Applicable to custom rules with template type signature or start-end-patterns.

condition
string

Condition to determine if the rule is triggered. Applicable to custom rules with template type start-end-patterns.

Enum: "all" "any" "none"
contextID
integer <int32>

ID of the context in which the rule is applied. Set to 0 to remove any assignment. Searchable as Numeric.

customXML
string

The custom XML used to define the rule. Applicable to custom rules with template type custom.

CVE
Array of strings

List of CVEs associated with the IntrusionPreventionRule. Searchable as String.

CVSSScore
string

A measure of the severity of the vulnerability according the National Vulnerability Database. Searchable as String or as Numeric.

debugModeEnabled
boolean

Enable to log additional packets preceeding and following the packet that the rule detected. Not available if eventLoggingDisabled is true. Searchable as Boolean.

dependsOnRuleIDs
Array of integers <int32>

IDs of intrusion prevention rules the rule depends on, which will be automatically assigned if this rule is assigned.

description
string

Description of the IntrusionPreventionRule. Searchable as String.

detectOnly
boolean

In detect mode, the rule creates an event log and does not interfere with traffic.

end
string

End pattern of the rule. Applicable to custom rules with template type start-end-patterns.

eventLoggingDisabled
boolean

Enable to prevent event logs from being created when the rule is triggered. Not available if detectOnly is true. Searchable as Boolean.

generateEventOnPacketDrop
boolean

Generate an event every time a packet is dropped for the rule. Not available if eventLoggingDisabled is true. Searchable as Boolean.

lastUpdated
integer <int64>

Timestamp of the last rule modification, in milliseconds since epoch. Searchable as Date.

minimumAgentVersion
string

Version of the Deep Security agent or appliance required to support the rule. Searchable as String.

name
string

Name of the IntrusionPreventionRule. Searchable as String.

originalIssue
integer <int64>

Timestamp of the date the rule was released, in milliseconds since epoch. Searchable as Date.

patterns
Array of strings

Body patterns of the rule, which must be found between start and end patterns. Applicable to custom rules with template type start-end-patterns.

priority
string

Priority level of the rule. Higher priority rules are applied before lower priority rules. Searchable as Choice.

Enum: "lowest" "low" "normal" "high" "highest"
recommendationsMode
string

Indicates whether recommendation scans consider the IntrusionPreventionRule. Can be set to enabled or ignored. Custom rules cannot be recommended. Searchable as Choice.

Enum: "enabled" "ignored" "unknown" "disabled"
scheduleID
integer <int32>

ID of the schedule which defines times during which the rule is active. Set to 0 to remove any assignment. Searchable as Numeric.

severity
string

Severity level of the rule. Severity levels can be used as sorting criteria and affect event rankings. Searchable as Choice.

Enum: "low" "medium" "high" "critical"
signature
string

Signature of the rule. Applicable to custom rules with template type signature.

start
string

Start pattern of the rule. Applicable to custom rules with template type start-end-patterns.

template
string

Type of template for the IntrusionPreventionRule. Applicable only to custom rules.

Enum: "signature" "start-end-patterns" "custom"
type
string

Type of IntrusionPreventionRule. Searchable as Choice.

Enum: "custom" "smart" "vulnerability" "exploit" "hidden" "policy" "info"
Responses
200

successful operation

403

Not authorized to create intrusion prevention rules.

Request samples
application/json
{
  • "name": "string",
  • "description": "string",
  • "minimumAgentVersion": "string",
  • "applicationTypeID": 0,
  • "priority": "lowest",
  • "severity": "low",
  • "detectOnly": true,
  • "eventLoggingDisabled": true,
  • "generateEventOnPacketDrop": true,
  • "alwaysIncludePacketData": true,
  • "debugModeEnabled": true,
  • "type": "custom",
  • "originalIssue": 0,
  • "lastUpdated": 0,
  • "template": "signature",
  • "signature": "string",
  • "start": "string",
  • "patterns": [
    ],
  • "end": "string",
  • "caseSensitive": true,
  • "condition": "all",
  • "action": "drop",
  • "customXML": "string",
  • "alertEnabled": true,
  • "scheduleID": 0,
  • "contextID": 0,
  • "recommendationsMode": "enabled",
  • "dependsOnRuleIDs": [
    ],
  • "CVSSScore": "string",
  • "CVE": [
    ]
}
Response samples
application/json
{
  • "name": "string",
  • "description": "string",
  • "minimumAgentVersion": "string",
  • "applicationTypeID": 0,
  • "priority": "lowest",
  • "ruleAvailability": "endpoint-and-workload",
  • "severity": "low",
  • "detectOnly": true,
  • "eventLoggingDisabled": true,
  • "generateEventOnPacketDrop": true,
  • "alwaysIncludePacketData": true,
  • "debugModeEnabled": true,
  • "type": "custom",
  • "originalIssue": 0,
  • "lastUpdated": 0,
  • "identifier": "string",
  • "template": "signature",
  • "signature": "string",
  • "start": "string",
  • "patterns": [
    ],
  • "end": "string",
  • "caseSensitive": true,
  • "condition": "all",
  • "action": "drop",
  • "customXML": "string",
  • "alertEnabled": true,
  • "scheduleID": 0,
  • "contextID": 0,
  • "recommendationsMode": "enabled",
  • "canBeAssignedAlone": true,
  • "dependsOnRuleIDs": [
    ],
  • "ID": 0,
  • "CVSSScore": "string",
  • "CVE": [
    ]
}

Search Intrusion Prevention Rules

post/intrusionpreventionrules/search

Search for intrusion prevention rules using optional filters.

Related SDK Methods:
Java

IntrusionPreventionRulesApi.searchIntrusionPreventionRules([param1, param2, ...])

Python

IntrusionPreventionRulesApi.search_intrusion_prevention_rules([param1, param2, ...])

JavaScript

IntrusionPreventionRulesApi.searchIntrusionPreventionRules([param1, param2, ...])

SecurityTrend_Micro_Cloud_One_API_Key or Legacy_API_Key
Request
header Parameters
api-version
required
string

The version of the api being called.

Example: YOUR VERSION
Request Body schema: application/json

A collection of options used to filter the search results.

maxItems
integer <int32>

Limits the number of objects returned. Default 5000.

Array of objects (searchCriteria)

Array of search critiera used to filter objects. Searching with multiple criteria returns results that satisfy all of the criteria. Searching with no criteria returns all objects.

sortByObjectID
boolean

If true, forces the response objects to be sorted by ID, overriding the default sort order. Default "false".

Responses
200

successful operation

403

Not authorized to view intrusion prevention rules.

Request samples
application/json
{
  • "maxItems": 0,
  • "searchCriteria": [
    ],
  • "sortByObjectID": true
}
Response samples
application/json
{
  • "intrusionPreventionRules": [
    ]
}