REST Resource: projects.locations.instances.rules

Resource: Rule

The Rule resource represents a user-created rule.

JSON representation
{
  "name": string,
  "revision_id": string,
  "display_name": string,
  "text": string,
  "author": string,
  "severity": {
    object (Severity)
  },
  "metadata": {
    string: string,
    ...
  },
  "create_time": string,
  "revision_create_time": string,
  "compilation_state": enum (CompilationState),
  "type": enum (RuleType),
  "reference_lists": [
    string
  ],
  "allowed_run_frequencies": [
    enum (RunFrequency)
  ],
  "etag": string,
  "scope": string,
  "compilation_diagnostics": [
    {
      object (CompilationDiagnostic)
    }
  ],
  "near_real_time_live_rule_eligible": boolean
}
Fields
name

string

Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}

revision_id

string

Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits}. Populated in REVISION_METADATA_ONLY view and FULL view.

display_name

string

Output only. Display name of the rule. Populated in BASIC view and FULL view.

text

string

The YARA-L content of the rule. Populated in FULL view.

author

string

Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view.

severity

object (Severity)

Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view.

metadata

map (key: string, value: string)

Output only. Additional metadata specified in the meta section of text. Populated in FULL view.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

create_time

string (Timestamp format)

Output only. The timestamp of when the rule was created. Populated in FULL view.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

revision_create_time

string (Timestamp format)

Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

compilation_state

enum (CompilationState)

Output only. The current compilation state of the rule. Populated in FULL view.

type

enum (RuleType)

Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view.

reference_lists[]

string

Output only. Resource names of the reference lists used in this rule. Populated in FULL view.

allowed_run_frequencies[]

enum (RunFrequency)

Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view.

etag

string

The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view.

scope

string

Output only. Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations are performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".

compilation_diagnostics[]

object (CompilationDiagnostic)

Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view.

near_real_time_live_rule_eligible

boolean

Output only. Indicates whether the rule can run as a near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE.

CompilationState

The current compilation state of the rule.

Enums
COMPILATION_STATE_UNSPECIFIED The compilation state is unspecified/unknown.
SUCCEEDED The Rule can successfully compile.
FAILED The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler.

RunFrequency

RunFrequency indicates the run frequency at which a YARA-L 2 rule will run if enabled.

Enums
RUN_FREQUENCY_UNSPECIFIED The run frequency is unspecified/unknown.
LIVE Executes in real time.
HOURLY Executes once per hour.
DAILY Executes once per day.

CompilationDiagnostic

CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning.

JSON representation
{
  "message": string,
  "position": {
    object (CompilationPosition)
  },
  "severity": enum (Severity),
  "uri": string
}
Fields
message

string

Output only. The diagnostic message.

position

object (CompilationPosition)

Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty.

severity

enum (Severity)

Output only. The severity of a rule's compilation diagnostic.

uri

string

Output only. Link to documentation that describes a diagnostic in more detail.

CompilationPosition

CompilationPosition represents the location of a compilation diagnostic in rule text.

JSON representation
{
  "start_line": integer,
  "start_column": integer,
  "end_line": integer,
  "end_column": integer
}
Fields
start_line

integer

Output only. Start line number, beginning at 1.

start_column

integer

Output only. Start column number, beginning at 1.

end_line

integer

Output only. End line number, beginning at 1.

end_column

integer

Output only. End column number, beginning at 1.

Severity

The severity level of the compilation diagnostic.

Enums
SEVERITY_UNSPECIFIED An unspecified severity level.
WARNING A compilation warning.
ERROR A compilation error.
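
Added example (not part of the original reference, and not Google's code): a pre-deployment gate that reads compilation_state and compilation_diagnostics from a Rule fetched in FULL view and maps each 1-based CompilationPosition back onto the rule text. The sample rule, its deliberately broken YARA-L text, the diagnostic messages and the function names are constructed for illustration.

```python
# Constructed, deliberately broken YARA-L text: line 5 has an unterminated string.
RULE_TEXT = (
    'rule example {\n'
    '  meta:\n'
    '    author = "soc"\n'
    '  events:\n'
    '    $e.metadata.event_type = "USER_LOGIN\n'
    '  condition:\n'
    '    $e\n'
    '}\n'
)

# Constructed Rule (FULL view); field names and enum values are the ones documented here.
SAMPLE_RULE = {
    "text": RULE_TEXT,
    "compilation_state": "FAILED",
    "compilation_diagnostics": [
        {"message": "unterminated string literal", "severity": "ERROR",
         "position": {"start_line": 5, "start_column": 30,
                      "end_line": 5, "end_column": 40}},
        {"message": "constructed warning without a position", "severity": "WARNING"},
    ],
}

def locate(text, position):
    """Return (line_no, source_line, caret_line), or None if there is no usable position."""
    if not position or "start_line" not in position:
        return None  # the position may be empty
    lines = text.splitlines()
    line_no = position["start_line"]  # line numbers begin at 1
    if not 1 <= line_no <= len(lines):
        return None  # position is approximate; never index out of range
    col = max(position.get("start_column", 1), 1)  # columns begin at 1
    return line_no, lines[line_no - 1], " " * (col - 1) + "^"

def deployment_gate(rule):
    """Return (ok, findings). Fails closed when compilation_state is absent,
    which is the case for views other than FULL."""
    findings = [{"severity": d.get("severity", "SEVERITY_UNSPECIFIED"),
                 "message": d.get("message", ""),
                 "where": locate(rule.get("text", ""), d.get("position"))}
                for d in rule.get("compilation_diagnostics", [])]
    has_error = any(f["severity"] == "ERROR" for f in findings)
    return rule.get("compilation_state") == "SUCCEEDED" and not has_error, findings

if __name__ == "__main__":
    ok, findings = deployment_gate(SAMPLE_RULE)
    print("deployable:", ok)
    for f in findings:
        print(f["severity"], f["message"], f["where"] or "(no position)")
```

Because compilation_state and compilation_diagnostics are populated only in FULL view, a gate like this treats a missing state as not deployable.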

Methods

create

Creates a new Rule.

delete

Deletes a Rule.

get

Gets a Rule.

getDeployment

Gets a RuleDeployment.

list

Lists Rules.

listRevisions

Lists all revisions of the rule.

patch

Updates a Rule.

updateDeployment

Updates a RuleDeployment.