GET /config/event_sources/custom_properties/property_leef_expressions

Retrieves the list of LEEF Expressions.

Retrieves the list of LEEF Expressions.

Table 1. GET /config/event_sources/custom_properties/property_leef_expressions resource details
MIME Type

application/json

Table 2. GET /config/event_sources/custom_properties/property_leef_expressions request parameter details
Parameter Type Optionality Data Type MIME Type Description

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list base on the contents of various fields.

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Table 3. GET /config/event_sources/custom_properties/property_leef_expressions response codes
HTTP Response Code Unique Code Description

200

The requested list of LEEF Expressions was retrieved.

422

1010

An error occurred while building the filter.

500

1020

An error occurred during the attempt to retrieve the list of LEEF Expressions.

Response Description

A list of LEEF expressions. Each LEEF Expression contains the following fields:
  • id - Integer - The sequence ID of the LEEF Expression.
  • identifier - String - The unique ID of the LEEF expression. This value is in the form of a UUID.
  • regex_property_identifier - String - The identifier of the event regex property to which this expression belongs.
  • enabled - Boolean - Flag that indicates whether this expression is enabled.
  • expression - String - The key of the corresponding property value from the LEEF payload.
  • creation_date - Long - The epoch timestamp in milliseconds of the time the property was created.
  • modification_date - Long - The epoch timestamp in milliseconds of the time the property was last modified.
  • payload - String - Test payload. This parameter is only used in the UI so that you can verify that your expression matches the expected payload.
  • log_source_type_id - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source type. Must be the id of an existing log source type.
  • log_source_id - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source. Must be the id of an existing log source.
  • qid - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source type. Must be the id of an existing log source type.
  • low_level_category_id - Short - The expression is only applied to events with this low level category.
  • username - String - The owner of the LEEF expression.

Response Sample


[
    {
        "creation_date": 42,
        "enabled": true,
        "expression": "String",
        "id": 42,
        "identifier": "String",
        "log_source_id": 42,
        "log_source_type_id": 42,
        "low_level_category_id": 42,
        "modification_date": 42,
        "payload": "String",
        "qid": 42,
        "regex_property_identifier": "String",
        "username": "String"
    }
]