
Rule Library

The Rule Library APIs enable retrieval of threat detection rule categories and rules.

Get rule library categories

Retrieves the rule categories in the rule library — optionally filtered to a single category name — with each category's total rule count, installed rule count, and auto-install settings.

Use this endpoint to review available rule categories, such as when browsing the rule library or assessing detection coverage across different platforms.

Rate limit: 50 requests per minute per organization. Requests beyond this limit are rejected with error code 00000109 (Too Many Requests).
OAuth scope: logs360cloud.rulelibrary.READ
Role: Administrator, Operator

Query Parameters

category
string
Rule category name (optional). When omitted, returns all categories.
Max length: 50

Headers

account_id
string
(Required)
Your Log360 Cloud Account ID.
Authorization
string
(Required)
OAuth access token for the request, sent as `Authorization: Zoho-oauthtoken <access_token>`; the token must carry the logs360cloud.rulelibrary.READ scope (an invalid or missing token returns error 00000101). Treat the token as a secret: do not commit it to source control or embed it in client-side code.

Request Example

// Fetch the rule-library categories for the account.
// NOTE(review): the `connection` presumably supplies the OAuth token, so the
// placeholder Authorization header below is illustrative — never paste a live
// token into a script; keep it in the connection.
requestHeaders = Map();
requestHeaders.put("account_id", "18XXXXX4");
requestHeaders.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
categoriesUrl = "https://log360cloud.manageengine.com/api/v2/rule-library/categories";
response = invokeUrl
[
    url: categoriesUrl
    type: GET
    headers: requestHeaders
    connection: <connection_name>
];
info response;
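// Fetch the rule-library categories for the account.
// Credentials are read from the environment rather than hard-coded in source;
// requireNonNull fails fast with a clear message instead of sending "null" headers.
String accountId = Objects.requireNonNull(System.getenv("LOG360_ACCOUNT_ID"), "LOG360_ACCOUNT_ID is not set");
String oauthToken = Objects.requireNonNull(System.getenv("LOG360_OAUTH_TOKEN"), "LOG360_OAUTH_TOKEN is not set");
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url("https://log360cloud.manageengine.com/api/v2/rule-library/categories")
    .get()
    .addHeader("account_id", accountId)
    .addHeader("Authorization", "Zoho-oauthtoken " + oauthToken)
    .build();
// Response owns a pooled connection; try-with-resources closes it so it is not leaked.
try (Response response = client.newCall(request).execute()) {
    // 4xx/5xx replies do not throw; check the status before treating the body as data.
    if (!response.isSuccessful()) {
        throw new IOException("Request failed with HTTP " + response.code());
    }
    String body = response.body() != null ? response.body().string() : "";
    System.out.println(body);
}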
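// Fetch the rule-library categories for the account.
// The OAuth token is read from the environment, so this snippet is meant to run
// server-side; never ship the token to a browser — route browser calls through
// your own backend instead.
const accountId = process.env.LOG360_ACCOUNT_ID;
const oauthToken = process.env.LOG360_OAUTH_TOKEN;
if (!accountId || !oauthToken) {
  throw new Error('LOG360_ACCOUNT_ID and LOG360_OAUTH_TOKEN must be set');
}

const options = {
  method: 'GET',
  headers: {
    account_id: accountId,
    Authorization: `Zoho-oauthtoken ${oauthToken}`,
  },
};

fetch('https://log360cloud.manageengine.com/api/v2/rule-library/categories', options)
  .then((response) => {
    // fetch resolves on 4xx/5xx too; check the status before parsing the body.
    if (!response.ok) {
      throw new Error(`Request failed with HTTP ${response.status}`);
    }
    return response.json();
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));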
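import http.client
import os

# Fetch the rule-library categories for the account.
# Credentials come from the environment so they are not committed with the code
# (a missing variable raises KeyError, which is the intended fail-fast behaviour).
account_id = os.environ["LOG360_ACCOUNT_ID"]
oauth_token = os.environ["LOG360_OAUTH_TOKEN"]

headers = {
    "account_id": account_id,
    "Authorization": f"Zoho-oauthtoken {oauth_token}",
}

conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", "/api/v2/rule-library/categories", headers=headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()  # release the socket even if the request raises

# A 4xx/5xx reply is returned as a normal response object; check the status
# before treating the body as category data.
if res.status != 200:
    raise RuntimeError(f"HTTP {res.status}: {data.decode('utf-8', 'replace')}")
print(data.decode("utf-8"))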
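const http = require("https");

// Fetch the rule-library categories for the account.
// Credentials are read from the environment rather than hard-coded in source.
const accountId = process.env.LOG360_ACCOUNT_ID;
const oauthToken = process.env.LOG360_OAUTH_TOKEN;
if (!accountId || !oauthToken) {
  throw new Error("LOG360_ACCOUNT_ID and LOG360_OAUTH_TOKEN must be set");
}

// No `port` needed: https.request defaults to 443.
const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  path: "/api/v2/rule-library/categories",
  headers: {
    account_id: accountId,
    Authorization: `Zoho-oauthtoken ${oauthToken}`,
  },
};

const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString();
    // 4xx/5xx replies arrive here as well; surface them instead of printing as success.
    if (res.statusCode !== 200) {
      console.error(`HTTP ${res.statusCode}: ${body}`);
      return;
    }
    console.log(body);
  });
});
// Without an 'error' listener a DNS/TLS/connection failure becomes an uncaught
// exception that terminates the process.
req.on("error", (err) => console.error(err));
req.end();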
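# Fetch the rule-library categories for the account.
# Keep the token off the command line: shell history and `ps` expose arguments,
# so read the Authorization header from a file (curl >= 7.55) that contains one line:
#   Authorization: Zoho-oauthtoken <access_token>
# Restrict the file's permissions (e.g. chmod 600 auth.hdr).
# --fail-with-body (curl >= 7.76) exits non-zero on 4xx/5xx but still prints the
# error body; on older curl use --fail instead.
curl --request GET \
  --url 'https://log360cloud.manageengine.com/api/v2/rule-library/categories' \
  --header @auth.hdr \
  --header "account_id: ${LOG360_ACCOUNT_ID}" \
  --fail-with-body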

Response Example

{ "data": { "categories": [ { "category": "windows", "display_name": "Windows", "image_path": "https://static.localzohocdn.com/log360library/v2/images/windows.png", "total_rules": 1724, "installed_rules": 152, "auto_install": { "severity_levels": [ "attention", "critical" ] } }, { "category": "active_directory", "display_name": "Active Directory", "image_path": "https://static.localzohocdn.com/log360library/v2/images/active_directory.png", "total_rules": 112, "installed_rules": 4, "auto_install": { "severity_levels": [ "critical" ] } } ] } }
{ "error": { "code": "07001111", "title": "Bad Request", "detail": "Required parameter is missing in the request." } }
{ "error": { "code": "00000101", "title": "Unauthorized", "detail": "Invalid OAuth Token" } }
{ "error": { "code": "2dcaaa", "title": "This feature is not available in your current license plan. Please upgrade your license to access it." } }
{ "error": { "code": "00000109", "detail": "Request throttling limit reached", "title": "Too Many Requests" } }
{ "error": { "code": "10001005", "title": "Internal Server Error" } }

Get rules

Retrieves the list of rules for a specified category from the rule library with pagination support, filterable by severity, status, and search keyword.

Use this endpoint to browse and search rules within a category, such as when selecting rules to install, reviewing available detections, or assessing rule coverage.

Rate limit: 50 requests per minute per organization. Requests beyond this limit are rejected with error code 00000109 (Too Many Requests).
OAuth scope: logs360cloud.rulelibrary.READ
Role: Administrator, Operator

Query Parameters

category
string
(Required)
Rule category name. Use the Get Rule Library Categories API to retrieve valid values.
Max length: 50
severity
string
Filter by severity level.
Allowed values: attention, trouble, critical
status
string
Filter by installation status.
Allowed values: installed, available
rule_name
string
Search by rule name (case-insensitive partial match).
Max length: 200
rule_type
string
Filter by rule type.
Allowed values: standard, anomaly, advanced
is_new
boolean
Filter by the "new" rule label.
When set to true, returns only recently added rules.
complexity
string
Filter by rule complexity level.
Allowed values: low, high
mitre_id
string
Filter rules by MITRE ATT&CK technique or tactic ID.
Accepts a technique ID (e.g., T1197) or tactic ID (e.g., TA0005).
Use the Get MITRE Catalog endpoint to retrieve valid IDs.
Max length: 20
from
integer
1-based position of the first result to return; the value used is echoed back as meta.from in the response.
Default value: 1
Maximum: 10000
limit
integer
Number of results per page.
Default value: 10
Maximum: 100

Headers

account_id
string
(Required)
Your Log360 Cloud Account ID.
Authorization
string
(Required)
OAuth access token for the request, sent as `Authorization: Zoho-oauthtoken <access_token>`; the token must carry the logs360cloud.rulelibrary.READ scope (an invalid or missing token returns error 00000101). Treat the token as a secret: do not commit it to source control or embed it in client-side code.

Request Example

// Fetch the rules of the "windows" category from the rule library.
// NOTE(review): the `connection` presumably supplies the OAuth token, so the
// placeholder Authorization header below is illustrative — never paste a live
// token into a script; keep it in the connection.
requestHeaders = Map();
requestHeaders.put("account_id", "18XXXXX4");
requestHeaders.put("Authorization", "Zoho-oauthtoken 1000.41d9xxxxxxxxxxxxxxxxxxxxxxxxc2d1.8fccxxxxxxxxxxxxxxxxxxxxxxxx125f");
rulesUrl = "https://log360cloud.manageengine.com/api/v2/rule-library/rules?category=windows";
response = invokeUrl
[
    url: rulesUrl
    type: GET
    headers: requestHeaders
    connection: <connection_name>
];
info response;
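// Fetch the rules of one rule-library category.
// Credentials are read from the environment rather than hard-coded in source;
// requireNonNull fails fast with a clear message instead of sending "null" headers.
String accountId = Objects.requireNonNull(System.getenv("LOG360_ACCOUNT_ID"), "LOG360_ACCOUNT_ID is not set");
String oauthToken = Objects.requireNonNull(System.getenv("LOG360_OAUTH_TOKEN"), "LOG360_OAUTH_TOKEN is not set");
// Build the query with HttpUrl so the category value is URL-encoded instead of
// being concatenated into the string (matters once the value comes from user input).
HttpUrl url = HttpUrl.get("https://log360cloud.manageengine.com/api/v2/rule-library/rules")
    .newBuilder()
    .addQueryParameter("category", "windows")
    .build();
OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder()
    .url(url)
    .get()
    .addHeader("account_id", accountId)
    .addHeader("Authorization", "Zoho-oauthtoken " + oauthToken)
    .build();
// Response owns a pooled connection; try-with-resources closes it so it is not leaked.
try (Response response = client.newCall(request).execute()) {
    // 4xx/5xx replies do not throw; check the status before treating the body as data.
    if (!response.isSuccessful()) {
        throw new IOException("Request failed with HTTP " + response.code());
    }
    String body = response.body() != null ? response.body().string() : "";
    System.out.println(body);
}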
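// Fetch the rules of one rule-library category.
// The OAuth token is read from the environment, so this snippet is meant to run
// server-side; never ship the token to a browser — route browser calls through
// your own backend instead.
const accountId = process.env.LOG360_ACCOUNT_ID;
const oauthToken = process.env.LOG360_OAUTH_TOKEN;
if (!accountId || !oauthToken) {
  throw new Error('LOG360_ACCOUNT_ID and LOG360_OAUTH_TOKEN must be set');
}

const options = {
  method: 'GET',
  headers: {
    account_id: accountId,
    Authorization: `Zoho-oauthtoken ${oauthToken}`,
  },
};

// Build the query via URL so the category value is percent-encoded rather than
// concatenated (matters once the value comes from user input).
const url = new URL('https://log360cloud.manageengine.com/api/v2/rule-library/rules');
url.searchParams.set('category', 'windows');

fetch(url, options)
  .then((response) => {
    // fetch resolves on 4xx/5xx too; check the status before parsing the body.
    if (!response.ok) {
      throw new Error(`Request failed with HTTP ${response.status}`);
    }
    return response.json();
  })
  .then((body) => console.log(body))
  .catch((err) => console.error(err));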
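import http.client
import os
from urllib.parse import urlencode

# Fetch the rules of one rule-library category.
# Credentials come from the environment so they are not committed with the code
# (a missing variable raises KeyError, which is the intended fail-fast behaviour).
account_id = os.environ["LOG360_ACCOUNT_ID"]
oauth_token = os.environ["LOG360_OAUTH_TOKEN"]

headers = {
    "account_id": account_id,
    "Authorization": f"Zoho-oauthtoken {oauth_token}",
}

# urlencode percent-encodes the category value instead of pasting it into the path.
path = "/api/v2/rule-library/rules?" + urlencode({"category": "windows"})

conn = http.client.HTTPSConnection("log360cloud.manageengine.com")
try:
    conn.request("GET", path, headers=headers)
    res = conn.getresponse()
    data = res.read()
finally:
    conn.close()  # release the socket even if the request raises

# A 4xx/5xx reply is returned as a normal response object; check the status
# before treating the body as rule data.
if res.status != 200:
    raise RuntimeError(f"HTTP {res.status}: {data.decode('utf-8', 'replace')}")
print(data.decode("utf-8"))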
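const http = require("https");

// Fetch the rules of one rule-library category.
// Credentials are read from the environment rather than hard-coded in source.
const accountId = process.env.LOG360_ACCOUNT_ID;
const oauthToken = process.env.LOG360_OAUTH_TOKEN;
if (!accountId || !oauthToken) {
  throw new Error("LOG360_ACCOUNT_ID and LOG360_OAUTH_TOKEN must be set");
}

// URLSearchParams percent-encodes the category value instead of pasting it into the path.
const query = new URLSearchParams({ category: "windows" });

// No `port` needed: https.request defaults to 443.
const options = {
  method: "GET",
  hostname: "log360cloud.manageengine.com",
  path: `/api/v2/rule-library/rules?${query}`,
  headers: {
    account_id: accountId,
    Authorization: `Zoho-oauthtoken ${oauthToken}`,
  },
};

const req = http.request(options, (res) => {
  const chunks = [];
  res.on("data", (chunk) => chunks.push(chunk));
  res.on("end", () => {
    const body = Buffer.concat(chunks).toString();
    // 4xx/5xx replies arrive here as well; surface them instead of printing as success.
    if (res.statusCode !== 200) {
      console.error(`HTTP ${res.statusCode}: ${body}`);
      return;
    }
    console.log(body);
  });
});
// Without an 'error' listener a DNS/TLS/connection failure becomes an uncaught
// exception that terminates the process.
req.on("error", (err) => console.error(err));
req.end();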
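# Fetch the rules of one rule-library category.
# Keep the token off the command line: shell history and `ps` expose arguments,
# so read the Authorization header from a file (curl >= 7.55) that contains one line:
#   Authorization: Zoho-oauthtoken <access_token>
# Restrict the file's permissions (e.g. chmod 600 auth.hdr).
# --get with --data-urlencode appends the category as a percent-encoded query
# parameter instead of pasting it into the URL.
# --fail-with-body (curl >= 7.76) exits non-zero on 4xx/5xx but still prints the
# error body; on older curl use --fail instead.
curl --get \
  --url 'https://log360cloud.manageengine.com/api/v2/rule-library/rules' \
  --data-urlencode "category=${CATEGORY:-windows}" \
  --header @auth.hdr \
  --header "account_id: ${LOG360_ACCOUNT_ID}" \
  --fail-with-body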

Response Example

{ "data": { "rules": [ { "profile_id": 3222, "name": "SYSTEM Privileged Net Command Detected", "description": "Identifies the SYSTEM account using the Net utility.", "severity": "attention", "complexity": "low", "rule_type": "standard", "is_new": false, "status": "available", "mitre_mapping": [], "custom_tags": [] }, { "profile_id": 3237, "name": "AmsiEnable Registry Key tampered", "description": "An attempt was detected to tamper with AMSI.", "severity": "critical", "complexity": "low", "rule_type": "standard", "is_new": false, "status": "available", "mitre_mapping": [], "custom_tags": [] } ] }, "meta": { "total_items": 1757, "from": 1, "limit": 10 } }
{ "error": { "code": "07001111", "title": "Bad Request", "detail": "Required parameter is missing in the request." } }
{ "error": { "code": "00000101", "title": "Unauthorized", "detail": "Invalid OAuth Token" } }
{ "error": { "code": "2dcaaa", "title": "This feature is not available in your current license plan. Please upgrade your license to access it." } }
{ "error": { "code": "00000109", "detail": "Request throttling limit reached", "title": "Too Many Requests" } }
{ "error": { "code": "10001005", "title": "Internal Server Error" } }