
Templates endpoints

Read access to the curated template catalog — ready-to-use XML snippets as a starting point for creating rules/decoders.

The catalog is static (maintained in the backend repo) and read-only.

Endpoint table

| Method | Path | Auth |
| --- | --- | --- |
| GET | /templates | Session |
| GET | /templates/{template_id} | Session |

GET /templates

Lists the full catalog together with per-category counts and the total number of templates.

Response 200 (TemplateCatalogResponse):

{
"templates": [
{
"id": "ssh-brute-force",
"title": "SSH brute force detection",
"description": "Detects multiple failed SSH login attempts in a short window.",
"category": "authentication",
"kind": "rule",
"platform": ["linux", "macos"],
"mitre_ids": ["T1110"],
"tags": ["sshd", "brute-force"],
"xml": "<group name=\"authentication_failures\">\n <rule id=\"100010\" level=\"10\">\n <if_matched_sid>5716</if_matched_sid>\n <same_source_ip/>\n <frequency>5</frequency>\n <timeframe>120</timeframe>\n <description>SSH: multiple failed logins.</description>\n </rule>\n</group>",
"tips": [
"Tune `frequency` and `timeframe` according to your security policy.",
"Consider adding `<options>no_full_log</options>` if volume gets too high."
]
}
],
"categories": [
{ "id": "authentication", "count": 12 },
{ "id": "network", "count": 8 },
{ "id": "malware", "count": 5 }
],
"total": 25
}

Relevant fields:

  • category: one of authentication, network, malware, compliance, ids, cloud, endpoint, generic.
  • kind: rule, decoder, or mixed.
  • platform[]: platforms the template was tested against.
  • mitre_ids[]: MITRE ATT&CK technique references (e.g. T1110).
  • tips[]: contextual hints for tuning the template.

GET /templates/{template_id}

Returns a single template.

Response 200: TemplateRecord (same structure as shown in templates[] above).

Errors:

  • 404 not_found — template doesn't exist (body: {"detail": "template_not_found"}).

Typical usage

Scenario: an editor integration that offers the catalog's templates to the user as starting points and loads the chosen one into a workspace.

# List the catalog (id, title and category of every template)
curl -fsS "$RF_BASE/templates" \
  -H "Authorization: Bearer $JWT" | jq '.templates[] | {id, title, category}'

# Fetch one template and keep only its XML
TEMPLATE_XML=$(curl -fsS "$RF_BASE/templates/ssh-brute-force" \
  -H "Authorization: Bearer $JWT" | jq -r .xml)

# Build the workspace body with jq so the XML is JSON-escaped correctly;
# splicing it into a hand-written JSON string breaks on quotes and newlines
BODY=$(jq -n --arg xml "$TEMPLATE_XML" \
  '{name: "From template", rules_xml: $xml, decoders_xml: "<decoders></decoders>", event_text: ""}')

curl -fsS -X POST "$RF_BASE/platform/projects/$PRJ/workspaces" \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d "$BODY"

Full TemplateRecord structure

{
"id": "string",
"title": "string",
"description": "string",
"category": "authentication|network|malware|compliance|ids|cloud|endpoint|generic",
"kind": "rule|decoder|mixed",
"platform": ["string"],
"mitre_ids": ["string"],
"tags": ["string"],
"xml": "string",
"tips": ["string"]
}
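The checks a client should run on these responses before trusting them, as an added example (Python; not code from the Templates API or its backend). It validates a TemplateCatalogResponse from GET /templates and a TemplateRecord from GET /templates/{template_id} against the structure above (field types, the category and kind enumerations, MITRE id format, well-formed XML, total equal to the sum of the category counts), treats the documented 404 body as "no such template", and extracts the rule ids declared in the template XML so they can be compared with the ids already in use before the snippet is loaded into a workspace. The sample payloads are constructed to match the documented shape, and the rule-id collision check is a practitioner caveat, not something the page states.

```python
"""Client-side checks for Templates API responses (added example, not code from
the Templates API or its backend). Validates the documented response shapes,
handles the documented 404 body and inspects template XML before it is pushed
into a workspace. All payloads below are constructed sample data.
"""
import json
import re
import xml.etree.ElementTree as ET

CATEGORIES = {"authentication", "network", "malware", "compliance",
              "ids", "cloud", "endpoint", "generic"}
KINDS = {"rule", "decoder", "mixed"}
# field -> expected JSON type, from the "Full TemplateRecord structure"
FIELDS = {"id": str, "title": str, "description": str, "category": str,
          "kind": str, "platform": list, "mitre_ids": list, "tags": list,
          "xml": str, "tips": list}
MITRE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # technique or sub-technique id


def validate_record(rec):
    """Return the problems found in one TemplateRecord (empty list = valid)."""
    problems = []
    for name, typ in FIELDS.items():
        if name not in rec:
            problems.append(f"missing field {name}")
        elif not isinstance(rec[name], typ):
            problems.append(f"{name}: expected {typ.__name__}")
    if problems:  # do not look inside fields that are missing or mistyped
        return problems
    if rec["category"] not in CATEGORIES:
        problems.append(f"unknown category {rec['category']!r}")
    if rec["kind"] not in KINDS:
        problems.append(f"unknown kind {rec['kind']!r}")
    problems += [f"malformed MITRE id {m!r}" for m in rec["mitre_ids"]
                 if not MITRE_ID.match(m)]
    try:
        ET.fromstring(rec["xml"])  # the snippet must at least be well-formed
    except ET.ParseError as exc:
        problems.append(f"xml does not parse: {exc}")
    return problems


def validate_catalog(payload):
    """Validate a TemplateCatalogResponse: each record plus the count fields."""
    problems = []
    for rec in payload.get("templates", []):
        problems += [f"{rec.get('id')}: {p}" for p in validate_record(rec)]
    counts = {c["id"]: c["count"] for c in payload.get("categories", [])}
    if set(counts) - CATEGORIES:
        problems.append(f"unknown categories in counts: {sorted(set(counts) - CATEGORIES)}")
    if sum(counts.values()) != payload.get("total"):
        problems.append("total does not equal the sum of the category counts")
    return problems


def parse_template_response(status, body):
    """GET /templates/{template_id}: None for the documented 404 body,
    a validated record for 200, an exception for anything else."""
    if status == 404 and json.loads(body).get("detail") == "template_not_found":
        return None
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    rec = json.loads(body)
    problems = validate_record(rec)
    if problems:
        raise ValueError("; ".join(problems))
    return rec


def rule_ids(xml_text):
    """Rule ids declared in a template's XML, sorted. Templates ship with fixed
    ids (100010 in the page's example); compare them with the ids already in use."""
    root = ET.fromstring(xml_text)
    return sorted(int(r.get("id")) for r in root.iter("rule") if r.get("id"))


# Constructed sample data, shaped like the responses documented above.
SAMPLE_XML = (
    '<group name="authentication_failures">\n <rule id="100010" level="10">\n'
    ' <if_matched_sid>5716</if_matched_sid>\n <same_source_ip/>\n'
    ' <frequency>5</frequency>\n <timeframe>120</timeframe>\n'
    ' <description>SSH: multiple failed logins.</description>\n </rule>\n</group>'
)
SAMPLE_RECORD = {
    "id": "ssh-brute-force", "title": "SSH brute force detection",
    "description": "Detects multiple failed SSH login attempts in a short window.",
    "category": "authentication", "kind": "rule", "platform": ["linux", "macos"],
    "mitre_ids": ["T1110"], "tags": ["sshd", "brute-force"], "xml": SAMPLE_XML,
    "tips": ["Tune `frequency` and `timeframe` according to your security policy."],
}
SAMPLE_CATALOG = {"templates": [SAMPLE_RECORD], "total": 25,
                  "categories": [{"id": "authentication", "count": 12},
                                 {"id": "network", "count": 8},
                                 {"id": "malware", "count": 5}]}

if __name__ == "__main__":
    print("catalog problems:", validate_catalog(SAMPLE_CATALOG))
    print("rule ids to check for collisions:", rule_ids(SAMPLE_XML))
```

In an editor integration, run validate_record on every template before offering its xml to the user, and intersect rule_ids(xml) with the ids already deployed; a non-empty intersection means the snippet needs renumbering before it is posted to the workspace endpoint.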