Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id}

SUMMARY Updates an existing LEEF Expression.

Updates an existing LEEF Expression.

Table 1: POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id} resource details:

POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id} resource details



Table 2: POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id} request parameter details:

POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description






Required - The identifier of the LEEF Expression.






Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3: POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id} request body details:

POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id} request body details

Parameter Data Type MIME Type Description Sample




Required - A JSON representation of the LEEF Expression object.
  • regex_property_identifier - Required - String - The identifier of the event regex property to which this expression belongs.
  • enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.
  • expression - Required - String - The key of the corresponding property value from the LEEF payload.
  • payload - Optional - String - Test payload. This parameter is only used in the UI so that you can verify that your expression matches the expected payload.
  • log_source_type_id - Required - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source type. Must be the id of an existing log source type.
  • log_source_id - Optional - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source. Must be the id of an existing log source.
  • qid - Optional - Integer - The expression is only applied to events associated with this QID record.
  • low_level_category_id - Optional - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source type. Must be the id of an existing log source type.
  • username - Optional - String - The owner of the LEEF Expression. If the input username is an authorized service, the prefix "API_token: " is required.

{ "creation_date": 42, "enabled": true, "expression": "String", "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex_property_identifier": "String", "username": "String" }

Table 4: POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id} response codes:

POST /config/event_sources/custom_properties/property_leef_expressions/{expression_id} response codes

HTTP Response Code Unique Code Description


The LEEF Expression was updated.



The user cannot update the resource because it only can be updated by the owner or admin user.



The requested LEEF Expression cannot be found.



One or more parameters are invalid in request.



An error occurred during the attempt to update a LEEF Expression.

Response Description

The updated LEEF Expression object contains the following fields:
  • id - Integer - The sequence ID of the LEEF Expression.
  • identifier - String - The unique ID of the LEEF expression. This value is in the form of a UUID.
  • regex_property_identifier - String - The identifier of the event regex property to which this expression belongs.
  • enabled - Boolean - Flag that indicates whether this expression is enabled.
  • expression - String - The key of the corresponding property value from the LEEF payload.
  • creation_date - Long - The epoch timestamp in milliseconds of the time the property was created.
  • modification_date - Long - The epoch timestamp in milliseconds of the time the property was last modified.
  • payload - String - Test payload. This parameter is only used in the UI so that you can verify that your expression matches the expected payload.
  • log_source_type_id - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source type. Must be the id of an existing log source type.
  • log_source_id - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source. Must be the id of an existing log source.
  • qid - Integer - Optional field. If provided, this restricts the LEEF Expression to only evaluate against events for this log source type. Must be the id of an existing log source type.
  • low_level_category_id - Short - The expression is only applied to events with this low level category.
  • username - String - The owner of the LEEF expression.

Response Sample