Use cases and sample payloads

Assuming the default action is to ACCEPT an audit and you want to discard audits conditionally, the following rule payloads cover some common use cases.

Discard temporary and test hive_table audits (Nested rules example)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive_table",
         "condition":"AND",
         "criterion":[
            {
               "operator":"==",
               "attributeName":"temporary",
               "attributeValue":"false"
            },
            {
               "condition":"OR",
               "criterion":[
                  {
                     "operator":"==",
                     "attributeName":"name",
                     "attributeValue":"tmp"
                  },
                  {
                     "operator":"==",
                     "attributeName":"qualifiedName",
                     "attributeValue":"tmp"
                  }
               ]
            }
         ]
      }
   ]
}

Discard all audits of a type

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive_table"
      }
   ]
}

Discard all update audits for all entities

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"_ALL_ENTITY_TYPES",
         "operator":"==",
         "attributeName":"operationType",
         "attributeValue":"ENTITY_UPDATE"
      }
   ]
}

Discard all CLASSIFICATION_ADD audits for all entities

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"_ALL_ENTITY_TYPES",
         "operator":"==",
         "attributeName":"operationType",
         "attributeValue":"CLASSIFICATION_ADD"
      }
   ]
}

Discard audits for entity DELETE operation types such as ENTITY_DELETE, ENTITY_IMPORT_DELETE, CLASSIFICATION_DELETE, PROPAGATED_CLASSIFICATION_DELETE, and LABEL_DELETE

{
   "desc":"test3",
   "action":"DISCARD",
   "ruleName":"rule123",
   "ruleExpr":{
      "ruleExprObjList":[
         {
            "typeName":"hive_table",
            "condition":"AND",
            "criterion":[
               {
                  "operator":"contains",
                  "attributeName":"operationType",
                  "attributeValue":"DELETE"
               }
            ]
         }
      ]
   }
}

Usage of DELETE API for multiple rules: specify an array of GUIDs, separated by commas, in the payload

URL: api/atlas/admin/audits/rules
Payload: ["477d8fcd-3d89-4c4c-bb91-9586c49fbd19","8b2b37a8-30eb-4510-b19a-589816e45b80"]

Usage of DELETE API to delete all rules

URL: api/atlas/admin/audits/rules/all
Payload: not required

Discard audits for hive tables where description is null

"Payload":{
   "action":"DISCARD",
   "ruleName":"hiverule3",
   "ruleExpr":{
      "ruleExprObjList":[
         {
            "typeName":"hive_table",
            "includeSubTypes":"false",
            "attributeName":"description",
            "operator":"isNull"
         }
      ]
   }
}

Discard audits of an event for a specific type based on an attribute value

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive_table",
         "condition":"AND",
         "criterion":[
            {
               "operator":"==",
               "attributeName":"operationType",
               "attributeValue":"ENTITY_UPDATE"
            },
            {
               "operator":"==",
               "attributeName":"name",
               "attributeValue":"employee"
            }
         ]
      }
   ]
}

Discard audits for all types under a hook type (Regex supported with wildcard character *)

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive*",
         "operator":"==",
         "attributeName":"operationType",
         "attributeValue":"CLASSIFICATION_ADD"
      }
   ]
}

Discard all audits of a type and its sub types

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"Asset",
         "includeSubTypes":true
      }
   ]
}

CSV of type-names is supported

"action":"DISCARD",
"ruleName":"test_rule_1",
"ruleExpr":{
   "ruleExprObjList":[
      {
         "typeName":"hive_table,hbase_table",
         "attributeName":"name",
         "operator":"contains",
         "attributeValue":"test1"
      }
   ]
}
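
A dry-run helper for checking which audit events a DISCARD rule would drop before the rule is submitted, added here as an example; it is not Atlas code. It models only what the payloads above show (`==`, `contains`, `isNull`, nested AND/OR groups, `_ALL_ENTITY_TYPES`, CSV and `*` type names). The flattened event shape, treating `ruleExprObjList` entries as alternatives, ignoring `includeSubTypes`, and the names `would_discard` and `dry_run` are assumptions.

```python
from fnmatch import fnmatchcase

def type_matches(type_expr, type_name):
    # typeName may be _ALL_ENTITY_TYPES, a CSV of names, or contain the * wildcard.
    patterns = [p.strip() for p in type_expr.split(",")]
    return any(p == "_ALL_ENTITY_TYPES" or fnmatchcase(type_name, p) for p in patterns)

def leaf_matches(node, audit):
    value, op = audit.get(node["attributeName"]), node["operator"]
    if op == "isNull":
        return value is None
    if value is None:
        return False
    # Assumption: booleans compare against their JSON spelling ("true"/"false").
    text = str(value).lower() if isinstance(value, bool) else str(value)
    if op == "==":
        return text == node["attributeValue"]
    if op == "contains":
        return node["attributeValue"] in text
    raise ValueError(f"operator not modelled here: {op}")

def node_matches(node, audit):
    if "criterion" in node:  # nested group joined by AND / OR
        results = [node_matches(child, audit) for child in node["criterion"]]
        return all(results) if node["condition"] == "AND" else any(results)
    return leaf_matches(node, audit) if "operator" in node else True  # no operator: type-only rule

def would_discard(rule, audit):
    # Assumption: one matching entry in ruleExprObjList is enough to discard.
    return rule["action"] == "DISCARD" and any(
        type_matches(obj["typeName"], audit["typeName"]) and node_matches(obj, audit)
        for obj in rule["ruleExpr"]["ruleExprObjList"])

# The page's nested-rule payload, written as a Python dict.
NESTED_RULE = {"action": "DISCARD", "ruleName": "test_rule_1", "ruleExpr": {"ruleExprObjList": [
    {"typeName": "hive_table", "condition": "AND", "criterion": [
        {"operator": "==", "attributeName": "temporary", "attributeValue": "false"},
        {"condition": "OR", "criterion": [
            {"operator": "==", "attributeName": "name", "attributeValue": "tmp"},
            {"operator": "==", "attributeName": "qualifiedName", "attributeValue": "tmp"}]}]}]}}

# Constructed audit events: entity attributes flattened beside typeName and operationType.
SAMPLE_AUDITS = [
    {"typeName": "hive_table", "operationType": "ENTITY_CREATE", "name": "tmp", "temporary": False},
    {"typeName": "hive_table", "operationType": "ENTITY_CREATE", "name": "employee", "temporary": False},
    {"typeName": "hive_table", "operationType": "ENTITY_CREATE", "name": "tmp", "temporary": True},
]

def dry_run(rule=NESTED_RULE, audits=SAMPLE_AUDITS):
    return [would_discard(rule, audit) for audit in audits]
```

Running `dry_run` over a sample of real audit events before posting a rule shows how much of the audit trail the rule would remove.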