diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
index 7da03b3009..1a27e02c7a 100644
--- a/docs/detections/api/rules/rules-api-create.asciidoc
+++ b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -348,6 +348,10 @@ relevant information about the rule. Defaults to an empty array.
 is converted from a third-party security solution. Automatically created when it is not provided.
+|setup |String |Populates the rule's setup guide with instructions on rule
+prerequisites such as required integrations, configuration steps, and anything
+else needed for the rule to work correctly.
+
 |tags |String[] |String array containing words and phrases to help categorize,
 filter, and search rules. Defaults to an empty array.
@@ -914,6 +918,7 @@ POST api/detection_engine/rules
 "interval": "5m",
 "name": "Anomalous Linux network activity",
 "note": "Shut down the internet.",
+"setup": "This rule requires data coming in from Elastic Defend."
 "severity": "high",
 "tags": [
 "machine learning",
@@ -1178,10 +1183,10 @@ Example response for a query rule:
 "language": "kuery",
 "related_integrations": [], <1>
 "required_fields": [], <1>
-"setup": "" <1>
+"setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for a {ml} job rule:
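Review bot: The added `"setup"` line in the `@@ -914` request example is missing a trailing comma, so the JSON body shown is no longer valid and a user pasting it into the create request gets a parse error rather than a rule; change it to `"setup": "This rule requires data coming in from Elastic Defend.",` since `"severity"` follows it. The enclosing request body starts and ends outside the hunk. Separately, the new `|setup |String` table row in the `@@ -348` hunk states no default, unlike its `references` and `tags` neighbours; the response examples further down show `"setup": ""`, which suggests an empty string is the default when the field is omitted, and if that is confirmed the row should end with `Defaults to an empty string.` The same row is added to rules-api-update.asciidoc in the `@@ -244` hunk and would take the same sentence.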
@@ -1236,10 +1241,10 @@ Example response for a {ml} job rule:
 "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
 "related_integrations": [], <1>
 "required_fields": [], <1>
-"setup": "" <1>
+"setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for a threshold rule:
@@ -1317,10 +1322,10 @@ Example response for a threshold rule:
 },
 "related_integrations": [], <1>
 "required_fields": [], <1>
-"setup": "" <1>
+"setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for an EQL rule:
@@ -1362,10 +1367,10 @@ Example response for an EQL rule:
 "language": "eql",
 "related_integrations": [], <1>
 "required_fields": [], <1>
-"setup": "" <1>
+"setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for an indicator match rule:
@@ -1434,10 +1439,10 @@ Example response for an indicator match rule:
 ],
 "related_integrations": [], <1>
 "required_fields": [], <1>
-"setup": "" <1>
+"setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for a new terms rule:
@@ -1479,10 +1484,10 @@ Example response for a new terms rule:
 "history_window_start": "now-30d",
 "related_integrations": [], <1>
 "required_fields": [], <1>
-"setup": "" <1>
+"setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for an {esql} rule:
@@ -1519,10 +1524,10 @@ Example response for an {esql} rule:
 "immutable": false,
 "related_integrations": [], <1>
 "required_fields": [], <1>
-"setup": "", <1>
+"setup": "",
 "type": "esql",
 "language": "esql",
 "query": "from auditbeat-8.10.2 [metadata _id] | where process.parent.name == \"EXCEL.EXE\""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc
index 7e8242e201..2df5d1d2d5 100644
--- a/docs/detections/api/rules/rules-api-update.asciidoc
+++ b/docs/detections/api/rules/rules-api-update.asciidoc
@@ -244,6 +244,10 @@ single execution. Defaults to `100`.
 |references |String[] |Array containing notes about or references to
 relevant information about the rule. Defaults to an empty array.
+|setup |String |Populates the rule's setup guide with instructions on rule
+prerequisites such as required integrations, configuration steps, and anything
+else needed for the rule to work correctly.
+
 |tags |String[] |String array containing words and phrases to help categorize,
 filter, and search rules. Defaults to an empty array.
@@ -629,7 +633,7 @@ Example response:
 ],
 "related_integrations": [], <1>
 "required_fields": [], <1>
-"setup": "", <1>
+"setup": "",
 "type": "query",
 "threat": [
 {
@@ -665,4 +669,4 @@ Example response:
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage or schema may change: `related_integrations`, `required_fields`, `setup`, and `execution_summary`.
+<1> dev:[] These fields are under development and their usage or schema may change: `related_integrations`, `required_fields`, and `execution_summary`.