Add new terms rule type to Detections API create/update rule docs #3914

Merged
merged 7 commits into from
Sep 20, 2023
26 changes: 22 additions & 4 deletions docs/detections/api/rules/rules-api-create.asciidoc
Expand Up @@ -100,6 +100,7 @@ A JSON object that defines the rule's values:
* <<req-fields-eql>>
* <<req-fields-ml>>
* <<req-fields-threat-match>>
* <<req-fields-new-terms>>
* <<opt-fields-all>>
* <<opt-fields-query-eql>>
* <<opt-fields-threat-match>>
Expand Down Expand Up @@ -145,11 +146,12 @@ occurred
{es} index.
* `threshold`: rule based on the number of times a `query` matches the
specified field.
* `new_terms`: rule that alerts on values that have not been seen before

|==============================================

[[req-fields-query-threshold]]
===== Required field for query, indicator match and threshold rules
===== Required field for query, indicator match, threshold, and new terms rules

[width="100%",options="header"]
|==============================================
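Review bot: the new `new_terms` bullet in the rule-type list is the only one without a terminating period (the `threshold` bullet above it ends with `specified field.`); add one so the list reads consistently. It would also help to say what "seen before" is measured against, since the `history_window_start` field added further down is what defines that comparison window.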
Expand Down Expand Up @@ -250,6 +252,22 @@ uses both `and` and `or` logic.

|==============================================

[[req-fields-new-terms]]
===== Required fields for new terms rules

[width="100%",options="header"]
|==============================================
|Name |Type |Description

|new_terms_fields |String[] |Fields to monitor for new values. Must contain 1–3 field names.

|history_window_start |String |Start date to use when checking if a term has been seen before.
Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term
is new. We do not recommend using absolute dates, which can cause issues with rule performance
due to querying increasing amounts of data over time.

|==============================================

[[opt-fields-all]]
===== Optional fields for all rule types

Expand Down Expand Up @@ -336,7 +354,7 @@ Required when `actions` are used to send notifications.
|==============================================

[[opt-fields-query-eql]]
===== Optional fields for query, indicator match, and event correlation rules
===== Optional fields for query, indicator match, event correlation, and new terms rules

[width="100%",options="header"]
|==============================================
Expand Down Expand Up @@ -372,7 +390,7 @@ documents from the {es} index containing the threat values.
|==============================================

[[opt-fields-query-threshold]]
===== Optional fields for query, indicator match, and threshold rules
===== Optional fields for query, indicator match, threshold, and new terms rules

[width="100%",options="header"]
|==============================================
Expand All @@ -383,7 +401,7 @@ documents from the {es} index containing the threat values.
|==============================================

[[opt-fields-eql-query-threshold]]
===== Optional fields for event correlation, query, and threshold rules
===== Optional fields for event correlation, query, threshold, and new terms rules

[width="100%",options="header"]
|==============================================
24 changes: 20 additions & 4 deletions docs/detections/api/rules/rules-api-update.asciidoc
Expand Up @@ -67,10 +67,11 @@ occurred
{es} index.
* `threshold`: rule based on the number of times a `query` matches the
specified field.
* `new_terms`: rule that alerts on values that have not been seen before

|==============================================

===== Field required for query, threat-match and threshold rules `PUT` calls
===== Field required for query, threat-match, threshold, and new terms rules `PUT` calls

[width="100%",options="header"]
|==============================================
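Review bot: same as in `rules-api-create.asciidoc`, the `new_terms` bullet is missing the terminating period that the sibling `threshold` bullet has; add it for consistency between the two files.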
Expand Down Expand Up @@ -166,6 +167,21 @@ uses both `and` and `or` logic.

|==============================================

===== Fields required for new terms rules `PUT` calls

[width="100%",options="header"]
|==============================================
|Name |Type |Description

|new_terms_fields |String[] |Fields to monitor for new values. Must contain 1–3 field names.

|history_window_start |String |Start date to use when checking if a term has been seen before.
Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term
is new. We do not recommend using absolute dates, which can cause issues with rule performance
due to querying increasing amounts of data over time.

|==============================================

===== Optional fields for all rule types

[width="100%",options="header"]
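Review bot: this table is a verbatim copy of the `[[req-fields-new-terms]]` table added to `rules-api-create.asciidoc`, so the two descriptions will drift apart on the next edit; consider an AsciiDoc `include::` of a shared snippet, or at minimum apply the same fixes here (backticks around `now-30d`, and a positive recommendation to use relative dates ahead of the caveat). Note also that the heading here carries no `[[...]]` anchor while the create-doc heading does; that matches the other headings in this file, so it is fine unless the update page needs to be cross-referenced.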
Expand Down Expand Up @@ -244,7 +260,7 @@ number.

|==============================================

===== Optional fields for query, threat-match and EQL rules
===== Optional fields for query, threat-match, EQL, and new terms rules

[width="100%",options="header"]
|==============================================
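Review bot: the renamed headings use "threat-match" here but "indicator match" for the equivalent headings in `rules-api-create.asciidoc`; the mismatch predates this change, but since both sets of headings are being edited now it is a good moment to pick one term and use it in both files.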
Expand Down Expand Up @@ -278,7 +294,7 @@ documents from the {es} index containing the threat values.
|Much like an ingest processor, users can use this field to define where their threat indicator can be found on their indicator documents. Defaults to `threatintel.indicator`.
|==============================================

===== Optional fields for query, threat-match and threshold rules
===== Optional fields for query, threat-match, threshold, and new terms rules

[width="100%",options="header"]
|==============================================
Expand All @@ -288,7 +304,7 @@ documents from the {es} index containing the threat values.
`kuery` or `lucene`. Defaults to `kuery`.
|==============================================

===== Optional fields for EQL, query and threshold rules
===== Optional fields for EQL, query, threshold, and new terms rules

[width="100%",options="header"]
|==============================================