From 28586893a2547a6f16bef00635683923e266baf0 Mon Sep 17 00:00:00 2001
From: Davis Plumlee
Date: Mon, 15 Apr 2024 23:44:16 -0400
Subject: [PATCH 1/2] updates create and update api docs
---
 .../api/rules/rules-api-create.asciidoc | 33 +++++++++++--------
 .../api/rules/rules-api-update.asciidoc | 8 +++--
 2 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
index 7da03b3009..81f50130a1 100644
--- a/docs/detections/api/rules/rules-api-create.asciidoc
+++ b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -348,6 +348,10 @@ relevant information about the rule. Defaults to an empty array.
 is converted from a third-party security solution. Automatically created when it is not provided.
+|setup |String |Instructions on rule prerequisites such as required
+integrations, configuration steps, and anything else needed for the rule to
+work correctly.
+
 |tags |String[] |String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
@@ -914,6 +918,7 @@ POST api/detection_engine/rules
 "interval": "5m",
 "name": "Anomalous Linux network activity",
 "note": "Shut down the internet.",
+ "setup": "This rule requires data coming in from Elastic Defend."
 "severity": "high",
 "tags": [
 "machine learning",
@@ -1178,10 +1183,10 @@ Example response for a query rule:
 "language": "kuery",
 "related_integrations": [], <1>
 "required_fields": [], <1>
- "setup": "" <1>
+ "setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for a {ml} job rule:
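Review bot: The added request-body line in the `POST api/detection_engine/rules` example (hunk `@@ -914,6 +918,7 @@`) is missing the trailing comma before `"severity": "high",`, so the example is no longer valid JSON and a copy-pasted request would be rejected as malformed. Change it to `"setup": "This rule requires data coming in from Elastic Defend.",`. Separately, the new `setup` table row is the only one in its neighbourhood without a default; the response examples in later hunks show `"setup": ""`, so if that is the stored value when the field is omitted, appending `Defaults to an empty string.` would match the `references` and `tags` rows — worth confirming against the rule schema. The JSON object this line sits in starts and ends outside the hunk.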
@@ -1236,10 +1241,10 @@ Example response for a {ml} job rule:
 "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
 "related_integrations": [], <1>
 "required_fields": [], <1>
- "setup": "" <1>
+ "setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for a threshold rule:
@@ -1317,10 +1322,10 @@ Example response for a threshold rule:
 },
 "related_integrations": [], <1>
 "required_fields": [], <1>
- "setup": "" <1>
+ "setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for an EQL rule:
@@ -1362,10 +1367,10 @@ Example response for an EQL rule:
 "language": "eql",
 "related_integrations": [], <1>
 "required_fields": [], <1>
- "setup": "" <1>
+ "setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for an indicator match rule:
@@ -1434,10 +1439,10 @@ Example response for an indicator match rule:
 ],
 "related_integrations": [], <1>
 "required_fields": [], <1>
- "setup": "" <1>
+ "setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for a new terms rule:
@@ -1479,10 +1484,10 @@ Example response for a new terms rule:
 "history_window_start": "now-30d",
 "related_integrations": [], <1>
 "required_fields": [], <1>
- "setup": "" <1>
+ "setup": ""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
 Example response for an {esql} rule:
@@ -1519,10 +1524,10 @@ Example response for an {esql} rule:
 "immutable": false,
 "related_integrations": [], <1>
 "required_fields": [], <1>
- "setup": "", <1>
+ "setup": "",
 "type": "esql",
 "language": "esql",
 "query": "from auditbeat-8.10.2 [metadata _id] | where process.parent.name == \"EXCEL.EXE\""
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+<1> dev:[] These fields are under development and their usage may change: `related_integrations` and `required_fields`.
diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc
index 7e8242e201..f63f74f1c0 100644
--- a/docs/detections/api/rules/rules-api-update.asciidoc
+++ b/docs/detections/api/rules/rules-api-update.asciidoc
@@ -244,6 +244,10 @@ single execution. Defaults to `100`.
 |references |String[] |Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
+|setup |String |Instructions on rule prerequisites such as required
+integrations, configuration steps, and anything else needed for the rule to
+work correctly.
+
 |tags |String[] |String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
@@ -629,7 +633,7 @@ Example response:
 ],
 "related_integrations": [], <1>
 "required_fields": [], <1>
- "setup": "", <1>
+ "setup": "",
 "type": "query",
 "threat": [
 {
@@ -665,4 +669,4 @@ Example response:
 }
 --------------------------------------------------
-<1> dev:[] These fields are under development and their usage or schema may change: `related_integrations`, `required_fields`, `setup`, and `execution_summary`.
+<1> dev:[] These fields are under development and their usage or schema may change: `related_integrations`, `required_fields`, and `execution_summary`.
From b8106b94fd03865895c1fa61960e2926e891af9e Mon Sep 17 00:00:00 2001
From: Davis Plumlee
Date: Tue, 16 Apr 2024 11:07:18 -0400
Subject: [PATCH 2/2] addresses comments
---
 docs/detections/api/rules/rules-api-create.asciidoc | 6 +++---
 docs/detections/api/rules/rules-api-update.asciidoc | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
index 81f50130a1..1a27e02c7a 100644
--- a/docs/detections/api/rules/rules-api-create.asciidoc
+++ b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -348,9 +348,9 @@ relevant information about the rule. Defaults to an empty array.
 is converted from a third-party security solution. Automatically created when it is not provided.
-|setup |String |Instructions on rule prerequisites such as required
-integrations, configuration steps, and anything else needed for the rule to
-work correctly.
+|setup |String |Populates the rule's setup guide with instructions on rule
+prerequisites such as required integrations, configuration steps, and anything
+else needed for the rule to work correctly.
 |tags |String[] |String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc
index f63f74f1c0..2df5d1d2d5 100644
--- a/docs/detections/api/rules/rules-api-update.asciidoc
+++ b/docs/detections/api/rules/rules-api-update.asciidoc
@@ -244,9 +244,9 @@ single execution. Defaults to `100`.
 |references |String[] |Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-|setup |String |Instructions on rule prerequisites such as required
-integrations, configuration steps, and anything else needed for the rule to
-work correctly.
+|setup |String |Populates the rule's setup guide with instructions on rule
+prerequisites such as required integrations, configuration steps, and anything
+else needed for the rule to work correctly.
 |tags |String[] |String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.