Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SecuritySolution][Detections] Update Create Rule API docs #91965

Closed
spong opened this issue Feb 19, 2021 · 1 comment · Fixed by elastic/security-docs#522
Closed

[SecuritySolution][Detections] Update Create Rule API docs #91965

spong opened this issue Feb 19, 2021 · 1 comment · Fixed by elastic/security-docs#522
Labels
docs Feature:Detection Rules Anything related to Security Solution's Detection Rules Team:Detections and Resp Security Detection Response Team

Comments

@spong
Copy link
Member

spong commented Feb 19, 2021

Our API docs are manually maintained and so need love as we continue to add features. With all the recent changes around indicator match and threshold rules for 7.12, let's review and make updates as needed. Thanks for raising this @jmikell821! 🙂

While our talks to streamline API doc generation (#81964 / #82587) appear to have stalled, we can at least streamline this process to keep things easier on all of us and allow more time for the @elastic/security-docs folks to focus on content. 🙌

The Create Rule Docs covers the API for creating a single rule, and the requirements around all the different rule types. Bulk operations have dedicated documentation.

The rules schema can be found referenced in the body validation of the create_rules_route, and is made up of commonParams across all rule types, and typeSpecificParams for each individual rule type.

Note: The below is relevant as of 7.11, but is really only to tie these docs to source to streamline this process while we work towards generating docs.

cc @madirey @rylnd @FrankHassanabad

Common Params (source)
const commonParams = {
  required: {
    name,
    description,
    risk_score,
    severity,
  },
  optional: {
    building_block_type,
    note,
    license,
    output_index,
    timeline_id,
    timeline_title,
    meta,
    rule_name_override,
    timestamp_override,
  },
  defaultable: {
    tags,
    interval,
    enabled,
    throttle: throttleOrNull,
    actions,
    author,
    false_positives,
    from,
    rule_id,
    // maxSignals not used in ML rules but probably should be used
    max_signals,
    risk_score_mapping,
    severity_mapping,
    threat: threats,
    to,
    references,
    version,
    exceptions_list: listArray,
  },
};
eqlCreateParams (source)
const eqlRuleParams = {
  required: {
    type: t.literal('eql'),
    language: t.literal('eql'),
    query,
  },
  optional: {
    index,
    filters,
    event_category_override,
  },
  defaultable: {},
};
threatMatchCreateParams (source)
const threatMatchRuleParams = {
  required: {
    type: t.literal('threat_match'),
    query,
    threat_query,
    threat_mapping,
    threat_index,
  },
  optional: {
    index,
    filters,
    saved_id,
    threat_filters,
    threat_indicator_path,
    threat_language: t.keyof({ kuery: null, lucene: null }),
    concurrent_searches,
    items_per_search,
  },
  defaultable: {
    language: t.keyof({ kuery: null, lucene: null }),
  },
};
queryCreateParams (source)
const queryRuleParams = {
  required: {
    type: t.literal('query'),
  },
  optional: {
    index,
    filters,
    saved_id,
  },
  defaultable: {
    query,
    language: t.keyof({ kuery: null, lucene: null }),
  },
};
savedQueryCreateParams (source)
const savedQueryRuleParams = {
  required: {
    type: t.literal('saved_query'),
    saved_id,
  },
  optional: {
    // Having language, query, and filters possibly defined adds more code confusion and probably user confusion
    // if the saved object gets deleted for some reason
    index,
    query,
    filters,
  },
  defaultable: {
    language: t.keyof({ kuery: null, lucene: null }),
  },
};
thresholdCreateParams (source)
const thresholdRuleParams = {
  required: {
    type: t.literal('threshold'),
    query,
    threshold,
  },
  optional: {
    index,
    filters,
    saved_id,
  },
  defaultable: {
    language: t.keyof({ kuery: null, lucene: null }),
  },
};
machineLearningCreateParams (source)
const machineLearningRuleParams = {
  required: {
    type: t.literal('machine_learning'),
    anomaly_threshold,
    machine_learning_job_id,
  },
  optional: {},
  defaultable: {},
};
@spong spong added Feature:Detection Rules Anything related to Security Solution's Detection Rules docs Team:Detections and Resp Security Detection Response Team labels Feb 19, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@spong spong mentioned this issue Feb 19, 2021
Merged
spong added a commit to elastic/security-docs that referenced this issue Mar 9, 2021
@spong
[DOCS] Updates Create Rule API docs for Threshold and Indicator Match…
a14da4e 
… Rules (#522)

This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 

Resolves: elastic/kibana#91965

Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings).


##### Threshold Rules:
For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826


##### Indicator Match Rules:

For more details on `threat_filters` see: elastic/kibana#91260
spong added a commit to spong/security-docs that referenced this issue Mar 9, 2021
@spong
[DOCS] Updates Create Rule API docs for Threshold and Indicator Match…
ef66ee0 
… Rules (elastic#522)

This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 

Resolves: elastic/kibana#91965

Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings).


##### Threshold Rules:
For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826


##### Indicator Match Rules:

For more details on `threat_filters` see: elastic/kibana#91260
spong added a commit to spong/security-docs that referenced this issue Mar 9, 2021
@spong
[DOCS] Updates Create Rule API docs for Threshold and Indicator Match…
527f093 
… Rules (elastic#522)

This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 

Resolves: elastic/kibana#91965

Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings).


##### Threshold Rules:
For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826


##### Indicator Match Rules:

For more details on `threat_filters` see: elastic/kibana#91260
spong added a commit to elastic/security-docs that referenced this issue Mar 9, 2021
@spong
[DOCS] Updates Create Rule API docs for Threshold and Indicator Match…
a302dd7 
… Rules (#522) (#540)

This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 

Resolves: elastic/kibana#91965

Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings).


##### Threshold Rules:
For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826


##### Indicator Match Rules:

For more details on `threat_filters` see: elastic/kibana#91260
spong added a commit to elastic/security-docs that referenced this issue Mar 9, 2021
@spong
[DOCS] Updates Create Rule API docs for Threshold and Indicator Match…
65491c0 
… Rules (#522) (#539)

This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 

Resolves: elastic/kibana#91965

Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings).


##### Threshold Rules:
For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826


##### Indicator Match Rules:

For more details on `threat_filters` see: elastic/kibana#91260
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docs Feature:Detection Rules Anything related to Security Solution's Detection Rules Team:Detections and Resp Security Detection Response Team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[DOCS] Updates Create Rule API docs for Threshold and Indicator Match Rules elastic/security-docs
2 participants
@spong @elasticmachine