
[Detection Engine][Exceptions] - Update docs for single and shared exceptions #4021

Open · wants to merge 42 commits into base: main

Conversation

nastasha-solomon (Contributor) commented Oct 9, 2023

Fixes #3491.

Previews:

  • Elastic Security APIs: Refreshed the description for the Detections API since it technically allows users to manage rule exceptions for individual rules
  • Detections API: Added endpoints for creating a default exception list and creating exception items for a single rule
  • Create a default exception list for a rule: New page that shows how to create an exception list for a single rule (a default exception list)
  • Create exceptions for individual rules: New page that shows how to create exception items that you can add to a default exception list
  • Create exception container | Request body: Added the rule_default value to the type parameter description. Users would enter this value if they wanted the exception container to hold single-rule exception lists (i.e., the default exception list for a rule).
  • Create exceptions used by multiple rules: Made several changes:
    • Updated the title and intro para to show that this endpoint should be used to create exception items that are shared between multiple rules.
    • Added a note to the intro that allows users to find docs for creating single-rule exception items and exception items created from lists.
    • Fixed or refreshed docs for the following request params: comments, namespace_type, os_types, tags, and list

github-actions bot commented Oct 9, 2023

Documentation previews:

nastasha-solomon (Contributor, Author) commented Apr 3, 2024

Hey, @yctercero! These docs are ready for your review when you have a chance. As you're reviewing the docs, there are questions for you here about finding rule IDs and here about an example request. I was also hoping you could tell me whether the following endpoints could also be used to manage exception items added to rule default lists:

If they can, I might need to tweak their intros, plus the descriptions for the detections and exception APIs here.

@nastasha-solomon nastasha-solomon marked this pull request as ready for review April 3, 2024 21:33
@nastasha-solomon nastasha-solomon requested a review from a team as a code owner April 3, 2024 21:33
* `process.entity_id`
* `process.parent.entity_id`
* `process.ancestry`
** `file.Ext.quarantine_path`
Review comment (Contributor) on the lines above:

@caitlinbetz is this still accurate? I know we opened endpoint exceptions up to have less field restrictions, not sure if these still hold.

docs/siem-apis.asciidoc: outdated review comment (resolved)
@benironside benironside force-pushed the issue-3491-exception-item-list branch from 7d01e2c to bf3a09f Compare November 19, 2024 19:11
yctercero previously approved these changes Jan 13, 2025

yctercero (Contributor) left a comment:

Thanks so much for these updates - this is great. Left a super minor comment.

benironside (Contributor) left a comment:

Great work on the new pages. I left a few comments, hope they're helpful. Let me know if you'd like me to take another look.

nastasha-solomon and others added 6 commits January 14, 2025 09:22
…ion-list.asciidoc

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
…ion-list.asciidoc

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
…on-item.asciidoc

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
yctercero previously approved these changes Jan 14, 2025
Development: successfully merging this pull request may close these issues:

[Detection Engine][Exceptions] - Document exception item list types API side

4 participants