diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml
index 739386d637abd..b4b5e858672dd 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/alert_assignees/set_alert_assignees_route.schema.yaml
@@ -4,12 +4,15 @@ info:
 version: '2023-10-31'
 paths:
 /api/detection_engine/signals/assignees:
- summary: Assigns users to alerts
 post:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: SetAlertAssignees
- description: Assigns users to alerts.
+ summary: Assign and unassign users from detection alerts
+ description: |
+ Assign users to detection alerts, and unassign them from alerts.
+ > info
+ > You cannot add and remove the same assignee in the same request.
 requestBody:
 required: true
 content:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/alert_tags/set_alert_tags/set_alert_tags.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/alert_tags/set_alert_tags/set_alert_tags.schema.yaml
index ca2c93b88b25e..97833e368ab16 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/alert_tags/set_alert_tags/set_alert_tags.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/alert_tags/set_alert_tags/set_alert_tags.schema.yaml
@@ -8,7 +8,11 @@ paths:
 x-labels: [serverless, ess]
 operationId: ManageAlertTags
 x-codegen-enabled: true
- summary: Manage alert tags for a one or more alerts
+ summary: Add and remove detection alert tags
+ description: |
+ And tags to detection alerts, and remove them from alerts.
+ > info
+ > You cannot add and remove the same alert tag in the same request.
 tags:
 - Alerts API
 requestBody:
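Review bot: The new description of ManageAlertTags in the set_alert_tags hunk opens with a typo, `And tags to detection alerts, and remove them from alerts.`, which will be published verbatim in the generated API reference. It should read `Add tags to detection alerts, and remove them from alerts.`, matching the summary line added just above it. The requestBody that follows is outside the hunk.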
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.gen.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.gen.ts
index d9bed47ea7766..234b90373f5b5 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.gen.ts
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.gen.ts
@@ -36,7 +36,7 @@ export const OsqueryQuery = z.object({
 */
 id: z.string(),
 /**
- * Query to execute
+ * Query to run
 */
 query: z.string(),
 ecs_mapping: EcsMapping.optional(),
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.schema.yaml
index 751a1efee8fa8..3666b9e4e063b 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_response_actions/response_actions.schema.yaml
@@ -34,7 +34,7 @@ components:
 description: Query ID
 query:
 type: string
- description: Query to execute
+ description: Query to run
 ecs_mapping:
 $ref: '#/components/schemas/EcsMapping'
 version:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts
index dadb6bfa4165d..1573d58965db6 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts
@@ -99,7 +99,7 @@ export type RuleInterval = z.infer;
 export const RuleInterval = z.string();
 
 /**
- * Time from which data is analyzed each time the rule executes, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
+ * Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
 */
 export type RuleIntervalFrom = z.infer;
 export const RuleIntervalFrom = z.string().superRefine(isValidDateMath);
@@ -454,7 +454,7 @@ export const InvestigationFields = z.object({
 });
 
 /**
- * Defines the interval on which a rule's actions are executed.
+ * Defines how often rule actions are taken.
 */
 export type RuleActionThrottle = z.infer;
 export const RuleActionThrottle = z.union([
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml
index b2d72a561e46c..795ed2d22da17 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml
@@ -92,7 +92,7 @@ components:
 
 RuleIntervalFrom:
 type: string
- description: Time from which data is analyzed each time the rule executes, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
+ description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
 format: date-math
 
 RuleIntervalTo:
@@ -470,7 +470,7 @@ components:
 - field_names
 
 RuleActionThrottle:
- description: Defines the interval on which a rule's actions are executed.
+ description: Defines how often rule actions are taken.
 oneOf:
 - type: string
 enum:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/specific_attributes/threat_match_attributes.gen.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/specific_attributes/threat_match_attributes.gen.ts
index c58382964eae9..32d0c6e2e68b4 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/specific_attributes/threat_match_attributes.gen.ts
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/specific_attributes/threat_match_attributes.gen.ts
@@ -19,7 +19,7 @@ import { z } from 'zod';
 import { NonEmptyString } from '../../../../model/primitives.gen';
 
 /**
- * Query to execute
+ * Query to run
 */
 export type ThreatQuery = z.infer;
 export const ThreatQuery = z.string();
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/specific_attributes/threat_match_attributes.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/specific_attributes/threat_match_attributes.schema.yaml
index de43ecfeb073d..6b9f8805d5782 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/specific_attributes/threat_match_attributes.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/specific_attributes/threat_match_attributes.schema.yaml
@@ -8,7 +8,7 @@ components:
 schemas:
 ThreatQuery:
 type: string
- description: Query to execute
+ description: Query to run
 
 ThreatMapping:
 type: array
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.schema.yaml
index 92b82e9d1e849..bc44026806f6f 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.schema.yaml
@@ -8,7 +8,8 @@ paths:
 x-labels: [ess]
 x-codegen-enabled: true
 operationId: GetPrebuiltRulesAndTimelinesStatus
- summary: Get the status of Elastic prebuilt rules
+ summary: Retrieve the status of prebuilt detection rules and Timelines
+ description: Retrieve the status of all Elastic prebuilt detection rules and Timelines.
 tags:
 - Prebuilt Rules API
 responses:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.schema.yaml
index ab27c71c4ef33..171070aa5e2d9 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.schema.yaml
@@ -8,7 +8,8 @@ paths:
 x-labels: [ess]
 x-codegen-enabled: true
 operationId: InstallPrebuiltRulesAndTimelines
- summary: Installs all Elastic prebuilt rules and timelines
+ summary: Install prebuilt detection rules and Timelines
+ description: Install and update all Elastic prebuilt detection rules and Timelines.
 tags:
 - Prebuilt Rules API
 responses:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts
index b9750fd7eb06d..ff503d0b0d4e7 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts
@@ -241,7 +241,7 @@ export const BulkActionEditPayloadSchedule = z.object({
 type: z.literal('set_schedule'),
 value: z.object({
 /**
- * Interval in which the rule is executed
+ * Interval in which the rule runs. For example, `"1h"` means the rule runs every hour.
 */
 interval: z.string().regex(/^[1-9]\d*[smh]$/),
 /**
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml
index 184f4ec9825b6..2df8c770546e8 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml
@@ -8,8 +8,8 @@ paths:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: PerformBulkAction
- summary: Applies a bulk action to multiple rules
- description: The bulk action is applied to all rules that match the filter or to the list of rules by their IDs.
+ summary: Apply a bulk action to detection rules
+ description: Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
 tags:
 - Bulk API
 parameters:
@@ -366,7 +366,7 @@ components:
 properties:
 interval:
 type: string
- description: Interval in which the rule is executed
+ description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour.
 pattern: '^[1-9]\d*[smh]$' # any number except zero followed by one of the suffixes 's', 'm', 'h'
 example: '1h'
 lookback:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_create_rules/bulk_create_rules_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_create_rules/bulk_create_rules_route.schema.yaml
index 127ad9784988d..8b024946bc220 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_create_rules/bulk_create_rules_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_create_rules/bulk_create_rules_route.schema.yaml
@@ -9,7 +9,8 @@ paths:
 x-codegen-enabled: true
 operationId: BulkCreateRules
 deprecated: true
- description: Creates new detection rules in bulk.
+ summary: Create multiple detection rules
+ description: Create new detection rules in bulk.
 tags:
 - Bulk API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml
index fd441941d52e7..2a7ac4cf1d1e1 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml
@@ -9,7 +9,8 @@ paths:
 x-codegen-enabled: true
 operationId: BulkDeleteRules
 deprecated: true
- description: Deletes multiple rules.
+ summary: Delete multiple detection rules
+ description: Delete detection rules in bulk.
 tags:
 - Bulk API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_patch_rules/bulk_patch_rules_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_patch_rules/bulk_patch_rules_route.schema.yaml
index 65bd0e1a4ac36..8c414965385f4 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_patch_rules/bulk_patch_rules_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_patch_rules/bulk_patch_rules_route.schema.yaml
@@ -7,9 +7,10 @@ paths:
 patch:
 x-labels: [ess]
 x-codegen-enabled: true
+ summary: Patch multiple detection rules
 operationId: BulkPatchRules
 deprecated: true
- description: Updates multiple rules using the `PATCH` method.
+ description: Update specific fields of existing detection rules using the `rule_id` or `id` field.
 tags:
 - Bulk API
 requestBody:
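Review bot: In the bulk_patch_rules hunk the added `summary: Patch multiple detection rules` is placed between `x-codegen-enabled` and `operationId`, whereas every other route touched by this change puts `summary` immediately before `description`, after `operationId`/`deprecated`. The YAML is valid either way, but a uniform key order makes these near-identical route files easier to diff and review. Moving the line down to sit directly above `description:`, as in the bulk_delete_rules hunk just above, keeps the convention.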
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_update_rules/bulk_update_rules_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_update_rules/bulk_update_rules_route.schema.yaml
index 37241035439d3..841abbaea8fcd 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_update_rules/bulk_update_rules_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_update_rules/bulk_update_rules_route.schema.yaml
@@ -9,7 +9,11 @@ paths:
 x-codegen-enabled: true
 operationId: BulkUpdateRules
 deprecated: true
- description: Updates multiple rules using the `PUT` method.
+ summary: Update multiple detection rules
+ description: |
+ Update multiple detection rules using the `rule_id` or `id` field. The original rules are replaced, and all unspecified fields are deleted.
+ > info
+ > You cannot modify the `id` or `rule_id` values.
 tags:
 - Bulk API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/create_rule/create_rule_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/create_rule/create_rule_route.schema.yaml
index a5071837af2cf..d3e3dca94d004 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/create_rule/create_rule_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/create_rule/create_rule_route.schema.yaml
@@ -8,7 +8,8 @@ paths:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: CreateRule
- description: Create a single detection rule
+ summary: Create a detection rule
+ description: Create a new detection rule.
 tags:
 - Rules API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/delete_rule/delete_rule_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/delete_rule/delete_rule_route.schema.yaml
index b6ef8a444eb55..78d34bc2c5699 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/delete_rule/delete_rule_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/delete_rule/delete_rule_route.schema.yaml
@@ -8,7 +8,8 @@ paths:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: DeleteRule
- description: Deletes a single rule using the `rule_id` or `id` field.
+ summary: Delete a detection rule
+ description: Delete a detection rule using the `rule_id` or `id` field.
 tags:
 - Rules API
 parameters:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/patch_rule/patch_rule_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/patch_rule/patch_rule_route.schema.yaml
index aec02102bcca4..1ef40635f3305 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/patch_rule/patch_rule_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/patch_rule/patch_rule_route.schema.yaml
@@ -8,7 +8,8 @@ paths:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: PatchRule
- description: Patch a single rule
+ summary: Patch a detection rule
+ description: Update specific fields of an existing detection rule using the `rule_id` or `id` field.
 tags:
 - Rules API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/read_rule/read_rule_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/read_rule/read_rule_route.schema.yaml
index 817579eb8c27e..b22de6af6a9b8 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/read_rule/read_rule_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/read_rule/read_rule_route.schema.yaml
@@ -8,7 +8,8 @@ paths:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: ReadRule
- description: Read a single rule
+ summary: Retrieve a detection rule
+ description: Retrieve a detection rule using the `rule_id` or `id` field.
 tags:
 - Rules API
 parameters:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/update_rule/update_rule_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/update_rule/update_rule_route.schema.yaml
index de82265ca3379..4450b0ec1f7dc 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/update_rule/update_rule_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/crud/update_rule/update_rule_route.schema.yaml
@@ -8,7 +8,11 @@ paths:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: UpdateRule
- description: Update a single rule
+ summary: Update a detection rule
+ description: |
+ Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted.
+ > info
+ > You cannot modify the `id` or `rule_id` values.
 tags:
 - Rules API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/export_rules/export_rules_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/export_rules/export_rules_route.schema.yaml index 0a88075abb158..cae20f30e2c73 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/export_rules/export_rules_route.schema.yaml +++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/export_rules/export_rules_route.schema.yaml @@ -4,13 +4,17 @@ info: version: '2023-10-31' paths: /api/detection_engine/rules/_export: - summary: Exports rules to an `.ndjson` file post: x-labels: [ess, serverless] x-codegen-enabled: true operationId: ExportRules - summary: Export rules - description: Exports rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file - Actions, Exception lists. Prebuilt rules cannot be exported. + summary: Export detection rules + description: | + Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: + - Actions + - Exception lists + > info + > You cannot export prebuilt rules. tags: - Import/Export API parameters: diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.schema.yaml index 4f27662e37bfd..3be5404bae74f 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.schema.yaml +++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/find_rules/find_rules_route.schema.yaml 
@@ -8,7 +8,8 @@ paths:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: FindRules
- description: Finds rules that match the given query.
+ summary: List all detection rules
+ description: Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.
 tags:
 - Rules API
 parameters:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/import_rules_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/import_rules_route.schema.yaml
index 9056fcea04bca..5d0b0c9d857bd 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/import_rules_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/import_rules_route.schema.yaml
@@ -4,13 +4,15 @@ info:
 version: '2023-10-31'
 paths:
 /api/detection_engine/rules/_import:
- summary: Imports rules from an `.ndjson` file
 post:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: ImportRules
- summary: Import rules
- description: Imports rules from an `.ndjson` file, including actions and exception lists.
+ summary: Import detection rules
+ description: |
+ Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include:
+ - The `Content-Type: multipart/form-data` HTTP header.
+ - A link to the `.ndjson` file containing the rules.
 tags:
 - Import/Export API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/read_tags/read_tags_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/read_tags/read_tags_route.schema.yaml
index 0a9d622dd2d4a..84ebd06052054 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/read_tags/read_tags_route.schema.yaml
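Review bot: The new FindRules description hard-codes pagination defaults (`the first page is returned, with 20 results per page`) that nothing in this hunk establishes; the `parameters:` section that presumably declares `page`/`per_page` and their defaults begins after the hunk ends. Prose defaults that live apart from the schema drift silently when the schema changes, so either confirm the values against those parameter definitions or point at them instead, e.g. `Retrieve a paginated list of detection rules. Use the page and per_page parameters to control pagination; their defaults are documented below.`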
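Review bot: The second bullet of the new ImportRules description, `A link to the `.ndjson` file containing the rules.`, misdescribes the request: the first bullet already says the body is `multipart/form-data`, so the file content is uploaded as a form part, not referenced by a link, and a caller who follows the text literally would send a URL and get a validation error. Suggest `- The `.ndjson` file containing the rules, uploaded as a multipart form-data part.`, naming the part field if the requestBody schema (outside this hunk) declares one. Stating that the endpoint reads file content, not a remote location, also matters for reviewers assessing whether it fetches anything on the caller's behalf.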
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/read_tags/read_tags_route.schema.yaml
@@ -4,12 +4,12 @@ info:
 version: '2023-10-31'
 paths:
 /api/detection_engine/tags:
- summary: Aggregates and returns rule tags
 get:
 x-labels: [ess, serverless]
 x-codegen-enabled: true
 operationId: ReadTags
- summary: Aggregates and returns all unique tags from all rules
+ summary: List all detection rule tags
+ description: List all unique tags from all detection rules.
 tags:
 - Tags API
 responses:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/signals/query_signals/query_signals_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/signals/query_signals/query_signals_route.schema.yaml
index cd70e4b0c4071..00061cf50c60d 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/signals/query_signals/query_signals_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/signals/query_signals/query_signals_route.schema.yaml
@@ -8,7 +8,8 @@ paths:
 x-labels: [serverless, ess]
 operationId: SearchAlerts
 x-codegen-enabled: true
- summary: Find and/or aggregate detection alerts that match the given query
+ summary: Find and/or aggregate detection alerts
+ description: Find and/or aggregate detection alerts that match the given query.
 tags:
 - Alerts API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/signals/set_signal_status/set_signals_status_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/signals/set_signal_status/set_signals_status_route.schema.yaml
index 29ee065c77e6b..fe514c4dafe2e 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/signals/set_signal_status/set_signals_status_route.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/signals/set_signal_status/set_signals_status_route.schema.yaml
@@ -8,7 +8,8 @@ paths:
 x-labels: [serverless, ess]
 operationId: SetAlertsStatus
 x-codegen-enabled: true
- summary: Sets the status of one or more alerts
+ summary: Set a detection alert status
+ description: Set the status of one or more detection alerts.
 tags:
 - Alerts API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/create_signals_migration/create_signals_migration.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/create_signals_migration/create_signals_migration.schema.yaml
index 26204ea0d6195..52178537d6363 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/create_signals_migration/create_signals_migration.schema.yaml
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/create_signals_migration/create_signals_migration.schema.yaml
@@ -8,7 +8,10 @@ paths:
 x-labels: [ess]
 operationId: CreateAlertsMigration
 x-codegen-enabled: true
- summary: Initiates an alerts migration
+ summary: Initiate a detection alert migration
+ description: |
+ Initiate a migration of detection alerts.
+ Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly.
 tags:
 - Alerts migration API
 requestBody:
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/delete_signals_migration/delete_signals_migration.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/delete_signals_migration/delete_signals_migration.schema.yaml
index 7b8136f3702cf..8aa36d8496d09 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/delete_signals_migration/delete_signals_migration.schema.yaml
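Review bot: The added CreateAlertsMigration description has a broken correlative, `While the process is neither destructive nor interferes with existing data` — `neither … nor` needs two parallel phrases, and as written it reads as `neither interferes`. Suggest `While the process is not destructive and does not interfere with existing data, it may be resource-intensive, so plan your migrations accordingly.` Since the text sits inside a `|` literal block, it will be rendered exactly as written, so the fix has to be made on that line itself.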
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/delete_signals_migration/delete_signals_migration.schema.yaml @@ -8,11 +8,13 @@ paths: x-labels: [ess] operationId: AlertsMigrationCleanup x-codegen-enabled: true - summary: Performs alerts migration(s) cleanup + summary: Clean up detection alert migrations description: | Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. - As such, the old, orphaned index can (and likely should) be deleted. While you can delete these indices manually, + As such, the old, orphaned index can (and likely should) be deleted. + + While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation. tags: diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/finalize_signals_migration/finalize_signals_migration.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/finalize_signals_migration/finalize_signals_migration.schema.yaml index 3654973f9de7e..d36df73832530 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/finalize_signals_migration/finalize_signals_migration.schema.yaml +++ b/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/finalize_signals_migration/finalize_signals_migration.schema.yaml 
@@ -8,9 +8,9 @@ paths: x-labels: [ess] operationId: FinalizeAlertsMigration x-codegen-enabled: true - summary: Finalizes alerts migration(s) + summary: Finalize detection alert migrations description: | - The finalization endpoint replaces the original index's alias with the successfully migrated index's alias. + Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, finalize it. tags: diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/get_signals_migration_status/get_signals_migration_status.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/get_signals_migration_status/get_signals_migration_status.schema.yaml index b480b4374498b..64eafd09f65d7 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/get_signals_migration_status/get_signals_migration_status.schema.yaml +++ b/x-pack/plugins/security_solution/common/api/detection_engine/signals_migration/get_signals_migration_status/get_signals_migration_status.schema.yaml @@ -8,7 +8,8 @@ paths: x-labels: [ess] operationId: GetAlertsMigrationStatus x-codegen-enabled: true - summary: Returns an alerts migration status + summary: Retrieve the status of detection alert migrations + description: Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. tags: - Alerts migration API parameters: diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 2a239497d896e..9a6ff48ba394e 100644 
--- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml
+++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml
@@ -184,7 +184,7 @@ paths:
 - Privileges API
 /api/detection_engine/rules:
 delete:
- description: Deletes a single rule using the `rule_id` or `id` field.
+ description: Delete a detection rule using the `rule_id` or `id` field.
 operationId: DeleteRule
 parameters:
 - description: The rule's `id` value.
@@ -206,10 +206,11 @@ paths:
 schema:
 $ref: '#/components/schemas/RuleResponse'
 description: Indicates a successful call.
+ summary: Delete a detection rule
 tags:
 - Rules API
 get:
- description: Read a single rule
+ description: Retrieve a detection rule using the `rule_id` or `id` field.
 operationId: ReadRule
 parameters:
 - description: The rule's `id` value.
@@ -231,10 +232,13 @@ paths:
 schema:
 $ref: '#/components/schemas/RuleResponse'
 description: Indicates a successful call.
+ summary: Retrieve a detection rule
 tags:
 - Rules API
 patch:
- description: Patch a single rule
+ description: >-
+ Update specific fields of an existing detection rule using the `rule_id`
+ or `id` field.
 operationId: PatchRule
 requestBody:
 content:
@@ -249,10 +253,11 @@ paths:
 schema:
 $ref: '#/components/schemas/RuleResponse'
 description: Indicates a successful call.
+ summary: Patch a detection rule
 tags:
 - Rules API
 post:
- description: Create a single detection rule
+ description: Create a new detection rule.
 operationId: CreateRule
 requestBody:
 content:
@@ -267,10 +272,17 @@ paths: schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. + summary: Create a detection rule tags: - Rules API put: - description: Update a single rule + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. operationId: UpdateRule requestBody: content: @@ -285,13 +297,15 @@ paths: schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. + summary: Update a detection rule tags: - Rules API /api/detection_engine/rules/_bulk_action: post: description: >- - The bulk action is applied to all rules that match the filter or to the - list of rules by their IDs. + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. operationId: PerformBulkAction parameters: - description: Enables dry run mode for the request call. @@ -321,13 +335,13 @@ paths: - $ref: '#/components/schemas/BulkEditActionResponse' - $ref: '#/components/schemas/BulkExportActionResponse' description: OK - summary: Applies a bulk action to multiple rules + summary: Apply a bulk action to detection rules tags: - Bulk API /api/detection_engine/rules/_bulk_create: post: deprecated: true - description: Creates new detection rules in bulk. + description: Create new detection rules in bulk. operationId: BulkCreateRules requestBody: content: 
@@ -345,12 +359,13 @@ paths: schema: $ref: '#/components/schemas/BulkCrudRulesResponse' description: Indicates a successful call. + summary: Create multiple detection rules tags: - Bulk API /api/detection_engine/rules/_bulk_delete: delete: deprecated: true - description: Deletes multiple rules. + description: Delete detection rules in bulk. operationId: BulkDeleteRules requestBody: content: @@ -395,6 +410,7 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response + summary: Delete multiple detection rules tags: - Bulk API post: @@ -449,7 +465,9 @@ paths: /api/detection_engine/rules/_bulk_update: patch: deprecated: true - description: Updates multiple rules using the `PATCH` method. + description: >- + Update specific fields of existing detection rules using the `rule_id` + or `id` field. operationId: BulkPatchRules requestBody: content: @@ -467,11 +485,18 @@ paths: schema: $ref: '#/components/schemas/BulkCrudRulesResponse' description: Indicates a successful call. + summary: Patch multiple detection rules tags: - Bulk API put: deprecated: true - description: Updates multiple rules using the `PUT` method. + description: > + Update multiple detection rules using the `rule_id` or `id` field. The + original rules are replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. operationId: BulkUpdateRules requestBody: content: 
@@ -491,14 +516,22 @@ paths: schema: $ref: '#/components/schemas/BulkCrudRulesResponse' description: Indicates a successful call. + summary: Update multiple detection rules tags: - Bulk API /api/detection_engine/rules/_export: post: - description: >- - Exports rules to an `.ndjson` file. The following configuration items - are also included in the `.ndjson` file - Actions, Exception lists. - Prebuilt rules cannot be exported. + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > You cannot export prebuilt rules. operationId: ExportRules parameters: - description: Determines whether a summary of the exported rules is returned. @@ -546,13 +579,14 @@ paths: format: binary type: string description: Indicates a successful call. - summary: Export rules + summary: Export detection rules tags: - Import/Export API - summary: Exports rules to an `.ndjson` file /api/detection_engine/rules/_find: get: - description: Finds rules that match the given query. + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. operationId: FindRules parameters: - in: query @@ -619,13 +653,18 @@ paths: - total - data description: Successful response + summary: List all detection rules tags: - Rules API /api/detection_engine/rules/_import: post: - description: >- - Imports rules from an `.ndjson` file, including actions and exception - lists. + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. operationId: ImportRules parameters: - description: >- 
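Review bot: The second bullet of the new `ImportRules` description, `- A link to the .ndjson file containing the rules.`, reads as if the request carries a URL, while the bullet just above it requires `Content-Type: multipart/form-data`, which indicates the file itself is uploaded in the request body; if that is how the route works, the bullet should say something like `- The .ndjson file containing the rules, uploaded as a multipart form field.` The same wording is repeated in the serverless bundle and in the generated `importRules` JSDoc of security_solution_api.gen.ts further down, and all three files are generated output, so the correction belongs in the source schema for the import route followed by regeneration rather than in these files directly.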
@@ -728,12 +767,12 @@ paths: - action_connectors_success - action_connectors_success_count description: Indicates a successful call. - summary: Import rules + summary: Import detection rules tags: - Import/Export API - summary: Imports rules from an `.ndjson` file /api/detection_engine/rules/prepackaged: put: + description: Install and update all Elastic prebuilt detection rules and Timelines. operationId: InstallPrebuiltRulesAndTimelines responses: '200': @@ -765,11 +804,14 @@ paths: - timelines_installed - timelines_updated description: Indicates a successful call - summary: Installs all Elastic prebuilt rules and timelines + summary: Install prebuilt detection rules and Timelines tags: - Prebuilt Rules API /api/detection_engine/rules/prepackaged/_status: get: + description: >- + Retrieve the status of all Elastic prebuilt detection rules and + Timelines. operationId: GetPrebuiltRulesAndTimelinesStatus responses: '200': @@ -820,7 +862,7 @@ paths: - timelines_not_installed - timelines_not_updated description: Indicates a successful call - summary: Get the status of Elastic prebuilt rules + summary: Retrieve the status of prebuilt detection rules and Timelines tags: - Prebuilt Rules API /api/detection_engine/rules/preview: @@ -904,7 +946,10 @@ paths: - Rule preview API /api/detection_engine/signals/assignees: post: - description: Assigns users to alerts. + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. operationId: SetAlertAssignees requestBody: content: 
@@ -927,12 +972,12 @@ paths: description: Indicates a successful call. '400': description: Invalid request. - summary: Assigns users to alerts + summary: Assign and unassign users from detection alerts /api/detection_engine/signals/finalize_migration: post: description: > - The finalization endpoint replaces the original index's alias with the - successfully migrated index's alias. + Finalize successful migrations of detection alerts. This replaces the + original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, @@ -983,7 +1028,7 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Finalizes alerts migration(s) + summary: Finalize detection alert migrations tags: - Alerts migration API /api/detection_engine/signals/migration: @@ -996,6 +1041,8 @@ paths: old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted. + + While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the @@ -1048,10 +1095,17 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Performs alerts migration(s) cleanup + summary: Clean up detection alert migrations tags: - Alerts migration API post: + description: > + Initiate a migration of detection alerts. + + Migrations are initiated per index. While the process is neither + destructive nor interferes with existing data, it may be + resource-intensive. As such, it is recommended that you plan your + migrations accordingly. operationId: CreateAlertsMigration requestBody: content: 
@@ -1107,11 +1161,14 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Initiates an alerts migration + summary: Initiate a detection alert migration tags: - Alerts migration API /api/detection_engine/signals/migration_status: post: + description: >- + Retrieve indices that contain detection alerts of a particular age, + along with migration information for each of those indices. operationId: GetAlertsMigrationStatus parameters: - description: Maximum age of qualifying detection alerts @@ -1161,11 +1218,12 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Returns an alerts migration status + summary: Retrieve the status of detection alert migrations tags: - Alerts migration API /api/detection_engine/signals/search: post: + description: Find and/or aggregate detection alerts that match the given query. operationId: SearchAlerts requestBody: content: @@ -1232,11 +1290,12 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Find and/or aggregate detection alerts that match the given query + summary: Find and/or aggregate detection alerts tags: - Alerts API /api/detection_engine/signals/status: post: + description: Set the status of one or more detection alerts. operationId: SetAlertsStatus requestBody: content: @@ -1278,11 +1337,15 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Sets the status of one or more alerts + summary: Set a detection alert status tags: - Alerts API /api/detection_engine/signals/tags: post: + description: | + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. operationId: ManageAlertTags requestBody: content: 
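Review bot: The new description for `/api/detection_engine/signals/tags` opens with a typo, `And tags to detection alerts, and remove them from alerts.`; it should read `Add tags to detection alerts, and remove them from alerts.` so the sentence describes both halves of the operation. The identical sentence is repeated in the serverless bundle and in the `manageAlertTags` JSDoc of security_solution_api.gen.ts, and since all three are generated, the fix belongs in the alert-tags source schema with the bundles and the generated client regenerated afterwards.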
@@ -1330,11 +1393,12 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Manage alert tags for a one or more alerts + summary: Add and remove detection alert tags tags: - Alerts API /api/detection_engine/tags: get: + description: List all unique tags from all detection rules. operationId: ReadTags responses: '200': @@ -1343,10 +1407,9 @@ paths: schema: $ref: '#/components/schemas/RuleTagArray' description: Indicates a successful call - summary: Aggregates and returns all unique tags from all rules + summary: List all detection rule tags tags: - Tags API - summary: Aggregates and returns rule tags components: schemas: AlertAssignees: @@ -1581,7 +1644,9 @@ components: type: object properties: interval: - description: Interval in which the rule is executed + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. example: 1h pattern: '^[1-9]\d*[smh]$' type: string @@ -4086,7 +4151,7 @@ components: platform: type: string query: - description: Query to execute + description: Query to run type: string removed: type: boolean @@ -4886,7 +4951,7 @@ components: to the connector type. type: object RuleActionThrottle: - description: Defines the interval on which a rule's actions are executed. + description: Defines how often rule actions are taken. oneOf: - enum: - no_actions 
@@ -5048,10 +5113,10 @@ components: type: string RuleIntervalFrom: description: >- - Time from which data is analyzed each time the rule executes, using a - date math range. For example, now-4200s means the rule analyzes data - from 70 minutes before its start time. Defaults to now-6m (analyzes data - from 6 minutes before the start time). + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). format: date-math type: string RuleIntervalTo: @@ -6255,7 +6320,7 @@ components: - severity - $ref: '#/components/schemas/ThreatMatchRuleCreateFields' ThreatQuery: - description: Query to execute + description: Query to run type: string ThreatSubtechnique: type: object diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index e39ba6065675a..b19ec98384303 100644 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -58,7 +58,7 @@ paths: - Privileges API /api/detection_engine/rules: delete: - description: Deletes a single rule using the `rule_id` or `id` field. + description: Delete a detection rule using the `rule_id` or `id` field. operationId: DeleteRule parameters: - description: The rule's `id` value. 
@@ -80,10 +80,11 @@ paths: schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. + summary: Delete a detection rule tags: - Rules API get: - description: Read a single rule + description: Retrieve a detection rule using the `rule_id` or `id` field. operationId: ReadRule parameters: - description: The rule's `id` value. @@ -105,10 +106,13 @@ paths: schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. + summary: Retrieve a detection rule tags: - Rules API patch: - description: Patch a single rule + description: >- + Update specific fields of an existing detection rule using the `rule_id` + or `id` field. operationId: PatchRule requestBody: content: @@ -123,10 +127,11 @@ paths: schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. + summary: Patch a detection rule tags: - Rules API post: - description: Create a single detection rule + description: Create a new detection rule. operationId: CreateRule requestBody: content: @@ -141,10 +146,17 @@ paths: schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. + summary: Create a detection rule tags: - Rules API put: - description: Update a single rule + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. operationId: UpdateRule requestBody: content: 
@@ -159,13 +171,15 @@ paths: schema: $ref: '#/components/schemas/RuleResponse' description: Indicates a successful call. + summary: Update a detection rule tags: - Rules API /api/detection_engine/rules/_bulk_action: post: description: >- - The bulk action is applied to all rules that match the filter or to the - list of rules by their IDs. + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. operationId: PerformBulkAction parameters: - description: Enables dry run mode for the request call. @@ -195,15 +209,22 @@ paths: - $ref: '#/components/schemas/BulkEditActionResponse' - $ref: '#/components/schemas/BulkExportActionResponse' description: OK - summary: Applies a bulk action to multiple rules + summary: Apply a bulk action to detection rules tags: - Bulk API /api/detection_engine/rules/_export: post: - description: >- - Exports rules to an `.ndjson` file. The following configuration items - are also included in the `.ndjson` file - Actions, Exception lists. - Prebuilt rules cannot be exported. + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > You cannot export prebuilt rules. operationId: ExportRules parameters: - description: Determines whether a summary of the exported rules is returned. @@ -251,13 +272,14 @@ paths: format: binary type: string description: Indicates a successful call. - summary: Export rules + summary: Export detection rules tags: - Import/Export API - summary: Exports rules to an `.ndjson` file /api/detection_engine/rules/_find: get: - description: Finds rules that match the given query. + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. operationId: FindRules parameters: - in: query 
@@ -324,13 +346,18 @@ paths: - total - data description: Successful response + summary: List all detection rules tags: - Rules API /api/detection_engine/rules/_import: post: - description: >- - Imports rules from an `.ndjson` file, including actions and exception - lists. + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. operationId: ImportRules parameters: - description: >- @@ -433,10 +460,9 @@ paths: - action_connectors_success - action_connectors_success_count description: Indicates a successful call. - summary: Import rules + summary: Import detection rules tags: - Import/Export API - summary: Imports rules from an `.ndjson` file /api/detection_engine/rules/preview: post: operationId: RulePreview @@ -518,7 +544,10 @@ paths: - Rule preview API /api/detection_engine/signals/assignees: post: - description: Assigns users to alerts. + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. operationId: SetAlertAssignees requestBody: content: @@ -541,9 +570,10 @@ paths: description: Indicates a successful call. '400': description: Invalid request. - summary: Assigns users to alerts + summary: Assign and unassign users from detection alerts /api/detection_engine/signals/search: post: + description: Find and/or aggregate detection alerts that match the given query. operationId: SearchAlerts requestBody: content: 
@@ -610,11 +640,12 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Find and/or aggregate detection alerts that match the given query + summary: Find and/or aggregate detection alerts tags: - Alerts API /api/detection_engine/signals/status: post: + description: Set the status of one or more detection alerts. operationId: SetAlertsStatus requestBody: content: @@ -656,11 +687,15 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Sets the status of one or more alerts + summary: Set a detection alert status tags: - Alerts API /api/detection_engine/signals/tags: post: + description: | + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. operationId: ManageAlertTags requestBody: content: @@ -708,11 +743,12 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response - summary: Manage alert tags for a one or more alerts + summary: Add and remove detection alert tags tags: - Alerts API /api/detection_engine/tags: get: + description: List all unique tags from all detection rules. operationId: ReadTags responses: '200': @@ -721,10 +757,9 @@ paths: schema: $ref: '#/components/schemas/RuleTagArray' description: Indicates a successful call - summary: Aggregates and returns all unique tags from all rules + summary: List all detection rule tags tags: - Tags API - summary: Aggregates and returns rule tags components: schemas: AlertAssignees: @@ -906,7 +941,9 @@ components: type: object properties: interval: - description: Interval in which the rule is executed + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. example: 1h pattern: '^[1-9]\d*[smh]$' type: string 
@@ -3284,7 +3321,7 @@ components: platform: type: string query: - description: Query to execute + description: Query to run type: string removed: type: boolean @@ -4084,7 +4121,7 @@ components: to the connector type. type: object RuleActionThrottle: - description: Defines the interval on which a rule's actions are executed. + description: Defines how often rule actions are taken. oneOf: - enum: - no_actions @@ -4246,10 +4283,10 @@ components: type: string RuleIntervalFrom: description: >- - Time from which data is analyzed each time the rule executes, using a - date math range. For example, now-4200s means the rule analyzes data - from 70 minutes before its start time. Defaults to now-6m (analyzes data - from 6 minutes before the start time). + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). format: date-math type: string RuleIntervalTo: @@ -5446,7 +5483,7 @@ components: - severity - $ref: '#/components/schemas/ThreatMatchRuleCreateFields' ThreatQuery: - description: Query to execute + description: Query to run type: string ThreatSubtechnique: type: object diff --git a/x-pack/test/api_integration/services/security_solution_api.gen.ts b/x-pack/test/api_integration/services/security_solution_api.gen.ts index bc080f46906e9..f5089b489a617 100644 --- a/x-pack/test/api_integration/services/security_solution_api.gen.ts +++ b/x-pack/test/api_integration/services/security_solution_api.gen.ts 
@@ -80,7 +80,9 @@ export function SecuritySolutionApiProvider({ getService }: FtrProviderContext) /** * Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. -As such, the old, orphaned index can (and likely should) be deleted. While you can delete these indices manually, +As such, the old, orphaned index can (and likely should) be deleted. + +While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation. @@ -94,7 +96,7 @@ after 30 days. It also deletes other artifacts specific to the migration impleme .send(props.body as object); }, /** - * Creates new detection rules in bulk. + * Create new detection rules in bulk. */ bulkCreateRules(props: BulkCreateRulesProps) { return supertest @@ -105,7 +107,7 @@ after 30 days. It also deletes other artifacts specific to the migration impleme .send(props.body as object); }, /** - * Deletes multiple rules. + * Delete detection rules in bulk. */ bulkDeleteRules(props: BulkDeleteRulesProps) { return supertest @@ -127,7 +129,7 @@ after 30 days. It also deletes other artifacts specific to the migration impleme .send(props.body as object); }, /** - * Updates multiple rules using the `PATCH` method. + * Update specific fields of existing detection rules using the `rule_id` or `id` field. */ bulkPatchRules(props: BulkPatchRulesProps) { return supertest 
@@ -138,8 +140,11 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
 .send(props.body as object);
 },
 /**
- * Updates multiple rules using the `PUT` method.
- */
+ * Update multiple detection rules using the `rule_id` or `id` field. The original rules are replaced, and all unspecified fields are deleted.
+> info
+> You cannot modify the `id` or `rule_id` values.
+
+ */
 bulkUpdateRules(props: BulkUpdateRulesProps) {
 return supertest
 .put('/api/detection_engine/rules/_bulk_update')
@@ -155,6 +160,11 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
 .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
 .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
 },
+ /**
+ * Initiate a migration of detection alerts.
+Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly.
+
+ */
 createAlertsMigration(props: CreateAlertsMigrationProps) {
 return supertest
 .post('/api/detection_engine/signals/migration')
@@ -164,7 +174,7 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
 .send(props.body as object);
 },
 /**
- * Create a single detection rule
+ * Create a new detection rule.
 */
 createRule(props: CreateRuleProps) {
 return supertest
@@ -192,7 +202,7 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
 .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
 },
 /**
- * Deletes a single rule using the `rule_id` or `id` field.
+ * Delete a detection rule using the `rule_id` or `id` field.
 */
 deleteRule(props: DeleteRuleProps) {
 return supertest
@@ -219,8 +229,13 @@ after 30 days. It also deletes other artifacts specific to the migration impleme .send(props.body as object); }, /** - * Exports rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file - Actions, Exception lists. Prebuilt rules cannot be exported. - */ + * Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: +- Actions +- Exception lists +> info +> You cannot export prebuilt rules. + + */ exportRules(props: ExportRulesProps) { return supertest .post('/api/detection_engine/rules/_export') @@ -231,7 +246,7 @@ after 30 days. It also deletes other artifacts specific to the migration impleme .query(props.query); }, /** - * The finalization endpoint replaces the original index's alias with the successfully migrated index's alias. + * Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, finalize it. @@ -245,7 +260,7 @@ finalize it. .send(props.body as object); }, /** - * Finds rules that match the given query. + * Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. */ findRules(props: FindRulesProps) { return supertest @@ -270,6 +285,9 @@ finalize it. .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana'); }, + /** + * Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. + */ getAlertsMigrationStatus(props: GetAlertsMigrationStatusProps) { return supertest .post('/api/detection_engine/signals/migration_status') 
@@ -294,6 +312,9 @@ finalize it.
 .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
 .query(props.query);
 },
+ /**
+ * Retrieve the status of all Elastic prebuilt detection rules and Timelines.
+ */
 getPrebuiltRulesAndTimelinesStatus() {
 return supertest
 .get('/api/detection_engine/rules/prepackaged/_status')
@@ -345,8 +366,11 @@ detection engine rules.
 .query(props.query);
 },
 /**
- * Imports rules from an `.ndjson` file, including actions and exception lists.
- */
+ * Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include:
+- The `Content-Type: multipart/form-data` HTTP header.
+- A link to the `.ndjson` file containing the rules.
+
+ */
 importRules(props: ImportRulesProps) {
 return supertest
 .post('/api/detection_engine/rules/_import')
@@ -355,6 +379,9 @@ detection engine rules.
 .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
 .query(props.query);
 },
+ /**
+ * Install and update all Elastic prebuilt detection rules and Timelines.
+ */
 installPrebuiltRulesAndTimelines() {
 return supertest
 .put('/api/detection_engine/rules/prepackaged')
@@ -362,6 +389,12 @@ detection engine rules.
 .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
 .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
 },
+ /**
+ * And tags to detection alerts, and remove them from alerts.
+> info
+> You cannot add and remove the same alert tag in the same request.
+
+ */
 manageAlertTags(props: ManageAlertTagsProps) {
 return supertest
 .post('/api/detection_engine/signals/tags')
@@ -371,7 +404,7 @@ detection engine rules.
 .send(props.body as object);
 },
 /**
- * Patch a single rule
+ * Update specific fields of an existing detection rule using the `rule_id` or `id` field.
 */
 patchRule(props: PatchRuleProps) {
 return supertest
@@ -382,7 +415,7 @@ detection engine rules.
 .send(props.body as object);
 },
 /**
- * The bulk action is applied to all rules that match the filter or to the list of rules by their IDs.
+ * Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
 */
 performBulkAction(props: PerformBulkActionProps) {
 return supertest
@@ -394,7 +427,7 @@ detection engine rules.
 .query(props.query);
 },
 /**
- * Read a single rule
+ * Retrieve a detection rule using the `rule_id` or `id` field.
 */
 readRule(props: ReadRuleProps) {
 return supertest
@@ -404,6 +437,9 @@ detection engine rules.
 .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
 .query(props.query);
 },
+ /**
+ * List all unique tags from all detection rules.
+ */
 readTags() {
 return supertest
 .get('/api/detection_engine/tags')
@@ -419,6 +455,9 @@ detection engine rules.
 .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
 .send(props.body as object);
 },
+ /**
+ * Find and/or aggregate detection alerts that match the given query.
+ */
 searchAlerts(props: SearchAlertsProps) {
 return supertest
 .post('/api/detection_engine/signals/search')
@@ -428,8 +467,11 @@ detection engine rules.
 .send(props.body as object);
 },
 /**
- * Assigns users to alerts.
- */
+ * Assign users to detection alerts, and unassign them from alerts.
+> info
+> You cannot add and remove the same assignee in the same request.
+
+ */
 setAlertAssignees(props: SetAlertAssigneesProps) {
 return supertest
 .post('/api/detection_engine/signals/assignees')
@@ -438,6 +480,9 @@ detection engine rules.
 .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
 .send(props.body as object);
 },
+ /**
+ * Set the status of one or more detection alerts.
+ */
 setAlertsStatus(props: SetAlertsStatusProps) {
 return supertest
 .post('/api/detection_engine/signals/status')
@@ -458,8 +503,11 @@ detection engine rules.
 .query(props.query);
 },
 /**
- * Update a single rule
- */
+ * Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted.
+> info
+> You cannot modify the `id` or `rule_id` values.
+
+ */
 updateRule(props: UpdateRuleProps) {
 return supertest
 .put('/api/detection_engine/rules')