Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DOCS] Adds conceptual content to API docs #202305

Merged
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 65 additions & 3 deletions oas_docs/output/kibana.serverless.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,12 @@ tags:
- description: Manage and interact with Security Assistant resources.
name: Security AI Assistant API
x-displayName: Security AI assistant
- description: You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page.
- description: |-
You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page.
natasha-moore-elastic marked this conversation as resolved.
Show resolved Hide resolved
> warn
> If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.

> If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.
name: Security Detections API
x-displayName: Security detections
- description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
Expand All @@ -125,10 +130,67 @@ tags:
- description: ''
name: Security Entity Analytics API
x-displayName: Security entity analytics
- description: Exceptions API allows you to manage detection rule exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
- description: |-
Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.

Exceptions are made up of:

* **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
* **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.

For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
> info
> You cannot use lists with endpoint rule exceptions.

> info
> Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.

## Exceptions requirements

Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui).
name: Security Exceptions API
x-displayName: Security exceptions
- description: Lists API allows you to manage lists of keywords, IPs or IP ranges items.
- description: |-
Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

* **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used:
* `boolean`
* `byte`
* `date`
* `date_nanos`
* `date_range`
* `double`
* `double_range`
* `float`
* `float_range`
* `half_float`
* `integer`
* `integer_range`
* `ip`
* `ip_range`
* `keyword`
* `long`
* `long_range`
* `short`
* `text`
* **List items**: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:
1. `192.168.1.1`
2. `192.168.1.3`
3. `192.168.1.18`
4. `192.168.1.12`
5. `192.168.1.7`

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception item that references the `internal-ip-addresses-southport` list.
> info
> Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's `exceptions_list` object.

## Lists requirements

Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui) for a complete list of requirements.
name: Security Lists API
x-displayName: Security lists
- description: Run live queries, manage packs and saved queries.
Expand Down
68 changes: 65 additions & 3 deletions oas_docs/output/kibana.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,12 @@ tags:
- description: Manage and interact with Security Assistant resources.
name: Security AI Assistant API
x-displayName: Security AI assistant
- description: You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page.
- description: |-
You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the **Detections** page.
> warn
> If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.

> If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.
name: Security Detections API
x-displayName: Security detections
- description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
Expand All @@ -141,10 +146,67 @@ tags:
- description: ''
name: Security Entity Analytics API
x-displayName: Security entity analytics
- description: Exceptions API allows you to manage detection rule exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
- description: |-
Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.

Exceptions are made up of:

* **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
* **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.

For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
> info
> You cannot use lists with endpoint rule exceptions.

> info
> Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.

## Exceptions requirements

Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/master/detections-permissions-section.html#enable-detections-ui).
name: Security Exceptions API
x-displayName: Security exceptions
- description: Lists API allows you to manage lists of keywords, IPs or IP ranges items.
- description: |-
Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

* **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used:
* `boolean`
* `byte`
* `date`
* `date_nanos`
* `date_range`
* `double`
* `double_range`
* `float`
* `float_range`
* `half_float`
* `integer`
* `integer_range`
* `ip`
* `ip_range`
* `keyword`
* `long`
* `long_range`
* `short`
* `text`
* **List items**: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:
1. `192.168.1.1`
2. `192.168.1.3`
3. `192.168.1.18`
4. `192.168.1.12`
5. `192.168.1.7`

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception item that references the `internal-ip-addresses-southport` list.
> info
> Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's `exceptions_list` object.

## Lists requirements

Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/master/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements.
name: Security Lists API
x-displayName: Security lists
- description: Run live queries, manage packs and saved queries.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1900,8 +1900,53 @@ security:
- BasicAuth: []
tags:
- description: >-
Exceptions API allows you to manage detection rule exceptions to prevent a
rule from generating an alert from incoming events even when the rule's
other criteria are met.
Exceptions are associated with detection and endpoint rules, and are used
to prevent a rule from generating an alert from incoming events, even when
the rule's other criteria are met. They can help reduce the number of
false positives and prevent trusted processes and network activity from
generating unnecessary alerts.


Exceptions are made up of:


* **Exception containers**: A container for related exceptions. Generally,
a single exception container contains all the exception items relevant for
a subset of rules. For example, a container can be used to group together
network-related exceptions that are relevant for a large number of network
rules. The container can then be associated with all the relevant rules.

* **Exception items**: The query (fields, values, and logic) used to
prevent rules from generating alerts. When an exception item's query
evaluates to `true`, the rule does not generate an alert.


For detection rules, you can also use lists to define rule exceptions. A
list holds multiple values of the same Elasticsearch data type, such as IP
addresses. These values are used to determine when an exception prevents
an alert from being generated.

> info

> You cannot use lists with endpoint rule exceptions.


> info

> Only exception containers can be associated with rules. You cannot
directly associate an exception item or a list container with a rule. To
use list exceptions, create an exception item that references the relevant
list container.


## Exceptions requirements


Before you can start working with exceptions that use value lists, you
must create the `.lists` and `.items` data streams for the relevant Kibana
space. To do this, use the Create list data streams endpoint. Once these
data streams are created, your role needs privileges to manage rules. For
a complete list of requirements, refer to [Enable and access
detections](https://www.elastic.co/guide/en/security/master/detections-permissions-section.html#enable-detections-ui).
name: Security Exceptions API
x-displayName: Security exceptions
Original file line number Diff line number Diff line change
Expand Up @@ -1900,8 +1900,53 @@ security:
- BasicAuth: []
tags:
- description: >-
Exceptions API allows you to manage detection rule exceptions to prevent a
rule from generating an alert from incoming events even when the rule's
other criteria are met.
Exceptions are associated with detection and endpoint rules, and are used
to prevent a rule from generating an alert from incoming events, even when
the rule's other criteria are met. They can help reduce the number of
false positives and prevent trusted processes and network activity from
generating unnecessary alerts.


Exceptions are made up of:


* **Exception containers**: A container for related exceptions. Generally,
a single exception container contains all the exception items relevant for
a subset of rules. For example, a container can be used to group together
network-related exceptions that are relevant for a large number of network
rules. The container can then be associated with all the relevant rules.

* **Exception items**: The query (fields, values, and logic) used to
prevent rules from generating alerts. When an exception item's query
evaluates to `true`, the rule does not generate an alert.


For detection rules, you can also use lists to define rule exceptions. A
list holds multiple values of the same Elasticsearch data type, such as IP
addresses. These values are used to determine when an exception prevents
an alert from being generated.

> info

> You cannot use lists with endpoint rule exceptions.


> info

> Only exception containers can be associated with rules. You cannot
directly associate an exception item or a list container with a rule. To
use list exceptions, create an exception item that references the relevant
list container.


## Exceptions requirements


Before you can start working with exceptions that use value lists, you
must create the `.lists` and `.items` data streams for the relevant Kibana
space. To do this, use the Create list data streams endpoint. Once these
data streams are created, your role needs privileges to manage rules. For
a complete list of requirements, refer to [Enable and access
detections](https://www.elastic.co/guide/en/serverless/current/security-detections-requirements.html#enable-detections-ui).
name: Security Exceptions API
x-displayName: Security exceptions
Loading