
Bulk actions have been updated over time to have more capabilities, docs still have a select few. #3004

Closed
jamster10 opened this issue Feb 21, 2023 · 4 comments · Fixed by #4935

Comments


jamster10 commented Feb 21, 2023

Description

Our documentation notes that

    .slack
    .email
    .pagerduty
    .webhook

are acceptable connectors for bulk actions but over time we have increased its capability to:

Slack
Email
PagerDuty
Webhook
Microsoft Teams
IBM Resilient
Jira
ServiceNow
Swimlane

with new action_type_ids including:
.index
.jira
.resilient
.servicenow
.servicenow-itom
.servicenow-sir (ServiceNow SecOps)
.swimlane
.teams (Microsoft Teams)

Most of these are noted here: https://www.elastic.co/guide/en/security/current/rules-api-create.html#rules-api-create

But can we update the docs to provide the comprehensive list to our users?

Here is an image denoting the offerings the users currently have:
[image]

This is related to this SDH: https://github.com/elastic/sdh-security-team/issues/534


lcawl commented Feb 22, 2023

This might be a good opportunity to talk about moving to open API specifications as the source of truth for API docs. I've been working through the responseOps API specs per elastic/kibana#137240 and am happy to chat further if the security dev teams are ready to begin down that path.

@nastasha-solomon

@e40pud would you mind providing a list of accepted values for the action_type_id parameter that's available for the following endpoints:

Thank you!


e40pud commented Mar 14, 2024

From what I can see in the code, we have the following connectors which are available for rule actions:

| Name | ID |
|---|---|
| Slack Webhook | .slack |
| Slack Web API | .slack_api |
| Email | .email |
| Index | .index |
| PagerDuty | .pagerduty |
| Swimlane | .swimlane |
| Webhook | .webhook |
| ServiceNow ITSM | .servicenow |
| ServiceNow ITOM | .servicenow-itom |
| ServiceNow SecOps | .servicenow-sir |
| Jira | .jira |
| IBM Resilient | .resilient |
| Opsgenie | .opsgenie |
| Microsoft Teams | .teams |
| Torq | .torq |
| Tines | .tines |
| D3 Security | .d3security |

There are a few more connectors which are either experimental (Sentinel One, Case Management) or GenAI related (OpenAI, Amazon Bedrock). Also, I do not see Server Log (.server-log) and xMatters (.xmatters) being used within the actions UI, but they are still available as connectors. @ymao1 @stephmilovic can you confirm that those are not used for rule actions at the moment?


ymao1 commented Mar 14, 2024

Yea, that list looks correct. Connectors available to the security form are registered with SecurityConnectorFeatureId and it looks like server log and xMatters are not registered with that feature ID.
