[DOCS] Create rule updates - 7.10 #336
Co-authored-by: Ryland Herrick <[email protected]>
`destination.ip` field values in the `logs-*` or `packetbeat-*` {es-sec} indices | ||
are identical to the corresponding field values in the `ip-threat-list` threat | ||
index, enter the rule parameters seen in the following image: | ||
+ |
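Review bot: the rule parameters in this paragraph are conveyed only by the image that follows ("enter the rule parameters seen in the following image"), so readers relying on search or a screen reader cannot recover them; list them in text as well (the event index patterns `logs-*` and `packetbeat-*`, the threat index `ip-threat-list`, and the field pair being compared). Related wording point: "are identical to the corresponding field values in the `ip-threat-list` threat index" does not say which threat-index field `destination.ip` is mapped to, and a reader could take it to mean the threat index must also carry a field named `destination.ip`; name the threat-side field explicitly in the sentence.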
Relaying a suggestion from @aarju here.
It would also help a lot if there was an example of how to format an index to be used as a threat index. For example, if I have a list of 10 domains and their IP addresses that I want to monitor, how do I add those to Elastic to be used as a threat index?
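As an added, constructed example of one way to do what the comment above asks for (this is not code from this PR, from the Elastic docs, or from any of the commenters): the Python below builds the `_bulk` request body that would populate a threat index such as `ip-threat-list` from a small invented list of domain/IP indicators, an explicit index mapping so the IP field is stored as type `ip` rather than dynamically mapped text, and a `threat_match` rule body that maps `destination.ip` and `destination.domain` in `logs-*` / `packetbeat-*` to the threat-index fields. It also checks that every threat-side field named in `threat_mapping` actually exists in every indicator document, because a mapping to a missing field never matches and the rule then silently produces nothing. The `indicator.*` field names, the sample indicators, the `rule_id`, and the detections-API field names are assumptions to verify against your Elastic version; nothing here talks to a cluster.

```python
"""Build a threat (indicator) index payload and an indicator-match rule body.

Constructed example; the indicator.* field layout and the rule-body field
names are assumptions, not an Elastic or ECS convention. Standard library only.
"""
import ipaddress
import json

THREAT_INDEX = "ip-threat-list"  # index name used in the PR's doc snippet

# Constructed sample indicators: documentation-reserved IP ranges, invented names.
SAMPLE_INDICATORS = [
    {"domain": "c2.example.net", "ip": "192.0.2.10", "source": "internal-list"},
    {"domain": "drop.example.org", "ip": "198.51.100.7", "source": "internal-list"},
    {"domain": "bad-host.example.com", "ip": "203.0.113.42", "source": "partner-feed"},
]

# Explicit mapping for PUT /ip-threat-list so indicator.ip is an `ip` field and the
# strings are keywords; with dynamic mapping the IP would land as text + keyword.
INDEX_MAPPING = {
    "mappings": {
        "properties": {
            "@timestamp": {"type": "date"},
            "indicator": {
                "properties": {
                    "ip": {"type": "ip"},
                    "domain": {"type": "keyword"},
                    "source": {"type": "keyword"},
                }
            },
        }
    }
}


def invalid_ips(indicators):
    """Return the `ip` values that do not parse as IPv4/IPv6 addresses."""
    bad = []
    for ind in indicators:
        try:
            ipaddress.ip_address(ind["ip"])
        except ValueError:
            bad.append(ind["ip"])
    return bad


def build_bulk_body(indicators, index=THREAT_INDEX, timestamp="2020-11-10T00:00:00Z"):
    """Return the NDJSON body for POST /_bulk: one action line and one document
    line per indicator, newline-terminated as the bulk API requires. Malformed
    IPs are rejected up front instead of becoming never-matching indicators."""
    bad = invalid_ips(indicators)
    if bad:
        raise ValueError("malformed indicator IPs: %s" % ", ".join(bad))
    lines = []
    for ind in indicators:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps({
            "@timestamp": timestamp,
            "indicator": {"ip": ind["ip"], "domain": ind["domain"], "source": ind["source"]},
        }))
    return "\n".join(lines) + "\n"


def build_threat_match_rule(threat_index=THREAT_INDEX, ip_field="indicator.ip",
                            domain_field="indicator.domain"):
    """Rule body for POST /api/detection_engine/rules of type threat_match.
    Field names follow the 7.10-era detections API as I understand it (assumption;
    check the API docs for your version). Entries inside one `entries` list must
    all match (AND); separate list items are alternatives (OR)."""
    return {
        "rule_id": "example-indicator-match-ip-domain",  # invented identifier
        "name": "Example: destination matches ip-threat-list",
        "description": "Alerts when destination.ip or destination.domain matches an indicator.",
        "type": "threat_match",
        "index": ["logs-*", "packetbeat-*"],
        "query": "*:*",
        "language": "kuery",
        "threat_index": [threat_index],
        "threat_query": "*:*",
        "threat_language": "kuery",
        "threat_mapping": [
            {"entries": [{"field": "destination.ip", "type": "mapping", "value": ip_field}]},
            {"entries": [{"field": "destination.domain", "type": "mapping", "value": domain_field}]},
        ],
        "risk_score": 73,
        "severity": "high",
        "interval": "5m",
        "from": "now-6m",
        "enabled": True,
    }


def _lookup(doc, dotted):
    """Resolve a dotted field path such as 'indicator.ip' inside a nested dict."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def missing_mapping_fields(bulk_body, rule):
    """Return threat-side fields named in threat_mapping that at least one indicator
    document in the bulk body lacks (sorted). Such a mapping can never match."""
    docs = [json.loads(line) for i, line in enumerate(bulk_body.splitlines()) if i % 2 == 1]
    missing = set()
    for group in rule["threat_mapping"]:
        for entry in group["entries"]:
            if any(_lookup(d, entry["value"]) is None for d in docs):
                missing.add(entry["value"])
    return sorted(missing)


if __name__ == "__main__":
    body = build_bulk_body(SAMPLE_INDICATORS)
    rule = build_threat_match_rule()
    print(json.dumps(INDEX_MAPPING, indent=2))  # PUT /ip-threat-list
    print(body)                                  # POST /_bulk
    print(json.dumps(rule, indent=2))            # POST /api/detection_engine/rules
    print("unmapped threat fields:", missing_mapping_fields(body, rule))
```

Send `INDEX_MAPPING` with `PUT /ip-threat-list`, the bulk body with `POST /_bulk` (header `Content-Type: application/x-ndjson`), and the rule body to the detections API with the `kbn-xsrf` header; run `missing_mapping_fields` before enabling the rule so a renamed threat-side field is caught as a config error rather than as an absence of alerts.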
@peluja1012 I think this is a good idea, but I probably won't have time to incorporate it before tomorrow unless it's a simple process. This might be best as a separate topic since this one is already pretty long as is. WDYT?
I think it makes sense to include it in a separate topic. We could link to it from this page. 👍
Just a few comments! The rule creation page is very noisy right now due to all the different formatting; anything we can do to normalize that would be a big win!
Be careful when adding exceptions to EQL sequence rules. Exceptions are | ||
evaluated against every event in the sequence, and when the exception matches any | ||
event(s) in the sequence, alerts are not generated. To exclude values from a | ||
specific event in the sequence, update the rule's EQL statement. For example: |
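Review bot: "alerts are not generated" understates the consequence of the behaviour described two lines earlier; since the exception is evaluated against every event in the sequence, a value excepted to silence one benign stage suppresses the alert for the whole sequence, including the stages that were malicious. Say that directly, e.g. "the entire sequence alert is suppressed, even if the other events in the sequence should have alerted", so readers do not read it as an exception affecting only the event it matches. The paragraph ends with "For example:", so make sure the example that follows shows the per-event form (the exclusion written into the `where` clause of the one event it applies to) alongside the rule-level exception it replaces, since the contrast is the point of the warning.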
This is perfect, and even an example too -- thank you @jmikell821! 🙂
Couple nits, but looks like you've already got them! Thank you much for the detailed and thorough docs here @jmikell821! Our users will be quite happy! 🙂
* Adds EQL and threat-match rule types
* updates terminology
* adds warning about eql seq exceptions
* Update docs/detections/detections-ui-exceptions.asciidoc
  Co-authored-by: Ryland Herrick <[email protected]>
* Testing addition of preview rule.
* committing so I don't lose.
* Committing rule updates so I don't lose.
* Merging feedback and testing formatting.
* Fixing build error, updating image
* formatting changes and updates.
* Fix build error.
* Attempt build error fix.
* Fix missing anchor link
* small fixes.
* merging feedback.
* build fix
* and...another build fix.
* [DOCS] Terminates important admonition block
* merging feedback.

Co-authored-by: Ben Skelker <[email protected]>
Co-authored-by: Nate Archer <[email protected]>
Co-authored-by: Ryland Herrick <[email protected]>
Co-authored-by: DonNateR <[email protected]>
Co-authored-by: lcawl <[email protected]>
Updated links as of 11/10/20:
Create Detection Rules Preview.
Detections and Alerts Intro.
Replaces #272.