[DOCS] Create rule updates - 7.10 #336

Merged: 19 commits merged into master, Nov 10, 2020

Conversation

@jmikell821 jmikell821 commented Oct 22, 2020

Updated links as of 11/10/20:

Create Detection Rules Preview.
Detections and Alerts Intro.
Replaces #272.

`destination.ip` field values in the `logs-*` or `packetbeat-*` {es-sec} indices
are identical to the corresponding field values in the `ip-threat-list` threat
index, enter the rule parameters seen in the following image:
+

Relaying a suggestion from @aarju here.

It would also help a lot if there was an example of how to format an index to be used as a threat index. For example, if I have a list of 10 domains and their IP addresses that I want to monitor, how do I add those to Elastic to be used as a thread index

Contributor Author

@peluja1012 I think this is a good idea, but I probably won't have time to incorporate it before tomorrow unless it's a simple process. This might be best as a separate topic since this one is already pretty long as is. WDYT?


@peluja1012 peluja1012 Nov 10, 2020

I think it makes sense to include it in a separate topic. We could link to it from this page. 👍
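Added example for the question raised in this thread (example code written for this page, not part of the PR or of the Elastic docs): it turns a constructed list of domains and IP addresses into documents for an `ip-threat-list` index, renders them as an Elasticsearch `_bulk` request body, and then simulates the indicator-match step described in the rule text quoted above, comparing each event's `destination.ip` with the `destination.ip` values stored in the threat index. `destination.ip` and `ip-threat-list` come from the page; the `domain` field, the indicator rows and the sample events are constructed, and the curl line in the comment uses the standard bulk endpoint.

```python
import ipaddress
import json

# Constructed indicator list (three rows instead of the ten in the question).
# Addresses are from the RFC 5737 documentation range; the last row is
# deliberately malformed to show that bad rows are rejected, not indexed.
INDICATORS = [
    {"domain": "bad-updates.example", "ip": "203.0.113.5"},
    {"domain": "c2.example", "ip": "203.0.113.7"},
    {"domain": "broken.example", "ip": "not-an-ip"},
]

# Constructed sample events in the shape of packetbeat-style documents.
EVENTS = [
    {"@timestamp": "2020-11-10T10:00:00Z", "host": {"name": "ws01"},
     "destination": {"ip": "203.0.113.5", "port": 443}},
    {"@timestamp": "2020-11-10T10:00:05Z", "host": {"name": "ws01"},
     "destination": {"ip": "198.51.100.20", "port": 443}},
    {"@timestamp": "2020-11-10T10:01:00Z", "host": {"name": "ws02"},
     "destination": {"ip": "203.0.113.7", "port": 8080}},
    {"@timestamp": "2020-11-10T10:02:00Z", "host": {"name": "ws03"},
     "destination": {"port": 53}},  # no destination.ip at all
]


def build_threat_docs(indicators):
    """Turn (domain, ip) rows into threat-index documents.

    The rule compares the event's `destination.ip` with the same field in the
    threat index, so each document stores the address under `destination.ip`.
    `domain` is an assumed extra field. Rows whose IP does not parse are
    skipped so a bad row cannot silently become an indicator that never matches.
    """
    docs = []
    for row in indicators:
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue
        docs.append({"destination": {"ip": ip}, "domain": row["domain"]})
    return docs


def build_bulk_body(docs, index="ip-threat-list"):
    """Render documents as NDJSON for the Elasticsearch _bulk API: one action
    line followed by one source line per document, terminated by a newline."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"
# Load the body with, for example:
#   curl -XPOST 'http://localhost:9200/_bulk' \
#        -H 'Content-Type: application/x-ndjson' --data-binary @threat.ndjson


def get_field(doc, path):
    """Read a dotted field path such as `destination.ip` from a nested
    document; returns None when any segment is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def threat_match(events, threat_docs, event_field="destination.ip",
                 threat_field="destination.ip"):
    """Simulate the indicator-match step of a threat match rule: an event is a
    hit when its `event_field` value equals `threat_field` in some threat
    document. Returns (event, matching_threat_doc) pairs in event order."""
    by_value = {}
    for doc in threat_docs:
        value = get_field(doc, threat_field)
        if value is not None:
            by_value.setdefault(value, doc)
    hits = []
    for ev in events:
        value = get_field(ev, event_field)
        if value is not None and value in by_value:
            hits.append((ev, by_value[value]))
    return hits


if __name__ == "__main__":
    threat_docs = build_threat_docs(INDICATORS)
    print(build_bulk_body(threat_docs))
    for ev, ind in threat_match(EVENTS, threat_docs):
        print(ev["host"]["name"], "->", ind["destination"]["ip"], ind["domain"])
```

The IP validation step matters in practice: a threat list row that fails to parse would otherwise be indexed as a string that never matches a real event, and the rule would quietly cover less than the analyst believes.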


@rylnd rylnd left a comment

Just a few comments! The rule creation page is very noisy right now due to all the different formatting; anything we can do to normalize that would be a big win!

Comment on lines +76 to +79
Be careful when adding exceptions to EQL sequence rules. Exceptions are
evaluated against every event in the sequence, and when the exception matches any
event(s) in the sequence, alerts are not generated. To exclude values from a
specific event in the sequence, update the rule's EQL statement. For example:

This is perfect, and even an example too -- thank you @jmikell821! 🙂
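As an added illustration of the warning quoted in this review thread (example code written for this page, not from the PR or the Elastic docs), a small Python simulation of a two-step EQL-like sequence rule, `sequence by host.name [process where event.type == "start"] [network where destination.port == 4444]` (a constructed rule), run over constructed events. It contrasts a rule-level exception on `process.name`, which is evaluated against every event of the sequence and so suppresses the alert whenever any event in it matches, with the same exclusion written into the EQL statement for the one event it was meant for. The matcher is a minimal stand-in with no `maxspan` or `until` handling.

```python
# Constructed events, already in time order. Each host shows a process start
# followed by a connection to port 4444. On ws02 the connection comes from a
# different process than the start that preceded it.
EVENTS = [
    {"host.name": "ws01", "event.category": "process", "event.type": "start",
     "process.name": "updater.exe"},
    {"host.name": "ws01", "event.category": "network",
     "process.name": "updater.exe", "destination.port": 4444},
    {"host.name": "ws02", "event.category": "process", "event.type": "start",
     "process.name": "updater.exe"},
    {"host.name": "ws02", "event.category": "network",
     "process.name": "evil.exe", "destination.port": 4444},
]


def is_process_start(ev):
    """First sequence step: [process where event.type == "start"]."""
    return ev.get("event.category") == "process" and ev.get("event.type") == "start"


def is_4444_connection(ev):
    """Second sequence step: [network where destination.port == 4444]."""
    return ev.get("event.category") == "network" and ev.get("destination.port") == 4444


def match_sequence(events, by, steps):
    """Minimal EQL-like sequence matcher: per `by` value, events must satisfy
    the step predicates in order; each completed run is one sequence (one
    alert). Events that do not satisfy the pending step are skipped."""
    state = {}
    sequences = []
    for ev in events:
        key = ev.get(by)
        idx, collected = state.get(key, (0, []))
        if steps[idx](ev):
            collected = collected + [ev]
            idx += 1
            if idx == len(steps):
                sequences.append(collected)
                idx, collected = 0, []
        state[key] = (idx, collected)
    return sequences


def apply_rule_exception(sequences, field, value):
    """Rule-level exception item `field: value`, evaluated against every event
    of each sequence: if any event matches, the whole sequence is dropped."""
    return [seq for seq in sequences
            if not any(ev.get(field) == value for ev in seq)]


def alerts(mode):
    """Return the sequences that would alert under each approach.

    The analyst's intent in every mode is to ignore updater.exe's own
    connections to 4444 while still catching anything else that connects."""
    steps = [is_process_start, is_4444_connection]
    if mode == "no_exception":
        return match_sequence(EVENTS, "host.name", steps)
    if mode == "rule_exception":
        found = match_sequence(EVENTS, "host.name", steps)
        return apply_rule_exception(found, "process.name", "updater.exe")
    if mode == "eql_scoped":
        # Exclusion written into the second event's clause only:
        #   [network where destination.port == 4444 and process.name != "updater.exe"]
        scoped = [is_process_start,
                  lambda ev: is_4444_connection(ev)
                  and ev.get("process.name") != "updater.exe"]
        return match_sequence(EVENTS, "host.name", scoped)
    raise ValueError(mode)


if __name__ == "__main__":
    for mode in ("no_exception", "rule_exception", "eql_scoped"):
        print(mode, len(alerts(mode)), "alert(s)")
```

With the rule-level exception both hosts go quiet, because `updater.exe` also appears in the first event of the ws02 sequence, so the `evil.exe` connection is lost; the EQL-scoped version suppresses only the ws01 sequence, which is what the exception was meant to do.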


@spong spong left a comment

Couple nits, but looks like you've already got them! Thank you much for the detailed and thorough docs here @jmikell821! Our users will be quite happy! 🙂

@jmikell821 jmikell821 merged commit 8254566 into master Nov 10, 2020
jmikell821 added a commit to jmikell821/security-docs that referenced this pull request Nov 10, 2020
* Adds EQL and threat-match rule types

* updates terminology

* adds warning about eql seq exceptions

* Update docs/detections/detections-ui-exceptions.asciidoc

Co-authored-by: Ryland Herrick <[email protected]>

* Testing addition of preview rule.

* committing so I don't lose.

* Committing rule updates so I don't lose.

* Merging feedback and testing formatting.

* Fixing build error, updating image

* formatting changes and updates.

* Fix build error.

* Attempt build error fix.

* Fix missing anchor link

* small fixes.

* merging feedback.

* build fix

* and...another build fix.

* [DOCS] Terminates important admonition block

* merging feedback.

Co-authored-by: Ben Skelker <[email protected]>
Co-authored-by: Nate Archer <[email protected]>
Co-authored-by: Ryland Herrick <[email protected]>
Co-authored-by: DonNateR <[email protected]>
Co-authored-by: lcawl <[email protected]>
jmikell821 added a commit to jmikell821/security-docs that referenced this pull request Nov 10, 2020
jmikell821 added a commit that referenced this pull request Nov 10, 2020
jmikell821 added a commit that referenced this pull request Nov 10, 2020
@nastasha-solomon nastasha-solomon deleted the create-rule-7.10 branch July 18, 2022 15:17
6 participants