From 8113e4dc4471c8ec21defdb01b3920b403fdfe69 Mon Sep 17 00:00:00 2001 From: Jacek Kolezynski Date: Wed, 2 Apr 2025 11:24:39 +0200 Subject: [PATCH 1/8] Improving documentations for bulk_actions --- .../rule_schema/common_attributes.schema.yaml | 6 +- .../bulk_actions_route.schema.yaml | 774 ++++++++++++++- ...ections_api_2023_10_31.bundled.schema.yaml | 899 +++++++++++++++++- ...ections_api_2023_10_31.bundled.schema.yaml | 899 +++++++++++++++++- 4 files changed, 2459 insertions(+), 119 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml index 1080c39e0c248..20e8801ad562a 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml 
@@ -600,9 +600,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. + - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml index 6808f48ce858d..db4147c2d36e5 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml 
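Review bot: the hunk renames `eventAction`/`dedupKey` to `event_action`/`dedup_key` in prose only, and nothing in this patch touches the PagerDuty connector's parameter schema, so please confirm that the connector actually accepts the snake_case names before documenting them; if it still expects the camelCase names, only the severity values needed the lowercase fix, and the new PagerDuty example added later in this patch (`event_action: trigger`) would be rejected. While here, the `+` lines keep the pre-existing typo "Severity of on the alert notification"; drop "of".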
@@ -11,6 +11,9 @@ paths: summary: Apply a bulk action to detection rules description: | Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. 
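Review bot: the new paragraph says the edit action is idempotent except for `add_rule_actions` and `set_rule_actions`, but the `BulkActionEditPayloadRuleActions` description added later in this same patch states the opposite ("If a rule action already exists for a rule, no changes are made"); the response examples added in this patch (a new `uuid` on every add/set) support the non-idempotent reading, so align the component description with this paragraph. Also "The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent" should read "...actions, which are non-idempotent", and the list of editable attributes omits timeline templates even though `set_timeline` is documented in the same file. Suggest: `The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions, schedules and timeline templates for multiple rules at once.`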
@@ -45,53 +48,27 @@ paths: - $ref: '#/components/schemas/BulkEditRules' examples: example1: - summary: Enable all rules with the test tag - description: The following request activates all rules with the test tag + summary: Enable - Enable all rules with the test tag + description: The following request activates all rules with the test tag. value: query: 'alert.attributes.tags: "test"' action: 'enable' example2: - summary: Enable a specific rule by ID + summary: Enable - Enable a specific rule by ID. description: The following request enables the rule with the specified ID. value: action: 'enable' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' example3: - summary: Disable a specific rule by ID + summary: Disable - Disable a specific rule by ID description: The following request disables the rule with the specified ID. value: action: 'disable' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' example4: - summary: Add tags to rules - description: The following request adds tags tag-1 and tag-2 to the rules that have the IDs sent in the payload - value: - ids: - - '8bc7dad0-9320-11ec-9265-8b772383a08d' - - '8e5c1a40-9320-11ec-9265-8b772383a08d' - action: 'edit' - edit: - - type: 'add_tags' - value: - - 'tag-1' - - 'tag-2' - example5: - summary: Dry run - Validate add_index_patterns bulk action - description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. 
POST api/detection_engine/rules/_bulk_action?dry_run=true - value: - action: 'edit' - edit: - - value: - - 'test-*' - type: 'add_index_patterns' - ids: - - '81aa0480-06af-11ed-94fb-dd1a0597d8d2' - - 'dc015d10-0831-11ed-ac8b-05a222bd8d4a' - - 'de8f5af0-0831-11ed-ac8b-05a222bd8d4a' - example6: - summary: Duplicate rules with specific IDs + summary: Duplicate - Duplicate rules with specific IDs description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. value: action: 'duplicate' @@ -101,15 +78,15 @@ paths: duplicate: include_exceptions: true include_expired_exceptions: false - example7: - summary: Delete a specific rule by ID + example5: + summary: Delete - Delete a specific rule by ID description: The following request deletes the rule with the specified ID. value: action: 'delete' ids: - 'cf4abfd1-7c37-4519-ab0f-5ea5c75fac60' - example8: - summary: Run a specific rule by ID + example6: + summary: Run - Run a specific rule by ID description: The following request runs the rule with the specified ID within the given date range. value: action: 'run' 
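Review bot: in hunk `@@ -45,53 +48,27 @@` the example2 summary ends with a period (`summary: Enable - Enable a specific rule by ID.`) while no other summary in the file does; drop it so the rendered example picker is consistent. The "Enable - Enable ..." / "Disable - Disable ..." prefix works as a grouping label, but a shorter title such as `Enable - All rules with the test tag` avoids repeating the action word twice.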
@@ -118,15 +95,270 @@ paths: run: start_date: '2025-03-01T00:00:00.000Z' end_date: '2025-03-10T23:59:59.999Z' - example9: - summary: Export specific rules by ID + example7: + summary: Export - Export specific rules by ID description: The following request exports the rules with the specified IDs. value: action: 'export' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' - - '13199674-aff1-418a-9e93-04f585fe36d1' - + example8: + summary: Edit - dry run - Validate add_index_patterns bulk action + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + value: + action: 'edit' + edit: + - value: + - 'test-*' + type: 'add_index_patterns' + ids: + - '81aa0480-06af-11ed-94fb-dd1a0597d8d2' + - 'dc015d10-0831-11ed-ac8b-05a222bd8d4a' + - 'de8f5af0-0831-11ed-ac8b-05a222bd8d4a' + example9: + summary: Edit - Add a tag to rules (idempotent) + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + value: + ids: + - '8bc7dad0-9320-11ec-9265-8b772383a08d' + - '8e5c1a40-9320-11ec-9265-8b772383a08d' + action: 'edit' + edit: + - type: 'add_tags' + value: + - 'tag-1' + example10: + summary: Edit - Add two tags to rules (idempotent) + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + value: + ids: + - '8bc7dad0-9320-11ec-9265-8b772383a08d' + - '8e5c1a40-9320-11ec-9265-8b772383a08d' + action: 'edit' + edit: + - type: 'add_tags' + value: + - 'tag-1' + - 'tag-2' + example11: + summary: Edit - Delete a tag from rules (idempotent) + description: The following request removes the tag "tag-1" from the rules with the specified IDs. 
If the tag does not exist for a rule, no changes are made. + value: + ids: + - '8bc7dad0-9320-11ec-9265-8b772383a08d' + - '8e5c1a40-9320-11ec-9265-8b772383a08d' + action: 'edit' + edit: + - type: 'delete_tags' + value: + - 'tag-1' + example12: + summary: Edit - Set (overwrite existing) tags for rules (idempotent) + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + value: + ids: + - '8bc7dad0-9320-11ec-9265-8b772383a08d' + - '8e5c1a40-9320-11ec-9265-8b772383a08d' + action: 'edit' + edit: + - type: 'set_tags' + value: + - 'tag-1' + - 'tag-2' + example13: + summary: Edit - Add index patterns to rules (idempotent) + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + value: + ids: + - '81aa0480-06af-11ed-94fb-dd1a0597d8d2' + - 'dc015d10-0831-11ed-ac8b-05a222bd8d4a' + action: 'edit' + edit: + - type: 'add_index_patterns' + value: + - 'test-*' + example14: + summary: Edit - Remove index patterns from rules (idempotent) + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + value: + ids: + - '81aa0480-06af-11ed-94fb-dd1a0597d8d2' + - 'dc015d10-0831-11ed-ac8b-05a222bd8d4a' + action: 'edit' + edit: + - type: 'delete_index_patterns' + value: + - 'test-*' + example15: + summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. 
+ value: + ids: + - '81aa0480-06af-11ed-94fb-dd1a0597d8d2' + - 'dc015d10-0831-11ed-ac8b-05a222bd8d4a' + action: 'edit' + edit: + - type: 'set_index_patterns' + value: + - 'test-*' + example16: + summary: Edit - Add investigation field to rules + description: The following request adds investigation field to the rules with the specified IDs. + value: + ids: + - '12345678-1234-1234-1234-1234567890ab' + - '87654321-4321-4321-4321-0987654321ba' + action: 'edit' + edit: + - type: 'add_investigation_fields' + value: + field_names: + - 'alert.status' + example17: + summary: Edit - Delete investigation fields from rules (idempotent) + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. + value: + ids: + - '12345678-1234-1234-1234-1234567890ab' + - '87654321-4321-4321-4321-0987654321ba' + action: 'edit' + edit: + - type: 'delete_investigation_fields' + value: + - 'field1' + - 'field2' + example18: + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + value: + ids: + - '12345678-1234-1234-1234-1234567890ab' + - '87654321-4321-4321-4321-0987654321ba' + action: 'edit' + edit: + - type: 'set_investigation_fields' + value: + - 'field1' + - 'field2' + example19: + summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. 
+ value: + action: edit + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + example20: + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. + value: + ids: + - '99887766-5544-3322-1100-aabbccddeeff' + action: 'edit' + edit: + - type: 'set_schedule' + value: + interval: '1h' + lookback: '30m' + example21: + summary: Edit - Add rule actions to rules (non-idempotent) + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + value: + action: edit + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + edit: + - type: add_rule_actions + value: + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + group: default + example22: + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + value: + action: edit + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + edit: + - type: set_rule_actions + value: + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + group: default + example23: + summary: Edit - Add rule actions to rules for a webhook connector + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ value: + action: edit + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + edit: + - type: add_rule_actions + value: + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + group: default3 + example24: + summary: Edit - Add rule actions to rules for an email connector + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + value: + action: edit + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + edit: + - type: add_rule_actions + value: + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + to: address@domain.com + subject: Subject + message: The message body + group: default3 + example25: + summary: Edit - Add rule actions to rules for a slack connector + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + value: + action: edit + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + edit: + - type: add_rule_actions + value: + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + group: default3 + example26: + summary: Edit - Add rule actions to rules for a PagerDuty connector + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + value: + action: edit + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + edit: + - type: add_rule_actions + value: + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + severity: critical + summary: The message body + event_action: trigger + timestamp: 2023-10-31T00:00:00Z + group: default3 responses: 200: description: OK 
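Review bot: example17 and example18 pass `delete_investigation_fields`/`set_investigation_fields` a bare array (`value: - 'field1'`), whereas example16 wraps `add_investigation_fields` in `value: field_names: [...]`; the `BulkActionEditPayloadInvestigationFields` description added later in this patch covers all three types with one payload, so two of these examples will not validate as written and should use the `field_names` object form. Other fixes in the same hunk: example15's description promises `"test-*" and "prod-*"` but its value lists only `'test-*'`, and its summary reads "index patterns for rules patterns"; example16's summary lacks the "(idempotent)" tag its siblings carry and the description reads "adds investigation field" (missing "an"); examples 23 to 26 use `group: default3`, which looks like a test leftover, while every other action example uses `group: default`; example23 is identical to example21 apart from that group, so either drop it or give it a webhook-specific param; and example26's `timestamp: 2023-10-31T00:00:00Z` is unquoted, so YAML parses it as a timestamp scalar rather than the string the connector expects, quote it as `'2023-10-31T00:00:00Z'`.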
@@ -343,6 +575,431 @@ paths: succeeded: 1 skipped: 0 total: 3 + example4: + summary: Set tags successsully for 2 rules + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. + value: + success: true + rules_count: 2 + attributes: + results: + updated: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + name: Rule 1 + tags: + - tag-1 + - tag-2 + interval: 5m + enabled: false + revision: 1 + description: test + risk_score: 21 + severity: low + license: '' + output_index: '' + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + author: [] + false_positives: [] + from: now-6m + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + max_signals: 100 + risk_score_mapping: [] + severity_mapping: [] + threat: [] + to: now + references: [] + version: 2 + exceptions_list: [] + immutable: false + rule_source: + type: internal + related_integrations: [] + required_fields: [] + setup: '' + type: query + language: kuery + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + query: '*' + filters: [] + actions: [] + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + name: Rule 2 + tags: + - tag-1 + - tag-2 + interval: 3m + enabled: false + revision: 33 + description: test + risk_score: 21 + severity: low + license: '' + output_index: '' + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + from: 3m + 
investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + author: [] + false_positives: [] + from: now-360s + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + max_signals: 100 + risk_score_mapping: [] + severity_mapping: [] + threat: [] + to: now + references: [] + version: 24 + exceptions_list: [] + immutable: false + rule_source: + type: internal + related_integrations: [] + required_fields: [] + setup: '' + type: query + language: kuery + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + query: '*' + filters: [] + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + action_type_id: '.webhook' + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + frequency: + summary: true + notifyWhen: onActiveAlert + throttle: + group: default + created: [] + deleted: [] + skipped: [] + summary: + failed: 0 + succeeded: 2 + skipped: 0 + total: 2 + example5: + summary: Idempotent behavior of set_tags + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + value: + success: true + rules_count: 2 + attributes: + results: + updated: [] + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + summary: + failed: 0 + succeeded: 0 + skipped: 2 + total: 2 + example6: + summary: Idempotent behavior of add_tags + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ value: + success: true + rules_count: 2 + attributes: + results: + updated: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + name: Test rule + tags: + - tag-1 + - tag-2 + - tag-4 + interval: 3m + enabled: false + revision: 34 + description: test + risk_score: 21 + severity: low + license: '' + output_index: '' + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + from: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + author: [] + false_positives: [] + from: now-360s + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + max_signals: 100 + risk_score_mapping: [] + severity_mapping: [] + threat: [] + to: now + references: [] + version: 25 + exceptions_list: [] + immutable: false + rule_source: + type: internal + related_integrations: [] + required_fields: [] + setup: '' + type: query + language: kuery + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + query: '*' + filters: [] + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + action_type_id: '.webhook' + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + frequency: + summary: true + notifyWhen: onActiveAlert + throttle: + group: default + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + summary: + failed: 0 + succeeded: 1 + skipped: 1 + total: 2 + example7: + summary: Non-idempotent behavior for set_rule_actions + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + value: + success: true + rules_count: 1 + attributes: + results: + updated: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + name: Test rule + tags: + - tag-1 + - tag-2 + - tag-4 + interval: 3m + enabled: false + revision: 39 + description: test + risk_score: 21 + severity: low + license: '' + output_index: '' + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + from: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + author: [] + false_positives: [] + from: now-360s + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + max_signals: 100 + risk_score_mapping: [] + severity_mapping: [] + threat: [] + to: now + references: [] + version: 30 + exceptions_list: [] + immutable: false + rule_source: + type: internal + related_integrations: [] + required_fields: [] + setup: '' + type: query + language: kuery + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + query: '*' + filters: [] + actions: + - id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + action_type_id: '.webhook' + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + frequency: + summary: true + notifyWhen: onActiveAlert + throttle: + group: default + created: [] + deleted: [] + skipped: [] + summary: + failed: 0 + succeeded: 1 + skipped: 0 + total: 1 + example8: + summary: Non-idempotent behavior for add_rule_actions + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + value: + success: true + rules_count: 1 + attributes: + results: + updated: + - id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + name: Jacek test rule + tags: [] + interval: 5m + enabled: false + revision: 2 + description: test + risk_score: 21 + severity: low + license: '' + output_index: '' + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + author: [] + false_positives: [] + from: now-6m + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + max_signals: 100 + risk_score_mapping: [] + severity_mapping: [] + threat: [] + to: now + references: [] + version: 2 + exceptions_list: [] + immutable: false + rule_source: + type: internal + related_integrations: [] + required_fields: [] + setup: '' + type: query + language: kuery + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + query: '*' + filters: [] + actions: + - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + action_type_id: '.webhook' + uuid: '0309347e-3954-429c-9168-5da2663389af' + frequency: + summary: true + notifyWhen: onActiveAlert + throttle: + group: default + - id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + action_type_id: '.webhook' + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + frequency: + summary: true + notifyWhen: onActiveAlert + throttle: + group: default + created: [] + deleted: [] + skipped: [] + summary: + failed: 0 + succeeded: 1 + skipped: 0 + total: 1 components: schemas: BulkEditSkipReason: 
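Review bot: `summary: Set tags successsully for 2 rules` has a typo (successfully). The response bodies are captured from a developer's instance: `updated_by: elastic`, `meta.kibana_siem_app_url: http://localhost:5601/kbn/app/security` and `name: Jacek test rule` in example8 should be neutralised (for instance `name: Test rule`) before this lands in public docs. The descriptions of example7 and example8 say each action "receives a new unique ID", but the bodies show the connector `id` unchanged (`20fbf986-...`, `76af173d-...`) and only `uuid` changing (`580e2e16-...` to `e48428e5-...`); say "receives a new `uuid`" so readers do not look for a changed `id`. "Regardless if the actions are the same" should be "Regardless of whether the actions are the same" in both descriptions. In example4 the second rule carries a nested `meta.from: 3m` that is unrelated to `set_tags` and looks like test-data residue; consider trimming the response examples to the fields the action actually touches.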
@@ -644,6 +1301,11 @@ components: BulkActionEditPayloadRuleActions: type: object + description: | + Edits rule actions of rules. + + - `add_rule_actions` adds rule actions to rules. If a rule action already exists for a rule, no changes are made. + - `set_rule_actions` sets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made. properties: type: type: string @@ -665,6 +1327,12 @@ components: BulkActionEditPayloadSchedule: type: object + description: | + Overwrites schedule of rules. + + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. + + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" properties: type: type: string @@ -679,7 +1347,10 @@ components: example: '1h' lookback: type: string - description: Lookback time for the rule + description: | + Lookback time for the rules. + + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. pattern: '^[1-9]\d*[smh]$' # any number except zero followed by one of the suffixes 's', 'm', 'h' example: '1h' required: @@ -691,6 +1362,12 @@ components: BulkActionEditPayloadIndexPatterns: type: object + description: | + Edits index patterns of rulesClient. + + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. properties: type: type: string 
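Review bot: the `BulkActionEditPayloadRuleActions` description in hunk `@@ -644,6 +1301,11 @@` states "If a rule action already exists for a rule, no changes are made" and "If the set of rule actions is the same as the existing rule actions, no changes are made", which contradicts the path description added earlier in this patch (add/set rule actions are the only non-idempotent edits) and the response examples 7 and 8 (new `uuid`, bumped `revision`, `skipped: []`); reword to something like "`add_rule_actions` appends the given actions even if an identical action already exists; each added action receives a new `uuid`" and the equivalent for `set_rule_actions`. In hunk `@@ -691,6 +1362,12 @@`, "Edits index patterns of rulesClient." should read "Edits index patterns of rules." In the schedule description, "The integer must be positive and larger than 0" duplicates the `^[1-9]\d*[smh]$` pattern shown just below it; "a positive integer" is enough, and the examples sentence is missing its terminating period.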
@@ -702,12 +1379,19 @@ components: $ref: '../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/IndexPatternArray' overwrite_data_views: type: boolean + description: Resets the data view for the rule. required: - type - value BulkActionEditPayloadTags: type: object + description: | + Edits tags of rules. + + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. properties: type: type: string @@ -723,6 +1407,12 @@ components: BulkActionEditPayloadInvestigationFields: type: object + description: | + Edits investigation fields of rules. + + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. properties: type: type: string @@ -738,6 +1428,10 @@ components: BulkActionEditPayloadTimeline: type: object + description: | + Edits timeline of rules. + + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. properties: type: type: string diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 4e0dd2d9a69f1..cadf0fe9629ff 100644 
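Review bot: `description: Resets the data view for the rule.` on `overwrite_data_views` does not tell the caller what happens in either state; the flag only matters for rules that use a data view instead of index patterns, so spell out both branches, for example "When `true`, the rule's data view is removed so the edited index patterns take effect. When `false` (the default), rules that use a data view are not switched to index patterns by this edit.", and verify the `false` branch (skipped vs. error) against the route implementation before merging. In the `BulkActionEditPayloadTimeline` hunk, "Edits timeline of rules." would be clearer as "Sets the timeline template of rules." to match the `set_timeline` wording used in example19.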
--- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -1616,6 +1616,20 @@ paths: multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, + investigation fields, rule actions and schedules for multiple rules at + once. + + The edit action is idempotent, meaning that if you add a tag to a rule + that already has that tag, no changes are made. The same is true for + other edit actions, for example removing an index pattern that is not + specified in a rule will not result in any changes. The only exception + is the `add_rule_actions` and `set_rule_actions` action, which is + non-idempotent. This means that if you add or set a rule action to a + rule that already has that action, a new action is created with a new + unique ID. + > warn > When used with [API 
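Review bot: this file (and its serverless twin listed in the diffstat) is a generated bundle, so the wording problems in the source hunk ("which is non-idempotent" should be "which are non-idempotent"; the idempotence claim conflicts with the component descriptions in the same patch) are duplicated here verbatim; fix them in `bulk_actions_route.schema.yaml` and regenerate the bundles rather than editing the copies by hand, otherwise the next bundling run reintroduces the discrepancy.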
@@ -1660,48 +1674,65 @@ paths: application/json: examples: example1: - description: The following request activates all rules with the test tag - summary: Enable all rules with the test tag + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' - example2: - description: The following request enables the rule with the specified ID. - summary: Enable a specific rule by ID + example10: + description: >- + The following request adds two tags at the same time, tag-1 + and tag-2, to the rules that have the IDs sent in the payload. + If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) value: - action: enable + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example3: - description: The following request disables the rule with the specified ID. - summary: Disable a specific rule by ID + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: >- + The following request removes the tag "tag-1" from the rules + with the specified IDs. If the tag does not exist for a rule, + no changes are made. + summary: Edit - Delete a tag from rules (idempotent) value: - action: disable + action: edit + edit: + - type: delete_tags + value: + - tag-1 ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example4: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: description: >- - The following request adds tags tag-1 and tag-2 to the rules - that have the IDs sent in the payload - summary: Add tags to rules + The following request sets the tags "tag-1" and "tag-2" for + the rules with the specified IDs, overwriting any existing + tags. If the set of tags is the same as the existing tags, no + changes are made. 
+ summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: - - type: add_tags + - type: set_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d - example5: + example13: description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: Dry run - Validate add_index_patterns bulk action + The following request adds the index pattern "test-*" to the + rules with the specified IDs. If the index pattern already + exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: 
@@ -1711,12 +1742,251 @@ paths: ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example6: + example14: + description: >- + The following request removes the index pattern "test-*" from + the rules with the specified IDs. If the index pattern does + not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: >- + The following request sets the index patterns "test-*" and + "prod-*" for the rules with the specified IDs, overwriting any + existing index patterns. If the set of index patterns is the + same as the existing index patterns, no changes are made. + summary: >- + Edit - Set (overwrite existing) index patterns for rules + patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: >- + The following request adds investigation field to the rules + with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: >- + The following request deletes investigation fields from the + rules with the specified IDs. If the field does not exist for + a rule, no changes are made. 
+ summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: >- + The following request sets investigation fields for the rules + with the specified IDs, overwriting any existing investigation + fields. If the set of investigation fields is the same as the + existing investigation fields, no changes are made. + summary: >- + Edit - Set (overwrite existing) investigation fields for rules + (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: >- + The following request sets a timeline template for the rules + with the specified IDs. If the same timeline template is + already set for a rule, no changes are made. + summary: >- + Edit - Set (overwrite existing) timeline template for rules + (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example2: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example20: + description: >- + The following request sets a schedule for the rules with the + specified IDs. If the same schedule is already set for a rule, + no changes are made. 
+ summary: >- + Edit - Set (overwrite existing) schedule for rules + (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: >- + The following request sets rule actions for the rules with the + specified IDs. Each action receives its own unique ID. + summary: >- + Edit - Set (overwrite existing) rule actions for rules + (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + event_action: trigger + severity: critical + summary: The message body + timestamp: 2023-10-31T00:00:00.000Z + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example3: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example4: description: >- The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate rules with specific IDs + summary: Duplicate - Duplicate rules with specific IDs value: action: duplicate duplicate: 
@@ -1725,18 +1995,18 @@ paths: ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 461a4c22-416e-4009-a9a7-cf79656454bf - example7: + example5: description: The following request deletes the rule with the specified ID. - summary: Delete a specific rule by ID + summary: Delete - Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example8: + example6: description: >- The following request runs the rule with the specified ID within the given date range. - summary: Run a specific rule by ID + summary: Run - Run a specific rule by ID value: action: run ids: 
@@ -1744,16 +2014,48 @@ paths: run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' - example9: + example7: description: >- The following request exports the rules with the specified IDs. - summary: Export specific rules by ID + summary: Export - Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - - 13199674-aff1-418a-9e93-04f585fe36d1 + example8: + description: >- + The following request will validate that the + add_index_patterns bulk action can be successfully applied to + three rules. The dry_run parameter is specified in query + parameters, e.g. POST + api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example9: + description: >- + The following request adds the tag "tag-1" to the rules with + the specified IDs. If the tag already exists for a rule, no + changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d schema: oneOf: - $ref: '#/components/schemas/BulkDeleteRules' 
@@ -2018,6 +2320,454 @@ paths: total: 3 message: Bulk edit partially failed status_code: 500 + example4: + description: >- + This example presents the successful setting of tags for 2 + rules. There was a difference between the set of tags that + were being added and the tags that were already set in the + rules, that's why the rules were updated. + summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - 
apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example5: + description: >- + This example presents the idempotent behavior of the edit + action with set_tags request. Both rules already had exactly + the same tags that were being added, so no changes were made + in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example6: + description: >- + This example presents the idempotent behavior of the edit + action with add_tags request. One rule was updated and one + was skipped. The rule that was skipped already had all the + tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example7: + description: >- + This example shows a non-idempotent nature of the + set_rule_actions requests. 
Regardless if the actions are the + same as the existing actions for a rule, the actions are + always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example8: + description: >- + This example shows a non-idempotent nature of the + add_rule_actions requests. 
Regardless if the added action is + the same as another existing action for a rule, the new + action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true schema: oneOf: - $ref: '#/components/schemas/BulkEditActionResponse' 
@@ -3728,9 +4478,23 @@ components: - $ref: '#/components/schemas/BulkActionEditPayloadRuleActions' - $ref: '#/components/schemas/BulkActionEditPayloadSchedule' BulkActionEditPayloadIndexPatterns: + description: > + Edits index patterns of rulesClient. + + + - `add_index_patterns` adds index patterns to rules. If an index pattern + already exists for a rule, no changes are made. + + - `delete_index_patterns` removes index patterns from rules. If an index + pattern does not exist for a rule, no changes are made. + + - `set_index_patterns` sets index patterns for rules, overwriting any + existing index patterns. If the set of index patterns is the same as the + existing index patterns, no changes are made. type: object properties: overwrite_data_views: + description: Resets the data view for the rule. type: boolean type: enum: @@ -3744,6 +4508,20 @@ components: - type - value BulkActionEditPayloadInvestigationFields: + description: > + Edits investigation fields of rules. + + + - `add_investigation_fields` adds investigation fields to rules. If an + investigation field already exists for a rule, no changes are made. + + - `delete_investigation_fields` removes investigation fields from rules. + If an investigation field does not exist for a rule, no changes are + made. + + - `set_investigation_fields` sets investigation fields for rules. If the + set of investigation fields is the same as the existing investigation + fields, no changes are made. type: object properties: type: @@ -3758,6 +4536,15 @@ components: - type - value BulkActionEditPayloadRuleActions: + description: > + Edits rule actions of rules. + + + - `add_rule_actions` adds rule actions to rules. If a rule action + already exists for a rule, no changes are made. + + - `set_rule_actions` sets rule actions for rules. If the set of rule + actions is the same as the existing rule actions, no changes are made. type: object properties: type: 
@@ -3780,6 +4567,18 @@ components: - type - value BulkActionEditPayloadSchedule: + description: > + Overwrites schedule of rules. + + + - `set_schedule` sets a schedule for rules. If the same schedule already + exists for a rule, no changes are made. + + + Both `interval` and `lookback` have a format of "{integer}{time_unit}", + where accepted time units are `s` for seconds, `m` for minutes, and `h` + for hours. The integer must be positive and larger than 0. Examples: + "45s", "30m", "6h" type: object properties: type: @@ -3797,7 +4596,13 @@ components: pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: Lookback time for the rule + description: > + Lookback time for the rules. + + + Additional look-back time that the rule analyzes. For example, + "10m" means the rule analyzes the last 10 minutes of data in + addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -3808,6 +4613,18 @@ components: - type - value BulkActionEditPayloadTags: + description: > + Edits tags of rules. + + + - `add_tags` adds tags to rules. If a tag already exists for a rule, no + changes are made. + + - `delete_tags` removes tags from rules. If a tag does not exist for a + rule, no changes are made. + + - `set_tags` sets tags for rules, overwriting any existing tags. If the + set of tags is the same as the existing tags, no changes are made. type: object properties: type: @@ -3822,6 +4639,12 @@ components: - type - value BulkActionEditPayloadTimeline: + description: > + Edits timeline of rules. + + + - `set_timeline` sets a timeline for rules. If the same timeline already + exists for a rule, no changes are made. type: object properties: type: 
@@ -7543,9 +8366,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. + - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index fbbd912407edb..5ebef30bc7d33 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml 
@@ -1480,6 +1480,20 @@ paths: multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, + investigation fields, rule actions and schedules for multiple rules at + once. + + The edit action is idempotent, meaning that if you add a tag to a rule + that already has that tag, no changes are made. The same is true for + other edit actions, for example removing an index pattern that is not + specified in a rule will not result in any changes. The only exception + is the `add_rule_actions` and `set_rule_actions` action, which is + non-idempotent. This means that if you add or set a rule action to a + rule that already has that action, a new action is created with a new + unique ID. + > warn > When used with [API 
@@ -1524,48 +1538,65 @@ paths: application/json: examples: example1: - description: The following request activates all rules with the test tag - summary: Enable all rules with the test tag + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' - example2: - description: The following request enables the rule with the specified ID. - summary: Enable a specific rule by ID + example10: + description: >- + The following request adds two tags at the same time, tag-1 + and tag-2, to the rules that have the IDs sent in the payload. + If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) value: - action: enable + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example3: - description: The following request disables the rule with the specified ID. - summary: Disable a specific rule by ID + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: >- + The following request removes the tag "tag-1" from the rules + with the specified IDs. If the tag does not exist for a rule, + no changes are made. + summary: Edit - Delete a tag from rules (idempotent) value: - action: disable + action: edit + edit: + - type: delete_tags + value: + - tag-1 ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example4: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: description: >- - The following request adds tags tag-1 and tag-2 to the rules - that have the IDs sent in the payload - summary: Add tags to rules + The following request sets the tags "tag-1" and "tag-2" for + the rules with the specified IDs, overwriting any existing + tags. If the set of tags is the same as the existing tags, no + changes are made. 
+ summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: - - type: add_tags + - type: set_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d - example5: + example13: description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: Dry run - Validate add_index_patterns bulk action + The following request adds the index pattern "test-*" to the + rules with the specified IDs. If the index pattern already + exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: 
@@ -1575,12 +1606,251 @@ paths: ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example6: + example14: + description: >- + The following request removes the index pattern "test-*" from + the rules with the specified IDs. If the index pattern does + not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: >- + The following request sets the index patterns "test-*" and + "prod-*" for the rules with the specified IDs, overwriting any + existing index patterns. If the set of index patterns is the + same as the existing index patterns, no changes are made. + summary: >- + Edit - Set (overwrite existing) index patterns for rules + patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: >- + The following request adds investigation field to the rules + with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: >- + The following request deletes investigation fields from the + rules with the specified IDs. If the field does not exist for + a rule, no changes are made. 
+ summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: >- + The following request sets investigation fields for the rules + with the specified IDs, overwriting any existing investigation + fields. If the set of investigation fields is the same as the + existing investigation fields, no changes are made. + summary: >- + Edit - Set (overwrite existing) investigation fields for rules + (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: >- + The following request sets a timeline template for the rules + with the specified IDs. If the same timeline template is + already set for a rule, no changes are made. + summary: >- + Edit - Set (overwrite existing) timeline template for rules + (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example2: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example20: + description: >- + The following request sets a schedule for the rules with the + specified IDs. If the same schedule is already set for a rule, + no changes are made. 
+ summary: >- + Edit - Set (overwrite existing) schedule for rules + (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: >- + The following request sets rule actions for the rules with the + specified IDs. Each action receives its own unique ID. + summary: >- + Edit - Set (overwrite existing) rule actions for rules + (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: >- + The following request adds rule actions to the rules with the + specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + event_action: trigger + severity: critical + summary: The message body + timestamp: 2023-10-31T00:00:00.000Z + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example3: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example4: description: >- The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate rules with specific IDs + summary: Duplicate - Duplicate rules with specific IDs value: action: duplicate duplicate: 
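Review bot: example15's description promises index patterns "test-*" and "prod-*" but its `value` list carries only `test-*`; add `- prod-*` or drop it from the description, and delete the stray word in the summary ("index patterns for rules patterns"). In example17 the key order is `type`, `ids`, `value`, while every other example has `type`, `value` inside the edit item and `ids` at the request top level next to `action`; please check that `ids` has not been nested inside the edit item. Examples 17 and 18 also pass `value` as a bare list (`- field1`, `- field2`) whereas example16 wraps it as `value: field_names: [...]`, matching the `investigation_fields: field_names:` shape in the response examples; only one of the two can validate, so align them. Smaller points: `group: default3` in examples 23 to 26 looks like a leftover from local testing (the rest use `group: default`), example2's summary ends with a period the others lack, and because keys sort lexically (example10..example26 before example2) the Enable/Disable examples end up buried after the edit examples; zero-padded or descriptive keys would keep the basic actions first.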
@@ -1589,18 +1859,18 @@ paths: ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 461a4c22-416e-4009-a9a7-cf79656454bf - example7: + example5: description: The following request deletes the rule with the specified ID. - summary: Delete a specific rule by ID + summary: Delete - Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example8: + example6: description: >- The following request runs the rule with the specified ID within the given date range. - summary: Run a specific rule by ID + summary: Run - Run a specific rule by ID value: action: run ids: 
@@ -1608,16 +1878,48 @@ paths: run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' - example9: + example7: description: >- The following request exports the rules with the specified IDs. - summary: Export specific rules by ID + summary: Export - Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - - 13199674-aff1-418a-9e93-04f585fe36d1 + example8: + description: >- + The following request will validate that the + add_index_patterns bulk action can be successfully applied to + three rules. The dry_run parameter is specified in query + parameters, e.g. POST + api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example9: + description: >- + The following request adds the tag "tag-1" to the rules with + the specified IDs. If the tag already exists for a rule, no + changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d schema: oneOf: - $ref: '#/components/schemas/BulkDeleteRules' 
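Review bot: example7 ("Export - Export specific rules by ID") drops its second ID (13199674-...) but the description still reads "exports the rules with the specified IDs" in the plural; either keep two IDs or reword to the singular. The dry-run example8 keeps the three-ID list that was just removed from the add_index_patterns example above, so its description ("applied to three rules") still matches; worth keeping in mind if the IDs are trimmed later.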
@@ -1882,6 +2184,454 @@ paths: total: 3 message: Bulk edit partially failed status_code: 500 + example4: + description: >- + This example presents the successful setting of tags for 2 + rules. There was a difference between the set of tags that + were being added and the tags that were already set in the + rules, that's why the rules were updated. + summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - 
apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example5: + description: >- + This example presents the idempotent behavior of the edit + action with set_tags request. Both rules already had exactly + the same tags that were being added, so no changes were made + in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example6: + description: >- + This example presents the idempotent behavior of the edit + action with add_tags request. One rule was updated and one + was skipped. The rule that was skipped already had all the + tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example7: + description: >- + This example shows a non-idempotent nature of the + set_rule_actions requests. 
Regardless if the actions are the + same as the existing actions for a rule, the actions are + always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - >- + Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example8: + description: >- + This example shows a non-idempotent nature of the + add_rule_actions requests. 
Regardless if the added action is + the same as another existing action for a rule, the new + action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true schema: oneOf: - $ref: '#/components/schemas/BulkEditActionResponse' 
@@ -3058,9 +3808,23 @@ components: - $ref: '#/components/schemas/BulkActionEditPayloadRuleActions' - $ref: '#/components/schemas/BulkActionEditPayloadSchedule' BulkActionEditPayloadIndexPatterns: + description: > + Edits index patterns of rulesClient. + + + - `add_index_patterns` adds index patterns to rules. If an index pattern + already exists for a rule, no changes are made. + + - `delete_index_patterns` removes index patterns from rules. If an index + pattern does not exist for a rule, no changes are made. + + - `set_index_patterns` sets index patterns for rules, overwriting any + existing index patterns. If the set of index patterns is the same as the + existing index patterns, no changes are made. type: object properties: overwrite_data_views: + description: Resets the data view for the rule. type: boolean type: enum: @@ -3074,6 +3838,20 @@ components: - type - value BulkActionEditPayloadInvestigationFields: + description: > + Edits investigation fields of rules. + + + - `add_investigation_fields` adds investigation fields to rules. If an + investigation field already exists for a rule, no changes are made. + + - `delete_investigation_fields` removes investigation fields from rules. + If an investigation field does not exist for a rule, no changes are + made. + + - `set_investigation_fields` sets investigation fields for rules. If the + set of investigation fields is the same as the existing investigation + fields, no changes are made. type: object properties: type: @@ -3088,6 +3866,15 @@ components: - type - value BulkActionEditPayloadRuleActions: + description: > + Edits rule actions of rules. + + + - `add_rule_actions` adds rule actions to rules. If a rule action + already exists for a rule, no changes are made. + + - `set_rule_actions` sets rule actions for rules. If the set of rule + actions is the same as the existing rule actions, no changes are made. type: object properties: type: 
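Review bot: "Edits index patterns of rulesClient." in the `BulkActionEditPayloadIndexPatterns` hunk should read "Edits index patterns of rules."; `rulesClient` is an internal identifier that leaked into user-facing text. The new `overwrite_data_views` description, "Resets the data view for the rule.", does not say what differs between `true` and `false`; state what happens to a rule's data view when the flag is set and index patterns are added, since that is the case a caller needs to decide on.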
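Review bot: the `BulkActionEditPayloadRuleActions` description (hunk @@ -3088) states that `add_rule_actions` makes no changes "if a rule action already exists for a rule" and that `set_rule_actions` makes none when "the set of rule actions is the same", but the same PR documents both operations as non-idempotent: the endpoint description says "The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent", and response examples 7 and 8 show an identical action being applied again with a fresh `uuid`. This schema text is what an operator scripting a mass edit will rely on; believing a re-run is safe would leave rules with duplicated notification actions. Reword the description to match the examples (actions are always applied and receive a new unique ID).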
@@ -3110,6 +3897,18 @@ components: - type - value BulkActionEditPayloadSchedule: + description: > + Overwrites schedule of rules. + + + - `set_schedule` sets a schedule for rules. If the same schedule already + exists for a rule, no changes are made. + + + Both `interval` and `lookback` have a format of "{integer}{time_unit}", + where accepted time units are `s` for seconds, `m` for minutes, and `h` + for hours. The integer must be positive and larger than 0. Examples: + "45s", "30m", "6h" type: object properties: type: @@ -3127,7 +3926,13 @@ components: pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: Lookback time for the rule + description: > + Lookback time for the rules. + + + Additional look-back time that the rule analyzes. For example, + "10m" means the rule analyzes the last 10 minutes of data in + addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -3138,6 +3943,18 @@ components: - type - value BulkActionEditPayloadTags: + description: > + Edits tags of rules. + + + - `add_tags` adds tags to rules. If a tag already exists for a rule, no + changes are made. + + - `delete_tags` removes tags from rules. If a tag does not exist for a + rule, no changes are made. + + - `set_tags` sets tags for rules, overwriting any existing tags. If the + set of tags is the same as the existing tags, no changes are made. type: object properties: type: @@ -3152,6 +3969,12 @@ components: - type - value BulkActionEditPayloadTimeline: + description: > + Edits timeline of rules. + + + - `set_timeline` sets a timeline for rules. If the same timeline already + exists for a rule, no changes are made. type: object properties: type: 
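Review bot: in the `BulkActionEditPayloadSchedule` description, "The integer must be positive and larger than 0" is redundant (positive already excludes 0), and the prose omits the two constraints a caller will actually hit in the `^[1-9]\d*[smh]$` pattern: no leading zeros, and no units other than `s`, `m`, `h` (for example `d` is rejected). Suggest: "The integer must be greater than 0 with no leading zeros; only `s`, `m` and `h` are accepted." Also add the missing period after the examples list.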
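Review bot: the `lookback` description (hunk @@ -3127) now opens twice, "Lookback time for the rules." followed by "Additional look-back time that the rule analyzes."; keep one opener and one spelling (`lookback` or `look-back`) so the property text and the parent description read consistently.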
@@ -6752,9 +7575,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. + - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. From ed890f34eb181e1976f238b4ee7369d4e422e893 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 3 Apr 2025 08:37:44 +0000 Subject: [PATCH 2/8] [CI] Auto-commit changed files from 'make api-docs' --- oas_docs/output/kibana.serverless.yaml | 761 +++++++++++++++++++++++-- oas_docs/output/kibana.yaml | 761 +++++++++++++++++++++++-- 2 files changed, 1456 insertions(+), 66 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index ba32ad8c225d4..7c1bd71c14ee1 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml 
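Review bot: "Severity of on the alert notification" survives from the `-` line into the `+` line; drop "of" or "on". This hunk also changes the documented PagerDuty parameter names (`eventAction` to `event_action`, `dedupKey` to `dedup_key`) and the severity value casing (`Critical` to `critical`); the new request example26 in this PR uses `event_action: trigger` and `severity: critical`, so the two are consistent with each other, but please confirm the names and casing against the PagerDuty connector's own parameter schema, as this is the reference users will copy when wiring paging for high-severity detections.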
@@ -10162,6 +10162,9 @@ paths: post: description: | Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. 
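Review bot: "The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent" should be "The only exceptions are the `add_rule_actions` and `set_rule_actions` actions, which are non-idempotent." The preceding sentence also overstates the menu: schedules and timelines can only be set (`set_schedule`, `set_timeline`), rule actions can be added or set but not deleted, and timelines are missing from the list entirely; spelling out the per-field operations saves a reader from looking for a `delete_schedule` that does not exist. Since this file is produced by `make api-docs`, apply the wording fix in the source route description so it is not lost on the next regeneration.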
@@ -10186,41 +10189,52 @@ paths: application/json: examples: example1: - description: The following request activates all rules with the test tag - summary: Enable all rules with the test tag + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' - example2: - description: The following request enables the rule with the specified ID. - summary: Enable a specific rule by ID + example10: + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) value: - action: enable + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example3: - description: The following request disables the rule with the specified ID. - summary: Disable a specific rule by ID + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. + summary: Edit - Delete a tag from rules (idempotent) value: - action: disable + action: edit + edit: + - type: delete_tags + value: + - tag-1 ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example4: - description: The following request adds tags tag-1 and tag-2 to the rules that have the IDs sent in the payload - summary: Add tags to rules + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. 
+ summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: - - type: add_tags + - type: set_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d - example5: - description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: Dry run - Validate add_index_patterns bulk action + example13: + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: 
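Review bot: example1's description still says the request "activates" rules while its summary and `action` say enable; use "enables" for consistency with example2. example10 describes its targets as "the rules that have the IDs sent in the payload" whereas the neighbouring examples say "the rules with the specified IDs"; pick one phrasing. Both fixes belong in the source schema, since this bundle is regenerated.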
@@ -10230,10 +10244,205 @@ paths: ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example6: + example14: + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. + summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: The following request adds investigation field to the rules with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. 
+ summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. + summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example2: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example20: + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. 
+ summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + event_action: trigger + severity: critical + summary: The message body + timestamp: '2023-10-31T00:00:00.000Z' + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example3: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example4: description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate rules with specific IDs + summary: Duplicate - Duplicate rules with specific IDs value: action: duplicate duplicate: 
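Review bot: the generator emitted `timestamp: '2023-10-31T00:00:00.000Z'` (quoted) in example26, while the source schema leaves it unquoted (`timestamp: 2023-10-31T00:00:00.000Z`); unquoted, YAML 1.1 loaders parse that value as a timestamp type rather than a string, so quote it in the source too so the example is stable across tools. The defects copied from the source hunk (example15's missing `prod-*`, the `type`/`ids`/`value` ordering in example17, `group: default3`) are reproduced here and will clear once the source is fixed and the docs regenerated.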
@@ -10242,16 +10451,16 @@ paths: ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 461a4c22-416e-4009-a9a7-cf79656454bf - example7: + example5: description: The following request deletes the rule with the specified ID. - summary: Delete a specific rule by ID + summary: Delete - Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example8: + example6: description: The following request runs the rule with the specified ID within the given date range. - summary: Run a specific rule by ID + summary: Run - Run a specific rule by ID value: action: run ids: 
@@ -10259,14 +10468,38 @@ paths: run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' - example9: + example7: description: The following request exports the rules with the specified IDs. - summary: Export specific rules by ID + summary: Export - Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - - 13199674-aff1-418a-9e93-04f585fe36d1 + example8: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example9: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' 
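Review bot: example7 (export) now lists a single rule id after `13199674-aff1-418a-9e93-04f585fe36d1` was dropped, but its description and summary still say `exports the rules with the specified IDs` / `Export specific rules by ID`; either keep two ids or switch the wording to the singular. In example8 the dry-run description mentions `dry_run=true` as a query parameter, which the `value` block cannot show; consider stating explicitly that the body is identical to a real run and only the URL differs, so readers do not look for a `dry_run` field in the payload.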
@@ -10488,6 +10721,431 @@ paths: total: 3 message: Bulk edit partially failed status_code: 500 + example4: + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. + summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - 
apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example5: + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example6: + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example7: + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example8: + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' 
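Review bot: the rule ids and names are swapped between these response examples. In example4, `738112cd-6cfa-414a-8457-2a658845d6ba` is `Rule 1` and `eacdfc95-e007-41c9-986e-4b2cbdfdc71b` is `Rule 2`, but example5 lists `eacdfc95-…` as `Rule 1` and `738112cd-…` as `Rule 2`, and example6 calls the same two rules `Test Rule 2` and `Test rule`. Since the three examples are presented as successive calls against the same pair of rules, please use one consistent id/name mapping. Also: the example4 summary has a typo (`successsully`), its description says tags were being "added" although the request shown is `set_tags`, the example7/example8 descriptions should read `shows the non-idempotent nature of`, and the rule in example8 is named `Jacek test rule`, which should be a neutral name in published API docs.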
@@ -53552,9 +54210,16 @@ components: - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' Security_Detections_API_BulkActionEditPayloadIndexPatterns: + description: | + Edits index patterns of rulesClient. + + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: + description: Resets the data view for the rule. type: boolean type: enum: @@ -53568,6 +54233,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: + description: | + Edits investigation fields of rules. + + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: 
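Review bot: `Edits index patterns of rulesClient.` in the `Security_Detections_API_BulkActionEditPayloadIndexPatterns` description is a leftover from the code; it should say `rules`. The new `overwrite_data_views` description, `Resets the data view for the rule.`, does not tell the reader what happens to a rule that is configured with a data view when the flag is false or omitted (is the index-pattern edit applied, skipped, or rejected?), which is exactly the case the flag exists for; please spell out both branches. The per-operation bullets in both hunks say `no changes are made` when a value already exists or is missing; clarify that the rule is then reported under `results.skipped` with `skip_reason: RULE_NOT_MODIFIED`, not that the request fails.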
@@ -53582,6 +54253,11 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: + description: | + Edits rule actions of rules. + + - `add_rule_actions` adds rule actions to rules. If a rule action already exists for a rule, no changes are made. + - `set_rule_actions` sets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made. type: object properties: type: @@ -53604,6 +54280,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: + description: | + Overwrites schedule of rules. + + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. + + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: @@ -53619,7 +54301,10 @@ components: pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: Lookback time for the rule + description: | + Lookback time for the rules. + + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -53630,6 +54315,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTags: + description: | + Edits tags of rules. + + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
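Review bot: the new `Security_Detections_API_BulkActionEditPayloadRuleActions` description contradicts the rest of this patch. It says `add_rule_actions ... If a rule action already exists for a rule, no changes are made.` and `set_rule_actions ... If the set of rule actions is the same as the existing rule actions, no changes are made.`, while the endpoint description added in the same patch states these two operations are the only non-idempotent edits, and response examples 7 and 8 show the action being re-set or duplicated with a fresh `uuid`. Rewrite both bullets to say the actions are always applied and every action receives a new unique id. Minor, in the schedule hunk: `must be positive and larger than 0` is redundant given the `^[1-9]\d*[smh]$` pattern already excludes zero, and `Overwrites schedule of rules.` reads better as `Overwrites the schedule of rules.`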
@@ -53644,6 +54335,10 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: + description: | + Edits timeline of rules. + + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: type: @@ -56941,9 +57636,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. + - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 26480a0a0ed74..99dfe1b056a46 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
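Review bot: renaming the documented PagerDuty parameters from `eventAction`/`dedupKey` to `event_action`/`dedup_key` changes the documented wire format, and the rule `actions[].params` object is handed to the connector as-is (the webhook examples elsewhere in this patch show `params.body` stored unchanged), so these keys must match what the PagerDuty connector's params schema actually accepts. Please confirm the snake_case names against that schema before merging; the lowercase `severity` values (`critical`, `error`, `warning`, `info`) look right, but the two key renames may be a regression from the original camelCase. Whichever names are correct also need to be applied to example26 in the bulk-action request examples, which currently uses `event_action`.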
@@ -11830,6 +11830,9 @@ paths: post: description: | Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + + The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. + The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. 
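Review bot: `The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent.` should read `actions, which are non-idempotent`. It would also help to say what "idempotent" means in terms of the response: a rule whose state already matches the request is returned under `results.skipped` with `skip_reason: RULE_NOT_MODIFIED` and is not counted as `succeeded`, as the response examples added later in this patch show. Note that this paragraph and the `Security_Detections_API_BulkActionEditPayloadRuleActions` description in the same patch currently disagree about whether rule-action edits are idempotent; make sure both say the same thing.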
@@ -11854,41 +11857,52 @@ paths: application/json: examples: example1: - description: The following request activates all rules with the test tag - summary: Enable all rules with the test tag + description: The following request activates all rules with the test tag. + summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' - example2: - description: The following request enables the rule with the specified ID. - summary: Enable a specific rule by ID + example10: + description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. + summary: Edit - Add two tags to rules (idempotent) value: - action: enable + action: edit + edit: + - type: add_tags + value: + - tag-1 + - tag-2 ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example3: - description: The following request disables the rule with the specified ID. - summary: Disable a specific rule by ID + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example11: + description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. + summary: Edit - Delete a tag from rules (idempotent) value: - action: disable + action: edit + edit: + - type: delete_tags + value: + - tag-1 ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example4: - description: The following request adds tags tag-1 and tag-2 to the rules that have the IDs sent in the payload - summary: Add tags to rules + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d + example12: + description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. 
+ summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: - - type: add_tags + - type: set_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d - example5: - description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: Dry run - Validate add_index_patterns bulk action + example13: + description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. + summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: 
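Review bot: example1's description still says `activates all rules with the test tag` while the summary and `action` say enable; use `enables` for consistency. example10's description (`adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload`) can be tightened to match the wording used by example9 and example11 (`adds the tags "tag-1" and "tag-2" to the rules with the specified IDs`). The old `example2`/`example3` enable/disable-by-id examples are moved rather than removed, so the rename is fine, but the bundled ordering (`example1`, `example10`, `example11`, ...) is lexical; consider zero-padding the keys (`example01`) if the rendered order matters.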
@@ -11898,10 +11912,205 @@ paths: ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example6: + example14: + description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. + summary: Edit - Remove index patterns from rules (idempotent) + value: + action: edit + edit: + - type: delete_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example15: + description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. + summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + value: + action: edit + edit: + - type: set_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + example16: + description: The following request adds investigation field to the rules with the specified IDs. + summary: Edit - Add investigation field to rules + value: + action: edit + edit: + - type: add_investigation_fields + value: + field_names: + - alert.status + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example17: + description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. 
+ summary: Edit - Delete investigation fields from rules (idempotent) + value: + action: edit + edit: + - type: delete_investigation_fields + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + value: + - field1 + - field2 + example18: + description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + value: + action: edit + edit: + - type: set_investigation_fields + value: + - field1 + - field2 + ids: + - 12345678-1234-1234-1234-1234567890ab + - 87654321-4321-4321-4321-0987654321ba + example19: + description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. + summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + value: + action: edit + edit: + - type: set_timeline + value: + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + ids: + - eacdfc95-e007-41c9-986e-4b2cbdfdc71b + example2: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example20: + description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. 
+ summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + value: + action: edit + edit: + - type: set_schedule + value: + interval: 1h + lookback: 30m + ids: + - 99887766-5544-3322-1100-aabbccddeeff + example21: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules (non-idempotent) + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example22: + description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + value: + action: edit + edit: + - type: set_rule_actions + value: + actions: + - group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191928 + example23: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a webhook connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: The message body + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example24: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
+ summary: Edit - Add rule actions to rules for an email connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The message body + subject: Subject + to: address@domain.com + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example25: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a slack connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + message: The content of the message + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example26: + description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. + summary: Edit - Add rule actions to rules for a PagerDuty connector + value: + action: edit + edit: + - type: add_rule_actions + value: + actions: + - group: default3 + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + event_action: trigger + severity: critical + summary: The message body + timestamp: '2023-10-31T00:00:00.000Z' + ids: + - 9e946bfc-3118-4c77-bb25-67d781191921 + example3: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example4: description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate rules with specific IDs + summary: Duplicate - Duplicate rules with specific IDs value: action: duplicate duplicate: 
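Review bot: example17 and example18 do not match the `Security_Detections_API_BulkActionEditPayloadInvestigationFields` schema this patch documents. example16 correctly passes `value: {field_names: [...]}`, but example17 and example18 pass `value` as a bare list (`- field1`, `- field2`), and in example17 the `ids` list appears between `type` and `value`, that is inside the edit item rather than at the top level of the request body. Please reshape both to `value: field_names: [...]` with `ids` as a sibling of `action` and `edit`. Also: example15's description promises `test-*` and `prod-*` but the payload lists only `test-*`, and its summary has a stray word (`index patterns for rules patterns`); example16's description should read `adds an investigation field`; example23 through example26 use `group: default3` where example21 and example22 use `group: default`; and example24's `to: address@domain.com` should be checked against the email connector, which takes recipients as a list.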
@@ -11910,16 +12119,16 @@ paths: ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 461a4c22-416e-4009-a9a7-cf79656454bf - example7: + example5: description: The following request deletes the rule with the specified ID. - summary: Delete a specific rule by ID + summary: Delete - Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example8: + example6: description: The following request runs the rule with the specified ID within the given date range. - summary: Run a specific rule by ID + summary: Run - Run a specific rule by ID value: action: run ids: 
@@ -11927,14 +12136,38 @@ paths: run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' - example9: + example7: description: The following request exports the rules with the specified IDs. - summary: Export specific rules by ID + summary: Export - Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - - 13199674-aff1-418a-9e93-04f585fe36d1 + example8: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example9: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' 
@@ -12156,6 +12389,431 @@ paths: total: 3 message: Bulk edit partially failed status_code: 500 + example4: + description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. + summary: Set tags successsully for 2 rules + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: [] + author: [] + created_at: '2025-03-25T11:46:41.899Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 738112cd-6cfa-414a-8457-2a658845d6ba + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 1 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 1 + risk_score: 21 + risk_score_mapping: [] + rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + to: now + type: query + updated_at: '2025-03-25T11:47:11.350Z' + updated_by: elastic + version: 2 + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - 
apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Rule 2 + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 33 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:47:11.357Z' + updated_by: elastic + version: 24 + summary: + failed: 0 + skipped: 0 + succeeded: 2 + total: 2 + rules_count: 2 + success: true + example5: + description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. + summary: Idempotent behavior of set_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + name: Rule 1 + skip_reason: RULE_NOT_MODIFIED + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: [] + summary: + failed: 0 + skipped: 2 + succeeded: 0 + total: 2 + rules_count: 2 + success: true + example6: + description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
+ summary: Idempotent behavior of add_tags + value: + attributes: + results: + created: [] + deleted: [] + skipped: + - id: 738112cd-6cfa-414a-8457-2a658845d6ba + name: Test Rule 2 + skip_reason: RULE_NOT_MODIFIED + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 34 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T11:55:12.752Z' + updated_by: elastic + version: 25 + summary: + failed: 0 + skipped: 1 + succeeded: 1 + total: 2 + rules_count: 2 + success: true + example7: + description: This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. + summary: Non-idempotent behavior for set_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 20fbf986-a270-460e-80f3-7b83c08b430f + params: + body: Hello + uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 + author: [] + created_at: '2025-03-25T09:49:08.343Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-360s + id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 3m + investigation_fields: + field_names: + - alert.status + - Endpoint.policy.applied.artifacts.global.channel + language: kuery + license: '' + max_signals: 100 + meta: + from: 3m + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 39 + risk_score: 21 + risk_score_mapping: [] + rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: + - tag-1 + - tag-2 + - tag-4 + threat: [] + timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd + timeline_title: Alerts Involving a Single User Timeline + to: now + type: query + updated_at: '2025-03-25T12:17:40.528Z' + updated_by: elastic + version: 30 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true + example8: + description: This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. + summary: Non-idempotent behavior for add_rule_actions + value: + attributes: + results: + created: [] + deleted: [] + skipped: [] + updated: + - actions: + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 0309347e-3954-429c-9168-5da2663389af + - action_type_id: .webhook + frequency: + notifyWhen: onActiveAlert + summary: true + throttle: null + group: default + id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 + params: + body: Message body + uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd + author: [] + created_at: '2025-04-02T12:42:03.400Z' + created_by: elastic + description: test + enabled: false + exceptions_list: [] + false_positives: [] + filters: [] + from: now-6m + id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 + immutable: false + index: + - apm-*-transaction* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - traces-apm* + - winlogbeat-* + - '-*elastic-cloud-logs-*' + interval: 5m + language: kuery + license: '' + max_signals: 100 + meta: + kibana_siem_app_url: http://localhost:5601/kbn/app/security + name: Jacek test rule + output_index: '' + query: '*' + references: [] + related_integrations: [] + required_fields: [] + revision: 2 + risk_score: 21 + risk_score_mapping: [] + rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 + rule_source: + type: internal + setup: '' + severity: low + severity_mapping: [] + tags: [] + threat: [] + to: now + type: query + updated_at: '2025-04-02T12:51:40.215Z' + updated_by: elastic + version: 2 + summary: + failed: 0 + skipped: 0 + succeeded: 1 + total: 1 + rules_count: 1 + success: true schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' 
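Review bot: the rule names in example5 and example6 do not line up with the ids used in example4, so the three examples cannot be read as one sequence. example4 has `id: 738112cd-6cfa-414a-8457-2a658845d6ba` as `name: Rule 1` and `id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b` as `name: Rule 2`; example5 swaps them (`id: eacdfc95-... name: Rule 1`), and example6 calls the same two rules `Test Rule 2` and `Test rule`. Pick one id-to-name mapping and use it in all of example4 through example7. Smaller points in the same hunk: `summary: Set tags successsully for 2 rules` has a typo; the example4 and example5 descriptions talk about tags "being added" although the action is `set_tags` (say "being set"); `Regardless if the actions are the same` in example7 and `Regardless if the added action is the same` in example8 should read `Regardless of whether`; and example8's `name: Jacek test rule` should be a neutral name in the style of the `Rule 1`/`Rule 2` used elsewhere.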
@@ -62306,9 +62964,16 @@ components: - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' Security_Detections_API_BulkActionEditPayloadIndexPatterns: + description: | + Edits index patterns of rulesClient. + + - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. + - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. + - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: + description: Resets the data view for the rule. type: boolean type: enum: @@ -62322,6 +62987,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: + description: | + Edits investigation fields of rules. + + - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. + - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. + - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: 
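Review bot: `Edits index patterns of rulesClient.` in the `Security_Detections_API_BulkActionEditPayloadIndexPatterns` description is a leftover identifier and should read `Edits index patterns of rules.`, matching the sibling descriptions. The new `overwrite_data_views` text, `Resets the data view for the rule.`, also does not tell the caller what actually changes: state what happens to a rule that currently uses a data view when the flag is `true` versus `false` (whether the data view is replaced by the supplied index patterns or the rule is left unchanged and reported as skipped), since deciding that is the only reason to set the flag.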
@@ -62336,6 +63007,11 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: + description: | + Edits rule actions of rules. + + - `add_rule_actions` adds rule actions to rules. If a rule action already exists for a rule, no changes are made. + - `set_rule_actions` sets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made. type: object properties: type: @@ -62358,6 +63034,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: + description: | + Overwrites schedule of rules. + + - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. + + Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: @@ -62373,7 +63055,10 @@ components: pattern: ^[1-9]\d*[smh]$ type: string lookback: - description: Lookback time for the rule + description: | + Lookback time for the rules. + + Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string @@ -62384,6 +63069,12 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTags: + description: | + Edits tags of rules. + + - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. + - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. + - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. type: object properties: type: 
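Review bot: the `Security_Detections_API_BulkActionEditPayloadRuleActions` description contradicts the behavior documented elsewhere in this same change. It says `If a rule action already exists for a rule, no changes are made.` and `If the set of rule actions is the same as the existing rule actions, no changes are made.`, but response example7 and example8 show `set_rule_actions` and `add_rule_actions` always writing the actions with a fresh `uuid` (example8 ends up with two identical `.webhook` actions on the same connector id), and the bulk action's own summary text in this PR names these two as the only non-idempotent edits. Rewrite both bullets to say that the supplied actions are always applied and each receives a new unique id, and that `add_rule_actions` can therefore create duplicate actions on a rule.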
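Review bot: in the `Security_Detections_API_BulkActionEditPayloadSchedule` hunk, `The integer must be positive and larger than 0` says the same thing twice, and the constraint is already carried by `pattern: ^[1-9]\d*[smh]$` (which also rejects leading zeros); one clause is enough. The `lookback` description now opens with `Lookback time for the rules.` and follows it with a second sentence that restates it (`Additional look-back time that the rule analyzes...`); keep only the explanatory sentence, and use the singular `rule` as the `interval` description does.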
@@ -62398,6 +63089,10 @@ components: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: + description: | + Edits timeline of rules. + + - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: type: @@ -65816,9 +66511,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. + - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. From 915a0f4c86763964e2d20bfb81bb209b77a9c249 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 3 Apr 2025 14:12:41 +0000 Subject: [PATCH 3/8] [CI] Auto-commit changed files from 'yarn openapi:generate' --- .../rule_schema/common_attributes.gen.ts | 6 +- .../bulk_actions/bulk_actions_route.gen.ts | 57 ++++++++++++++++++- .../common/api/quickstart_client.gen.ts | 3 + .../services/security_solution_api.gen.ts | 3 + 4 files changed, 63 insertions(+), 6 deletions(-) 
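Review bot: the `@@ -65816` hunk renames documented PagerDuty connector parameters (`eventAction` to `event_action`, `dedupKey` to `dedup_key`) and lowercases the `severity` values inside a commit whose subject is bulk_actions documentation. Documentation can only describe what the connector actually accepts, so these three edits need to be checked against the PagerDuty connector's own parameter schema, not against PagerDuty's Events API naming. Note that the later "Fixes from review" commit in this series reverts all three edits as a unit, including the casing of the severity values; since the parameter names and the value casing are independent questions, at most one of the two versions can be right and possibly neither is. Verify each against the schema, land only the matching variant, and keep it out of this bulk_actions change if it is unrelated.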
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts index 51f63b8326fa1..88b41af67857b 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts @@ -601,9 +601,9 @@ For Webhook: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. + - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. 
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts index 6108cf2bcfdea..d437d1a204d46 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts @@ -240,6 +240,13 @@ export const NormalizedRuleAction = z }) .strict(); +/** + * Edits rule actions of rules. + +- `add_rule_actions` adds rule actions to rules. If a rule action already exists for a rule, no changes are made. +- `set_rule_actions` sets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made. + + */ export type BulkActionEditPayloadRuleActions = z.infer; export const BulkActionEditPayloadRuleActions = z.object({ type: z.enum(['add_rule_actions', 'set_rule_actions']), @@ -249,6 +256,14 @@ export const BulkActionEditPayloadRuleActions = z.object({ }), }); +/** + * Overwrites schedule of rules. + +- `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. + +Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" + + */ export type BulkActionEditPayloadSchedule = z.infer; export const BulkActionEditPayloadSchedule = z.object({ type: z.literal('set_schedule'), 
@@ -257,26 +272,56 @@ export const BulkActionEditPayloadSchedule = z.object({ * Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. */ interval: z.string().regex(/^[1-9]\d*[smh]$/), - /** - * Lookback time for the rule - */ + /** + * Lookback time for the rules. + +Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. + + */ lookback: z.string().regex(/^[1-9]\d*[smh]$/), }), }); +/** + * Edits index patterns of rulesClient. + +- `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. +- `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. +- `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. + + */ export type BulkActionEditPayloadIndexPatterns = z.infer; export const BulkActionEditPayloadIndexPatterns = z.object({ type: z.enum(['add_index_patterns', 'delete_index_patterns', 'set_index_patterns']), value: IndexPatternArray, + /** + * Resets the data view for the rule. + */ overwrite_data_views: z.boolean().optional(), }); +/** + * Edits tags of rules. + +- `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. +- `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. +- `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. + + */ export type BulkActionEditPayloadTags = z.infer; export const BulkActionEditPayloadTags = z.object({ type: z.enum(['add_tags', 'delete_tags', 'set_tags']), value: RuleTagArray, }); +/** + * Edits investigation fields of rules. 
+ +- `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. +- `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. +- `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. + + */ export type BulkActionEditPayloadInvestigationFields = z.infer< typeof BulkActionEditPayloadInvestigationFields >; @@ -289,6 +334,12 @@ export const BulkActionEditPayloadInvestigationFields = z.object({ value: InvestigationFields, }); +/** + * Edits timeline of rules. + +- `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. + + */ export type BulkActionEditPayloadTimeline = z.infer; export const BulkActionEditPayloadTimeline = z.object({ type: z.literal('set_timeline'), diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts index fd4bae303ed1e..3368a9df12d0a 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts 
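Review bot: these JSDoc blocks are generated from the YAML, so the two problems in the source come through verbatim: `Edits index patterns of rulesClient.` above `BulkActionEditPayloadIndexPatterns`, and the `BulkActionEditPayloadRuleActions` comment claiming `If a rule action already exists for a rule, no changes are made.`, which the `add_rule_actions`/`set_rule_actions` summary emitted by the same commit contradicts. Fix them in `bulk_actions_route.schema.yaml` and let `yarn openapi:generate` refresh this file rather than editing it by hand. The generator also emits the block scalar's trailing newline as an empty line before each ` */`; harmless, but if those blank lines are not intentional use `description: |-` in the YAML.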
@@ -1820,6 +1820,9 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule } /** * Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + +The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. +The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. diff --git a/x-pack/test/api_integration/services/security_solution_api.gen.ts b/x-pack/test/api_integration/services/security_solution_api.gen.ts index f027bea09dd85..9f63bb7de437c 100644 --- a/x-pack/test/api_integration/services/security_solution_api.gen.ts +++ b/x-pack/test/api_integration/services/security_solution_api.gen.ts 
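Review bot: the new paragraph in the bulk action summary overstates what the edit action supports and has a grammar slip. `add, delete, or set tags, index patterns, investigation fields, rule actions and schedules` reads as if every combination exists, but the payload schemas in this PR offer only `add_rule_actions`/`set_rule_actions` (no delete), only `set_schedule`, and also `set_timeline`, which the list omits; say which operations apply to which field, or list the `type` values. `The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent.` should be `The only exceptions are the `add_rule_actions` and `set_rule_actions` actions, which are non-idempotent.` This text is generated from the operation description in the YAML, so fix it at the source.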
@@ -1301,6 +1301,9 @@ The difference between the `id` and `rule_id` is that the `id` is a unique rule }, /** * Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. + +The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. +The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. From d5399840a1d6671fada5c3506a52fa6675527115 Mon Sep 17 00:00:00 2001 From: Jacek Kolezynski Date: Wed, 9 Apr 2025 10:32:33 +0200 Subject: [PATCH 4/8] Fixes from review --- .../rule_schema/common_attributes.schema.yaml | 6 +- .../bulk_actions_route.schema.yaml | 72 +++++++-------- ...ections_api_2023_10_31.bundled.schema.yaml | 89 ++++++++++--------- ...ections_api_2023_10_31.bundled.schema.yaml | 89 ++++++++++--------- 4 files changed, 129 insertions(+), 127 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml index 20e8801ad562a..1080c39e0c248 100644 
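Review bot: same generated paragraph as in `quickstart_client.gen.ts`: the `add, delete, or set ... rule actions and schedules` list and `The only exception is the ... action, which is non-idempotent` need the same correction here, and both copies will follow automatically once the YAML operation description is fixed and regenerated.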
--- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.schema.yaml @@ -600,9 +600,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. - - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. + - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml index db4147c2d36e5..03d83e7b6ed9b 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml 
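Review bot: the diffstat for this commit lists only the four `.schema.yaml` files, so reverting `event_action`/`dedup_key`/lowercase `severity` here leaves `common_attributes.gen.ts` (rewritten by the preceding `yarn openapi:generate` auto-commit) still carrying the snake_case text until the generator runs again; either include the regenerated files or make sure CI's auto-commit lands before merge. Separately, the revert restores `Critical`/`Error`/`Warning`/`Info` as the documented `severity` values together with the camelCase names; as the names and the value casing are separate questions, confirm both against the PagerDuty connector's parameter schema rather than restoring the old text as a unit.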
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml @@ -48,27 +48,27 @@ paths: - $ref: '#/components/schemas/BulkEditRules' examples: example1: - summary: Enable - Enable all rules with the test tag + summary: 1. Enable all rules with the test tag description: The following request activates all rules with the test tag. value: query: 'alert.attributes.tags: "test"' action: 'enable' example2: - summary: Enable - Enable a specific rule by ID. + summary: 2. Enable a specific rule by ID. description: The following request enables the rule with the specified ID. value: action: 'enable' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' example3: - summary: Disable - Disable a specific rule by ID + summary: 3. Disable a specific rule by ID description: The following request disables the rule with the specified ID. value: action: 'disable' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' example4: - summary: Duplicate - Duplicate rules with specific IDs + summary: 4. Duplicate rules with specific IDs description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. value: action: 'duplicate' @@ -79,14 +79,14 @@ paths: include_exceptions: true include_expired_exceptions: false example5: - summary: Delete - Delete a specific rule by ID + summary: 5. Delete a specific rule by ID description: The following request deletes the rule with the specified ID. value: action: 'delete' ids: - 'cf4abfd1-7c37-4519-ab0f-5ea5c75fac60' example6: - summary: Run - Run a specific rule by ID + summary: 6. Run a specific rule by ID description: The following request runs the rule with the specified ID within the given date range. value: action: 'run' 
@@ -96,14 +96,14 @@ paths: start_date: '2025-03-01T00:00:00.000Z' end_date: '2025-03-10T23:59:59.999Z' example7: - summary: Export - Export specific rules by ID + summary: 7. Export specific rules by ID description: The following request exports the rules with the specified IDs. value: action: 'export' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' example8: - summary: Edit - dry run - Validate add_index_patterns bulk action + summary: 8. dry run - Validate add_index_patterns bulk action description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true value: action: 'edit' @@ -116,7 +116,7 @@ paths: - 'dc015d10-0831-11ed-ac8b-05a222bd8d4a' - 'de8f5af0-0831-11ed-ac8b-05a222bd8d4a' example9: - summary: Edit - Add a tag to rules (idempotent) + summary: 9. Add a tag to rules (idempotent) description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. value: ids: @@ -128,7 +128,7 @@ paths: value: - 'tag-1' example10: - summary: Edit - Add two tags to rules (idempotent) + summary: 10. Add two tags to rules (idempotent) description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. value: ids: @@ -141,7 +141,7 @@ paths: - 'tag-1' - 'tag-2' example11: - summary: Edit - Delete a tag from rules (idempotent) + summary: 11. Delete a tag from rules (idempotent) description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. value: ids: 
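Review bot: `8. dry run - Validate add_index_patterns bulk action` is the only summary that lost its capitalized prefix in the renumbering; make it `8. Dry run: validate add_index_patterns bulk action` (or keep the `Edit - dry run` form). More generally, dropping the `Enable -`/`Duplicate -`/`Edit -` prefixes means examples 8 through 26 no longer say in their summary that they are `edit` actions, which was the grouping a reader scans for in a 26-entry list; consider keeping the action name after the number, e.g. `9. Edit: add a tag to rules (idempotent)`.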
@@ -153,7 +153,7 @@ paths: value: - 'tag-1' example12: - summary: Edit - Set (overwrite existing) tags for rules (idempotent) + summary: 12. Set (overwrite existing) tags for rules (idempotent) description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. value: ids: @@ -166,7 +166,7 @@ paths: - 'tag-1' - 'tag-2' example13: - summary: Edit - Add index patterns to rules (idempotent) + summary: 13. Add index patterns to rules (idempotent) description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. value: ids: @@ -178,7 +178,7 @@ paths: value: - 'test-*' example14: - summary: Edit - Remove index patterns from rules (idempotent) + summary: 14. Remove index patterns from rules (idempotent) description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. value: ids: @@ -190,7 +190,7 @@ paths: value: - 'test-*' example15: - summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + summary: 15. Set (overwrite existing) index patterns for rules patterns (idempotent) description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. value: ids: @@ -202,7 +202,7 @@ paths: value: - 'test-*' example16: - summary: Edit - Add investigation field to rules + summary: 16. Add investigation field to rules description: The following request adds investigation field to the rules with the specified IDs. value: ids: 
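Review bot: example15's description says the request sets the index patterns `"test-*"` and `"prod-*"`, but the context lines of the `@@ -202,7` hunk show the payload as `value:` followed only by `- 'test-*'`; either add `- 'prod-*'` to the value or drop it from the description. The summary `15. Set (overwrite existing) index patterns for rules patterns (idempotent)` also has a stray `patterns` at the end.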
@@ -215,7 +215,7 @@ paths: field_names: - 'alert.status' example17: - summary: Edit - Delete investigation fields from rules (idempotent) + summary: 17. Delete investigation fields from rules (idempotent) description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. value: ids: @@ -228,7 +228,7 @@ paths: - 'field1' - 'field2' example18: - summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + summary: 18. Set (overwrite existing) investigation fields for rules (idempotent) description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. value: ids: @@ -241,7 +241,7 @@ paths: - 'field1' - 'field2' example19: - summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + summary: 19. Set (overwrite existing) timeline template for rules (idempotent) description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. value: action: edit @@ -253,7 +253,7 @@ paths: timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline example20: - summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + summary: 20. Set (overwrite existing) schedule for rules (idempotent) description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. value: ids: 
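Review bot: example16 (`16. Add investigation field to rules`) is the only edit example among 9 through 20 with no `(idempotent)` label and no `If the field already exists for a rule, no changes are made.` sentence, even though `Security_Detections_API_BulkActionEditPayloadInvestigationFields` in this PR documents `add_investigation_fields` as idempotent. Add the label and the sentence for consistency with 17 and 18, and make it `fields` to match the plural `field_names` in the payload.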
@@ -265,7 +265,7 @@ paths: interval: '1h' lookback: '30m' example21: - summary: Edit - Add rule actions to rules (non-idempotent) + summary: 21. Add rule actions to rules (non-idempotent) description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit @@ -280,7 +280,7 @@ paths: body: The message body group: default example22: - summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + summary: 22. Set (overwrite existing) rule actions for rules (non-idempotent) description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. value: action: edit @@ -295,7 +295,7 @@ paths: body: The message body group: default example23: - summary: Edit - Add rule actions to rules for a webhook connector + summary: 23. Add rule actions to rules for a webhook connector description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit @@ -310,7 +310,7 @@ paths: body: The message body group: default3 example24: - summary: Edit - Add rule actions to rules for an email connector + summary: 24. Add rule actions to rules for an email connector description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit @@ -327,7 +327,7 @@ paths: message: The message body group: default3 example25: - summary: Edit - Add rule actions to rules for a slack connector + summary: 25. Add rule actions to rules for a slack connector description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit 
@@ -342,7 +342,7 @@ paths: message: The content of the message group: default3 example26: - summary: Edit - Add rule actions to rules for a PagerDuty connector + summary: 26. Add rule actions to rules for a PagerDuty connector description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit @@ -370,7 +370,7 @@ paths: - $ref: '#/components/schemas/BulkExportActionResponse' examples: example1: - summary: Successful response + summary: 1. Successful response description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. value: success: true @@ -440,7 +440,7 @@ paths: succeeded: 1 total: 2 example2: - summary: Partial failure + summary: 2. Partial failure description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). value: value: @@ -546,7 +546,7 @@ paths: - id: '8bc7dad0-9320-11ec-9265-8b772383a08d' name: 'DNS Tunneling [Duplicate]' example3: - summary: Dry run + summary: 3. Dry run description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. value: message: 'Bulk edit partially failed' 
@@ -576,7 +576,7 @@ paths: skipped: 0 total: 3 example4: - summary: Set tags successsully for 2 rules + summary: 4. Set tags successsully for 2 rules description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. value: success: true @@ -714,7 +714,7 @@ paths: skipped: 0 total: 2 example5: - summary: Idempotent behavior of set_tags + summary: 5. Idempotent behavior of set_tags description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. value: success: true @@ -737,7 +737,7 @@ paths: skipped: 2 total: 2 example6: - summary: Idempotent behavior of add_tags + summary: 6. Idempotent behavior of add_tags description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. value: success: true @@ -827,7 +827,7 @@ paths: skipped: 1 total: 2 example7: - summary: Non-idempotent behavior for set_rule_actions + summary: 7. Non-idempotent behavior for set_rule_actions description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. value: success: true 
@@ -914,7 +914,7 @@ paths: skipped: 0 total: 1 example8: - summary: Non-idempotent behavior for add_rule_actions + summary: 8. Non-idempotent behavior for add_rule_actions description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. value: success: true @@ -1304,8 +1304,8 @@ components: description: | Edits rule actions of rules. - - `add_rule_actions` adds rule actions to rules. If a rule action already exists for a rule, no changes are made. - - `set_rule_actions` sets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made. + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. properties: type: type: string diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index cadf0fe9629ff..f3aba6f998962 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml 
@@ -1675,7 +1675,7 @@ paths: examples: example1: description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag + summary: 1. Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' @@ -1684,7 +1684,7 @@ paths: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) + summary: 10. Add two tags to rules (idempotent) value: action: edit edit: @@ -1700,7 +1700,7 @@ paths: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. - summary: Edit - Delete a tag from rules (idempotent) + summary: 11. Delete a tag from rules (idempotent) value: action: edit edit: @@ -1716,7 +1716,7 @@ paths: the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) + summary: 12. Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: @@ -1732,7 +1732,7 @@ paths: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) + summary: 13. Add index patterns to rules (idempotent) value: action: edit edit: @@ -1747,7 +1747,7 @@ paths: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) + summary: 14. Remove index patterns from rules (idempotent) value: action: edit edit: 
@@ -1764,8 +1764,8 @@ paths: existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. summary: >- - Edit - Set (overwrite existing) index patterns for rules - patterns (idempotent) + 15. Set (overwrite existing) index patterns for rules patterns + (idempotent) value: action: edit edit: @@ -1779,7 +1779,7 @@ paths: description: >- The following request adds investigation field to the rules with the specified IDs. - summary: Edit - Add investigation field to rules + summary: 16. Add investigation field to rules value: action: edit edit: @@ -1795,7 +1795,7 @@ paths: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) + summary: 17. Delete investigation fields from rules (idempotent) value: action: edit edit: @@ -1813,7 +1813,7 @@ paths: fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. summary: >- - Edit - Set (overwrite existing) investigation fields for rules + 18. Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit @@ -1831,7 +1831,7 @@ paths: with the specified IDs. If the same timeline template is already set for a rule, no changes are made. summary: >- - Edit - Set (overwrite existing) timeline template for rules + 19. Set (overwrite existing) timeline template for rules (idempotent) value: action: edit @@ -1844,7 +1844,7 @@ paths: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b example2: description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. + summary: 2. Enable a specific rule by ID. value: action: enable ids: 
@@ -1854,9 +1854,7 @@ paths: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: >- - Edit - Set (overwrite existing) schedule for rules - (idempotent) + summary: 20. Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: @@ -1870,7 +1868,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) + summary: 21. Add rule actions to rules (non-idempotent) value: action: edit edit: @@ -1888,7 +1886,7 @@ paths: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. summary: >- - Edit - Set (overwrite existing) rule actions for rules + 22. Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit @@ -1906,7 +1904,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a webhook connector + summary: 23. Add rule actions to rules for a webhook connector value: action: edit edit: @@ -1923,7 +1921,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector + summary: 24. Add rule actions to rules for an email connector value: action: edit edit: @@ -1942,7 +1940,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector + summary: 25. Add rule actions to rules for a slack connector value: action: edit edit: 
@@ -1959,7 +1957,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector + summary: 26. Add rule actions to rules for a PagerDuty connector value: action: edit edit: @@ -1977,7 +1975,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example3: description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID + summary: 3. Disable a specific rule by ID value: action: disable ids: @@ -1986,7 +1984,7 @@ paths: description: >- The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs + summary: 4. Duplicate rules with specific IDs value: action: duplicate duplicate: @@ -1997,7 +1995,7 @@ paths: - 461a4c22-416e-4009-a9a7-cf79656454bf example5: description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID + summary: 5. Delete a specific rule by ID value: action: delete ids: @@ -2006,7 +2004,7 @@ paths: description: >- The following request runs the rule with the specified ID within the given date range. - summary: Run - Run a specific rule by ID + summary: 6. Run a specific rule by ID value: action: run ids: @@ -2018,7 +2016,7 @@ paths: description: >- The following request exports the rules with the specified IDs. - summary: Export - Export specific rules by ID + summary: 7. Export specific rules by ID value: action: export ids: @@ -2030,7 +2028,7 @@ paths: three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action + summary: 8. dry run - Validate add_index_patterns bulk action value: action: edit edit: 
@@ -2046,7 +2044,7 @@ paths: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. - summary: Edit - Add a tag to rules (idempotent) + summary: 9. Add a tag to rules (idempotent) value: action: edit edit: @@ -2075,7 +2073,7 @@ paths: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: Successful response + summary: 1. Successful response value: attributes: results: @@ -2166,7 +2164,7 @@ paths: ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: Partial failure + summary: 2. Partial failure value: value: attributes: @@ -2292,7 +2290,7 @@ paths: applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: Dry run + summary: 3. Dry run value: attributes: errors: @@ -2326,7 +2324,7 @@ paths: rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. - summary: Set tags successsully for 2 rules + summary: 4. Set tags successsully for 2 rules value: attributes: results: @@ -2469,7 +2467,7 @@ paths: action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: Idempotent behavior of set_tags + summary: 5. Idempotent behavior of set_tags value: attributes: results: @@ -2496,7 +2494,7 @@ paths: action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. - summary: Idempotent behavior of add_tags + summary: 6. Idempotent behavior of add_tags value: attributes: results: 
@@ -2591,7 +2589,7 @@ paths: set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions + summary: 7. Non-idempotent behavior for set_rule_actions value: attributes: results: @@ -2683,7 +2681,7 @@ paths: add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions + summary: 8. Non-idempotent behavior for add_rule_actions value: attributes: results: @@ -4540,11 +4538,14 @@ components: Edits rule actions of rules. - - `add_rule_actions` adds rule actions to rules. If a rule action - already exists for a rule, no changes are made. + - `add_rule_actions` adds rule actions to rules. This action is + non-idempotent, meaning that even if the same rule action already exists + for a rule, it will be added again with a new unique ID. - - `set_rule_actions` sets rule actions for rules. If the set of rule - actions is the same as the existing rule actions, no changes are made. + - `set_rule_actions` sets rule actions for rules. This action is + non-idempotent, meaning that even if the same set of rule actions + already exists for a rule, it will be set again and the actions will + receive new unique IDs. type: object properties: type: 
@@ -8366,9 +8367,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. - - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. + - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 5ebef30bc7d33..3b2c9e9abe733 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml 
@@ -1539,7 +1539,7 @@ paths: examples: example1: description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag + summary: 1. Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' @@ -1548,7 +1548,7 @@ paths: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) + summary: 10. Add two tags to rules (idempotent) value: action: edit edit: @@ -1564,7 +1564,7 @@ paths: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. - summary: Edit - Delete a tag from rules (idempotent) + summary: 11. Delete a tag from rules (idempotent) value: action: edit edit: @@ -1580,7 +1580,7 @@ paths: the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) + summary: 12. Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: @@ -1596,7 +1596,7 @@ paths: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) + summary: 13. Add index patterns to rules (idempotent) value: action: edit edit: @@ -1611,7 +1611,7 @@ paths: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) + summary: 14. Remove index patterns from rules (idempotent) value: action: edit edit: 
@@ -1628,8 +1628,8 @@ paths: existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. summary: >- - Edit - Set (overwrite existing) index patterns for rules - patterns (idempotent) + 15. Set (overwrite existing) index patterns for rules patterns + (idempotent) value: action: edit edit: @@ -1643,7 +1643,7 @@ paths: description: >- The following request adds investigation field to the rules with the specified IDs. - summary: Edit - Add investigation field to rules + summary: 16. Add investigation field to rules value: action: edit edit: @@ -1659,7 +1659,7 @@ paths: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) + summary: 17. Delete investigation fields from rules (idempotent) value: action: edit edit: @@ -1677,7 +1677,7 @@ paths: fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. summary: >- - Edit - Set (overwrite existing) investigation fields for rules + 18. Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit @@ -1695,7 +1695,7 @@ paths: with the specified IDs. If the same timeline template is already set for a rule, no changes are made. summary: >- - Edit - Set (overwrite existing) timeline template for rules + 19. Set (overwrite existing) timeline template for rules (idempotent) value: action: edit @@ -1708,7 +1708,7 @@ paths: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b example2: description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. + summary: 2. Enable a specific rule by ID. value: action: enable ids: 
@@ -1718,9 +1718,7 @@ paths: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: >- - Edit - Set (overwrite existing) schedule for rules - (idempotent) + summary: 20. Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: @@ -1734,7 +1732,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) + summary: 21. Add rule actions to rules (non-idempotent) value: action: edit edit: @@ -1752,7 +1750,7 @@ paths: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. summary: >- - Edit - Set (overwrite existing) rule actions for rules + 22. Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit @@ -1770,7 +1768,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a webhook connector + summary: 23. Add rule actions to rules for a webhook connector value: action: edit edit: @@ -1787,7 +1785,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector + summary: 24. Add rule actions to rules for an email connector value: action: edit edit: @@ -1806,7 +1804,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector + summary: 25. Add rule actions to rules for a slack connector value: action: edit edit: 
@@ -1823,7 +1821,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector + summary: 26. Add rule actions to rules for a PagerDuty connector value: action: edit edit: @@ -1841,7 +1839,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example3: description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID + summary: 3. Disable a specific rule by ID value: action: disable ids: @@ -1850,7 +1848,7 @@ paths: description: >- The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs + summary: 4. Duplicate rules with specific IDs value: action: duplicate duplicate: @@ -1861,7 +1859,7 @@ paths: - 461a4c22-416e-4009-a9a7-cf79656454bf example5: description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID + summary: 5. Delete a specific rule by ID value: action: delete ids: @@ -1870,7 +1868,7 @@ paths: description: >- The following request runs the rule with the specified ID within the given date range. - summary: Run - Run a specific rule by ID + summary: 6. Run a specific rule by ID value: action: run ids: @@ -1882,7 +1880,7 @@ paths: description: >- The following request exports the rules with the specified IDs. - summary: Export - Export specific rules by ID + summary: 7. Export specific rules by ID value: action: export ids: @@ -1894,7 +1892,7 @@ paths: three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action + summary: 8. dry run - Validate add_index_patterns bulk action value: action: edit edit: 
@@ -1910,7 +1908,7 @@ paths: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. - summary: Edit - Add a tag to rules (idempotent) + summary: 9. Add a tag to rules (idempotent) value: action: edit edit: @@ -1939,7 +1937,7 @@ paths: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: Successful response + summary: 1. Successful response value: attributes: results: @@ -2030,7 +2028,7 @@ paths: ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: Partial failure + summary: 2. Partial failure value: value: attributes: @@ -2156,7 +2154,7 @@ paths: applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: Dry run + summary: 3. Dry run value: attributes: errors: @@ -2190,7 +2188,7 @@ paths: rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. - summary: Set tags successsully for 2 rules + summary: 4. Set tags successsully for 2 rules value: attributes: results: @@ -2333,7 +2331,7 @@ paths: action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: Idempotent behavior of set_tags + summary: 5. Idempotent behavior of set_tags value: attributes: results: @@ -2360,7 +2358,7 @@ paths: action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. - summary: Idempotent behavior of add_tags + summary: 6. Idempotent behavior of add_tags value: attributes: results: 
@@ -2455,7 +2453,7 @@ paths: set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions + summary: 7. Non-idempotent behavior for set_rule_actions value: attributes: results: @@ -2547,7 +2545,7 @@ paths: add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions + summary: 8. Non-idempotent behavior for add_rule_actions value: attributes: results: @@ -3870,11 +3868,14 @@ components: Edits rule actions of rules. - - `add_rule_actions` adds rule actions to rules. If a rule action - already exists for a rule, no changes are made. + - `add_rule_actions` adds rule actions to rules. This action is + non-idempotent, meaning that even if the same rule action already exists + for a rule, it will be added again with a new unique ID. - - `set_rule_actions` sets rule actions for rules. If the set of rule - actions is the same as the existing rule actions, no changes are made. + - `set_rule_actions` sets rule actions for rules. This action is + non-idempotent, meaning that even if the same set of rule actions + already exists for a rule, it will be set again and the actions will + receive new unique IDs. type: object properties: type: 
@@ -7575,9 +7576,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. - - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. + - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. From 7889138f73717371d35c2fc051ae33336823c818 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 9 Apr 2025 08:49:07 +0000 Subject: [PATCH 5/8] [CI] Auto-commit changed files from 'make api-docs' --- oas_docs/output/kibana.serverless.yaml | 78 +++++++++++++------------- oas_docs/output/kibana.yaml | 78 +++++++++++++------------- 2 files changed, 78 insertions(+), 78 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index ed935150afbe1..d96f349b79120 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml 
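Review bot: the renumbered example4 summary still carries the typo "successsully" (`+ summary: 4. Set tags successsully for 2 rules`) in bulk_actions_route.schema.yaml and in both bundled schema files; since this line is being rewritten anyway, change it to "4. Set tags successfully for 2 rules" in the source schema so the fix propagates to the generated bundles.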
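Review bot: the example15 summary keeps the doubled noun "index patterns for rules patterns" in all three files (`+ 15. Set (overwrite existing) index patterns for rules patterns`); the `>-` folded form in the bundles only re-wraps it. Suggest "15. Set (overwrite existing) index patterns for rules (idempotent)", which matches the phrasing of examples 12 and 18.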
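Review bot: prefixing the summaries with numbers does not change the order in which the bundled files list the examples, because the keys are emitted alphabetically (example1, example10, example11 ... example19, example2, example20 ...), so a reader of the rendered docs still meets "1.", "10.", "11." ... "19.", "2.", "20." in that sequence. If the numbers are meant to convey an order, either state that in the description or rename the keys (for example zero-padded `example01`) so key order and number order agree.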
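Review bot: two summaries break the style of the rest after the "Category -" prefix was dropped: `+ summary: 2. Enable a specific rule by ID.` keeps a trailing period that no other summary has, and `+ summary: 8. dry run - Validate add_index_patterns bulk action` is the only one that starts lowercase and still carries the old dash form. Suggest "2. Enable a specific rule by ID" and "8. Dry run: validate add_index_patterns bulk action".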
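Review bot: the new `set_rule_actions` description in the components section says the actions "will be set again and the actions will receive new unique IDs" but never states that existing actions are replaced, which the example22 summary ("Set (overwrite existing) rule actions") relies on; add "replacing any existing rule actions" so the component description stands on its own. The `add_rule_actions` text is fine and now agrees with example8.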
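Review bot: the two PagerDuty hunks in the ESS and serverless bundled schemas move the documented parameter names to camelCase (`+ - \`eventAction\``, `+ - \`dedupKey\``) and capitalize the severity values (`Critical`, `Error`, `Warning` or `Info`), yet these bundled files are generated output (a later commit in this series is the CI auto-commit from 'make api-docs'), so a hand edit here is likely to be overwritten or to disagree with the source schema. Regenerate the bundles from the source and confirm the parameter names against the PagerDuty connector's parameter schema before merging; the PagerDuty Events API v2 documents severity as lowercase `critical`, `error`, `warning`, `info`, so capitalized values would describe something the API does not accept. While on this line, "Severity of on the alert notification" reads as a leftover and should be "Severity of the alert notification".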
@@ -10188,13 +10188,13 @@ paths: examples: example1: description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag + summary: 1. Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' example10: description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) + summary: 10. Add two tags to rules (idempotent) value: action: edit edit: @@ -10207,7 +10207,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example11: description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. - summary: Edit - Delete a tag from rules (idempotent) + summary: 11. Delete a tag from rules (idempotent) value: action: edit edit: @@ -10219,7 +10219,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example12: description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) + summary: 12. Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: @@ -10232,7 +10232,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example13: description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) + summary: 13. Add index patterns to rules (idempotent) value: action: edit edit: 
@@ -10244,7 +10244,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example14: description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) + summary: 14. Remove index patterns from rules (idempotent) value: action: edit edit: @@ -10256,7 +10256,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example15: description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. - summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + summary: 15. Set (overwrite existing) index patterns for rules patterns (idempotent) value: action: edit edit: @@ -10268,7 +10268,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example16: description: The following request adds investigation field to the rules with the specified IDs. - summary: Edit - Add investigation field to rules + summary: 16. Add investigation field to rules value: action: edit edit: @@ -10281,7 +10281,7 @@ paths: - 87654321-4321-4321-4321-0987654321ba example17: description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) + summary: 17. Delete investigation fields from rules (idempotent) value: action: edit edit: 
@@ -10294,7 +10294,7 @@ paths: - field2 example18: description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. - summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + summary: 18. Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit edit: @@ -10307,7 +10307,7 @@ paths: - 87654321-4321-4321-4321-0987654321ba example19: description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. - summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + summary: 19. Set (overwrite existing) timeline template for rules (idempotent) value: action: edit edit: @@ -10319,14 +10319,14 @@ paths: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b example2: description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. + summary: 2. Enable a specific rule by ID. value: action: enable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example20: description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + summary: 20. Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: @@ -10338,7 +10338,7 @@ paths: - 99887766-5544-3322-1100-aabbccddeeff example21: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) + summary: 21. Add rule actions to rules (non-idempotent) value: action: edit edit: 
@@ -10353,7 +10353,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191928 example22: description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. - summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + summary: 22. Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit edit: @@ -10368,7 +10368,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191928 example23: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a webhook connector + summary: 23. Add rule actions to rules for a webhook connector value: action: edit edit: @@ -10383,7 +10383,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example24: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector + summary: 24. Add rule actions to rules for an email connector value: action: edit edit: @@ -10400,7 +10400,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example25: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector + summary: 25. Add rule actions to rules for a slack connector value: action: edit edit: @@ -10415,7 +10415,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example26: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector + summary: 26. Add rule actions to rules for a PagerDuty connector value: action: edit edit: 
@@ -10433,14 +10433,14 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example3: description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID + summary: 3. Disable a specific rule by ID value: action: disable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example4: description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs + summary: 4. Duplicate rules with specific IDs value: action: duplicate duplicate: @@ -10451,14 +10451,14 @@ paths: - 461a4c22-416e-4009-a9a7-cf79656454bf example5: description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID + summary: 5. Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 example6: description: The following request runs the rule with the specified ID within the given date range. - summary: Run - Run a specific rule by ID + summary: 6. Run a specific rule by ID value: action: run ids: @@ -10468,14 +10468,14 @@ paths: start_date: '2025-03-01T00:00:00.000Z' example7: description: The following request exports the rules with the specified IDs. - summary: Export - Export specific rules by ID + summary: 7. Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example8: description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action + summary: 8. dry run - Validate add_index_patterns bulk action value: action: edit edit: 
@@ -10488,7 +10488,7 @@ paths: - de8f5af0-0831-11ed-ac8b-05a222bd8d4a example9: description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. - summary: Edit - Add a tag to rules (idempotent) + summary: 9. Add a tag to rules (idempotent) value: action: edit edit: @@ -10514,7 +10514,7 @@ paths: examples: example1: description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: Successful response + summary: 1. Successful response value: attributes: results: @@ -10584,7 +10584,7 @@ paths: success: true example2: description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: Partial failure + summary: 2. Partial failure value: value: attributes: @@ -10691,7 +10691,7 @@ paths: success: false example3: description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: Dry run + summary: 3. Dry run value: attributes: errors: @@ -10721,7 +10721,7 @@ paths: status_code: 500 example4: description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. - summary: Set tags successsully for 2 rules + summary: 4. Set tags successsully for 2 rules value: attributes: results: 
@@ -10859,7 +10859,7 @@ paths: success: true example5: description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: Idempotent behavior of set_tags + summary: 5. Idempotent behavior of set_tags value: attributes: results: @@ -10882,7 +10882,7 @@ paths: success: true example6: description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. - summary: Idempotent behavior of add_tags + summary: 6. Idempotent behavior of add_tags value: attributes: results: @@ -10972,7 +10972,7 @@ paths: success: true example7: description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions + summary: 7. Non-idempotent behavior for set_rule_actions value: attributes: results: @@ -11059,7 +11059,7 @@ paths: success: true example8: description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions + summary: 8. Non-idempotent behavior for add_rule_actions value: attributes: results: 
@@ -54659,8 +54659,8 @@ components: description: | Edits rule actions of rules. - - `add_rule_actions` adds rule actions to rules. If a rule action already exists for a rule, no changes are made. - - `set_rule_actions` sets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made. + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. type: object properties: type: @@ -58039,9 +58039,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. - - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. + - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. 
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 2aa978bb09d40..2d8c7d384cd2e 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -11858,13 +11858,13 @@ paths: examples: example1: description: The following request activates all rules with the test tag. - summary: Enable - Enable all rules with the test tag + summary: 1. Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' example10: description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: Edit - Add two tags to rules (idempotent) + summary: 10. Add two tags to rules (idempotent) value: action: edit edit: @@ -11877,7 +11877,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example11: description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. - summary: Edit - Delete a tag from rules (idempotent) + summary: 11. Delete a tag from rules (idempotent) value: action: edit edit: @@ -11889,7 +11889,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example12: description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: Edit - Set (overwrite existing) tags for rules (idempotent) + summary: 12. Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: 
@@ -11902,7 +11902,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example13: description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: Edit - Add index patterns to rules (idempotent) + summary: 13. Add index patterns to rules (idempotent) value: action: edit edit: @@ -11914,7 +11914,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example14: description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: Edit - Remove index patterns from rules (idempotent) + summary: 14. Remove index patterns from rules (idempotent) value: action: edit edit: @@ -11926,7 +11926,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example15: description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. - summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) + summary: 15. Set (overwrite existing) index patterns for rules patterns (idempotent) value: action: edit edit: @@ -11938,7 +11938,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example16: description: The following request adds investigation field to the rules with the specified IDs. - summary: Edit - Add investigation field to rules + summary: 16. Add investigation field to rules value: action: edit edit: 
@@ -11951,7 +11951,7 @@ paths: - 87654321-4321-4321-4321-0987654321ba example17: description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: Edit - Delete investigation fields from rules (idempotent) + summary: 17. Delete investigation fields from rules (idempotent) value: action: edit edit: @@ -11964,7 +11964,7 @@ paths: - field2 example18: description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. - summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) + summary: 18. Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit edit: @@ -11977,7 +11977,7 @@ paths: - 87654321-4321-4321-4321-0987654321ba example19: description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. - summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) + summary: 19. Set (overwrite existing) timeline template for rules (idempotent) value: action: edit edit: 
@@ -11989,14 +11989,14 @@ paths: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b example2: description: The following request enables the rule with the specified ID. - summary: Enable - Enable a specific rule by ID. + summary: 2. Enable a specific rule by ID. value: action: enable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example20: description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: Edit - Set (overwrite existing) schedule for rules (idempotent) + summary: 20. Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: @@ -12008,7 +12008,7 @@ paths: - 99887766-5544-3322-1100-aabbccddeeff example21: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules (non-idempotent) + summary: 21. Add rule actions to rules (non-idempotent) value: action: edit edit: @@ -12023,7 +12023,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191928 example22: description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. - summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) + summary: 22. Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit edit: @@ -12038,7 +12038,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191928 example23: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a webhook connector + summary: 23. Add rule actions to rules for a webhook connector value: action: edit edit: 
@@ -12053,7 +12053,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example24: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for an email connector + summary: 24. Add rule actions to rules for an email connector value: action: edit edit: @@ -12070,7 +12070,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example25: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a slack connector + summary: 25. Add rule actions to rules for a slack connector value: action: edit edit: @@ -12085,7 +12085,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example26: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: Edit - Add rule actions to rules for a PagerDuty connector + summary: 26. Add rule actions to rules for a PagerDuty connector value: action: edit edit: @@ -12103,14 +12103,14 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example3: description: The following request disables the rule with the specified ID. - summary: Disable - Disable a specific rule by ID + summary: 3. Disable a specific rule by ID value: action: disable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example4: description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: Duplicate - Duplicate rules with specific IDs + summary: 4. Duplicate rules with specific IDs value: action: duplicate duplicate: 
@@ -12121,14 +12121,14 @@ paths: - 461a4c22-416e-4009-a9a7-cf79656454bf example5: description: The following request deletes the rule with the specified ID. - summary: Delete - Delete a specific rule by ID + summary: 5. Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 example6: description: The following request runs the rule with the specified ID within the given date range. - summary: Run - Run a specific rule by ID + summary: 6. Run a specific rule by ID value: action: run ids: @@ -12138,14 +12138,14 @@ paths: start_date: '2025-03-01T00:00:00.000Z' example7: description: The following request exports the rules with the specified IDs. - summary: Export - Export specific rules by ID + summary: 7. Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example8: description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: Edit - dry run - Validate add_index_patterns bulk action + summary: 8. dry run - Validate add_index_patterns bulk action value: action: edit edit: @@ -12158,7 +12158,7 @@ paths: - de8f5af0-0831-11ed-ac8b-05a222bd8d4a example9: description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. - summary: Edit - Add a tag to rules (idempotent) + summary: 9. Add a tag to rules (idempotent) value: action: edit edit: @@ -12184,7 +12184,7 @@ paths: examples: example1: description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: Successful response + summary: 1. Successful response value: attributes: results: 
@@ -12254,7 +12254,7 @@ paths: success: true example2: description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: Partial failure + summary: 2. Partial failure value: value: attributes: @@ -12361,7 +12361,7 @@ paths: success: false example3: description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: Dry run + summary: 3. Dry run value: attributes: errors: @@ -12391,7 +12391,7 @@ paths: status_code: 500 example4: description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. - summary: Set tags successsully for 2 rules + summary: 4. Set tags successsully for 2 rules value: attributes: results: @@ -12529,7 +12529,7 @@ paths: success: true example5: description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: Idempotent behavior of set_tags + summary: 5. Idempotent behavior of set_tags value: attributes: results: 
@@ -12552,7 +12552,7 @@ paths: success: true example6: description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. - summary: Idempotent behavior of add_tags + summary: 6. Idempotent behavior of add_tags value: attributes: results: @@ -12642,7 +12642,7 @@ paths: success: true example7: description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: Non-idempotent behavior for set_rule_actions + summary: 7. Non-idempotent behavior for set_rule_actions value: attributes: results: @@ -12729,7 +12729,7 @@ paths: success: true example8: description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: Non-idempotent behavior for add_rule_actions + summary: 8. Non-idempotent behavior for add_rule_actions value: attributes: results: 
@@ -63051,8 +63051,8 @@ components: description: | Edits rule actions of rules. - - `add_rule_actions` adds rule actions to rules. If a rule action already exists for a rule, no changes are made. - - `set_rule_actions` sets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made. + - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. + - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. type: object properties: type: @@ -66552,9 +66552,9 @@ components: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. - - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. + - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. 
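Review bot: the @@ -10188,13 hunk numbers the summaries `1.`, `10.`, `11.` ... but the example keys are emitted in lexicographic order (`example1`, `example10`, `example11`, ..., `example19`, `example2`, `example20`, ...), so the rendered list reads 1, 10, 11, ..., 19, 2, 20, which defeats the purpose of the numbers; either zero-pad the keys (`example01` ... `example09`) so they sort numerically or leave the numbers out. The same applies to the kibana.yaml copy at @@ -11858,13.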
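Review bot: the example15 summary in hunk @@ -10256,7 still reads `Set (overwrite existing) index patterns for rules patterns (idempotent)`, with a stray second `patterns`; suggest `15. Set (overwrite existing) index patterns for rules (idempotent)`. Same text in the kibana.yaml copy at @@ -11926,7, and since both files are produced by `make api-docs` the fix belongs in bulk_actions_route.schema.yaml.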
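Review bot: the example8 summary in hunk @@ -10468,14 becomes `8. dry run - Validate add_index_patterns bulk action`, the only summary that starts lowercase and the only edit example whose summary no longer says it is an edit; suggest `8. Edit - Dry run - Validate add_index_patterns bulk action` so it lines up with the other edit examples and with the description, which tells the reader the dry run is switched on via `?dry_run=true`. Same line in the kibana.yaml copy at @@ -12138,14.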
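Review bot: the Partial failure response example in hunk @@ -10584,7 has `value:` nested directly under `value:` (`summary: 2. Partial failure value: value: attributes:`), unlike every other example in this response block where `value:` is followed by `attributes:`; the rendered example will show the body wrapped in an extra `value` object. The same nesting appears in the kibana.yaml copy at @@ -12254,7, so it should be corrected in bulk_actions_route.schema.yaml and the docs regenerated.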
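Review bot: the example4 response summary in hunk @@ -10721,7 keeps the typo `successsully`; suggest `4. Set tags successfully for 2 rules`. Same typo in the kibana.yaml copy at @@ -12391,7.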
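Review bot: hunks @@ -58039,9 and @@ -66552,9 re-capitalise the PagerDuty severity values and rename `event_action`/`dedup_key` back to `eventAction`/`dedupKey`, but only in generated output; this commit is the result of `make api-docs`, so the casing decision has to be made once in common_attributes.schema.yaml or the next regeneration will flip these lines yet again. The unchanged context still reads `Severity of on the alert notification`; fix that at the source as well.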
From 02df5a8a6398ee1a0e35c8cc59e8cdc0fd4ffe5d Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 9 Apr 2025 09:10:55 +0000 Subject: [PATCH 6/8] [CI] Auto-commit changed files from 'yarn openapi:generate' --- .../model/rule_schema/common_attributes.gen.ts | 6 +++--- .../rule_management/bulk_actions/bulk_actions_route.gen.ts | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts index 88b41af67857b..51f63b8326fa1 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/common_attributes.gen.ts 
@@ -601,9 +601,9 @@ For Webhook: For PagerDuty: - - `severity` (string, required): Severity of on the alert notification, can be: `critical`, `error`, `warning` or `info`. - - `event_action` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - - `dedup_key` (string, optional): Groups alert notifications with the same PagerDuty alert. + - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. + - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. + - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts index d437d1a204d46..6bdc28bdd1d65 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.gen.ts 
@@ -243,8 +243,8 @@ export const NormalizedRuleAction = z /** * Edits rule actions of rules. -- `add_rule_actions` adds rule actions to rules. If a rule action already exists for a rule, no changes are made. -- `set_rule_actions` sets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made. +- `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. +- `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. */ export type BulkActionEditPayloadRuleActions = z.infer; From 657ad28f124a475f990387eebc01690a295384c4 Mon Sep 17 00:00:00 2001 From: Jacek Kolezynski Date: Wed, 9 Apr 2025 11:53:03 +0200 Subject: [PATCH 7/8] More fixes --- .../bulk_actions_route.schema.yaml | 104 ++++---- ...ections_api_2023_10_31.bundled.schema.yaml | 252 +++++++++--------- ...ections_api_2023_10_31.bundled.schema.yaml | 252 +++++++++--------- 3 files changed, 306 insertions(+), 302 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml index 03d83e7b6ed9b..7fd01367314f7 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_management/bulk_actions/bulk_actions_route.schema.yaml 
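Review bot: the common_attributes.gen.ts hunk in PATCH 6/8 regenerates the PagerDuty doc comment with `Severity of on the alert notification` on both sides, and this file is produced by `yarn openapi:generate`, so correcting the wording (and whichever parameter casing is finally chosen) in common_attributes.schema.yaml and regenerating is the only change that will stick; editing the `.gen.ts` file directly would be overwritten on the next run.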
@@ -47,28 +47,28 @@ paths: - $ref: '#/components/schemas/BulkManualRuleRun' - $ref: '#/components/schemas/BulkEditRules' examples: - example1: - summary: 1. Enable all rules with the test tag + example01: + summary: Enable - Enable all rules with the test tag description: The following request activates all rules with the test tag. value: query: 'alert.attributes.tags: "test"' action: 'enable' - example2: - summary: 2. Enable a specific rule by ID. + example02: + summary: Enable - Enable a specific rule by ID. description: The following request enables the rule with the specified ID. value: action: 'enable' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' - example3: - summary: 3. Disable a specific rule by ID + example03: + summary: Disable - Disable a specific rule by ID description: The following request disables the rule with the specified ID. value: action: 'disable' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' - example4: - summary: 4. Duplicate rules with specific IDs + example04: + summary: Duplicate - Duplicate rules with specific IDs description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. value: action: 'duplicate' @@ -78,15 +78,15 @@ paths: duplicate: include_exceptions: true include_expired_exceptions: false - example5: - summary: 5. Delete a specific rule by ID + example05: + summary: Delete - Delete a specific rule by ID description: The following request deletes the rule with the specified ID. value: action: 'delete' ids: - 'cf4abfd1-7c37-4519-ab0f-5ea5c75fac60' - example6: - summary: 6. Run a specific rule by ID + example06: + summary: Run - Run a specific rule by ID description: The following request runs the rule with the specified ID within the given date range. value: action: 'run' 
@@ -95,15 +95,15 @@ paths: run: start_date: '2025-03-01T00:00:00.000Z' end_date: '2025-03-10T23:59:59.999Z' - example7: - summary: 7. Export specific rules by ID + example07: + summary: Export - Export specific rules by ID description: The following request exports the rules with the specified IDs. value: action: 'export' ids: - '748694f0-6977-4ea5-8384-cd2e39730779' - example8: - summary: 8. dry run - Validate add_index_patterns bulk action + example08: + summary: Edit - dry run - Validate add_index_patterns bulk action description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true value: action: 'edit' @@ -115,8 +115,8 @@ paths: - '81aa0480-06af-11ed-94fb-dd1a0597d8d2' - 'dc015d10-0831-11ed-ac8b-05a222bd8d4a' - 'de8f5af0-0831-11ed-ac8b-05a222bd8d4a' - example9: - summary: 9. Add a tag to rules (idempotent) + example09: + summary: Edit - Add a tag to rules (idempotent) description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. value: ids: @@ -128,7 +128,7 @@ paths: value: - 'tag-1' example10: - summary: 10. Add two tags to rules (idempotent) + summary: Edit - Add two tags to rules (idempotent) description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. value: ids: @@ -141,7 +141,7 @@ paths: - 'tag-1' - 'tag-2' example11: - summary: 11. Delete a tag from rules (idempotent) + summary: Edit - Delete a tag from rules (idempotent) description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. value: ids: 
@@ -153,7 +153,7 @@ paths: value: - 'tag-1' example12: - summary: 12. Set (overwrite existing) tags for rules (idempotent) + summary: Edit - Set (overwrite existing) tags for rules (idempotent) description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. value: ids: @@ -166,7 +166,7 @@ paths: - 'tag-1' - 'tag-2' example13: - summary: 13. Add index patterns to rules (idempotent) + summary: Edit - Add index patterns to rules (idempotent) description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. value: ids: @@ -178,7 +178,7 @@ paths: value: - 'test-*' example14: - summary: 14. Remove index patterns from rules (idempotent) + summary: Edit - Remove index patterns from rules (idempotent) description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. value: ids: @@ -190,7 +190,7 @@ paths: value: - 'test-*' example15: - summary: 15. Set (overwrite existing) index patterns for rules patterns (idempotent) + summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. value: ids: @@ -202,7 +202,7 @@ paths: value: - 'test-*' example16: - summary: 16. Add investigation field to rules + summary: Edit - Add investigation field to rules description: The following request adds investigation field to the rules with the specified IDs. value: ids: 
@@ -215,7 +215,7 @@ paths: field_names: - 'alert.status' example17: - summary: 17. Delete investigation fields from rules (idempotent) + summary: Edit - Delete investigation fields from rules (idempotent) description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. value: ids: @@ -228,7 +228,7 @@ paths: - 'field1' - 'field2' example18: - summary: 18. Set (overwrite existing) investigation fields for rules (idempotent) + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. value: ids: @@ -241,7 +241,7 @@ paths: - 'field1' - 'field2' example19: - summary: 19. Set (overwrite existing) timeline template for rules (idempotent) + summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. value: action: edit @@ -253,7 +253,7 @@ paths: timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline example20: - summary: 20. Set (overwrite existing) schedule for rules (idempotent) + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. value: ids: 
@@ -265,7 +265,7 @@ paths: interval: '1h' lookback: '30m' example21: - summary: 21. Add rule actions to rules (non-idempotent) + summary: Edit - Add rule actions to rules (non-idempotent) description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit @@ -280,7 +280,7 @@ paths: body: The message body group: default example22: - summary: 22. Set (overwrite existing) rule actions for rules (non-idempotent) + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. value: action: edit @@ -295,7 +295,7 @@ paths: body: The message body group: default example23: - summary: 23. Add rule actions to rules for a webhook connector + summary: Edit - Add rule actions to rules for a webhook connector description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit @@ -310,7 +310,7 @@ paths: body: The message body group: default3 example24: - summary: 24. Add rule actions to rules for an email connector + summary: Edit - Add rule actions to rules for an email connector description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit @@ -327,7 +327,7 @@ paths: message: The message body group: default3 example25: - summary: 25. Add rule actions to rules for a slack connector + summary: Edit - Add rule actions to rules for a slack connector description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit 
@@ -342,7 +342,7 @@ paths: message: The content of the message group: default3 example26: - summary: 26. Add rule actions to rules for a PagerDuty connector + summary: Edit - Add rule actions to rules for a PagerDuty connector description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. value: action: edit @@ -356,7 +356,7 @@ paths: params: severity: critical summary: The message body - event_action: trigger + eventAction: trigger timestamp: 2023-10-31T00:00:00Z group: default3 responses: @@ -369,8 +369,8 @@ paths: - $ref: '#/components/schemas/BulkEditActionResponse' - $ref: '#/components/schemas/BulkExportActionResponse' examples: - example1: - summary: 1. Successful response + example01: + summary: Successful response description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. value: success: true @@ -439,8 +439,8 @@ paths: skipped: 1 succeeded: 1 total: 2 - example2: - summary: 2. Partial failure + example02: + summary: Partial failure description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). value: value: 
@@ -545,8 +545,8 @@ paths: rules: - id: '8bc7dad0-9320-11ec-9265-8b772383a08d' name: 'DNS Tunneling [Duplicate]' - example3: - summary: 3. Dry run + example03: + summary: Dry run description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. value: message: 'Bulk edit partially failed' @@ -575,8 +575,8 @@ paths: succeeded: 1 skipped: 0 total: 3 - example4: - summary: 4. Set tags successsully for 2 rules + example04: + summary: Set tags successsully for 2 rules description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. value: success: true @@ -713,8 +713,8 @@ paths: succeeded: 2 skipped: 0 total: 2 - example5: - summary: 5. Idempotent behavior of set_tags + example05: + summary: Idempotent behavior of set_tags description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. value: success: true @@ -736,8 +736,8 @@ paths: succeeded: 0 skipped: 2 total: 2 - example6: - summary: 6. Idempotent behavior of add_tags + example06: + summary: Idempotent behavior of add_tags description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. value: success: true 
@@ -826,8 +826,8 @@ paths: succeeded: 1 skipped: 1 total: 2 - example7: - summary: 7. Non-idempotent behavior for set_rule_actions + example07: + summary: Non-idempotent behavior for set_rule_actions description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. value: success: true @@ -913,8 +913,8 @@ paths: succeeded: 1 skipped: 0 total: 1 - example8: - summary: 8. Non-idempotent behavior for add_rule_actions + example08: + summary: Non-idempotent behavior for add_rule_actions description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. value: success: true diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index f3aba6f998962..3637c574c0b5b 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml 
@@ -1673,18 +1673,106 @@ paths: content: application/json: examples: - example1: + example01: description: The following request activates all rules with the test tag. - summary: 1. Enable all rules with the test tag + summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: >- + The following request duplicates rules with the specified IDs, + including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: >- + The following request runs the rule with the specified ID + within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: >- + The following request exports the rules with the specified + IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: >- + The following request will validate that the + add_index_patterns bulk action can be successfully applied to + three rules. The dry_run parameter is specified in query + parameters, e.g. POST + api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: >- + The following request adds the tag "tag-1" to the rules with + the specified IDs. If the tag already exists for a rule, no + changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d example10: description: >- The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: 10. Add two tags to rules (idempotent) + summary: Edit - Add two tags to rules (idempotent) value: action: edit edit: @@ -1700,7 +1788,7 @@ paths: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. - summary: 11. Delete a tag from rules (idempotent) + summary: Edit - Delete a tag from rules (idempotent) value: action: edit edit: 
@@ -1716,7 +1804,7 @@ paths: the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: 12. Set (overwrite existing) tags for rules (idempotent) + summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: @@ -1732,7 +1820,7 @@ paths: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: 13. Add index patterns to rules (idempotent) + summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: @@ -1747,7 +1835,7 @@ paths: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: 14. Remove index patterns from rules (idempotent) + summary: Edit - Remove index patterns from rules (idempotent) value: action: edit edit: @@ -1764,8 +1852,8 @@ paths: existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. summary: >- - 15. Set (overwrite existing) index patterns for rules patterns - (idempotent) + Edit - Set (overwrite existing) index patterns for rules + patterns (idempotent) value: action: edit edit: @@ -1779,7 +1867,7 @@ paths: description: >- The following request adds investigation field to the rules with the specified IDs. - summary: 16. Add investigation field to rules + summary: Edit - Add investigation field to rules value: action: edit edit: @@ -1795,7 +1883,7 @@ paths: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: 17. Delete investigation fields from rules (idempotent) + summary: Edit - Delete investigation fields from rules (idempotent) value: action: edit edit: 
@@ -1813,7 +1901,7 @@ paths: fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. summary: >- - 18. Set (overwrite existing) investigation fields for rules + Edit - Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit @@ -1831,7 +1919,7 @@ paths: with the specified IDs. If the same timeline template is already set for a rule, no changes are made. summary: >- - 19. Set (overwrite existing) timeline template for rules + Edit - Set (overwrite existing) timeline template for rules (idempotent) value: action: edit @@ -1842,19 +1930,14 @@ paths: timeline_title: Alerts Involving a Single User Timeline ids: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example2: - description: The following request enables the rule with the specified ID. - summary: 2. Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 example20: description: >- The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: 20. Set (overwrite existing) schedule for rules (idempotent) + summary: >- + Edit - Set (overwrite existing) schedule for rules + (idempotent) value: action: edit edit: @@ -1868,7 +1951,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 21. Add rule actions to rules (non-idempotent) + summary: Edit - Add rule actions to rules (non-idempotent) value: action: edit edit: @@ -1886,7 +1969,7 @@ paths: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. summary: >- - 22. Set (overwrite existing) rule actions for rules + Edit - Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit 
@@ -1904,7 +1987,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 23. Add rule actions to rules for a webhook connector + summary: Edit - Add rule actions to rules for a webhook connector value: action: edit edit: @@ -1921,7 +2004,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 24. Add rule actions to rules for an email connector + summary: Edit - Add rule actions to rules for an email connector value: action: edit edit: @@ -1940,7 +2023,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 25. Add rule actions to rules for a slack connector + summary: Edit - Add rule actions to rules for a slack connector value: action: edit edit: @@ -1957,7 +2040,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 26. Add rule actions to rules for a PagerDuty connector + summary: Edit - Add rule actions to rules for a PagerDuty connector value: action: edit edit: 
@@ -1967,93 +2050,12 @@ paths: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: - event_action: trigger + eventAction: trigger severity: critical summary: The message body timestamp: 2023-10-31T00:00:00.000Z ids: - 9e946bfc-3118-4c77-bb25-67d781191921 - example3: - description: The following request disables the rule with the specified ID. - summary: 3. Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example4: - description: >- - The following request duplicates rules with the specified IDs, - including exceptions but not expired exceptions. - summary: 4. Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example5: - description: The following request deletes the rule with the specified ID. - summary: 5. Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example6: - description: >- - The following request runs the rule with the specified ID - within the given date range. - summary: 6. Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example7: - description: >- - The following request exports the rules with the specified - IDs. - summary: 7. Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example8: - description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: 8. 
dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example9: - description: >- - The following request adds the tag "tag-1" to the rules with - the specified IDs. If the tag already exists for a rule, no - changes are made. - summary: 9. Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d schema: oneOf: - $ref: '#/components/schemas/BulkDeleteRules' @@ -2068,12 +2070,12 @@ paths: content: application/json: examples: - example1: + example01: description: >- In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: 1. Successful response + summary: Successful response value: attributes: results: @@ -2158,13 +2160,13 @@ paths: total: 2 rules_count: 1 success: true - example2: + example02: description: >- If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: 2. Partial failure + summary: Partial failure value: value: attributes: @@ -2280,7 +2282,7 @@ paths: rules_count: 2 status_code: 500 success: false - example3: + example03: description: >- The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results @@ -2290,7 +2292,7 @@ paths: applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: 3. Dry run + summary: Dry run value: attributes: errors: 
@@ -2318,13 +2320,13 @@ paths: total: 3 message: Bulk edit partially failed status_code: 500 - example4: + example04: description: >- This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. - summary: 4. Set tags successsully for 2 rules + summary: Set tags successsully for 2 rules value: attributes: results: @@ -2461,13 +2463,13 @@ paths: total: 2 rules_count: 2 success: true - example5: + example05: description: >- This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: 5. Idempotent behavior of set_tags + summary: Idempotent behavior of set_tags value: attributes: results: @@ -2488,13 +2490,13 @@ paths: total: 2 rules_count: 2 success: true - example6: + example06: description: >- This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. - summary: 6. Idempotent behavior of add_tags + summary: Idempotent behavior of add_tags value: attributes: results: @@ -2583,13 +2585,13 @@ paths: total: 2 rules_count: 2 success: true - example7: + example07: description: >- This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: 7. Non-idempotent behavior for set_rule_actions + summary: Non-idempotent behavior for set_rule_actions value: attributes: results: 
@@ -2675,13 +2677,13 @@ paths: total: 1 rules_count: 1 success: true - example8: + example08: description: >- This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: 8. Non-idempotent behavior for add_rule_actions + summary: Non-idempotent behavior for add_rule_actions value: attributes: results: diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 3b2c9e9abe733..b7e4459b70acb 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml 
@@ -1537,18 +1537,106 @@ paths: content: application/json: examples: - example1: + example01: description: The following request activates all rules with the test tag. - summary: 1. Enable all rules with the test tag + summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: >- + The following request duplicates rules with the specified IDs, + including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: >- + The following request runs the rule with the specified ID + within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: >- + The following request exports the rules with the specified + IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: >- + The following request will validate that the + add_index_patterns bulk action can be successfully applied to + three rules. The dry_run parameter is specified in query + parameters, e.g. POST + api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: >- + The following request adds the tag "tag-1" to the rules with + the specified IDs. If the tag already exists for a rule, no + changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d example10: description: >- The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: 10. Add two tags to rules (idempotent) + summary: Edit - Add two tags to rules (idempotent) value: action: edit edit: @@ -1564,7 +1652,7 @@ paths: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. - summary: 11. Delete a tag from rules (idempotent) + summary: Edit - Delete a tag from rules (idempotent) value: action: edit edit: 
@@ -1580,7 +1668,7 @@ paths: the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: 12. Set (overwrite existing) tags for rules (idempotent) + summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: @@ -1596,7 +1684,7 @@ paths: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: 13. Add index patterns to rules (idempotent) + summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: @@ -1611,7 +1699,7 @@ paths: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: 14. Remove index patterns from rules (idempotent) + summary: Edit - Remove index patterns from rules (idempotent) value: action: edit edit: @@ -1628,8 +1716,8 @@ paths: existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. summary: >- - 15. Set (overwrite existing) index patterns for rules patterns - (idempotent) + Edit - Set (overwrite existing) index patterns for rules + patterns (idempotent) value: action: edit edit: @@ -1643,7 +1731,7 @@ paths: description: >- The following request adds investigation field to the rules with the specified IDs. - summary: 16. Add investigation field to rules + summary: Edit - Add investigation field to rules value: action: edit edit: @@ -1659,7 +1747,7 @@ paths: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: 17. Delete investigation fields from rules (idempotent) + summary: Edit - Delete investigation fields from rules (idempotent) value: action: edit edit: 
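Review bot: in the `@@ -1628` hunk the rewritten summary still carries the stray word from the old one, `Edit - Set (overwrite existing) index patterns for rules` / `patterns (idempotent)`; since the line is being reworded anyway, drop the trailing "patterns" so it reads `Edit - Set (overwrite existing) index patterns for rules (idempotent)`, matching the wording of the tags and investigation-fields variants in the neighbouring hunks.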
@@ -1677,7 +1765,7 @@ paths: fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. summary: >- - 18. Set (overwrite existing) investigation fields for rules + Edit - Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit @@ -1695,7 +1783,7 @@ paths: with the specified IDs. If the same timeline template is already set for a rule, no changes are made. summary: >- - 19. Set (overwrite existing) timeline template for rules + Edit - Set (overwrite existing) timeline template for rules (idempotent) value: action: edit @@ -1706,19 +1794,14 @@ paths: timeline_title: Alerts Involving a Single User Timeline ids: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example2: - description: The following request enables the rule with the specified ID. - summary: 2. Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 example20: description: >- The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: 20. Set (overwrite existing) schedule for rules (idempotent) + summary: >- + Edit - Set (overwrite existing) schedule for rules + (idempotent) value: action: edit edit: @@ -1732,7 +1815,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 21. Add rule actions to rules (non-idempotent) + summary: Edit - Add rule actions to rules (non-idempotent) value: action: edit edit: @@ -1750,7 +1833,7 @@ paths: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. summary: >- - 22. Set (overwrite existing) rule actions for rules + Edit - Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit 
@@ -1768,7 +1851,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 23. Add rule actions to rules for a webhook connector + summary: Edit - Add rule actions to rules for a webhook connector value: action: edit edit: @@ -1785,7 +1868,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 24. Add rule actions to rules for an email connector + summary: Edit - Add rule actions to rules for an email connector value: action: edit edit: @@ -1804,7 +1887,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 25. Add rule actions to rules for a slack connector + summary: Edit - Add rule actions to rules for a slack connector value: action: edit edit: @@ -1821,7 +1904,7 @@ paths: description: >- The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 26. Add rule actions to rules for a PagerDuty connector + summary: Edit - Add rule actions to rules for a PagerDuty connector value: action: edit edit: 
@@ -1831,93 +1914,12 @@ paths: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: - event_action: trigger + eventAction: trigger severity: critical summary: The message body timestamp: 2023-10-31T00:00:00.000Z ids: - 9e946bfc-3118-4c77-bb25-67d781191921 - example3: - description: The following request disables the rule with the specified ID. - summary: 3. Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example4: - description: >- - The following request duplicates rules with the specified IDs, - including exceptions but not expired exceptions. - summary: 4. Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example5: - description: The following request deletes the rule with the specified ID. - summary: 5. Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example6: - description: >- - The following request runs the rule with the specified ID - within the given date range. - summary: 6. Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example7: - description: >- - The following request exports the rules with the specified - IDs. - summary: 7. Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example8: - description: >- - The following request will validate that the - add_index_patterns bulk action can be successfully applied to - three rules. The dry_run parameter is specified in query - parameters, e.g. POST - api/detection_engine/rules/_bulk_action?dry_run=true - summary: 8. 
dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example9: - description: >- - The following request adds the tag "tag-1" to the rules with - the specified IDs. If the tag already exists for a rule, no - changes are made. - summary: 9. Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d schema: oneOf: - $ref: '#/components/schemas/BulkDeleteRules' @@ -1932,12 +1934,12 @@ paths: content: application/json: examples: - example1: + example01: description: >- In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: 1. Successful response + summary: Successful response value: attributes: results: @@ -2022,13 +2024,13 @@ paths: total: 2 rules_count: 1 success: true - example2: + example02: description: >- If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: 2. Partial failure + summary: Partial failure value: value: attributes: @@ -2144,7 +2146,7 @@ paths: rules_count: 2 status_code: 500 success: false - example3: + example03: description: >- The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results @@ -2154,7 +2156,7 @@ paths: applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: 3. Dry run + summary: Dry run value: attributes: errors: 
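Review bot: in the `@@ -1831` hunk the PagerDuty action example switches the key from `event_action: trigger` to `eventAction: trigger` while `severity`, `summary` and `timestamp` are left as they were; please confirm this casing is the parameter name the PagerDuty connector actually accepts and that the rule-action parameter documentation in this schema uses the same spelling, otherwise the example and the reference text will disagree. In the same block, `timestamp: 2023-10-31T00:00:00.000Z` is unquoted in this source file, so a YAML 1.1 loader may read it as a timestamp rather than a string; quote it the way the `run` example quotes `'2025-03-01T00:00:00.000Z'`. Also, in the `@@ -2022` hunk the Partial failure response example's context lines show `value:` twice in a row (`summary: Partial failure` / `value:` / `value:`), which nests the example body one level too deep; worth fixing while this example is being renamed.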
@@ -2182,13 +2184,13 @@ paths: total: 3 message: Bulk edit partially failed status_code: 500 - example4: + example04: description: >- This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. - summary: 4. Set tags successsully for 2 rules + summary: Set tags successsully for 2 rules value: attributes: results: @@ -2325,13 +2327,13 @@ paths: total: 2 rules_count: 2 success: true - example5: + example05: description: >- This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: 5. Idempotent behavior of set_tags + summary: Idempotent behavior of set_tags value: attributes: results: @@ -2352,13 +2354,13 @@ paths: total: 2 rules_count: 2 success: true - example6: + example06: description: >- This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. - summary: 6. Idempotent behavior of add_tags + summary: Idempotent behavior of add_tags value: attributes: results: @@ -2447,13 +2449,13 @@ paths: total: 2 rules_count: 2 success: true - example7: + example07: description: >- This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: 7. Non-idempotent behavior for set_rule_actions + summary: Non-idempotent behavior for set_rule_actions value: attributes: results: 
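Review bot: the `@@ -2182` hunk rewrites the summary but keeps the typo, `summary: Set tags successsully for 2 rules`; change it to "Set tags successfully for 2 rules" in this pass so the misspelling does not get carried into the generated OpenAPI output.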
@@ -2539,13 +2541,13 @@ paths: total: 1 rules_count: 1 success: true - example8: + example08: description: >- This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: 8. Non-idempotent behavior for add_rule_actions + summary: Non-idempotent behavior for add_rule_actions value: attributes: results: From bad278f3da7533adf1ac909ca9d902faeef137a7 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 9 Apr 2025 10:10:57 +0000 Subject: [PATCH 8/8] [CI] Auto-commit changed files from 'make api-docs' --- oas_docs/output/kibana.serverless.yaml | 220 ++++++++++++------------- oas_docs/output/kibana.yaml | 220 ++++++++++++------------- 2 files changed, 220 insertions(+), 220 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index d96f349b79120..ac14e4bd72c9b 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml 
@@ -10186,15 +10186,89 @@ paths: content: application/json: examples: - example1: + example01: description: The following request activates all rules with the test tag. - summary: 1. Enable all rules with the test tag + summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: The following request runs the rule with the specified ID within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: The following request exports the rules with the specified IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d example10: description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: 10. Add two tags to rules (idempotent) + summary: Edit - Add two tags to rules (idempotent) value: action: edit edit: @@ -10207,7 +10281,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example11: description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. - summary: 11. Delete a tag from rules (idempotent) + summary: Edit - Delete a tag from rules (idempotent) value: action: edit edit: 
@@ -10219,7 +10293,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example12: description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: 12. Set (overwrite existing) tags for rules (idempotent) + summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: @@ -10232,7 +10306,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example13: description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: 13. Add index patterns to rules (idempotent) + summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: @@ -10244,7 +10318,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example14: description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: 14. Remove index patterns from rules (idempotent) + summary: Edit - Remove index patterns from rules (idempotent) value: action: edit edit: @@ -10256,7 +10330,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example15: description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. - summary: 15. Set (overwrite existing) index patterns for rules patterns (idempotent) + summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) value: action: edit edit: 
@@ -10268,7 +10342,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example16: description: The following request adds investigation field to the rules with the specified IDs. - summary: 16. Add investigation field to rules + summary: Edit - Add investigation field to rules value: action: edit edit: @@ -10281,7 +10355,7 @@ paths: - 87654321-4321-4321-4321-0987654321ba example17: description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: 17. Delete investigation fields from rules (idempotent) + summary: Edit - Delete investigation fields from rules (idempotent) value: action: edit edit: @@ -10294,7 +10368,7 @@ paths: - field2 example18: description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. - summary: 18. Set (overwrite existing) investigation fields for rules (idempotent) + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit edit: @@ -10307,7 +10381,7 @@ paths: - 87654321-4321-4321-4321-0987654321ba example19: description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. - summary: 19. Set (overwrite existing) timeline template for rules (idempotent) + summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) value: action: edit edit: 
@@ -10317,16 +10391,9 @@ paths: timeline_title: Alerts Involving a Single User Timeline ids: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example2: - description: The following request enables the rule with the specified ID. - summary: 2. Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 example20: description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: 20. Set (overwrite existing) schedule for rules (idempotent) + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: @@ -10338,7 +10405,7 @@ paths: - 99887766-5544-3322-1100-aabbccddeeff example21: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 21. Add rule actions to rules (non-idempotent) + summary: Edit - Add rule actions to rules (non-idempotent) value: action: edit edit: @@ -10353,7 +10420,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191928 example22: description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. - summary: 22. Set (overwrite existing) rule actions for rules (non-idempotent) + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit edit: @@ -10368,7 +10435,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191928 example23: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 23. Add rule actions to rules for a webhook connector + summary: Edit - Add rule actions to rules for a webhook connector value: action: edit edit: 
@@ -10383,7 +10450,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example24: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 24. Add rule actions to rules for an email connector + summary: Edit - Add rule actions to rules for an email connector value: action: edit edit: @@ -10400,7 +10467,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example25: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 25. Add rule actions to rules for a slack connector + summary: Edit - Add rule actions to rules for a slack connector value: action: edit edit: @@ -10415,7 +10482,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example26: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 26. Add rule actions to rules for a PagerDuty connector + summary: Edit - Add rule actions to rules for a PagerDuty connector value: action: edit edit: 
@@ -10425,79 +10492,12 @@ paths: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: - event_action: trigger + eventAction: trigger severity: critical summary: The message body timestamp: '2023-10-31T00:00:00.000Z' ids: - 9e946bfc-3118-4c77-bb25-67d781191921 - example3: - description: The following request disables the rule with the specified ID. - summary: 3. Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example4: - description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: 4. Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example5: - description: The following request deletes the rule with the specified ID. - summary: 5. Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example6: - description: The following request runs the rule with the specified ID within the given date range. - summary: 6. Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example7: - description: The following request exports the rules with the specified IDs. - summary: 7. Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example8: - description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: 8. 
dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example9: - description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. - summary: 9. Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' @@ -10512,9 +10512,9 @@ paths: content: application/json: examples: - example1: + example01: description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: 1. Successful response + summary: Successful response value: attributes: results: @@ -10582,9 +10582,9 @@ paths: total: 2 rules_count: 1 success: true - example2: + example02: description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: 2. Partial failure + summary: Partial failure value: value: attributes: 
@@ -10689,9 +10689,9 @@ paths: rules_count: 2 status_code: 500 success: false - example3: + example03: description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: 3. Dry run + summary: Dry run value: attributes: errors: @@ -10719,9 +10719,9 @@ paths: total: 3 message: Bulk edit partially failed status_code: 500 - example4: + example04: description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. - summary: 4. Set tags successsully for 2 rules + summary: Set tags successsully for 2 rules value: attributes: results: @@ -10857,9 +10857,9 @@ paths: total: 2 rules_count: 2 success: true - example5: + example05: description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: 5. Idempotent behavior of set_tags + summary: Idempotent behavior of set_tags value: attributes: results: @@ -10880,9 +10880,9 @@ paths: total: 2 rules_count: 2 success: true - example6: + example06: description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. - summary: 6. Idempotent behavior of add_tags + summary: Idempotent behavior of add_tags value: attributes: results: 
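Review bot: these `oas_docs/output/kibana.serverless.yaml` hunks (and the matching `oas_docs/output/kibana.yaml` hunks in the same commit) are produced by `make api-docs` and reproduce the source schema verbatim, so every wording issue from the source comes through unchanged: the unslashed `api/detection_engine/rules/_bulk_action?dry_run=true` path and trailing period in example08/example02, the `index patterns for rules patterns` summary in example15, the doubled `value:` in the Partial failure response example, and `Set tags successsully for 2 rules`. Fix them in the `bulk_actions_route.schema.yaml` source and re-run the generator rather than editing the bundled files by hand, otherwise the next auto-commit will revert any manual correction here.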
@@ -10970,9 +10970,9 @@ paths: total: 2 rules_count: 2 success: true - example7: + example07: description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: 7. Non-idempotent behavior for set_rule_actions + summary: Non-idempotent behavior for set_rule_actions value: attributes: results: @@ -11057,9 +11057,9 @@ paths: total: 1 rules_count: 1 success: true - example8: + example08: description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: 8. Non-idempotent behavior for add_rule_actions + summary: Non-idempotent behavior for add_rule_actions value: attributes: results: diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 2d8c7d384cd2e..6aa38f9da072b 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -11856,15 +11856,89 @@ paths: content: application/json: examples: - example1: + example01: description: The following request activates all rules with the test tag. - summary: 1. Enable all rules with the test tag + summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' + example02: + description: The following request enables the rule with the specified ID. + summary: Enable - Enable a specific rule by ID. + value: + action: enable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example03: + description: The following request disables the rule with the specified ID. + summary: Disable - Disable a specific rule by ID + value: + action: disable + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example04: + description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. + summary: Duplicate - Duplicate rules with specific IDs + value: + action: duplicate + duplicate: + include_exceptions: true + include_expired_exceptions: false + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + - 461a4c22-416e-4009-a9a7-cf79656454bf + example05: + description: The following request deletes the rule with the specified ID. + summary: Delete - Delete a specific rule by ID + value: + action: delete + ids: + - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 + example06: + description: The following request runs the rule with the specified ID within the given date range. + summary: Run - Run a specific rule by ID + value: + action: run + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + run: + end_date: '2025-03-10T23:59:59.999Z' + start_date: '2025-03-01T00:00:00.000Z' + example07: + description: The following request exports the rules with the specified IDs. 
+ summary: Export - Export specific rules by ID + value: + action: export + ids: + - 748694f0-6977-4ea5-8384-cd2e39730779 + example08: + description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true + summary: Edit - dry run - Validate add_index_patterns bulk action + value: + action: edit + edit: + - type: add_index_patterns + value: + - test-* + ids: + - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 + - dc015d10-0831-11ed-ac8b-05a222bd8d4a + - de8f5af0-0831-11ed-ac8b-05a222bd8d4a + example09: + description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. + summary: Edit - Add a tag to rules (idempotent) + value: + action: edit + edit: + - type: add_tags + value: + - tag-1 + ids: + - 8bc7dad0-9320-11ec-9265-8b772383a08d + - 8e5c1a40-9320-11ec-9265-8b772383a08d example10: description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. - summary: 10. Add two tags to rules (idempotent) + summary: Edit - Add two tags to rules (idempotent) value: action: edit edit: @@ -11877,7 +11951,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example11: description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. - summary: 11. Delete a tag from rules (idempotent) + summary: Edit - Delete a tag from rules (idempotent) value: action: edit edit: 
@@ -11889,7 +11963,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example12: description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. - summary: 12. Set (overwrite existing) tags for rules (idempotent) + summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: @@ -11902,7 +11976,7 @@ paths: - 8e5c1a40-9320-11ec-9265-8b772383a08d example13: description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. - summary: 13. Add index patterns to rules (idempotent) + summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: @@ -11914,7 +11988,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example14: description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. - summary: 14. Remove index patterns from rules (idempotent) + summary: Edit - Remove index patterns from rules (idempotent) value: action: edit edit: @@ -11926,7 +12000,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example15: description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. - summary: 15. Set (overwrite existing) index patterns for rules patterns (idempotent) + summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) value: action: edit edit: 
@@ -11938,7 +12012,7 @@ paths: - dc015d10-0831-11ed-ac8b-05a222bd8d4a example16: description: The following request adds investigation field to the rules with the specified IDs. - summary: 16. Add investigation field to rules + summary: Edit - Add investigation field to rules value: action: edit edit: @@ -11951,7 +12025,7 @@ paths: - 87654321-4321-4321-4321-0987654321ba example17: description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. - summary: 17. Delete investigation fields from rules (idempotent) + summary: Edit - Delete investigation fields from rules (idempotent) value: action: edit edit: @@ -11964,7 +12038,7 @@ paths: - field2 example18: description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. - summary: 18. Set (overwrite existing) investigation fields for rules (idempotent) + summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit edit: @@ -11977,7 +12051,7 @@ paths: - 87654321-4321-4321-4321-0987654321ba example19: description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. - summary: 19. Set (overwrite existing) timeline template for rules (idempotent) + summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) value: action: edit edit: 
@@ -11987,16 +12061,9 @@ paths: timeline_title: Alerts Involving a Single User Timeline ids: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b - example2: - description: The following request enables the rule with the specified ID. - summary: 2. Enable a specific rule by ID. - value: - action: enable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 example20: description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. - summary: 20. Set (overwrite existing) schedule for rules (idempotent) + summary: Edit - Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: @@ -12008,7 +12075,7 @@ paths: - 99887766-5544-3322-1100-aabbccddeeff example21: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 21. Add rule actions to rules (non-idempotent) + summary: Edit - Add rule actions to rules (non-idempotent) value: action: edit edit: @@ -12023,7 +12090,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191928 example22: description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. - summary: 22. Set (overwrite existing) rule actions for rules (non-idempotent) + summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit edit: @@ -12038,7 +12105,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191928 example23: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 23. Add rule actions to rules for a webhook connector + summary: Edit - Add rule actions to rules for a webhook connector value: action: edit edit: 
@@ -12053,7 +12120,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example24: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 24. Add rule actions to rules for an email connector + summary: Edit - Add rule actions to rules for an email connector value: action: edit edit: @@ -12070,7 +12137,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example25: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 25. Add rule actions to rules for a slack connector + summary: Edit - Add rule actions to rules for a slack connector value: action: edit edit: @@ -12085,7 +12152,7 @@ paths: - 9e946bfc-3118-4c77-bb25-67d781191921 example26: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. - summary: 26. Add rule actions to rules for a PagerDuty connector + summary: Edit - Add rule actions to rules for a PagerDuty connector value: action: edit edit: 
@@ -12095,79 +12162,12 @@ paths: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: - event_action: trigger + eventAction: trigger severity: critical summary: The message body timestamp: '2023-10-31T00:00:00.000Z' ids: - 9e946bfc-3118-4c77-bb25-67d781191921 - example3: - description: The following request disables the rule with the specified ID. - summary: 3. Disable a specific rule by ID - value: - action: disable - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example4: - description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. - summary: 4. Duplicate rules with specific IDs - value: - action: duplicate - duplicate: - include_exceptions: true - include_expired_exceptions: false - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - - 461a4c22-416e-4009-a9a7-cf79656454bf - example5: - description: The following request deletes the rule with the specified ID. - summary: 5. Delete a specific rule by ID - value: - action: delete - ids: - - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 - example6: - description: The following request runs the rule with the specified ID within the given date range. - summary: 6. Run a specific rule by ID - value: - action: run - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - run: - end_date: '2025-03-10T23:59:59.999Z' - start_date: '2025-03-01T00:00:00.000Z' - example7: - description: The following request exports the rules with the specified IDs. - summary: 7. Export specific rules by ID - value: - action: export - ids: - - 748694f0-6977-4ea5-8384-cd2e39730779 - example8: - description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true - summary: 8. 
dry run - Validate add_index_patterns bulk action - value: - action: edit - edit: - - type: add_index_patterns - value: - - test-* - ids: - - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - - dc015d10-0831-11ed-ac8b-05a222bd8d4a - - de8f5af0-0831-11ed-ac8b-05a222bd8d4a - example9: - description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. - summary: 9. Add a tag to rules (idempotent) - value: - action: edit - edit: - - type: add_tags - value: - - tag-1 - ids: - - 8bc7dad0-9320-11ec-9265-8b772383a08d - - 8e5c1a40-9320-11ec-9265-8b772383a08d schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' @@ -12182,9 +12182,9 @@ paths: content: application/json: examples: - example1: + example01: description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. - summary: 1. Successful response + summary: Successful response value: attributes: results: @@ -12252,9 +12252,9 @@ paths: total: 2 rules_count: 1 success: true - example2: + example02: description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). - summary: 2. Partial failure + summary: Partial failure value: value: attributes: 
@@ -12359,9 +12359,9 @@ paths: rules_count: 2 status_code: 500 success: false - example3: + example03: description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. - summary: 3. Dry run + summary: Dry run value: attributes: errors: @@ -12389,9 +12389,9 @@ paths: total: 3 message: Bulk edit partially failed status_code: 500 - example4: + example04: description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. - summary: 4. Set tags successsully for 2 rules + summary: Set tags successsully for 2 rules value: attributes: results: @@ -12527,9 +12527,9 @@ paths: total: 2 rules_count: 2 success: true - example5: + example05: description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. - summary: 5. Idempotent behavior of set_tags + summary: Idempotent behavior of set_tags value: attributes: results: @@ -12550,9 +12550,9 @@ paths: total: 2 rules_count: 2 success: true - example6: + example06: description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. - summary: 6. Idempotent behavior of add_tags + summary: Idempotent behavior of add_tags value: attributes: results: 
@@ -12640,9 +12640,9 @@ paths: total: 2 rules_count: 2 success: true - example7: + example07: description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. - summary: 7. Non-idempotent behavior for set_rule_actions + summary: Non-idempotent behavior for set_rule_actions value: attributes: results: @@ -12727,9 +12727,9 @@ paths: total: 1 rules_count: 1 success: true - example8: + example08: description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. - summary: 8. Non-idempotent behavior for add_rule_actions + summary: Non-idempotent behavior for add_rule_actions value: attributes: results:
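Review bot: the PagerDuty example26 hunk (`@@ -12095,79 +12162,12 @@`) flips the params key from `event_action: trigger` to `eventAction: trigger` while the sibling keys (`severity: critical`, `summary`, `timestamp`) are unchanged, so nothing in the example tells a reader whether the camelCase spelling is deliberate. Before merging, confirm the key name against what the PagerDuty connector actually accepts and make sure the prose description of action `params` elsewhere in the schema uses the same spelling; an example that disagrees with its own field description will be copied verbatim into rules that then fail validation. If camelCase is correct, say so in the example26 description, e.g. "PagerDuty params use camelCase keys such as `eventAction`".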
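Review bot: the example15 summary rewritten in hunk `@@ -11926,7 +12000,7 @@` still ends in "index patterns for rules patterns (idempotent)"; the trailing "patterns" is a leftover from an earlier edit. Since the line is being touched anyway, make it `summary: Edit - Set (overwrite existing) index patterns for rules (idempotent)`.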
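Review bot: `summary: Set tags successsully for 2 rules` in hunk `@@ -12389,9 +12389,9 @@` keeps the typo "successsully" from the old line; fix it to `summary: Set tags successfully for 2 rules` while the line is in the diff.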
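Review bot: the response example03 description in hunk `@@ -12359,9 +12359,9 @@` contradicts itself: it says "The same results would be returned if you ran the request without dry run mode enabled" and two sentences later that "In dry run mode, rule updates are not applied ... so the endpoint wouldn't return results for rules that have been updated". Only the `attributes.errors` section would be the same without `dry_run`; `attributes.results` would then contain the one updated rule. Suggest "The same errors would be returned if you ran the request without dry run mode enabled; attributes.results would additionally list the rule that succeeded."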
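Review bot: examples 23 to 26 (hunks `@@ -12038,7 +12105,7 @@` through `@@ -12085,7 +12152,7 @@`) share the identical description "The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID." and differ only in the summary, so a reader looking at the description alone cannot tell the webhook, email, Slack and PagerDuty cases apart. Since these summaries are being rewritten, name the connector in each description as well, e.g. "adds a webhook connector action to the rules with the specified IDs", and keep the "(non-idempotent)" marker that examples 21 and 22 carry, because the same "receives its own unique ID" behaviour applies here.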
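Review bot: the example08 description (in the hunk just before `@@ -11877,7 +11951,7 @@`) shows the dry-run call as `POST api/detection_engine/rules/_bulk_action?dry_run=true`, without the leading slash used for the route everywhere else in this spec; write it as `POST /api/detection_engine/rules/_bulk_action?dry_run=true`. Also worth double-checking, since the request examples are being renamed from `example2`..`example9` to zero-padded keys: the re-added `example08`/`example09` bodies should stay byte-identical to the removed `example8`/`example9` ones, and no single-digit `exampleN` key should remain anywhere in either the request or response `examples` map, otherwise the ordering the renumbering is meant to fix breaks again.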