update rule query clarification (#2985)
Example 2 in the documentation has a few typos and uses an incorrect parameter.

Also, the documentation on "params" in the action schema could use an example.
https://www.elastic.co/guide/en/security/current/bulk-actions-rules-api.html#actions-object-schema-bulk
![image](https://user-images.githubusercontent.com/22603166/218981222-839eca6c-117b-42a8-98fc-cd47f310919a.png)

It can be difficult to see that you need to define it as a list with a single item that is an array. An example would have made it a lot clearer.
For example:
```
POST api/detection_engine/rules/_bulk_action
{
  "query": "alert.attributes.params.severity: \"critical\"",
  "action": "edit",
  "edit": [
    {
      "type": "set_rule_actions",
      "value": {
        "actions": [
          {
            "id": "id",
            "group": "default",
            "params": {
              "subAction": "pushToService",
              "subActionParams": {
                "incident": {
                  "issueType": "10009",
                  "priority": "Critical",
                  "description": "{{#context.alerts}}\n*Host:* {{host.name}} ({{source.ip}}) *OS:* {{host.os.name}} {{host.os.version}}\n*Time:* {{event.start}} - {{event.end}}\n*Reason:* {{signal.reason}}\n\n*------------------ Optional Fields ------------------*\n*Username:* {{winlog.user.name}} - {{user.name}}\n*File name:* {{file.name}}\n*Process Name:* {{process.name}} \n*Parent Process:* {{parent.process.name}}\n*-----------------------------------------------------*\n{{/context.alerts}}\n\n*Count of events:* {{state.signals_count}}\n\n*Link:* TENANTURL{{{context.results_link}}}",
                  "summary": "{{context.rule.name}} - {{context.rule.severity}}"
                },
                "comments": [
                  {
                    "commentId": "1",
                    "comment": "*Description:* {{context.rule.description}}\n\n*Rule Severity:* {{context.rule.severity}}\n\n*References:* {{context.rule.references}}\n\n*Possible false positive reason:* {{context.rule.false_positives}}\n\n*MITRE ATT&CK and ID:* {{context.rule.threat}}"
                  }
                ]
              }
            }
          },
          {
            "group": "default",
            "id": "id",
            "params": {
              "message": "# **{{context.rule.name}}**\n\n**Alerts:** {{state.signals_count}}\n\n**Severity:** {{context.rule.severity}}\n\n**Kibana URL:** TENANTURL{{{context.results_link}}}"
            }
          }
        ],
        "throttle": "rule"
      }
    }
  ]
}
```
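As an added example (not code from this commit or from Elastic), a pre-flight check in Python for the body of a bulk `edit` request that encodes the shape the commit message describes (`edit` is a list of `{type, value}` objects, and for `set_rule_actions` the `params` sit inside each entry of `value.actions`) and flags the `action`-instead-of-`type` mistake Example 2 had. The required per-action keys and the one-of `ids`/`query` rule are assumptions drawn from this page, not a copy of the full API schema.

```python
# Edit types that appear on this page; the API's real list is longer (assumption).
KNOWN_EDIT_TYPES = {"add_tags", "set_rule_actions"}

def validate_bulk_edit(body: dict) -> list:
    """Return the problems found in a bulk-action body (empty list = looks well-formed)."""
    problems = []
    if body.get("action") != "edit":
        problems.append('top-level "action" must be "edit"')
    # The docs select rules by "ids" or by "query"; we assume exactly one is expected.
    if ("ids" in body) == ("query" in body):
        problems.append('supply exactly one of "ids" or "query"')
    edits = body.get("edit")
    if not isinstance(edits, list) or not edits:
        return problems + ['"edit" must be a non-empty list of {"type", "value"} objects']
    for i, edit in enumerate(edits):
        if "action" in edit and "type" not in edit:  # the key Example 2 got wrong
            problems.append(f'edit[{i}]: the key is "type", not "action"')
            continue
        if edit.get("type") not in KNOWN_EDIT_TYPES:
            problems.append(f'edit[{i}]: unknown type {edit.get("type")!r}')
            continue
        if edit["type"] == "set_rule_actions":
            actions = edit.get("value", {}).get("actions")
            if not isinstance(actions, list):
                problems.append(f'edit[{i}]: "value.actions" must be a list (one entry per connector)')
                continue
            for j, act in enumerate(actions):  # "params" lives inside each action entry
                missing = [k for k in ("id", "group", "params") if k not in act]
                if missing:
                    problems.append(f'edit[{i}].actions[{j}]: missing {missing}')
    return problems

# Constructed sample: Example 2 as it read before this commit, written as a Python dict
# because the original's unquoted keys would not parse as JSON at all.
BROKEN_EXAMPLE_2 = {"ids": ["8bc7dad0-9320-11ec-9265-8b772383a08d"], "action": "edit",
                    "edit": [{"action": "add_tags", "value": ["tag-1", "tag-2"]}]}

# Constructed sample mirroring the commit message: params nested under value.actions.
SET_ACTIONS_BODY = {
    "query": 'alert.attributes.params.severity: "critical"',
    "action": "edit",
    "edit": [{"type": "set_rule_actions", "value": {
        "actions": [{"id": "id", "group": "default",
                     "params": {"message": "# **{{context.rule.name}}**"}}],
        "throttle": "rule"}}],
}

if __name__ == "__main__":
    print(validate_bulk_edit(BROKEN_EXAMPLE_2))  # reports the "action" vs "type" mistake
    print(validate_bulk_edit(SET_ACTIONS_BODY))  # []
```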
Tibo669 authored Apr 3, 2023
1 parent 554b35d commit f7aff54
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions docs/detections/api/rules/rules-api-bulk-actions.asciidoc
@@ -568,10 +568,10 @@ POST api/detection_engine/rules/_bulk_action
{
"ids":[
"8bc7dad0-9320-11ec-9265-8b772383a08d",
"8e5c1a40-9320-11ec-9265-8b772383a08d",
"8e5c1a40-9320-11ec-9265-8b772383a08d"
],
"action": "edit",
"edit": [{ action: "add_tags", value:["tag-1", "tag-2"] }]
"edit": [{ "type": "add_tags", "value":["tag-1", "tag-2"] }]
}
--------------------------------------------------
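Review bot: the `ids` array in the surrounding context still lists `8e5c1a40-9320-11ec-9265-8b772383a08d` twice; since this hunk is being edited anyway, consider replacing the duplicate with a distinct id so readers do not take repeated ids as intended. The key fix itself is right: `action` and `value` were unquoted, and `action` is not the field the `edit` schema uses, so `"edit": [{ "type": "add_tags", "value":["tag-1", "tag-2"] }]` now matches the `"type": "set_rule_actions"` form shown in the commit message. The `params` example the commit message asks for is not part of this change and would need a follow-up.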
