[Detection Engine][Exceptions] - Document exception item list types API side #3491
Comments
Notes on the different type options that users can specify:
Following up with more details.
I think we can add a section under
A user just needs to pass in a rule It would be important to note that as of right now, rule default exception lists do not get displayed in the shared exception list UI page. It's something we're tracking and hoping to get to.
Action items from today's meeting with @yctercero and @natasha-moore-elastic:
cc: @jmikell821
@nastasha-solomon we found the route! https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_exceptions/api/create_rule_exceptions/route.ts It just exists under the detection_engine directory, not the lists plugin.
Mystery solved! Thanks both for investigating this :) @dhurley14 what's the correct endpoint route for the Create shared exception list endpoint? Is it Also, @yctercero would you be able to provide the following information for the create_rule_exceptions endpoint:
tyty
Thanks @dhurley14 for helping clarify. I think we can move that endpoint to be documented under the detections section as it is not an endpoint that exists in the As for create_rule_exceptions - here's the information:
Allows a user to create exception items to be associated with the specified rule. Refer to Exceptions API for details on exception item format.
POST :/api/detection_engine/rules/{id}/exceptions
Request Params
Body Params
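The distinction this thread is about, as an added example (not code from the issue or from Kibana): a small Python helper that splits a rule's exception containers into shared (`detection`) and `rule_default` lists and builds the query to fetch each one's items. The sample rule is constructed; the shape of the `exceptions_list` entries and the `/api/exception_lists/items/_find` route are assumed from Kibana's public API rather than taken from this thread.

```python
"""Separate rule_default exception containers from shared ones on a rule.

Added example. The rule JSON is constructed and the field names
(id, list_id, type, namespace_type) plus the _find route are assumptions
about Kibana's exception API, not facts stated in this issue.
"""
from urllib.parse import urlencode

# Container types an entry in a rule's exceptions_list can carry (assumed).
SHARED = "detection"          # shared list, shown on the shared exception list UI page
RULE_DEFAULT = "rule_default"  # rule-only container; not shown on that UI page
ENDPOINT = "endpoint"

# Assumed route for fetching the items that belong to one container.
FIND_ITEMS_ROUTE = "/api/exception_lists/items/_find"

# Constructed sample rule with one shared list and one rule-default container.
SAMPLE_RULE = {
    "id": "rule-1",
    "exceptions_list": [
        {"id": "abc", "list_id": "shared-allowlist", "type": SHARED, "namespace_type": "single"},
        {"id": "def", "list_id": "rule-1-default", "type": RULE_DEFAULT, "namespace_type": "single"},
    ],
}


def split_exception_containers(rule: dict) -> dict:
    """Bucket the rule's exception containers by type; reject unknown types."""
    buckets = {SHARED: [], RULE_DEFAULT: [], ENDPOINT: []}
    for ref in rule.get("exceptions_list", []):
        kind = ref.get("type")
        if kind not in buckets:
            raise ValueError(f"unknown exception container type: {kind!r}")
        buckets[kind].append(ref)
    return buckets


def find_items_request(ref: dict) -> str:
    """Path + query string that fetches the items of a single container."""
    query = {"list_id": ref["list_id"], "namespace_type": ref["namespace_type"]}
    return FIND_ITEMS_ROUTE + "?" + urlencode(query)


def fetch_plan(rule: dict) -> dict:
    """Map each container type to the requests needed to read its items."""
    return {kind: [find_items_request(r) for r in refs]
            for kind, refs in split_exception_containers(rule).items()}


if __name__ == "__main__":
    for kind, requests in fetch_plan(SAMPLE_RULE).items():
        print(kind, requests)
```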
My action items/notes from meeting with @yctercero today: Exception API doc updates:
Description
Back in 8.7 (I think?) we'd made the decision not to explain the details of the different containers for exception items applied to a rule and exception items that are considered "shared". In the community slack, one of our heavy API users was asking about how to differentiate between the two and if there was any documentation. I still feel that the UI docs should stay as they are since for non-API users, I don't think they need to know the underlying details and more information could just add confusion. However, it could be worth updating the API side docs to dive into a bit more detail so that users know how to fetch the different types.
Here is the convo with the community member for context.
We could update this section to do the following:
- rule_default list type as an option
- rule_default vs detection (shared) is
- Create rule exception