[8.18] [Security Solution] Add note about removing bulk crud API in v9.0 and migrate examples (#213260) (#214710)

# Backport

This will backport the following commits from `8.x` to `8.18`:
- [[Security Solution] Add note about removing bulk crud API in v9.0 and
migrate examples
(#213260)](https://github.com/elastic/kibana/pull/213260)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Jacek
Kolezynski","email":"jacek.kolezynski@elastic.co"},"sourceCommit":{"committedDate":"2025-03-14T19:55:22Z","message":"[Security
Solution] Add note about removing bulk crud API in v9.0 and migrate
examples (#213260)\n\n**Partially addresses:**
#211808,\nhttps://github.com/elastic/security-docs/issues/5981
(internal)\n\n## Summary\n\nThis is the third part of the migration
effort, containing changes for\nBULK CRUD:\n- adding a note informing of
removing this API in v.9.0\n- migrating examples\n- adding infos in
description\n\nThis PR will be backported only to versions for Kibana
v8\n\n# Testing\n1. cd
x-pack/solutions/security/plugins/security_solution\n2. yarn
openapi:bundle:detections \n3. Take the bundled
file\n(docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml)\nand
load it into bump.sh console to see the changes.\n4. Compare the changes
with the
[Legacy\ndocumentation](https://www.elastic.co/guide/en/security/current/rule-api-overview.html)\n\nYou
can also use this
[link](https://bump.sh/jkelas2/doc/kibana_wip3/)\nwhere I deployed the
generated bundled doc.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
Georgii Gorbachev
<banderror@gmail.com>","sha":"e334449b82da6fad82808091e860f4c2248fcb74","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Detections
and Resp","Team: SecuritySolution","APIDocs","Team:Detection Rule
Management","backport:version","8.18
candidate","v8.18.0","v8.19.0"],"title":"[Security Solution] Add note
about removing bulk crud API in v9.0 and migrate
examples","number":213260,"url":"https://github.com/elastic/kibana/pull/213260","mergeCommit":{"message":"[Security
Solution] Add note about removing bulk crud API in v9.0 and migrate
examples (#213260)\n\n**Partially addresses:**
#211808,\nhttps://github.com/elastic/security-docs/issues/5981
(internal)\n\n## Summary\n\nThis is the third part of the migration
effort, containing changes for\nBULK CRUD:\n- adding a note informing of
removing this API in v.9.0\n- migrating examples\n- adding infos in
description\n\nThis PR will be backported only to versions for Kibana
v8\n\n# Testing\n1. cd
x-pack/solutions/security/plugins/security_solution\n2. yarn
openapi:bundle:detections \n3. Take the bundled
file\n(docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml)\nand
load it into bump.sh console to see the changes.\n4. Compare the changes
with the
[Legacy\ndocumentation](https://www.elastic.co/guide/en/security/current/rule-api-overview.html)\n\nYou
can also use this
[link](https://bump.sh/jkelas2/doc/kibana_wip3/)\nwhere I deployed the
generated bundled doc.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
Georgii Gorbachev
<banderror@gmail.com>","sha":"e334449b82da6fad82808091e860f4c2248fcb74"}},"sourceBranch":"8.x","suggestedTargetBranches":["8.18"],"targetPullRequestStates":[{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
This commit is contained in:
Jacek Kolezynski 2025-03-17 13:58:46 +01:00 committed by GitHub
parent 80ca1caf91
commit 80909da78f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 463 additions and 42 deletions


@ -10921,11 +10921,50 @@ paths:
/api/detection_engine/rules/_bulk_create:
post:
deprecated: true
description: Create new detection rules in bulk.
description: |
Create new detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
operationId: BulkCreateRules
requestBody:
content:
application/json:
examples:
example1:
value:
- description: Process started by MS Office program - possible payload
enabled: false
filters:
- query:
match:
event.action:
query: 'Process Create (rule: ProcessCreate)'
type: phrase
from: now-6m
interval: 5m
language: kuery
name: MS Office child process
query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
risk_score: 50
rule_id: process_started_by_ms_office_program_possible_payload
severity: low
tags:
- child process
- ms office
type: query
- description: Query with a rule_id for referencing an external id
from: now-6m
name: Second bulk rule
query: 'user.name: root or user.name: admin'
risk_score: 2
rule_id: query-rule-id-2
severity: low
type: query
schema:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleCreateProps'
@ -10945,11 +10984,19 @@ paths:
/api/detection_engine/rules/_bulk_delete:
delete:
deprecated: true
description: Delete detection rules in bulk.
description: |
Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
operationId: BulkDeleteRules
requestBody:
content:
application/json:
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
- id: 51658332-a15e-4c9e-912a-67214e2e2359
schema:
items:
type: object
@ -10993,11 +11040,19 @@ paths:
- Security Detections API
post:
deprecated: true
description: Deletes multiple rules.
description: |
Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
operationId: BulkDeleteRulesPost
requestBody:
content:
application/json:
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
- id: 51658332-a15e-4c9e-912a-67214e2e2359
schema:
items:
type: object
@ -11042,11 +11097,35 @@ paths:
/api/detection_engine/rules/_bulk_update:
patch:
deprecated: true
description: Update specific fields of existing detection rules using the `rule_id` or `id` field.
description: |
Update specific fields of existing detection rules using the `rule_id` or `id` field.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
operationId: BulkPatchRules
requestBody:
content:
application/json:
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
threat:
- framework: MITRE ATT&CK
id: TA0001
name: Initial Access
reference: https://attack.mitre.org/tactics/TA0001
tactic: null
technique:
- id: T1193
name: Spearphishing Attachment
reference: https://attack.mitre.org/techniques/T1193
- id: 56b22b65-173e-4a5b-b27a-82599cb1433e
name: New name
schema:
items:
$ref: '#/components/schemas/Security_Detections_API_RulePatchProps'
@ -11067,17 +11146,44 @@ paths:
deprecated: true
description: |
Update multiple detection rules using the `rule_id` or `id` field. The original rules are replaced, and all unspecified fields are deleted.
> info
> You cannot modify the `id` or `rule_id` values.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
operationId: BulkUpdateRules
requestBody:
content:
application/json:
examples:
example1:
value:
- description: Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.
id: 7d2f5ed8-6c05-44ab-81ce-9160ae147057
name: Updated Google Workspace Suspended User Account Renewed
risk_score: 21
severity: low
tags:
- new_tag
type: query
- description: Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.
id: 43b2dc3b-4f21-4a10-95e2-0dbc19e6e974
name: Updated AWS Redshift Cluster Creation
risk_score: 21
severity: low
tags:
- new_tag
type: query
schema:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps'
type: array
description: A JSON array where each element includes the `id` or `rule_id` field of the rule you want to update and the fields you want to modify.
description: |
A JSON array where each element includes the `id` or `rule_id` field of the rule you want to update and the fields you want to be specified in this rule.
> info
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values.
required: true
responses:
'200':
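Review bot: The `_bulk_update` PATCH example in this bundled file is structurally wrong: `id: TA0001`, `name: Initial Access` and `reference: https://attack.mitre.org/tactics/TA0001` sit directly under the threat entry and `tactic` is `null`, whereas the source spec in this same commit nests those three keys under `tactic:`. The other bundled file's `_bulk_update` hunk shows the identical shape, so this presumably comes from the bundler's key-sorting or flattening step rather than from the hand-written example, and an example of this shape is unlikely to validate against the threat schema the `$ref` points at. Fix the generator and regenerate both bundles rather than hand-editing the output; the intended structure is the source one, `tactic:` followed by `id: TA0001`, `name: Initial Access` and `reference: https://attack.mitre.org/tactics/TA0001` indented beneath it.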


@ -10,7 +10,15 @@ paths:
operationId: BulkCreateRules
deprecated: true
summary: Create multiple detection rules
description: Create new detection rules in bulk.
description: |
Create new detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
tags:
- Bulk API
requestBody:
@ -22,6 +30,37 @@ paths:
type: array
items:
$ref: '../../../model/rule_schema/rule_schemas.schema.yaml#/components/schemas/RuleCreateProps'
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
risk_score: 50
description: Process started by MS Office program - possible payload
interval: 5m
name: MS Office child process
severity: low
tags:
- child process
- ms office
type: query
from: now-6m
query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
language: kuery
filters:
- query:
match:
event.action:
query: "Process Create (rule: ProcessCreate)"
type: phrase
enabled: false
- name: Second bulk rule
description: Query with a rule_id for referencing an external id
rule_id: query-rule-id-2
risk_score: 2
severity: low
type: query
from: now-6m
query: "user.name: root or user.name: admin"
responses:
200:
description: Indicates a successful call.


@ -10,7 +10,10 @@ paths:
operationId: BulkDeleteRules
deprecated: true
summary: Delete multiple detection rules
description: Delete detection rules in bulk.
description: |
Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
tags:
- Bulk API
requestBody:
@ -27,6 +30,11 @@ paths:
$ref: '../../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleObjectId'
rule_id:
$ref: '../../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleSignatureId'
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
- id: 51658332-a15e-4c9e-912a-67214e2e2359
responses:
200:
description: Indicates a successful call.
@ -61,7 +69,10 @@ paths:
operationId: BulkDeleteRulesPost
deprecated: true
summary: Delete multiple detection rules
description: Deletes multiple rules.
description: |
Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
tags:
- Bulk API
requestBody:
@ -78,6 +89,11 @@ paths:
$ref: '../../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleObjectId'
rule_id:
$ref: '../../../model/rule_schema/common_attributes.schema.yaml#/components/schemas/RuleSignatureId'
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
- id: 51658332-a15e-4c9e-912a-67214e2e2359
responses:
200:
description: Indicates a successful call.


@ -10,7 +10,15 @@ paths:
summary: Patch multiple detection rules
operationId: BulkPatchRules
deprecated: true
description: Update specific fields of existing detection rules using the `rule_id` or `id` field.
description: |
Update specific fields of existing detection rules using the `rule_id` or `id` field.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
tags:
- Bulk API
requestBody:
@ -22,6 +30,22 @@ paths:
type: array
items:
$ref: '../../../model/rule_schema/rule_schemas.schema.yaml#/components/schemas/RulePatchProps'
examples:
example1:
value:
- threat:
- framework: MITRE ATT&CK
tactic:
id: TA0001
reference: https://attack.mitre.org/tactics/TA0001
name: Initial Access
technique:
- id: T1193
name: Spearphishing Attachment
reference: https://attack.mitre.org/techniques/T1193
rule_id: process_started_by_ms_office_program_possible_payload
- name: New name
id: 56b22b65-173e-4a5b-b27a-82599cb1433e
responses:
200:
description: Indicates a successful call.
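Review bot: The new patch example cites MITRE technique `T1193`; in current ATT&CK releases that identifier appears to have been retired in favour of `T1566.001` (Phishing: Spearphishing Attachment), so users who copy the example as written would tag their rules with a superseded ID. Consider updating the `id`, `name` and `reference` lines of the `technique` entry to the current identifier, or adding a YAML comment such as `# Illustrative values only; check the current ATT&CK catalogue before reuse` above the `threat:` block. The bundled copies of this example would need regenerating afterwards.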


@ -12,12 +12,20 @@ paths:
summary: Update multiple detection rules
description: |
Update multiple detection rules using the `rule_id` or `id` field. The original rules are replaced, and all unspecified fields are deleted.
> info
> You cannot modify the `id` or `rule_id` values.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
tags:
- Bulk API
requestBody:
description: A JSON array where each element includes the `id` or `rule_id` field of the rule you want to update and the fields you want to modify.
description: |
A JSON array where each element includes the `id` or `rule_id` field of the rule you want to update and the fields you want to be specified in this rule.
> info
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values.
required: true
content:
application/json:
@ -25,6 +33,25 @@ paths:
type: array
items:
$ref: '../../../model/rule_schema/rule_schemas.schema.yaml#/components/schemas/RuleUpdateProps'
examples:
example1:
value:
- id: "7d2f5ed8-6c05-44ab-81ce-9160ae147057"
name: "Updated Google Workspace Suspended User Account Renewed"
tags:
- "new_tag"
description: "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account."
risk_score: 21
severity: "low"
type: "query"
- id: "43b2dc3b-4f21-4a10-95e2-0dbc19e6e974"
name: "Updated AWS Redshift Cluster Creation"
tags:
- "new_tag"
description: "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities."
risk_score: 21
severity: "low"
type: "query"
responses:
200:
description: Indicates a successful call.
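Review bot: The new `_bulk_update` example supplies only `id`, `name`, `tags`, `description`, `risk_score`, `severity` and `type` for each rule, yet the description a few lines above states that the original rules are replaced and all unspecified fields are deleted. Read literally, a user who copies the example will strip each referenced rule of its `query`, `index`, `from` and `interval` (or have them reset to schema defaults, depending on how the update schema treats them), which for a detection rule means it no longer matches what it matched before. Either extend both example entries with the full set of fields a query rule should carry, or add a sentence to the request-body description such as `Fields omitted from the request are removed from the rule, so include every field you want to keep.` The bundled copies of this example inherit the same gap.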


@ -491,8 +491,16 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Create new detection rules in bulk.
*/
* Create new detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
*/
async bulkCreateRules(props: BulkCreateRulesProps) {
this.log.info(`${new Date().toISOString()} Calling API BulkCreateRules`);
return this.kbnClient
@ -507,8 +515,11 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Delete detection rules in bulk.
*/
* Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
*/
async bulkDeleteRules(props: BulkDeleteRulesProps) {
this.log.info(`${new Date().toISOString()} Calling API BulkDeleteRules`);
return this.kbnClient
@ -523,8 +534,11 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Deletes multiple rules.
*/
* Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
*/
async bulkDeleteRulesPost(props: BulkDeleteRulesPostProps) {
this.log.info(`${new Date().toISOString()} Calling API BulkDeleteRulesPost`);
return this.kbnClient
@ -539,8 +553,16 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Update specific fields of existing detection rules using the `rule_id` or `id` field.
*/
* Update specific fields of existing detection rules using the `rule_id` or `id` field.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
*/
async bulkPatchRules(props: BulkPatchRulesProps) {
this.log.info(`${new Date().toISOString()} Calling API BulkPatchRules`);
return this.kbnClient
@ -556,8 +578,13 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
}
/**
* Update multiple detection rules using the `rule_id` or `id` field. The original rules are replaced, and all unspecified fields are deleted.
> info
> You cannot modify the `id` or `rule_id` values.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
*/
async bulkUpdateRules(props: BulkUpdateRulesProps) {


@ -396,11 +396,67 @@ paths:
/api/detection_engine/rules/_bulk_create:
post:
deprecated: true
description: Create new detection rules in bulk.
description: >
Create new detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API
key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
authentication, the user's key gets assigned to the affected rules. If
the user's key gets deleted or the user becomes inactive, the rules will
stop running.
> If the API key that is used for authorization has different privileges
than the key that created or most recently updated the rule, the rule
behavior might change.
operationId: BulkCreateRules
requestBody:
content:
application/json:
examples:
example1:
value:
- description: Process started by MS Office program - possible payload
enabled: false
filters:
- query:
match:
event.action:
query: 'Process Create (rule: ProcessCreate)'
type: phrase
from: now-6m
interval: 5m
language: kuery
name: MS Office child process
query: >-
process.parent.name:EXCEL.EXE or
process.parent.name:MSPUB.EXE or
process.parent.name:OUTLOOK.EXE or
process.parent.name:POWERPNT.EXE or
process.parent.name:VISIO.EXE or
process.parent.name:WINWORD.EXE
risk_score: 50
rule_id: process_started_by_ms_office_program_possible_payload
severity: low
tags:
- child process
- ms office
type: query
- description: Query with a rule_id for referencing an external id
from: now-6m
name: Second bulk rule
query: 'user.name: root or user.name: admin'
risk_score: 2
rule_id: query-rule-id-2
severity: low
type: query
schema:
items:
$ref: '#/components/schemas/RuleCreateProps'
@ -421,11 +477,19 @@ paths:
/api/detection_engine/rules/_bulk_delete:
delete:
deprecated: true
description: Delete detection rules in bulk.
description: |
Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
operationId: BulkDeleteRules
requestBody:
content:
application/json:
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
- id: 51658332-a15e-4c9e-912a-67214e2e2359
schema:
items:
type: object
@ -472,11 +536,19 @@ paths:
- Bulk API
post:
deprecated: true
description: Deletes multiple rules.
description: |
Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
operationId: BulkDeleteRulesPost
requestBody:
content:
application/json:
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
- id: 51658332-a15e-4c9e-912a-67214e2e2359
schema:
items:
type: object
@ -524,13 +596,47 @@ paths:
/api/detection_engine/rules/_bulk_update:
patch:
deprecated: true
description: >-
description: >
Update specific fields of existing detection rules using the `rule_id`
or `id` field.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API
key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
authentication, the user's key gets assigned to the affected rules. If
the user's key gets deleted or the user becomes inactive, the rules will
stop running.
> If the API key that is used for authorization has different privileges
than the key that created or most recently updated the rule, the rule
behavior might change.
operationId: BulkPatchRules
requestBody:
content:
application/json:
examples:
example1:
value:
- rule_id: process_started_by_ms_office_program_possible_payload
threat:
- framework: MITRE ATT&CK
id: TA0001
name: Initial Access
reference: 'https://attack.mitre.org/tactics/TA0001'
tactic: null
technique:
- id: T1193
name: Spearphishing Attachment
reference: 'https://attack.mitre.org/techniques/T1193'
- id: 56b22b65-173e-4a5b-b27a-82599cb1433e
name: New name
schema:
items:
$ref: '#/components/schemas/RulePatchProps'
@ -554,20 +660,69 @@ paths:
Update multiple detection rules using the `rule_id` or `id` field. The
original rules are replaced, and all unspecified fields are deleted.
> info
> warn
> You cannot modify the `id` or `rule_id` values.
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API
key](https://www.elastic.co/guide/en/kibana/current/api-keys.html)
authentication, the user's key gets assigned to the affected rules. If
the user's key gets deleted or the user becomes inactive, the rules will
stop running.
> If the API key that is used for authorization has different privileges
than the key that created or most recently updated the rule, the rule
behavior might change.
operationId: BulkUpdateRules
requestBody:
content:
application/json:
examples:
example1:
value:
- description: >-
Detects when a previously suspended user's account is
renewed in Google Workspace. An adversary may renew a
suspended user account to maintain access to the Google
Workspace organization with a valid account.
id: 7d2f5ed8-6c05-44ab-81ce-9160ae147057
name: Updated Google Workspace Suspended User Account Renewed
risk_score: 21
severity: low
tags:
- new_tag
type: query
- description: >-
Identifies the creation of an Amazon Redshift cluster.
Unexpected creation of this cluster by a
non-administrative user may indicate a permission or role
issue with current users. If unexpected, the resource may
not properly be configured and could introduce security
vulnerabilities.
id: 43b2dc3b-4f21-4a10-95e2-0dbc19e6e974
name: Updated AWS Redshift Cluster Creation
risk_score: 21
severity: low
tags:
- new_tag
type: query
schema:
items:
$ref: '#/components/schemas/RuleUpdateProps'
type: array
description: >-
description: >
A JSON array where each element includes the `id` or `rule_id` field
of the rule you want to update and the fields you want to modify.
of the rule you want to update and the fields you want to be specified
in this rule.
> info
> All unspecified fields are deleted. You cannot modify the `id` or
`rule_id` values.
required: true
responses:
'200':


@ -222,8 +222,16 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
},
/**
* Create new detection rules in bulk.
*/
* Create new detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
*/
bulkCreateRules(props: BulkCreateRulesProps, kibanaSpace: string = 'default') {
return supertest
.post(routeWithNamespace('/api/detection_engine/rules/_bulk_create', kibanaSpace))
@ -233,8 +241,11 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
.send(props.body as object);
},
/**
* Delete detection rules in bulk.
*/
* Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
*/
bulkDeleteRules(props: BulkDeleteRulesProps, kibanaSpace: string = 'default') {
return supertest
.delete(routeWithNamespace('/api/detection_engine/rules/_bulk_delete', kibanaSpace))
@ -244,8 +255,11 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
.send(props.body as object);
},
/**
* Deletes multiple rules.
*/
* Delete detection rules in bulk.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
*/
bulkDeleteRulesPost(props: BulkDeleteRulesPostProps, kibanaSpace: string = 'default') {
return supertest
.post(routeWithNamespace('/api/detection_engine/rules/_bulk_delete', kibanaSpace))
@ -255,8 +269,16 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
.send(props.body as object);
},
/**
* Update specific fields of existing detection rules using the `rule_id` or `id` field.
*/
* Update specific fields of existing detection rules using the `rule_id` or `id` field.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
*/
bulkPatchRules(props: BulkPatchRulesProps, kibanaSpace: string = 'default') {
return supertest
.patch(routeWithNamespace('/api/detection_engine/rules/_bulk_update', kibanaSpace))
@ -267,8 +289,13 @@ after 30 days. It also deletes other artifacts specific to the migration impleme
},
/**
* Update multiple detection rules using the `rule_id` or `id` field. The original rules are replaced, and all unspecified fields are deleted.
> info
> You cannot modify the `id` or `rule_id` values.
> warn
> This API is deprecated and will be removed in Kibana v9.0.
> warn
> When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
*/
bulkUpdateRules(props: BulkUpdateRulesProps, kibanaSpace: string = 'default') {