Add Docs for Bulk Update Schedule and Rule Actions #2506
Conversation
|
This pull request does not have a backport label. Could you fix it @jpdjere? 🙏
NOTE: |
|
Documentation previews: |
| [[actions-object-schema-update]] | ||
| ===== `actions` schema | ||
|
|
||
| These fields are required when calling `PUT` to modify the `actions` object: | ||
|
|
||
| [width="100%",options="header"] | ||
| |============================================== | ||
| |Name |Type |Description | ||
|
|
||
| |action_type_id |String a|The action type used for sending notifications, can | ||
| be: | ||
|
|
||
| * `.slack` | ||
| * `.email` | ||
| * `.pagerduty` | ||
| * `.webhook` | ||
|
|
||
| |group |String |Optionally groups actions by use cases. Use `default` for alert | ||
| notifications. | ||
|
|
||
| |id |String |The connector ID. | ||
|
|
||
| |params |Object a|Object containing the allowed connector fields, which varies according to the connector type: | ||
|
|
||
| * For Slack: | ||
| ** `message` (string, required): The notification message. | ||
| * For email: | ||
| ** `to`, `cc`, `bcc` (string): Email addresses to which the notifications are | ||
| sent. At least one field must have a value. | ||
| ** `subject` (string, optional): Email subject line. | ||
| ** `message` (string, required): Email body text. | ||
| * For Webhook: | ||
| ** `body` (string, required): JSON payload. | ||
| * For PagerDuty: | ||
| ** `severity` (string, required): Severity of on the alert notification, can | ||
| be: `Critical`, `Error`, `Warning` or `Info`. | ||
| ** `eventAction` (string, required): Event https://v2.developer.pagerduty.com/docs/events-api-v2#event-action[action type], which can be `trigger`, | ||
| `resolve`, or `acknowledge`. | ||
| ** `dedupKey` (string, optional): Groups alert notifications with the same | ||
| PagerDuty alert. | ||
| ** `timestamp` (DateTime, optional): https://v2.developer.pagerduty.com/v2/docs/types#datetime[ISO-8601 format timestamp]. | ||
| ** `component` (string, optional): Source machine component responsible for the | ||
| event, for example `security-solution`. | ||
| ** `group` (string, optional): Enables logical grouping of service components. | ||
| ** `source` (string, optional): The affected system. Defaults to the {kib} | ||
| saved object ID of the action. | ||
| ** `summary` (string, options): Summary of the event. Defaults to | ||
| `No summary provided`. Maximum length is 1024 characters. | ||
| ** `class` (string, optional): Value indicating the class/type of the event. | ||
|
|
||
| |============================================== |
There was a problem hiding this comment.
Copy pasted this actions schema from https://github.com/jpdjere/security-docs/blob/main/docs/detections/api/rules/rules-api-bulk-actions.asciidoc#L334
Does it make sense to extract this definition to its own page and link from both pages to that?
There was a problem hiding this comment.
Does it make sense to extract this definition to its own page and link from both pages to that?
I think we'd like to do something like that eventually, but we'll be migrating to a new docs system soon and are trying to limit restructuring ahead of that migration.
|
@joepeeples Is the build failing because of the wrong format in the asciidoc file? |
I think so, it looks like there are two errors in the console output:
Let me try to push a fix, it'll take just a few minutes |
- Add discrete tag to include section on same page of HTML output - Rename section anchor so it's a unique value
| `actions`: <<actions-object-schema, actions[]>> , | ||
| `throttle`: String | ||
| } | Add actions to rules | ||
| | `set_rule_actions` | { | ||
| `actions`: <<actions-object-schema, actions[]>> , |
There was a problem hiding this comment.
If these links are supposed to point to the new "actions schema" section on this page, the link anchors need to be revised (below); currently they're pointing to the section on the Create rule page.
| `actions`: <<actions-object-schema, actions[]>> , | |
| `throttle`: String | |
| } | Add actions to rules | |
| | `set_rule_actions` | { | |
| `actions`: <<actions-object-schema, actions[]>> , | |
| `actions`: <<actions-object-schema-bulk, actions[]>> , | |
| `throttle`: String | |
| } | Add actions to rules | |
| | `set_rule_actions` | { | |
| `actions`: <<actions-object-schema-bulk, actions[]>> , |
There was a problem hiding this comment.
Thanks 👍 fixed following your suggestion
|
|
||
| | `add_rule_actions` | { | ||
| `actions`: <<actions-object-schema, actions[]>> , | ||
| `throttle`: String |
There was a problem hiding this comment.
Throttle is not documented for add_rule_actions while it is for set_rule_actions. How do we usually document the same request parameters or response objects used in multiple contexts?
There was a problem hiding this comment.
I extracted out the throttle schema to the bottom of the page and linked to it from both add_rule_actions and set_rule_actions. What do you think? Also not exactly sure if to call a single property "schema" (I mean "throttle schema")
There was a problem hiding this comment.
I'd call it just throttle 🤷♂️
| [discrete] | ||
| [[actions-object-schema-bulk]] | ||
| ===== `actions` schema |
There was a problem hiding this comment.
Is this section going to be deleted?
There was a problem hiding this comment.
I think it shouldn't. See Joe's comment above: I would have liked to extract the actions schema to its own page and link to it from both this page and from this page, but he mentioned that he'd rather not do these refactoring before the docs are migrated, soon.
And I think the actions schema should be in this page, otherwise it's confusing to understand what it means in the context of this API request.
There was a problem hiding this comment.
I see. The reason I asked is that when I was reviewing this PR links to the actions schema were pointing to the rule creation endpoint. Now when they send the user to this section it LGTM 👍
There was a problem hiding this comment.
What I'd probably do is I'd lift "actions schema" and "throttle schema" up, because right now the page structure is:
- "BulkEditAction object" - its schema
- Examples
- "
actionsschema" - "
throttleschema"
I'd keep examples after all schemas
There was a problem hiding this comment.
Makes sense, reorganized page
|
This is ready for review. Thanks for your comments! The preview link: https://security-docs_2506.docs-preview.app.elstc.co/guide/en/security/master/bulk-actions-rules-api.html |
| [discrete] | ||
| [[actions-object-schema-bulk]] | ||
| ===== `actions` schema |
There was a problem hiding this comment.
I see. The reason I asked is that when I was reviewing this PR links to the actions schema were pointing to the rule creation endpoint. Now when they send the user to this section it LGTM 👍
| [discrete] | ||
| [[actions-object-schema-bulk]] | ||
| ===== `actions` schema |
There was a problem hiding this comment.
What I'd probably do is I'd lift "actions schema" and "throttle schema" up, because right now the page structure is:
- "BulkEditAction object" - its schema
- Examples
- "
actionsschema" - "
throttleschema"
I'd keep examples after all schemas
|
|
||
| `lookback`: Additional look-back time that the rule analyzes. For example, `"10m"` means the rule analyzes the last 10 minutes of data in addition to the frequency interval. | ||
|
|
||
| If `interval` is set to `"5m"` and `lookback` to `"1m"`, then the rule runs every 5 minutes but analyzes the documents added to indices during the last 6 minutes. |
There was a problem hiding this comment.
Modified this example to be consistent with the previous two examples for interval and lookback:
| If `interval` is set to `"5m"` and `lookback` to `"1m"`, then the rule runs every 5 minutes but analyzes the documents added to indices during the last 6 minutes. | |
| If `interval` is set to `"10m"` and `lookback` to `"1m"`, then the rule runs every 5 minutes but analyzes the documents added to indices during the last 11 minutes. |
| Both `interval` and `lookback` have a format of {integer}{time_unit}, with the accepted time units being `"s"` for | ||
| seconds, `"m"` for minutes and `"h"` for hours. The integer must be positive and larger than 0. | ||
|
|
||
| Examples: `"45s"`, `"30m"`, `"6h"` |
There was a problem hiding this comment.
| Both `interval` and `lookback` have a format of {integer}{time_unit}, with the accepted time units being `"s"` for | |
| seconds, `"m"` for minutes and `"h"` for hours. The integer must be positive and larger than 0. | |
| Examples: `"45s"`, `"30m"`, `"6h"` | |
| Both `interval` and `lookback` have a format of `"{integer}{time_unit}"`, where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: `"45s"`, `"30m"`, `"6h"` |
|
|
||
| --- | ||
|
|
There was a problem hiding this comment.
I'd omit the horiz rule line. We don't use them much in general, and here in particular it makes the throttle section look like it might be part of the preceding table.
| --- |
| ===== `throttle` schema | ||
|
|
||
|
|
||
| `throttle` defines the maximum interval in which a rules `actions` are executed. It accepts the following values: |
There was a problem hiding this comment.
| `throttle` defines the maximum interval in which a rules `actions` are executed. It accepts the following values: | |
| `throttle` defines the maximum interval in which a rule's actions are executed. It accepts the following values: |
…/github.com/jpdjere/security-docs into add-docs-for-bulk-edit-schedule-and-actions
|
@joepeeples Thanks Joe! Addressed all your comments 👍 Please et me know if I should go ahead and merge this once the tests pass. |
Yes, LGTM! 👍 Thanks again for this update |
joepeeples
added
Team: Docs
Team: Detections/Response
## Relates to: #2441 #2453 ## Changes - Updated Bulk Update API request to include new possible payloads for: - Bulk Update Schedule - Bulk Update Rule Actions ## Images  (cherry picked from commit c76fac6)
## Relates to: #2441 #2453 ## Changes - Updated Bulk Update API request to include new possible payloads for: - Bulk Update Schedule - Bulk Update Rule Actions ## Images  (cherry picked from commit c76fac6) Co-authored-by: Juan Pablo Djeredjian <jpdjeredjian@gmail.com>
Relates to:
#2441
#2453
Changes
Images