-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SIEM][Detections Engine] - Update rule.lists to be rule.exceptions_list #63717
Conversation
Pinging @elastic/siem (Team:SIEM) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Simple enough, LGTM for the name change. Appreciate the time you took to accept feedback and then apply it to this to make it super simple for the API vocabulary to avoid user confusion.
This will save us time in the long run from forum posts and documentation for end users.
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
…ist (elastic#63717) ### Summary [63717] This PR updates the rules lists param to be `exceptions_list`. This is done in an attempt to make the terminology less confusing as lists will generally be referring to the big lists values. It should also make it more clear that the `exceptions_list` logic is being applied as a double not.
…bana into ingest-node-pipelines/privileges * 'feature/ingest-node-pipelines' of github.com:elastic/kibana: (126 commits) [SEARCH] Cleanup fetch soon (elastic#63320) skip flaky suite (elastic#58692) [Uptime] Refresh index and also show more info to user regardi… (elastic#62606) [Drilldowns] Fix back button by removing panels from url in dashboard in view mode (elastic#62415) [platform] serve plugins from /bundles/plugin:${id} [Alerting] Documentation for how to pre-configure connectors. (elastic#63807) skip flaky suite (elastic#63621) Revert "skip flaky suite (elastic#63747)" skip flaky suite (elastic#63747) [SIEM][Detections Engine] - Update rule.lists to be rule.exceptions_list (elastic#63717) [SIEM] Flaky test fix: Bump find_statuses timeout (elastic#63900) [Uptime] Add cert API request and runtime type checking (elastic#63062) [Lens] Allow table to scroll horizontally (elastic#63805) [Metrics UI] Allow users to create alerts from the central Alerts UI (elastic#63803) Migrate legacy maps licensing (x-pack/tilemap) to NP (elastic#63539) [Alerting] "Create alert" and alert list design improvements (elastic#63515) [Lens] Fix existence for dotted paths in _source (elastic#63752) Example plugins in X-Pack (elastic#63823) [ML] Migrate Mocha unit tests to Jest: migrate job utils and query utils tests (elastic#63775) Endpoint: middleware receive immutable versions of state and actions (elastic#63802) ...
…ist (elastic#63717) ### Summary [63717] This PR updates the rules lists param to be `exceptions_list`. This is done in an attempt to make the terminology less confusing as lists will generally be referring to the big lists values. It should also make it more clear that the `exceptions_list` logic is being applied as a double not.
…bana into pipeline-editor-part-mvp-2 * 'feature/ingest-node-pipelines' of github.com:elastic/kibana: (127 commits) [Ingest pipelines] Polish details panel and empty list (elastic#63926) [SEARCH] Cleanup fetch soon (elastic#63320) skip flaky suite (elastic#58692) [Uptime] Refresh index and also show more info to user regardi… (elastic#62606) [Drilldowns] Fix back button by removing panels from url in dashboard in view mode (elastic#62415) [platform] serve plugins from /bundles/plugin:${id} [Alerting] Documentation for how to pre-configure connectors. (elastic#63807) skip flaky suite (elastic#63621) Revert "skip flaky suite (elastic#63747)" skip flaky suite (elastic#63747) [SIEM][Detections Engine] - Update rule.lists to be rule.exceptions_list (elastic#63717) [SIEM] Flaky test fix: Bump find_statuses timeout (elastic#63900) [Uptime] Add cert API request and runtime type checking (elastic#63062) [Lens] Allow table to scroll horizontally (elastic#63805) [Metrics UI] Allow users to create alerts from the central Alerts UI (elastic#63803) Migrate legacy maps licensing (x-pack/tilemap) to NP (elastic#63539) [Alerting] "Create alert" and alert list design improvements (elastic#63515) [Lens] Fix existence for dotted paths in _source (elastic#63752) Example plugins in X-Pack (elastic#63823) [ML] Migrate Mocha unit tests to Jest: migrate job utils and query utils tests (elastic#63775) ...
…ist (#63717) (#63962) ### Summary [63717] This PR updates the rules lists param to be `exceptions_list`. This is done in an attempt to make the terminology less confusing as lists will generally be referring to the big lists values. It should also make it more clear that the `exceptions_list` logic is being applied as a double not.
Pinging @elastic/security-solution (Team: SecuritySolution) |
Summary
This PR updates the rules
lists
param to beexceptions_list
. This is done in an attempt to make the terminology less confusing as lists will generally be referring to the big lists values. It should also make it more clear that theexceptions_list
logic is being applied as a double not.The following example does say
event.module is not suricata
BUT as this is an exceptions list, the logic isnot when even.module is not suricata
-->query && !(!event.module:suricata)
--->query && event.module:suricata
Did not update type names (ex
lists_values
etc...) as they'll also be useful when (maybe) adding such things as inclusion lists.Tests marked
describe.skip
due to this being behind a feature flag were checked to be sure they are passing when feature flag is turned on.Testing
./post_rule.sh ./rules/queries/lists/query_with_list.json
./update_rule.sh ./rules/updates/update_list.json
./patch_rule.sh ./rules/patches/update_list.json
Checklist
For maintainers