Status: Closed
Labels: Feature:Detection Rules (Security Solution rules and Detection Engine), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:SIEM, enhancement (New value added to drive a business result), v7.9.0
Description
This issue is for creating the Exception Lists implementation and API. While a SIEM/Endpoint feature, this functionality will live within the lists plugin added as part of #62552.
References:
- [SIEM] Meta issue for saved object needs for large lists (#64715)
Features dependent on this API:
- [SIEM][Detections] Create Add/Edit Exception Modal (#65930)
- [SIEM][Detections] Create All Exceptions page/table (#65933)
- [SIEM][Endpoint] Create Endpoint Exceptions page/table (#65934)
- [SIEM][Detections] Add support for Exceptions to Rule Creation/Details (#65937)
Exception List / Exception Item Schema
The tentative exception-list schema is as follows:
Note: Details around adding comments are still WIP.
exceptions list

```json
{
  "id": "test-exception",
  "created_at": "2020-04-23T00:18:56.361Z",
  "created_by": "user_name",
  "description": "This is a sample endpoint type exception",
  "name": "Sample Endpoint Exception",
  "tie_breaker_id": "6e879314-08a2-42eb-8137-3e43885a1aaf",
  "tags": ["endpoint", "process", "malware"],
  "type": "endpoint",
  "updated_at": "2020-04-23T00:18:56.361Z",
  "updated_by": "user_name",
  "exceptions_hash": "hash-here"
}
```

exception item

```json
{
  "id": "[insert_uuid_here]",
  "created_at": "2020-04-23T00:19:13.289Z",
  "created_by": "user_name",
  "exception_id": "test-exception",
  "tie_breaker_id": "77fd1909-6786-428a-a671-30229a719c1f",
  "updated_at": "2020-04-23T00:19:13.289Z",
  "updated_by": "user_name",
  "exceptions_hash": "hash_here",
  "sensor_os": "windows",
  "entries": [
    {
      "field": "actingProcess.file.signer",
      "operator": "included",
      "entry": {
        "match": "Elastic, N.V."
      }
    },
    {
      "field": "event.category",
      "operator": "included",
      "entry": {
        "match_any": ["process", "malware"]
      }
    }
  ]
}
```
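To make the semantics of the `entries` shape above concrete, here is an added TypeScript example (not code from the Kibana `lists` plugin or from this issue) that evaluates an exception item against an event document the way a detection rule would before deciding whether to suppress an alert. It assumes, since the issue does not say so, that dotted field names are resolved as paths into a nested document, that `match` is exact equality and `match_any` is equality with any listed value, that all entries of an item must match (AND), that any matching item in the list suppresses the alert (OR across items), that `sensor_os` is compared against a hypothetical `host.os.family` field, and that a hypothetical `excluded` operator negates an entry. The sample event is constructed for the example.

```typescript
// Added example; not the lists plugin's implementation. Field-path
// resolution, AND-within-item / OR-across-items, the host.os.family
// check for sensor_os and the "excluded" operator are all assumptions.

type EntryValue = { match: string } | { match_any: string[] };

interface Entry {
  field: string;
  operator: "included" | "excluded"; // "excluded" is hypothetical here
  entry: EntryValue;
}

interface ExceptionItem {
  id: string;
  exception_id: string;
  sensor_os?: string;
  entries: Entry[];
}

type Doc = Record<string, unknown>;

// Resolve a dotted path such as "actingProcess.file.signer" against nested
// objects. Returns undefined when any segment is missing.
function getField(doc: Doc, path: string): unknown {
  return path.split(".").reduce<unknown>((cur, key) => {
    if (cur !== null && typeof cur === "object" && key in (cur as Doc)) {
      return (cur as Doc)[key];
    }
    return undefined;
  }, doc);
}

// Normalise a field value to a list of strings so that scalar and
// multi-valued fields (ECS event.category is often an array) compare alike.
function asStrings(value: unknown): string[] {
  if (typeof value === "string") return [value];
  if (Array.isArray(value)) return value.filter((v): v is string => typeof v === "string");
  return [];
}

// A single entry hits when the document value equals "match" or any of
// "match_any". "included" keeps the hit; "excluded" (assumed) negates it.
function entryMatches(doc: Doc, e: Entry): boolean {
  const values = asStrings(getField(doc, e.field));
  const ent = e.entry;
  const wanted = "match" in ent ? [ent.match] : ent.match_any;
  const hit = values.some((v) => wanted.includes(v));
  return e.operator === "included" ? hit : !hit;
}

// An item matches only if every entry matches (AND). An item with no
// entries matches nothing, so a malformed item cannot silence a rule.
function itemMatches(doc: Doc, item: ExceptionItem): boolean {
  if (item.sensor_os !== undefined) {
    // Assumption: sensor_os restricts the item to documents from that OS.
    const os = asStrings(getField(doc, "host.os.family"));
    if (!os.includes(item.sensor_os)) return false;
  }
  return item.entries.length > 0 && item.entries.every((e) => entryMatches(doc, e));
}

// The alert is suppressed if any item in the list matches (OR).
function isExcepted(doc: Doc, items: ExceptionItem[]): boolean {
  return items.some((item) => itemMatches(doc, item));
}

// Constructed sample event: a process event signed by the vendor above.
const sampleEvent: Doc = {
  host: { os: { family: "windows" } },
  event: { category: ["process"] },
  actingProcess: { file: { signer: "Elastic, N.V." } },
};

// The exception item from the issue, minus audit metadata.
const sampleItem: ExceptionItem = {
  id: "item-1",
  exception_id: "test-exception",
  sensor_os: "windows",
  entries: [
    { field: "actingProcess.file.signer", operator: "included", entry: { match: "Elastic, N.V." } },
    { field: "event.category", operator: "included", entry: { match_any: ["process", "malware"] } },
  ],
};

console.log("suppressed:", isExcepted(sampleEvent, [sampleItem]));
```

Note the two failure modes the check guards against: a document from another OS never matches an item scoped by `sensor_os`, and an item whose `entries` array is empty matches nothing rather than everything, which is the safe default for a construct whose whole purpose is to turn detections off.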