创建异常项
编辑创建异常项
编辑创建异常项并将其与指定的 异常容器 关联。
有关从列表(例如 IP 地址或主机名列表)创建异常项的信息,请参阅 列表 API。
在创建异常项之前,必须先创建一个异常容器。
端点规则异常项不能使用 列表(entries
数组中的 list
),并且以下字段不能用于异常查询(作为 entries
对象中的 field
值)
-
file.Ext.quarantine_path
-
file.Ext.quarantine_result
-
process.entity_id
-
process.parent.entity_id
-
process.ancestry
请求 URL
编辑POST <kibana 主机>:<端口>/api/exception_lists/items
请求正文
编辑具有以下字段的 JSON 对象
名称 | 类型 | 描述 | 必填 |
---|---|---|---|
|
comments[] |
|
否,默认为空数组。 |
|
字符串 |
描述异常项。 |
是 |
|
包含异常查询的数组。布尔 |
是 |
|
|
字符串 |
异常项的过期日期,采用 ISO 格式。此字段仅适用于常规异常项,不适用于端点异常。 |
否 |
|
字符串 |
关联的 异常容器 的 ID。 |
是 |
|
字符串 |
异常项的唯一标识符。 |
否,未提供时自动创建。 |
|
对象 |
异常项元数据的占位符。 |
否 |
|
字符串 |
异常项的名称。 |
是 |
|
字符串 |
确定异常项是在所有 Kibana 空间中可用,还是仅在其创建的空间中可用,其中
必须与其关联的异常容器的值相同。 |
否,默认为 |
|
String[] |
包含单词和短语的字符串数组,用于帮助对异常项进行分类。 |
否 |
|
字符串 |
异常查询类型,必须为 |
是 |
|
String[] |
仅对于端点规则,定义实现异常的操作系统。有效值为
数组还必须包含 |
对于端点异常,是。对于检测异常,否。 |
entries
模式
编辑名称 | 类型 | 描述 | 必填 |
---|---|---|---|
|
字符串 |
用于定义异常的源事件字段。不能是空字符串。 |
是 |
|
list |
包含 列表容器 的 |
否,除非使用列表定义检测异常。 |
|
字符串 |
用于确定何时使用异常的操作符。可以是
|
是 |
|
字符串 |
查询的 |
是 |
|
字符串 String[] |
字段值或值
|
是,除非 |
当使用 列表容器("type": "list"
)时,不能在 entries
数组中使用其他类型(match
、match_any
、exists
或 nested
)。
对于端点异常,不能基于排除的值创建异常项("operator": "excluded"
)。
示例请求
编辑示例 1
将 maintenance-job
进程添加到 trusted-linux-processes
异常容器
POST api/exception_lists/items { "description": "Excludes the weekly maintenance job", "entries": [ { "field": "process.name", "operator": "included", "type": "match", "value": "maintenance-job" } ], "list_id": "trusted-linux-processes", "name": "Linux maintenance job", "namespace_type": "single", "tags": [ "in-house processes", "linux" ], "type": "simple" }
示例 2
将允许 maintenance
进程运行的主机添加到 allowed-processes
异常容器
POST api/exception_lists/items { "comments": [ {"comment": "Allows maintenance process to run on the specified machines"} ], "description": "Process allowlist", "entries": [ { "field": "process.name", "operator": "included", "type": "match", "value": "maintenance" }, { "field": "host.name", "operator": "included", "type": "match_any", "value": [ "liv-win-anf", "livw-win-mel", "linux-anfield" ] } ], "list_id": "allowed-processes", "item_id": "allow-process-on-machines", "name": "Host-process exclusions", "namespace_type": "single", "tags": [ "hosts", "processes" ], "type": "simple" }
示例 3
为 Windows 操作系统上具有指定 SHA-1 哈希值的创建端点异常项
POST api/exception_lists/items { "_tags": [ "endpoint", "os:windows" ], "comments": [ ] "description": "File exception for Windows", "entries": [ { "field": "file.hash.sha1", "operator": "included", "type": "match", "value": "27fb21cf5db95ffca43b234affa99becc4023b9d" } ], "item_id": "trusted-windows-file", "list_id": "endpoint-exception-container", "name": "Trusted Windows file", "namespace_type": "agnostic", "tags": [ ] "type": "simple" }
示例 4
将 external-ip-excludes
列表容器 作为异常项关联到 trusted-IPs
异常容器
POST api/exception_lists/items { "description": "Uses the external-ip-container list to exclude trusted external IPs.", "entries": [ { "field": "destination.ip", "list": { "id": "external-ip-excludes", "type": "ip" }, "operator": "included", "type": "list" } ], "list_id": "trusted-IPs", "item_id": "external-IPs", "name": "Trusted external IPs", "namespace_type": "single", "tags": [ "network", "trusted IPs" ], "type": "simple" }
包含 IP 地址 列表项 的列表容器。 |
|
异常容器的 ID。 |
为嵌套端点字段添加异常
POST api/exception_lists/items { "description": "Excludes all processes signed by Trusted Signer, Inc.", "entries": [ { "field": "process.Ext.code_signature", "type": "nested", "entries": [ { "field": "trusted", "type": "match", "operator": "included", "value": "true" }, { "field": "subject_name", "type": "match", "operator": "included", "value": "Trusted Signer, Inc." } ] } ], "list_id": "trusted-self-signed-processes", "name": "In-house processes", "namespace_type": "single", "tags": [ "in-house processes", "linux" ], "type": "simple" }
响应代码
编辑-
200
- 指示调用成功。
响应有效负载
编辑{ "_tags": [], "comments": [ { "comment": "Allows maintenance process to run on the specified machines", "created_at": "2020-07-14T08:36:33.172Z", "created_by": "elastic", "id": "f6c61b4d-31dd-4a5d-8c73-f64787d03b4d" } ], "created_at": "2020-07-14T08:36:33.172Z", "created_by": "elastic", "description": "Process allowlist", "entries": [ { "field": "process.name", "operator": "included", "type": "match", "value": "maintenance" }, { "field": "host.name", "operator": "included", "type": "match_any", "value": [ "liv-win-anf", "livw-win-mel", "linux-anfield" ] } ], "id": "1f4d38b0-c5ad-11ea-a3d8-a5b753aeeb9e", "item_id": "allow-process-on-machines", "list_id": "allowed-processes", "name": "Host-process exclusions", "namespace_type": "single", "tags": [ "hosts", "processes" ], "tie_breaker_id": "bb04f1c7-2537-47c1-aaca-40a7c8f771d3", "type": "simple", "updated_at": "2020-07-14T08:36:33.339Z", "updated_by": "elastic" }