Create exception item

Creates an exception item and associates it with the specified exception container.

For information on creating exception items from lists (for example, a list of IP addresses or host names), see the Lists API.

Before creating an exception item, you must create an exception container.

Endpoint rule exceptions cannot use lists (`list` in the `entries` array), and the following fields cannot be used in the exception query (as the `field` value in an `entries` object):

- file.Ext.quarantine_path
- file.Ext.quarantine_result
- process.entity_id
- process.parent.entity_id
- process.ancestry
Request URL

POST <kibana host>:<port>/api/exception_lists/items

Request body

A JSON object with the following fields:
| Name | Type | Description | Required |
|---|---|---|---|
| comments | comments[] | Array of comment objects, each with a `comment` string about the exception item (see example 2). | No, defaults to an empty array. |
| description | String | Describes the exception item. | Yes |
| entries | entries[] | Array containing the exception queries; when an item has several entries they are combined with Boolean logic. See the `entries` schema below. | Yes |
| expire_time | String | The exception item's expiration date, in ISO format. This field only applies to regular exception items, not endpoint exceptions. | No |
| list_id | String | ID of the associated exception container. | Yes |
| item_id | String | Unique identifier of the exception item. | No, auto-created when unspecified. |
| meta | Object | Placeholder for metadata about the exception item. | No |
| name | String | Name of the exception item. | Yes |
| namespace_type | String | Determines whether the exception item is available in all Kibana spaces (`agnostic`) or only in the space in which it is created (`single`). Must be the same value as its associated exception container. | No, defaults to `single`. |
| tags | String[] | Array of strings containing words and phrases to help categorize the exception item. | No |
| type | String | The exception query type, must be `simple`. | Yes |
| _tags | String[] | For endpoint rules only, defines the operating systems on which the exception is enforced. Valid values are `os:linux`, `os:macos`, and `os:windows`. The array must also contain an `endpoint` value. | Yes, for endpoint exceptions. No, for detection exceptions. |
entries schema

| Name | Type | Description | Required |
|---|---|---|---|
| field | String | The source event field used to define the exception. Cannot be an empty string. | Yes |
| list | list | Object containing the list container's `id` and `type` (see example 4). | No, unless a list is used to define a detection exception. |
| operator | String | The operator used to determine when the exception is applied. Can be `included` or `excluded`. | Yes |
| type | String | The query's type. Can be `match`, `match_any`, `exists`, `list`, or `nested`. | Yes |
| value | String or String[] | The field value or values (an array when `type` is `match_any`). | Yes, when `type` is `match` or `match_any`. |

When you use a list container (`"type": "list"`), you cannot use other types (`match`, `match_any`, `exists`, or `nested`) in the `entries` array.

For endpoint exceptions, you cannot create exception items based on excluded values (`"operator": "excluded"`).
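The entry rules above and the endpoint restrictions at the top of the page are easy to violate by hand, and a rejected or silently mis-scoped exception is a detection gap. The following Python is an added example, not code from the Elastic documentation: it checks a request body against those rules and only then builds the POST to `/api/exception_lists/items`. The function names, the `kbn-xsrf` and ApiKey header handling, and the constructed `BAD_ENDPOINT_ITEM` body are this example's own; the field names, entry types and forbidden fields come from the page.

```python
"""Client-side checks and request building for Kibana exception items (added example)."""
import json
from urllib import request

# Fields the page lists as unusable in endpoint exception queries.
ENDPOINT_FORBIDDEN_FIELDS = {
    "file.Ext.quarantine_path",
    "file.Ext.quarantine_result",
    "process.entity_id",
    "process.parent.entity_id",
    "process.ancestry",
}
ENTRY_TYPES = {"match", "match_any", "exists", "list", "nested"}
OPERATORS = {"included", "excluded"}
REQUIRED_ITEM_FIELDS = ("description", "entries", "list_id", "name", "type")


def validate_entries(entries, is_endpoint):
    """Return the problems found in an entries array (an empty list means acceptable)."""
    problems = []
    types = {e.get("type") for e in entries}
    if "list" in types and types != {"list"}:
        problems.append("a list entry cannot be combined with other entry types")
    for e in entries:
        field, etype, op = e.get("field"), e.get("type"), e.get("operator")
        if not field:
            problems.append("entry field must be a non-empty string")
        if etype not in ENTRY_TYPES:
            problems.append(f"unknown entry type {etype!r}")
        if is_endpoint and field in ENDPOINT_FORBIDDEN_FIELDS:
            problems.append(f"{field} cannot be used in an endpoint exception")
        if etype == "nested":
            # A nested entry carries its own entries array (example 5); check it the same way.
            problems.extend(validate_entries(e.get("entries", []), is_endpoint))
            continue
        if op not in OPERATORS:
            problems.append(f"unknown operator {op!r} on {field}")
        if etype in ("match", "match_any") and "value" not in e:
            problems.append(f"{etype} entry on {field} needs a value")
        if etype == "match_any" and not isinstance(e.get("value"), list):
            problems.append(f"match_any entry on {field} needs an array of values")
        if etype == "list" and not (e.get("list") or {}).get("id"):
            problems.append("list entry needs list.id")
        if is_endpoint and etype == "list":
            problems.append("endpoint exceptions cannot use list entries")
        if is_endpoint and op == "excluded":
            problems.append(f"endpoint exceptions cannot use operator excluded ({field})")
    return problems


def validate_item(body):
    """Return the problems found in a create-item request body."""
    problems = [f"missing required field {k}" for k in REQUIRED_ITEM_FIELDS if k not in body]
    if "type" in body and body["type"] != "simple":
        problems.append("type must be simple")
    tags = body.get("_tags", [])
    is_endpoint = "endpoint" in tags  # endpoint items carry "endpoint" in _tags (example 3)
    if is_endpoint:
        if not any(t.startswith("os:") for t in tags):
            problems.append("endpoint exceptions need an os: value in _tags")
        if "expire_time" in body:
            problems.append("expire_time applies only to regular exception items")
    problems.extend(validate_entries(body.get("entries", []), is_endpoint))
    return problems


def build_request(kibana_url, body, api_key=None):
    """Build the urllib Request; raise ValueError rather than send a body that breaks the rules."""
    problems = validate_item(body)
    if problems:
        raise ValueError("; ".join(problems))
    # Kibana rejects state-changing API calls that lack the kbn-xsrf header.
    headers = {"Content-Type": "application/json", "kbn-xsrf": "true"}
    if api_key:  # Kibana's ApiKey authorization scheme; the key value is the caller's
        headers["Authorization"] = f"ApiKey {api_key}"
    return request.Request(f"{kibana_url.rstrip('/')}/api/exception_lists/items",
                           data=json.dumps(body).encode("utf-8"), headers=headers, method="POST")


def create_exception_item(kibana_url, body, api_key=None):
    """Send the request and return the response payload (the created item) as a dict."""
    with request.urlopen(build_request(kibana_url, body, api_key)) as resp:
        return json.load(resp)


# Constructed for this example: example 3 from the page with a forbidden field and
# the excluded operator swapped in, to show what the checks catch.
BAD_ENDPOINT_ITEM = {
    "_tags": ["endpoint", "os:windows"],
    "description": "File exception for Windows",
    "entries": [{"field": "process.entity_id", "operator": "excluded",
                 "type": "match", "value": "entity-1"}],
    "list_id": "endpoint-exception-container",
    "name": "Trusted Windows file",
    "namespace_type": "agnostic",
    "type": "simple",
}

if __name__ == "__main__":
    for problem in validate_item(BAD_ENDPOINT_ITEM):
        print("rejected:", problem)
```

A body that fails validation never leaves the client, so the failure is visible where the exception is authored rather than as a 4xx from Kibana; `create_exception_item` returns the created item (the response payload documented below), whose `id`, `created_by` and `created_at` are the values worth recording when exceptions are reviewed.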
Example requests

Example 1

Adds the `maintenance-job` process to the `trusted-linux-processes` exception container:

```
POST api/exception_lists/items
{
  "description": "Excludes the weekly maintenance job",
  "entries": [
    {
      "field": "process.name",
      "operator": "included",
      "type": "match",
      "value": "maintenance-job"
    }
  ],
  "list_id": "trusted-linux-processes",
  "name": "Linux maintenance job",
  "namespace_type": "single",
  "tags": ["in-house processes", "linux"],
  "type": "simple"
}
```
Example 2

Adds the hosts allowed to run the `maintenance` process to the `allowed-processes` exception container:

```
POST api/exception_lists/items
{
  "comments": [
    {"comment": "Allows maintenance process to run on the specified machines"}
  ],
  "description": "Process allowlist",
  "entries": [
    {
      "field": "process.name",
      "operator": "included",
      "type": "match",
      "value": "maintenance"
    },
    {
      "field": "host.name",
      "operator": "included",
      "type": "match_any",
      "value": ["liv-win-anf", "livw-win-mel", "linux-anfield"]
    }
  ],
  "list_id": "allowed-processes",
  "item_id": "allow-process-on-machines",
  "name": "Host-process exclusions",
  "namespace_type": "single",
  "tags": ["hosts", "processes"],
  "type": "simple"
}
```
Example 3

Creates an endpoint exception item for a file with the specified SHA-1 hash on Windows:

```
POST api/exception_lists/items
{
  "_tags": ["endpoint", "os:windows"],
  "comments": [],
  "description": "File exception for Windows",
  "entries": [
    {
      "field": "file.hash.sha1",
      "operator": "included",
      "type": "match",
      "value": "27fb21cf5db95ffca43b234affa99becc4023b9d"
    }
  ],
  "item_id": "trusted-windows-file",
  "list_id": "endpoint-exception-container",
  "name": "Trusted Windows file",
  "namespace_type": "agnostic",
  "tags": [],
  "type": "simple"
}
```
Example 4

Associates the `external-ip-excludes` list container, as an exception item, with the `trusted-IPs` exception container:

```
POST api/exception_lists/items
{
  "description": "Uses the external-ip-container list to exclude trusted external IPs.",
  "entries": [
    {
      "field": "destination.ip",
      "list": {
        "id": "external-ip-excludes",
        "type": "ip"
      },
      "operator": "included",
      "type": "list"
    }
  ],
  "list_id": "trusted-IPs",
  "item_id": "external-IPs",
  "name": "Trusted external IPs",
  "namespace_type": "single",
  "tags": ["network", "trusted IPs"],
  "type": "simple"
}
```

In this request, `external-ip-excludes` is the list container that holds the IP address list items, and `trusted-IPs` is the exception container's ID.
Example 5

Adds an exception for a nested endpoint field:

```
POST api/exception_lists/items
{
  "description": "Excludes all processes signed by Trusted Signer, Inc.",
  "entries": [
    {
      "field": "process.Ext.code_signature",
      "type": "nested",
      "entries": [
        {
          "field": "trusted",
          "type": "match",
          "operator": "included",
          "value": "true"
        },
        {
          "field": "subject_name",
          "type": "match",
          "operator": "included",
          "value": "Trusted Signer, Inc."
        }
      ]
    }
  ],
  "list_id": "trusted-self-signed-processes",
  "name": "In-house processes",
  "namespace_type": "single",
  "tags": ["in-house processes", "linux"],
  "type": "simple"
}
```
Response code

- 200 - Indicates a successful call.

Response payload

```json
{
  "_tags": [],
  "comments": [
    {
      "comment": "Allows maintenance process to run on the specified machines",
      "created_at": "2020-07-14T08:36:33.172Z",
      "created_by": "elastic",
      "id": "f6c61b4d-31dd-4a5d-8c73-f64787d03b4d"
    }
  ],
  "created_at": "2020-07-14T08:36:33.172Z",
  "created_by": "elastic",
  "description": "Process allowlist",
  "entries": [
    {
      "field": "process.name",
      "operator": "included",
      "type": "match",
      "value": "maintenance"
    },
    {
      "field": "host.name",
      "operator": "included",
      "type": "match_any",
      "value": ["liv-win-anf", "livw-win-mel", "linux-anfield"]
    }
  ],
  "id": "1f4d38b0-c5ad-11ea-a3d8-a5b753aeeb9e",
  "item_id": "allow-process-on-machines",
  "list_id": "allowed-processes",
  "name": "Host-process exclusions",
  "namespace_type": "single",
  "tags": ["hosts", "processes"],
  "tie_breaker_id": "bb04f1c7-2537-47c1-aaca-40a7c8f771d3",
  "type": "simple",
  "updated_at": "2020-07-14T08:36:33.339Z",
  "updated_by": "elastic"
}
```