Skip to content

[SEC-30403] Add API schema reference to Cloud SIEM detection rule docs#36142

Draft
chelsea-xu-dd wants to merge 2 commits intomasterfrom
chelsea.xu/detection-rules-schema-for-agents
Draft

[SEC-30403] Add API schema reference to Cloud SIEM detection rule docs#36142
chelsea-xu-dd wants to merge 2 commits intomasterfrom
chelsea.xu/detection-rules-schema-for-agents

Conversation

@chelsea-xu-dd
Copy link
Copy Markdown
Contributor

@chelsea-xu-dd chelsea-xu-dd commented Apr 20, 2026
edited by atlassian Bot
Loading

Summary

Adds an API schema reference section to each Cloud SIEM detection method documentation page, so AI coding agents can author detection rules by fetching a single per-method doc instead of parsing the full Security Monitoring API reference (~51k lines).

Motivation

Cloud SIEM pod (SEC-30403) is building an MCP tool to help agents author detection rules via the v2 API. Originally scoped as a static schema tool, but the pod's direction is to have agents fetch schema from public docs on demand (following the pup security findings schema pattern) to avoid sync drift between static content and the real API.

For that to work, the public docs need enough schema detail to be self-sufficient. Today they are UI-focused and miss non-OpenAPI content: case condition grammar, field-level constraints, method-specific behavioral thresholds, and the third_party schema.

What's in this PR

Every detection method page becomes a self-contained schema reference for that method. An agent authoring a new_value rule can fetch just new_value.md and have everything it needs.

File Change
anomaly.md Add API schema reference + anomalyDetectionOptions + case condition subset
content_anomaly.md Add API schema reference + content anomaly options
impossible_travel.md Add API schema reference + impossibleTravelOptions + exact 1000 km/h / 500 km thresholds
new_value.md Add API schema reference + newValueOptions + limits (max 5 attributes, 30-day caps)
sequence.md Add API schema reference + sequenceDetectionOptions + 24h constraint + THEN prohibition
real_time_rule.md Add threshold schema + full case condition grammar (corrects existing public docs: both query op NUMBER and NUMBER op query forms are valid)
third_party.md (new) Full third_party schema including thirdPartyRuleOptions, rootQueries, vendor patterns
suppressions.md Note on the deprecated filters array field on rule payloads

Design notes

  • Duplication is intentional: each method page includes the common schema (top-level fields, queries, cases, options common) so an agent fetches one URL per task rather than multiple. If an agent-only Hugo shortcode mechanism becomes available, the verbose schema tables can be wrapped in it so they remain in the .md output agents fetch but are stripped from the human-facing HTML — addressing HTML hygiene without changing what agents receive. Cross-file deduplication (Hugo partials) is a separate, orthogonal tool that can be adopted later if the authoring burden becomes painful.
  • Field descriptions match the existing Security Monitoring API reference wording where available, to keep terminology consistent.
  • signal_correlation is intentionally omitted from this PR (pending internal rework). Can be added in a follow-up.

Scope / non-goals

  • No changes to any shared partials or shortcodes
  • No changes to the UI-focused content on existing pages — only appending an "API schema reference" section
  • No changes to non-Cloud-SIEM rule types (workload_security, application_security, etc.)
  • MITRE tag conventions, rule-specific message templating nuances, and rule lifecycle metadata are intentionally deferred (see SEC-30403 plan)

Test plan

  • Render pages locally and confirm the UI-focused sections continue to render correctly (tabs, images, shortcodes)
  • Confirm .md versions are served cleanly to agent user-agents (WEB-8445)
  • Fetch each updated page and verify the schema reference is self-contained
  • Attempt to author one rule per detection method (threshold, new_value, anomaly, impossible_travel, content_anomaly, sequence, third_party) using only the per-method doc — no API reference, no other sources
  • Verify the NUMBER op query correction doesn't contradict any other docs or UI guidance

🤖 Generated with Claude Code

@chelsea-xu-dd
Add API schema reference to Cloud SIEM detection rule docs
6b5aaeb 
Adds a self-contained "API schema reference" section to each Cloud
SIEM detection method page so AI coding agents can author rules by
fetching a single per-method doc instead of parsing the full
Security Monitoring API reference (~51k lines).

Each page now covers: top-level payload fields, queries schema,
cases schema, options common fields, the method-specific options
sub-object, and an example payload.

Also adds the case condition grammar — an ANTLR-backed operator
set (`>`, `>=`, `<`, `<=`, `&&`, `||`, `THEN`, `*`) with an
explicit list of rejected operators. Corrects the public docs on
operand ordering: both `query op NUMBER` and `NUMBER op query`
forms are valid.

Changes:
- anomaly.md: add schema reference + anomalyDetectionOptions
- content_anomaly.md: add schema reference
- impossible_travel.md: add schema reference + exact thresholds
- new_value.md: add schema reference + newValueOptions + limits
- sequence.md: add schema reference + sequenceDetectionOptions
- real_time_rule.md: add threshold schema + full case grammar
- third_party.md (new): full third_party schema + vendor patterns
- suppressions.md: deprecation note for legacy `filters` field

Field descriptions reuse the existing API reference wording where
available to keep terminology consistent.
@chelsea-xu-dd chelsea-xu-dd requested a review from a team as a code owner April 20, 2026 20:45
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 20, 2026

Preview links (active after the build_preview check completes)

New or renamed files

Modified Files

@chelsea-xu-dd @claude
Add Third Party nav entry and reframe schema reference intros
6be45eb 
Add missing Third Party side-panel nav entry and rephrase the API
schema reference intro on each detection method page to frame the
section as the rule schema with a reference to the Security Monitoring
API, instead of describing specific endpoints.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@git-thuerk-done
Copy link
Copy Markdown
Contributor

git-thuerk-done commented Apr 20, 2026

Editorial review tracked in DOCS-14084.

@github-actions github-actions Bot added the Architecture Everything related to the Doc backend label Apr 20, 2026
@git-thuerk-done git-thuerk-done added the editorial review Waiting on a more in-depth review label Apr 20, 2026
@chelsea-xu-dd chelsea-xu-dd marked this pull request as draft April 21, 2026 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Architecture Everything related to the Doc backend editorial review Waiting on a more in-depth review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chelsea-xu-dd @git-thuerk-done