From fe4d8f2385dc18454a9ef10f09d325bdf477d0a0 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 17 Jul 2025 17:40:00 -0400 Subject: [PATCH 1/3] First draft --- .../detect-and-alert/manage-detection-rules.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/solutions/security/detect-and-alert/manage-detection-rules.md b/solutions/security/detect-and-alert/manage-detection-rules.md index 89a82a2863..c8d91f5a4e 100644 --- a/solutions/security/detect-and-alert/manage-detection-rules.md +++ b/solutions/security/detect-and-alert/manage-detection-rules.md 
@@ -111,6 +111,24 @@ For {{ml}} rules, an indicator icon (![Error icon from rules table](/solutions/i 4. If available, select **Overwrite all selected _x_** to overwrite the settings on the rules. For example, if you’re adding tags to multiple rules, selecting **Overwrite all selected rules tags** removes all the rules' original tags and replaces them with the tags you specify. 5. Click **Save**. +::::{note} + +Modified fields on prebuilt rules are marked with the **Modified** badge. From the rule's details page, click the badge to view the changed fields. Changes are displayed in a side-by-side comparison of the original Elastic version and the modified version. Deleted characters are highlighted in red; added characters are highlighted in green. You can also view this comparison by clicking the **Modified Elastic rule** badge under the rule's name on the rule's details page. + +:::: + +## Revert modifications to prebuilt rules [revert-rule-changes] + +```{applies_to} + stack: ga 9.1 +``` + +After modifying a prebuilt rule, you can restore it's original version. To do this: + +1. Open the rule's details page, click the **All actions** menu, then **Revert to Elastic version**. +2. In the flyout, review the modified fields. Deleted characters are highlighted in red; added characters are highlighted in green. +3. Click **Revert** to restore the modified fields to their original versions. + ## Manage rules [manage-rules-ui] From 97be0100bbdba14588b774ad06b093e77b601587 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 17 Jul 2025 17:50:05 -0400 Subject: [PATCH 2/3] Adding applies to --- solutions/security/detect-and-alert/manage-detection-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/solutions/security/detect-and-alert/manage-detection-rules.md b/solutions/security/detect-and-alert/manage-detection-rules.md index c8d91f5a4e..a6e3797eee 100644 --- a/solutions/security/detect-and-alert/manage-detection-rules.md 
+++ b/solutions/security/detect-and-alert/manage-detection-rules.md @@ -113,6 +113,10 @@ For {{ml}} rules, an indicator icon (![Error icon from rules table](/solutions/i ::::{note} +```{applies_to} + stack: ga 9.1 +``` + Modified fields on prebuilt rules are marked with the **Modified** badge. From the rule's details page, click the badge to view the changed fields. Changes are displayed in a side-by-side comparison of the original Elastic version and the modified version. Deleted characters are highlighted in red; added characters are highlighted in green. You can also view this comparison by clicking the **Modified Elastic rule** badge under the rule's name on the rule's details page. :::: From 7463240ead916817da40b5c4aa93a6464de0921c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 17 Jul 2025 20:34:19 -0400 Subject: [PATCH 3/3] Davis' input --- solutions/security/detect-and-alert/manage-detection-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/solutions/security/detect-and-alert/manage-detection-rules.md b/solutions/security/detect-and-alert/manage-detection-rules.md index a6e3797eee..e8c6b0894d 100644 --- a/solutions/security/detect-and-alert/manage-detection-rules.md +++ b/solutions/security/detect-and-alert/manage-detection-rules.md @@ -133,6 +133,10 @@ After modifying a prebuilt rule, you can restore it's original version. To do th 2. In the flyout, review the modified fields. Deleted characters are highlighted in red; added characters are highlighted in green. 3. Click **Revert** to restore the modified fields to their original versions. +::::{note} +If you haven’t updated the rule in a while, its original version might be unavailable for comparison. You can avoid this by regularly updating prebuilt rules. +:::: + ## Manage rules [manage-rules-ui]
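Review bot: in the first patch's hunk (@@ -111,6 +111,24 @@), the new Revert section reads "you can restore it's original version"; this should be "its original version" (possessive, no apostrophe). The same line reappears as unchanged context in the third patch's hunk, so fixing it in this first commit keeps the later hunks consistent. In the same hunk, the Modified-badge note gives two routes to the comparison that both appear to sit on the rule's details page ("From the rule's details page, click the badge" and "clicking the **Modified Elastic rule** badge under the rule's name on the rule's details page"); if the first badge is the one shown in the rules table rather than on the details page, say so, otherwise the last sentence duplicates the first.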
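Review bot: in the third patch's hunk (@@ -133,6 +133,10 @@), the added note says the original version "might be unavailable for comparison" but does not say what that means for the **Revert to Elastic version** action described in steps 1 to 3 directly above it: whether the action is hidden, disabled, or still reverts without showing the side-by-side diff. Stating that outcome, and what "in a while" corresponds to (for example, how many prebuilt rule updates back the original version is retained), would make "You can avoid this by regularly updating prebuilt rules" actionable rather than a guess.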