From 05c2c68487f3d0ca694f8f612abc3316870640fe Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sat, 22 Mar 2025 12:12:13 -0400 Subject: [PATCH 1/2] First draft --- .../security/detect-and-alert/create-detection-rule.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md index f7c8639315..eea5215fa5 100644 --- a/solutions/security/detect-and-alert/create-detection-rule.md +++ b/solutions/security/detect-and-alert/create-detection-rule.md @@ -829,11 +829,11 @@ To interact with the rule preview: ### View your rule’s {{es}} queries (optional) [view-rule-es-queries] ::::{note} -This option is only offered for {{esql}} and event correlation rules. +This option is offered for all rule types except indicator match rules. :::: -When previewing a rule, you can also learn about its {{es}} queries, which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. +When previewing a rule, you can also examine the {{es}} queries that are submitted when the rule runs. Use this information to identify and troubleshoot potential rule issues and confirm that your rule is retrieving the expected data.data. To learn more about your rule’s {{es}} queries, preview its results and do the following: 
@@ -843,7 +843,7 @@ To learn more about your rule’s {{es}} queries, preview its results and do the * When the rule execution started, and how long it took to complete * A brief explanation of what the {{es}} queries do - * The actual {{es}} queries that the rule submits to indices containing events that are used during the rule execution + * The first two {{es}} queries that the rule submits to indices containing events that are used during the rule execution ::::{tip} Run the queries in [Console](/explore-analyze/query-filter/tools/console.md) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {{es}} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From a5afdf418545fc39dd059eaa431b00cf52ec897d Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sat, 22 Mar 2025 13:50:22 -0400 Subject: [PATCH 2/2] Extra word --- solutions/security/detect-and-alert/create-detection-rule.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md index eea5215fa5..1418777f5e 100644 --- a/solutions/security/detect-and-alert/create-detection-rule.md +++ b/solutions/security/detect-and-alert/create-detection-rule.md 
@@ -833,7 +833,7 @@ This option is offered for all rule types except indicator match rules. :::: -When previewing a rule, you can also examine the {{es}} queries that are submitted when the rule runs. Use this information to identify and troubleshoot potential rule issues and confirm that your rule is retrieving the expected data.data. +When previewing a rule, you can also examine the {{es}} queries that are submitted when the rule runs. Use this information to identify and troubleshoot potential rule issues and confirm that your rule is retrieving the expected data. To learn more about your rule’s {{es}} queries, preview its results and do the following:
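Review bot: the rewritten "When previewing a rule" line in the first hunk (@@ -829) introduces a typo, "the expected data.data.", which should read "the expected data."; the second patch in this series exists only to undo it, so fold that fix into this commit rather than shipping an intermediate revision that carries the typo. The same hunk also widens the note from "only offered for {{esql}} and event correlation rules" to "offered for all rule types except indicator match rules"; since this is the sentence users will rely on when the option is missing from their preview, confirm it against the current preview behaviour for every remaining rule type before merging, and if the support matrix differs by version, say so in the note.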
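Review bot: replacing "The actual {{es}} queries" with "The first two {{es}} queries" in the bullet list (hunk @@ -843) leaves the tip that follows it inconsistent, because the tip still tells readers to run "the rule's {{es}} queries" to check that exceptions are working, which is no longer the full set the rule submits. Either the bullet should say why only two are shown and that the rule may submit more, or the tip should limit its claim to the displayed queries, e.g. "Run the displayed queries in Console ..." and "If your rule's exceptions are working as intended, these queries will not return events that should be ignored." Also consider whether a hard count belongs in the doc at all; if the limit is a UI detail that may change, wording such as "the first {{es}} queries that the rule submits" avoids a future mismatch.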
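Review bot: this one-line hunk (@@ -833 in patch 2/2) only removes the duplicated "data.data." that patch 1/2 introduced in the same paragraph; squash it into the first patch so the series has no revision that ships the typo and the "Extra word" commit does not need to exist in history. The resulting line itself reads correctly.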