diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index b810e9beb5..1e1161988f 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -2,12 +2,12 @@ [role="xpack"] == Rule exceptions and value lists -To prevent the creation of unwanted alerts, you can add exceptions to these -detection rule types: +To prevent the creation of unwanted alerts, you can add exceptions to the following rule types: * Custom query * Event Correlation * Indicator match +* Machine learning Exceptions contain the source event conditions that determine when alerts are not generated. They provide a convenient way of allowing trusted @@ -34,12 +34,13 @@ After creating value lists, you can use `is in list` and `is not in list` operators to define exceptions. [float] -=== Manage value lists +[[manage-value-lists]] +=== Create and manage value lists -To create a value list for use with exceptions: +To create a value list to use with exceptions: . Prepare a `txt` or `csv` file with all the values you want to use for -determining exceptions from a single list. If you use a `txt` file, newlines +determining exceptions from a single list. If you use a `txt` file, new lines act as value delimiters. + NOTE: All values in the file must be of the same {es} type. 
@@ -50,18 +51,20 @@ NOTE: All values in the file must be of the same {es} type. [role="screenshot"] image::images/upload-lists-ui.png[] -. Select the list type (`Keywords`, `IP addresses`, `IP ranges`, or -`Text`) +. Select the list type (`Keywords`, `IP addresses`, `IP ranges`, or `Text`) from the *Type of value list* drop-down. . Drag or select the `csv` or `txt` file that contains the values. . Click *Upload list*. NOTE: When the name of the file you are uploading already exists, the values in the new file are appended to the previously uploaded values. -To view, delete, or export existing lists: +To view, delete, or export existing value lists: . Go to *Security* -> *Detections* -> *Manage detection rules*. -. In the *Value lists* pane, click the required action icon. +. In the *Value lists* pane, click the required action button. + +[role="screenshot"] +image::images/manage-value-list.png[] [float] [[detection-rule-exceptions]] @@ -99,7 +102,7 @@ image::images/exception-histogram.png[] .. Click *Add new exception*. . To add an exception via the Alerts table: .. Go to Detections (*Security* -> *Detections*). -.. Scroll down to the Alerts table and click the *More Actions* button, then select *Add rule exception*. +.. Scroll down to the Alerts table and click the *More Actions* button (*...*), then select *Add rule exception*. + [role="screenshot"] image::images/more-action-button.png[] @@ -169,7 +172,7 @@ alerts. . To add an exception via the Alerts table: .. Go to Detections (*Security* -> *Detections*). .. Scroll down to the Alerts table and, from an Elastic Security Endpoint -alert, click the more actions icon, and then select *Add Endpoint exception*. +alert, click the *More actions* button (*...*), then select *Add Endpoint exception*. + The *Add Endpoint Exception* window opens (via Alerts table). + 
@@ -253,3 +256,23 @@ Creates an exception that excludes all LFC-signed trusted processes: [role="screenshot"] image::images/nested-exp.png[] + +[float] +[[manage-exceptions]] +=== View and manage Exception lists + +The Exception lists table enables you to view and manage all exceptions that have been assigned to rules. To view the Exception lists table, go to *Detections* -> *Manage detection rules*, then select the *Exception Lists* tab. + +[role="screenshot"] +image::images/exception-list.png[] + +The table displays each Exception list on an individual row, with the most recently created list at the top. Each row contains information such as the number and name of rule(s) the Exception list is assigned to, the name of the rule(s) assigned to the Exception list, the date the list was created, last edited, and options to export or delete the it. + +TIP: To view details of the rule the Exception list is assigned to, click the link in the `Rules assigned to` column. + +To export or delete an Exception list, select the required action button on the appropriate list. Exception lists are exported to `.ndjson` format. + +[role="screenshot"] +image::images/actions-exception-list.png[] + +NOTE: If a list is linked to any rules, you'll see a warning appear that asks you to confirm the deletion. If no rules are linked to a list, it is deleted without confirmation. diff --git a/docs/detections/images/actions-exception-list.png b/docs/detections/images/actions-exception-list.png new file mode 100644 index 0000000000..71e6063a4d Binary files /dev/null and b/docs/detections/images/actions-exception-list.png differ diff --git a/docs/detections/images/delete-list.png b/docs/detections/images/delete-list.png new file mode 100644 index 0000000000..83f05bb84c Binary files /dev/null and b/docs/detections/images/delete-list.png differ 
diff --git a/docs/detections/images/exception-list.png b/docs/detections/images/exception-list.png new file mode 100644 index 0000000000..284453bcc5 Binary files /dev/null and b/docs/detections/images/exception-list.png differ diff --git a/docs/detections/images/export-list.png b/docs/detections/images/export-list.png new file mode 100644 index 0000000000..f5f603de51 Binary files /dev/null and b/docs/detections/images/export-list.png differ diff --git a/docs/detections/images/manage-value-list.png b/docs/detections/images/manage-value-list.png new file mode 100644 index 0000000000..49cf3bf368 Binary files /dev/null and b/docs/detections/images/manage-value-list.png differ diff --git a/docs/detections/images/monitor-table.png b/docs/detections/images/monitor-table.png new file mode 100644 index 0000000000..80e212b237 Binary files /dev/null and b/docs/detections/images/monitor-table.png differ diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 4f29b30dc7..91262eb5af 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -3,9 +3,12 @@ == Monitoring and troubleshooting rule executions To view a summary of all rule executions, such as failures and last execution -times, click the Monitoring tab in the *All rules* table (*Security* -> +times, select the *Rule Monitoring* tab in the *All rules* table (*Security* -> *Detections* -> *Manage detection rules*). +[role="screenshot"] +image::images/monitor-table.png[] + For detailed information on a rule, its generated alerts and errors, click on a rule name in the *All rules* table. 
@@ -13,18 +16,17 @@ a rule name in the *All rules* table. [[troubleshoot-signals]] === Troubleshoot missing alerts -When a rule fails to run close to its scheduled time, some alerts may be -missing. There are a number of steps you can perform to try and resolve this +When a rule fails to run close to its scheduled time, some alerts may be +missing. There are a number of steps you can perform to try and resolve this issue. If you see `Gaps` in the All rules table or on the Rule details page for a small number of rules, you can increase those rules' -`Additional look-back time` (*Detection rules* page -> the rule's -actions icon -> *Edit rule settings* -> *Schedule* -> _Additional look-back time_). +`Additional look-back time` (*Detection rules* page -> the rule's *All actions* button (*...*) -> *Edit rule settings* -> *Schedule* -> _Additional look-back time_). -If you see gaps for a lot of rules: +If you see gaps for numerous rules: -* If you restarted {kib} when many rules were activated, try deactivating them -and then reactivating them in small batches at staggered intervals. This +* If you restarted {kib} when many rules were activated, try deactivating them +and then reactivating them in small batches at staggered intervals. This ensures {kib} does not attempt to run all the rules at the same time. -* Consider adding another {kib} instance to your environment. \ No newline at end of file +* Consider adding another {kib} instance to your environment.
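Review bot: In the first hunk of docs/detections/detections-ui-exceptions.asciidoc, the wording change from `newlines` to `new lines` makes the delimiter statement less precise, since "newline" is the name of the line-terminator character that actually separates values in the `txt` file, whereas "new lines" reads as a layout description. Suggest reverting that one change or using "line breaks": `If you use a `txt` file, line breaks act as value delimiters.`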
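Review bot: The new "View and manage Exception lists" section in detections-ui-exceptions.asciidoc has a typo and a redundant clause in the row-description sentence: "options to export or delete the it" should read "options to export or delete it", and "the number and name of rule(s) the Exception list is assigned to, the name of the rule(s) assigned to the Exception list" names the same column twice. Also, the navigation path `go to *Detections* -> *Manage detection rules*` drops the leading *Security* that every other path on this page uses (`*Security* -> *Detections* -> *Manage detection rules*`); align it for consistency.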
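Review bot: docs/detections/images/delete-list.png and docs/detections/images/export-list.png are added as new binaries, but no `image::` directive in the asciidoc hunks references them; the new section only references exception-list.png and actions-exception-list.png, and the value-list section references manage-value-list.png. Either add the corresponding `image::images/delete-list.png[]` / `image::images/export-list.png[]` screenshots where the delete and export steps are described, or drop the two unused files from the change.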
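Review bot: The UI label for the overflow menu is spelled three different ways across the hunks: `*More Actions* button (*...*)` at line ~105 and `*More actions* button (*...*)` at line ~175 of detections-ui-exceptions.asciidoc, and `*All actions* button (*...*)` in the rules-ui-monitor.asciidoc hunk. Please confirm the exact labels in the UI and use one casing per control so readers can match the text to the tooltip. Separately, the last rules-ui-monitor hunk rewrites several lines that differ only in trailing whitespace (`missing. There are a number of steps...`, `and then reactivating them in small batches...`); that inflates the diff and is worth keeping out of a docs change unless the whitespace cleanup is intentional.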