From ebbbf2f760a726548c0433b07cc8f47826a8d8ac Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 2 Aug 2022 17:13:05 -0400 Subject: [PATCH 01/13] Update Host isolation --- docs/management/admin/host-isolation-ov.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index 74cda0e1e6..4fa72555f7 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc @@ -35,7 +35,7 @@ All actions executed on a host are tracked in the host’s activity log, which y To isolate a host from a case alert: -. Go to *Investigate -> Cases*, then select the appropriate case to view the case activity. Ensure you are viewing a case with at least one alert attached to it. +. Go to *Cases*, then select the appropriate case to view the case activity. Ensure you are viewing a case with at least one alert attached to it. . Find the appropriate alert, then click the *Show alert details* button (*>*). The alert details flyout opens. . Click *Take action -> Isolate host*. . Enter a comment describing why you’re isolating the host (optional). @@ -60,7 +60,7 @@ image::images/host-isolated-notif.png[Host isolated notification message,350] To release a host from a case alert: -. Go to *Investigate -> Cases*, then click on the appropriate case to view the case activity its details. +. Go to *Cases*, then click on the appropriate case to view the case activity its details. . Find the appropriate alert, then click the *Show alert details* button (*>*). The alert details flyout opens. . From the alert details flyout, click *Take action -> Release host*. . Enter a comment describing why you're releasing the host (optional). From f88e2bdc6c67536b0a0f5194e896a63b2f0a163c Mon Sep 17 00:00:00 2001 
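Review bot: the `+` line in the second hunk (@@ -60) keeps a pre-existing grammar slip, "click on the appropriate case to view the case activity its details"; since the line is being rewritten anyway, fix it to "to view the case activity and its details", or align it with the isolate procedure's wording in the first hunk, "to view the case activity".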
From: Joe Peeples Date: Wed, 3 Aug 2022 09:42:42 -0400 Subject: [PATCH 02/13] Update Configure and install Endpoint integration --- docs/getting-started/install-endpoint.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/install-endpoint.asciidoc b/docs/getting-started/install-endpoint.asciidoc index 9f8bff3098..3272709ffc 100644 --- a/docs/getting-started/install-endpoint.asciidoc +++ b/docs/getting-started/install-endpoint.asciidoc @@ -16,7 +16,7 @@ If you're using macOS, some versions may require you to grant Full Disk Access t [[add-security-integration]] == Add the {endpoint-cloud-sec} integration -. In {kib}, select **Security** -> **Endpoints**. If this is not your first time using {es-sec}, select **Management** -> **Integrations**, then search for and select **{endpoint-cloud-sec}**. +. In {kib}, select **Security** -> **Manage** -> **Endpoints**. If this is not your first time using {es-sec}, select **Management** -> **Integrations**, then search for and select **{endpoint-cloud-sec}**. + [role="screenshot"] image::images/install-endpoint/endpoint-cloud-sec-integrations-page.png[Search result for "Endpoint and Cloud Security" on the Integrations page.] From 8327673cee291848a1f547cdf6dbbbed743661f2 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Aug 2022 11:16:29 -0400 Subject: [PATCH 03/13] Update Detections and alerts intro --- .../detection-engine-intro.asciidoc | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index 046cc87884..8c3972c85c 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc 
@@ -3,15 +3,15 @@ = Detections and alerts -Use the Detections feature to create and manage rules, and view the alerts -these rules create. Rules periodically search indices (such as `endgame-*` and -`filebeat-*`) for suspicious source events, and create alerts when a rule's +Use the detection engine to create and manage rules and view the alerts +these rules create. Rules periodically search indices (such as `logs-*` and +`filebeat-*`) for suspicious source events and create alerts when a rule's conditions are met. When an alert is created, its status is `Open`. To help -track investigations, an alert's status can be set as `Open`, `Acknowledged`, or -`Closed` (see <>). +track investigations, an alert's <> can be set as +`Open`, `Acknowledged`, or `Closed`. [role="screenshot"] -image::images/alert-page.png[Shows the Alerts page] +image::images/alert-page.png[Alerts page] In addition to creating <>, enable <> to immediately start detecting 
@@ -195,26 +195,26 @@ NOTE: Ransomware prevention is a paid feature and is enabled by default if you h === Resolve UI error messages Depending on your privileges and whether detection system indices have already -been created for the {kib} space, you might see an error message when you try -to open the *Detections* page. - -*`Let’s set up your detection engine`* - -If you see this message, a user with specific privileges must visit the -*Detections* page before you can view detection rules and alerts. -See <> for a list of all the requirements. +been created for the {kib} space, you might get one of these error messages when you +open the *Alerts* or *Rules* page: +* *`Let’s set up your detection engine`* ++ +If you get this message, a user with specific privileges must visit the +*Alerts* or *Rules* page before you can view detection alerts and rules. +Refer to <> for a list of all the requirements. ++ NOTE: For *self-managed* {stack} deployments only, this message may be displayed when the <> -setting has not been added to the `kibana.yml` file. For more information, see <>. +setting has not been added to the `kibana.yml` file. For more information, refer to <>. -*`Detection engine permissions required`* - -If you see this message, you do not have the +* *`Detection engine permissions required`* ++ +If you get this message, you do not have the <> to view the *Detections* feature, and you should contact your {kib} administrator. - ++ NOTE: For *self-managed* {stack} deployments only, this message may be displayed when the <> -setting is not enabled in the `elasticsearch.yml` file. For more information, see <>. +setting is not enabled in the `elasticsearch.yml` file. For more information, refer to <>. From 471479ab0dbb1dfce603e47ca76c899d541756f0 Mon Sep 17 00:00:00 2001 
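Review bot: in the @@ -195 hunk of detection-engine-intro.asciidoc, the unchanged context line after `+If you get this message, you do not have the` still reads `<> to view the *Detections* feature, and you should contact`, while every other line in this hunk replaces *Detections* with *Alerts* or *Rules*; update that reference as well (for example, "to view the *Alerts* and *Rules* pages") so the permissions error text does not point at a name this series is retiring.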
From: Joe Peeples Date: Wed, 3 Aug 2022 11:45:45 -0400 Subject: [PATCH 04/13] Update Create a detection rule --- docs/detections/rules-ui-create.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 73f37bb615..5fe3f0ef4e 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -81,7 +81,7 @@ If a rule requires certain privileges to run, such as index privileges, keep in [[create-rule-ui]] === Select rule type and scope -. Go to *Detect* -> *Rules* -> *Create new rule*. The *Create new rule* page displays. +. Go to *Manage* -> *Rules* -> *Create new rule*. The *Create new rule* page displays. + [role="screenshot"] image::images/create-new-rule.png[] @@ -554,7 +554,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi * *Field*: Enter the field from the Elastic Security event indices to be used for comparing values. * *Indicator index field*: Enter the type of value list you created (i.e., `keyword`, `text`, or `IP`). + -TIP: If you don't remember this information, go to *Detect* -> *Rules > Upload value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) +TIP: If you don't remember this information, go to *Manage* -> *Rules* -> *Upload value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) [role="screenshot"] image::images/indicator_value_list.png[] From 2c4470509f862c37c3396a93e4558fee38d55c77 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Aug 2022 11:50:38 -0400 Subject: [PATCH 05/13] Update Manage detection rules --- docs/detections/rules-ui-manage.asciidoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 13251a89d1..346c2ca5ff 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -38,7 +38,7 @@ NOTE: Searches for index patterns and MITRE ATT&CK tactics and techniques must m [[load-prebuilt-rules]] === Load and activate prebuilt Elastic rules -To load the {es-sec-app}'s <>, go to *Detect -> Rules -> Load Elastic prebuilt rules and Timeline templates*). +To load the {es-sec-app}'s <>, go to *Manage* -> *Rules* -> *Load Elastic prebuilt rules and Timeline templates*. You can then activate whichever rules you want. If you delete any prebuilt rules, a button appears that enables you to reload all of the deleted ones. @@ -54,7 +54,7 @@ To learn how to enable detection rules in Elastic Security, watch the < Rules*. +. Go to *Manage* -> *Rules*. . Click *Select all _x_ rules* above the rules table. . Click *Bulk actions* -> *Duplicate*. . Select the *Custom rules* tab. @@ -90,7 +90,7 @@ You can edit an existing rule's settings, and can bulk edit index patterns, tags NOTE: For prebuilt Elastic rules, you can't modify most settings. You can only edit <> and <>. -. Go to *Detect* -> *Rules*. +. Go to *Manage* -> *Rules*. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: 
@@ -107,7 +107,7 @@ NOTE: For prebuilt Elastic rules, you can't modify most settings. You can only e You can duplicate, enable, disable, and delete rules: -. Go to *Detect* -> *Rules*. +. Go to *Manage* -> *Rules*. . Do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. @@ -131,7 +131,7 @@ Similarly, any value lists used for rule exceptions are not included in rule exp To export and import detection rules: -. Go to *Detect* -> *Rules*. +. Go to *Manage* -> *Rules*. . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. From 052af9a2c10ee245c5c47294578db8a2dd68a977 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Aug 2022 11:52:42 -0400 Subject: [PATCH 06/13] Update Monitor and troubleshoot rule executions --- docs/detections/rules-ui-monitor.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 587982e0e4..d44cf319eb 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -15,7 +15,7 @@ Refer to the <> section below for strategies on using thes === Rule Monitoring tab To view a summary of all rule executions, including the most recent failures and execution -times, select the *Rule Monitoring* tab on the *Rules* page (*Detect* -> +times, select the *Rule Monitoring* tab on the *Rules* page (*Manage* -> *Rules* -> *Rule Monitoring*). [role="screenshot"] 
@@ -33,7 +33,7 @@ For detailed information on a rule, the alerts it generated, and associated erro Each detection rule execution is logged, including its success or failure, any warning or error messages, and how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn't behaving as expected (for example, if it isn't creating alerts or takes a long time to run). -To access a rule's execution log, go to *Detect* -> *Rules*, click the rule's name to open its details, then scroll down and select the *Rule execution logs* tab. +To access a rule's execution log, go to *Manage* -> *Rules*, click the rule's name to open its details, then scroll down and select the *Rule execution logs* tab. [role="screenshot"] image::images/rule-execution-logs.png[Rule execution logs table] @@ -75,7 +75,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc If you see values in the Gaps column in the Rule Monitoring table or on the Rule details page for a small number of rules, you can increase those rules' -Additional look-back time (*Detect* -> *Rules* -> the rule's *All actions* menu (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*). +Additional look-back time (*Manage* -> *Rules* -> the rule's *All actions* menu (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*). It's recommended to set the `Additional look-back time` to at least 1 minute. This ensures there are no missing alerts when a rule doesn't From 35c39b010a0d432c7a9bcce5cd0a9a32634f66d7 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Aug 2022 12:06:56 -0400 Subject: [PATCH 07/13] Update Rule exceptions and value lists --- docs/detections/detections-ui-exceptions.asciidoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 15fd1bb28e..155662c785 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -41,7 +41,7 @@ act as value delimiters. * Wildcards are not supported in rule exceptions or value lists. Values must be literal values. ========================= -. Go to *Detect* -> *Rules*. +. Go to *Manage* -> *Rules*. . Click *Upload value lists*. The *Upload value lists* window opens. + [role="screenshot"] @@ -60,7 +60,7 @@ the new file are appended to the previously uploaded values. To view, delete, or export existing value lists: -. Go to *Detect* -> *Rules*. +. Go to *Manage* -> *Rules*. . Click *Upload value lists*. The *Upload value lists* window opens. . In the *Value lists* table, click the required action button. @@ -101,7 +101,7 @@ specific event in the sequence, update the rule's EQL statement. For example: -- * To add an exception from the rule details page: .. Go to the rule details page of the rule to which you want to add an -exception (*Detect* -> *Rules* -> *__*). +exception (*Manage* -> *Rules* -> *__*). .. Scroll down below the rule details and select the *Exceptions* tab. + [role="screenshot"] @@ -109,7 +109,7 @@ image::images/exception-histogram.png[Detail of Exceptions tab, 75%] .. Click *Add new exception* -> *Add rule exception*. * To add an exception from the Alerts table: -.. Go to *Detect* -> *Alerts*. +.. Go to *Alerts*. .. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*. The *Add Rule Exception* flyout opens (the example below was opened from the Alerts table): 
@@ -182,11 +182,11 @@ Additionally, to add an Endpoint exception to the Elastic Endpoint Security rule + -- * To add an Endpoint exception from the rule details page: -.. Go to the rule details page (*Detect* -> *Rules*), and then search for and select the Elastic *Endpoint Security* rule. +.. Go to the rule details page (*Manage* -> *Rules*), and then search for and select the Elastic *Endpoint Security* rule. .. Scroll down to the *Trend* histogram and select the *Exceptions* tab. .. Click *Add new exception* -> *Add Endpoint exception*. * To add an Endpoint exception from the Alerts table: -.. Go to *Detect* -> *Alerts*. +.. Go to *Alerts*. .. Scroll down to the Alerts table, and from an {elastic-endpoint} alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*. -- @@ -275,7 +275,7 @@ image::images/nested-exp.png[] [[manage-exceptions]] === View and manage exception lists -The Exception lists table enables you to view and manage all exceptions that have been assigned to rules. To view the Exception lists table, go to *Detect* -> *Exception lists*. +The Exception lists table enables you to view and manage all exceptions that have been assigned to rules. To view the Exception lists table, go to *Manage* -> *Exception lists*. [role="screenshot"] image::images/exceptions-page.png[] From 19fcc8283b69af5d0ed076011e838852d99ea005 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Aug 2022 12:08:42 -0400 Subject: [PATCH 08/13] Update About building block rules --- docs/detections/building-block-rule.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index 4a3af7527d..c4afa52d90 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc 
@@ -26,7 +26,7 @@ image::images/alert-indices-ui.png[] By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. -. Go to *Detect* -> *Alerts*. +. Go to *Alerts*. . In the Alerts table, select *Additional filters* -> *Include building block alerts*, located on the far-right. From 81be517bb317e7c767014405c40019e617461f1b Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Aug 2022 12:13:16 -0400 Subject: [PATCH 09/13] Update Manage detection alerts --- docs/detections/alerts-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index b20fe9b0be..b4235e8d74 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -39,7 +39,7 @@ NOTE: When updating alert results to include building block alerts, the Security [role="screenshot"] image::images/additional-filters.png[Alerts table with Additional filters menu highlighted] -* View detection alerts generated by a specific rule. Go to *Detect* -> *Rules*, then select a rule name in the table. The rule details page displays a comprehensive view of the rule's settings, and the Alerts table under the Trend histogram displays the alerts associated with the rule, including alerts from any previous or deleted revision of that rule. +* View detection alerts generated by a specific rule. Go to *Manage* -> *Rules*, then select a rule name in the table. The rule details page displays a comprehensive view of the rule's settings, and the Alerts table under the Trend histogram displays the alerts associated with the rule, including alerts from any previous or deleted revision of that rule. [float] [[customize-the-alerts-table]] From ea88c371445febfc42b1eede2349af7dbf5d8f45 Mon Sep 17 00:00:00 2001 
From: Joe Peeples Date: Wed, 3 Aug 2022 12:23:45 -0400 Subject: [PATCH 10/13] Update Visual event analyzer --- docs/detections/visual-event-analyzer.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index 0f9bf856f1..c9ed998d59 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc @@ -19,7 +19,7 @@ To find events that can be visually analyzed: . First, view a list of events by doing one of the following: * Go to *Explore* -> *Hosts*, then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page. -* Go to *Detect* -> *Alerts*, then scroll down to view the Alerts table. +* Go to *Alerts*, then scroll down to view the Alerts table. . Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting *Enter*: ** `agent.type:"endpoint" and process.entity_id :*` + From dcb27233eb980e07f032ddf1134c3705ce702093 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Aug 2022 12:25:43 -0400 Subject: [PATCH 11/13] Update Session View --- docs/detections/session-view.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/session-view.asciidoc b/docs/detections/session-view.asciidoc index e4f6465b5f..00f5c2c9e7 100644 --- a/docs/detections/session-view.asciidoc +++ b/docs/detections/session-view.asciidoc 
@@ -35,7 +35,7 @@ Session View is accessible from the **Hosts**, **Alerts**, and **Timelines** pag Events and sessions that you can investigate in Session View have a rectangular *Open Session View* button in the *Actions* column. For example: -* On the Alerts page (*Detect* -> *Alerts*), scroll down to view the Alerts table. +* On the Alerts page, scroll down to view the Alerts table. Look for alerts that have the **Open Session View** button in the **Actions** column: [role="screenshot"] image::images/session-view-action-icon-detail.png[Detail of the Open Session View icon,width=75%] From 8f50469ce627d9f6e034ed494a9e73d54ab9b19a Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Aug 2022 12:28:37 -0400 Subject: [PATCH 12/13] Update Tune detection rules --- docs/detections/prebuilt-rules/tune-rule-signals.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index d41f62cc3c..7bfb8f6312 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc @@ -33,7 +33,7 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to *Detect* -> *Rules*. +. Go to *Manage* -> *Rules*. . Search for and then click on the *Unusual Process Execution - Temp* rule. + The *Unusual Process Execution - Temp* rule details page is displayed. From 2dd7fce0f9fb481f748e1426e3d0be3e2318a647 Mon Sep 17 00:00:00 2001 
From: Joe Peeples Date: Thu, 4 Aug 2022 11:11:13 -0400 Subject: [PATCH 13/13] Update API docs Create rule Update rule Import rules Export rules --- docs/detections/api/rules/rules-api-create.asciidoc | 5 ++--- docs/detections/api/rules/rules-api-export.asciidoc | 2 +- docs/detections/api/rules/rules-api-import.asciidoc | 2 +- docs/detections/api/rules/rules-api-update.asciidoc | 5 ++--- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 55ba07b896..2213a79abb 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -394,7 +394,7 @@ a value from the source event: |rule_name_override |String |Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is -displayed in the *Rule* column on the Detections page). When unspecified, the +displayed on the *Rules* page in the *Rule* column). When unspecified, the rule's `name` value is used. The source field must be a string data type. |severity_mapping |Object[] a|Overrides generated alerts' `severity` with @@ -550,8 +550,7 @@ All fields are required: |============================================== NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed -in the UI (*Detections* -> *Manage detection rules* -> ). +in the UI (*Manage* -> *Rules* -> *_Rule name_*). ===== Example requests diff --git a/docs/detections/api/rules/rules-api-export.asciidoc b/docs/detections/api/rules/rules-api-export.asciidoc index c6c53cc21b..3c1370f219 100644 --- a/docs/detections/api/rules/rules-api-export.asciidoc +++ b/docs/detections/api/rules/rules-api-export.asciidoc 
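Review bot: in the @@ -394 hunk of rules-api-create.asciidoc, the new wording "displayed on the *Rules* page in the *Rule* column" most likely names the wrong page: `rule_name_override` populates the alert's `signal.rule.name`, so the value appears per alert in the Alerts table's *Rule* column, whereas the *Rules* page lists rules, not alerts. The old "Detections page" wording referred to the page that held the alerts table, and this series renames *Detect* -> *Alerts* to *Alerts* elsewhere, so "displayed in the *Rule* column on the *Alerts* page" would be the consistent replacement.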
@@ -12,7 +12,7 @@ You cannot export prebuilt rules, but they are available at https://github.com/e ================= Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI in Kibana (*Stack Management* -> *Kibana* -> *Saved Objects*) or the Saved Objects APIs (experimental) to {kibana-ref}/saved-objects-api-export.html[export] and {kibana-ref}/saved-objects-api-import.html[import] any necessary connectors _before_ you export and import the detection rules. -Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Detect* -> *Rules* -> *Upload value lists*) to export and import value lists separately. +Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Manage* -> *Rules* -> *Upload value lists*) to export and import value lists separately. ================= ==== Request URL diff --git a/docs/detections/api/rules/rules-api-import.asciidoc b/docs/detections/api/rules/rules-api-import.asciidoc index ef1428e223..de11902f14 100644 --- a/docs/detections/api/rules/rules-api-import.asciidoc +++ b/docs/detections/api/rules/rules-api-import.asciidoc 
@@ -14,7 +14,7 @@ NOTE: You need at least `Read` privileges for the `Action and Connectors` featur ================= Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI in Kibana (*Stack Management* -> *Kibana* -> *Saved Objects*) or the Saved Objects APIs (experimental) to {kibana-ref}/saved-objects-api-export.html[export] and {kibana-ref}/saved-objects-api-import.html[import] any necessary connectors _before_ you export and import the detection rules. -Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Detect* -> *Rules* -> *Upload value lists*) to export and import value lists separately. +Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Manage* -> *Rules* -> *Upload value lists*) to export and import value lists separately. ================= ==== Request URL diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index ee05e91a18..fe4dced8fd 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -310,7 +310,7 @@ a value from the source event: |rule_name_override |String |Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is -displayed in the *Rule* column on the Detections page). When unspecified, the +displayed on the *Rules* page in the *Rule* column). When unspecified, the rule's `name` value is used. The source field must be a string data type. |severity_mapping |Object[] a|Overrides generated alerts' `severity` with 
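Review bot: in the @@ -310 hunk of rules-api-update.asciidoc, "displayed on the *Rules* page in the *Rule* column" most likely names the wrong page: the field populates the alert's `signal.rule.name`, which is shown per alert in the Alerts table's *Rule* column, while the *Rules* page lists rules rather than alerts. Given that the rest of this series renames *Detect* -> *Alerts* to *Alerts*, suggest "displayed in the *Rule* column on the *Alerts* page" here, matching whatever wording is settled on for the same sentence in rules-api-create.asciidoc.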
@@ -427,8 +427,7 @@ technique: |============================================== NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed -in the UI (*Security* -> *Detections* -> *Manage detection rules* -> ). +in the UI (*Manage* -> *Rules* -> *_Rule name_*). ===== Example request