diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 346c2ca5ff..2d6e8fae2d 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -88,7 +88,12 @@ image::images/install-prebuilt-rules.png[] You can edit an existing rule's settings, and can bulk edit index patterns, tags, and Timeline templates for multiple rules at once. -NOTE: For prebuilt Elastic rules, you can't modify most settings. You can only edit <> and <>. +[NOTE] +==== +For prebuilt Elastic rules, you can't modify most settings. You can only edit <> and <>. + +If you try to bulk edit with both prebuilt and custom rules selected, the action will affect only custom rules. +==== . Go to *Manage* -> *Rules*. . Do one of the following: @@ -117,7 +122,16 @@ You can duplicate, enable, disable, and delete rules: [[import-export-rules-ui]] === Export and import rules -You can export detection rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. The following configuration items are also included in the `.ndjson` file: +You can export custom detection rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. + +[NOTE] +==== +You cannot export Elastic prebuilt rules, but you can duplicate a prebuilt rule, then export the duplicated rule. + +If you try to export with both prebuilt and custom rules selected, only the custom rules are exported. +==== + +The following configuration items are also included in the `.ndjson` file: * Actions * Exception lists 
@@ -135,8 +149,6 @@ To export and import detection rules: . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. -+ -NOTE: You cannot export Elastic prebuilt rules. . To import rules: + NOTE: You need at least `Read` privileges for the `Action and Connectors` feature to import rules with actions. If you're importing rules without actions, `Action and Connectors` feature privileges are not required. Refer to <> for more information.
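
Review bot: In the first hunk (@@ -88,7 +88,12 @@), the added sentence "If you try to bulk edit with both prebuilt and custom rules selected, the action will affect only custom rules." does not say whether the user is told that the prebuilt rules were skipped. Someone bulk editing index patterns or tags on a mixed selection could assume every selected rule changed. Suggest stating what feedback, if any, the UI gives in that case. Also suggest present tense ("the action affects only custom rules") to match the export note added in the next hunk ("only the custom rules are exported").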
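
Review bot: In the second hunk (@@ -117,7 +122,16 @@), the new [NOTE] block now sits between the opening sentence and "The following configuration items are also included in the `.ndjson` file:", so "also" has lost its antecedent and the list that follows (Actions, Exception lists) reads as if it belongs to the note. Suggest moving the note below the list, or rewording the sentence so it stands alone, for example "Exported `.ndjson` files also include the following configuration items:".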
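
Review bot: In the third hunk (@@ -135,8 +149,6 @@), removing "NOTE: You cannot export Elastic prebuilt rules." leaves the step "In the rules table, select the rules you want to export." with no reminder at the point of action. A reader who jumps straight to the procedure will not see the restriction, which now appears only in the note at the top of the section. Suggest changing the step to "select the custom rules you want to export", or keeping a one-line pointer back to that note.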