Merged
20 changes: 16 additions & 4 deletions docs/detections/rules-ui-manage.asciidoc
Expand Up @@ -88,7 +88,12 @@ image::images/install-prebuilt-rules.png[]

You can edit an existing rule's settings, and can bulk edit index patterns, tags, and Timeline templates for multiple rules at once.

NOTE: For prebuilt Elastic rules, you can't modify most settings. You can only edit <<rule-schedule, rule actions>> and <<detections-ui-exceptions, add exceptions>>.
[NOTE]
====
For prebuilt Elastic rules, you can't modify most settings. You can only edit <<rule-schedule, rule actions>> and <<detections-ui-exceptions, add exceptions>>.

If you try to bulk edit with both prebuilt and custom rules selected, the action will affect only custom rules.
====

. Go to *Manage* -> *Rules*.
. Do one of the following:
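
Review bot: The new second paragraph of the NOTE block ("the action will affect only custom rules") does not say whether the UI tells the user that the prebuilt rules in the selection were skipped. Someone bulk editing index patterns or tags across a mixed selection could assume every selected rule was updated. Suggest stating what feedback, if any, is shown. Also consider the present tense ("the action affects only custom rules") so the wording matches the export note added later in this file ("only the custom rules are exported").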
Expand Down Expand Up @@ -117,7 +122,16 @@ You can duplicate, enable, disable, and delete rules:
[[import-export-rules-ui]]
=== Export and import rules

You can export detection rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. The following configuration items are also included in the `.ndjson` file:
You can export custom detection rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment.

[NOTE]
====
You cannot export Elastic prebuilt rules, but you can duplicate a prebuilt rule, then export the duplicated rule.

If you try to export with both prebuilt and custom rules selected, only the custom rules are exported.
====

The following configuration items are also included in the `.ndjson` file:

* Actions
* Exception lists
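
Review bot: "The following configuration items are also included in the `.ndjson` file:" now sits after the new NOTE block, so "also" no longer follows the sentence it refers back to and reads as continuing the note about prebuilt rules. Suggest either moving the NOTE below the list or rewording the lead-in so it stands alone, for example "Exported `.ndjson` files also include the following configuration items:". In the NOTE itself, the duplicate-then-export workaround would benefit from a pointer to where duplication is documented (the "You can duplicate, enable, disable, and delete rules" section just above).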
Expand All @@ -135,8 +149,6 @@ To export and import detection rules:
. To export rules:
.. In the rules table, select the rules you want to export.
.. Select *Bulk actions* -> *Export*, then save the exported file.
+
NOTE: You cannot export Elastic prebuilt rules.
. To import rules:
+
NOTE: You need at least `Read` privileges for the `Action and Connectors` feature to import rules with actions. If you're importing rules without actions, `Action and Connectors` feature privileges are not required. Refer to <<enable-detections-ui>> for more information.
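
Review bot: With the inline "NOTE: You cannot export Elastic prebuilt rules." removed from the export steps, nothing in the procedure itself tells the reader that prebuilt rules in the selection are left out of the file. A reader who jumps straight to the numbered steps will miss the NOTE in the section intro. Suggest keeping a short reminder at the "select the rules you want to export" step, or a cross-reference back to the intro note, so the limitation is visible where the selection is made.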