From c6e289e6e2c3cc8817b713e093807870a36b10d1 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 23 Aug 2022 10:15:31 -0400 Subject: [PATCH] [DOCS] Bulk action handling for detection rules (#2328) * First draft * Apply suggestions from review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Apply suggestions from Janeen's review Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> (cherry picked from commit fb9cef03d5572189fcb41dd066887a1fe4d54c2a) --- docs/detections/rules-ui-manage.asciidoc | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 346c2ca5ff..2d6e8fae2d 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -88,7 +88,12 @@ image::images/install-prebuilt-rules.png[] You can edit an existing rule's settings, and can bulk edit index patterns, tags, and Timeline templates for multiple rules at once. -NOTE: For prebuilt Elastic rules, you can't modify most settings. You can only edit <> and <>. +[NOTE] +==== +For prebuilt Elastic rules, you can't modify most settings. You can only edit <> and <>. + +If you try to bulk edit with both prebuilt and custom rules selected, the action will affect only custom rules. +==== . Go to *Manage* -> *Rules*. . Do one of the following: 
@@ -117,7 +122,16 @@ You can duplicate, enable, disable, and delete rules: [[import-export-rules-ui]] === Export and import rules -You can export detection rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. The following configuration items are also included in the `.ndjson` file: +You can export custom detection rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. + +[NOTE] +==== +You cannot export Elastic prebuilt rules, but you can duplicate a prebuilt rule, then export the duplicated rule. + +If you try to export with both prebuilt and custom rules selected, only the custom rules are exported. +==== + +The following configuration items are also included in the `.ndjson` file: * Actions * Exception lists @@ -135,8 +149,6 @@ To export and import detection rules: . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. -+ -NOTE: You cannot export Elastic prebuilt rules. . To import rules: + NOTE: You need at least `Read` privileges for the `Action and Connectors` feature to import rules with actions. If you're importing rules without actions, `Action and Connectors` feature privileges are not required. Refer to <> for more information.
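Review bot: In the @@ -88,7 +88,12 @@ hunk, the second paragraph of the new [NOTE] block says a mixed bulk edit "will affect only custom rules" but does not say whether the user is told that the prebuilt rules were skipped. Because the first paragraph says some settings on prebuilt rules can be edited, a reader may assume the bulk edit changed those settings on every selected rule. Suggest stating explicitly that prebuilt rules in the selection are skipped and, if the UI reports this, saying so. Also consider the present tense ("the action affects only custom rules") to match the export note added later in this patch ("only the custom rules are exported").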
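Review bot: In the @@ -117,7 +122,16 @@ hunk, "The following configuration items are also included in the `.ndjson` file:" now comes after the [NOTE] block, so "also" is separated from the sentence it refers to and the list reads as a continuation of the note. Suggest keeping that sentence and its list directly after "You can export custom detection rules to an `.ndjson` file, ..." and placing the note after the list, or dropping "also". The note could additionally say whether the user is informed when prebuilt rules are left out of a mixed export, since someone moving rules to another environment may otherwise assume the file contains every rule they selected.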
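Review bot: In the @@ -135,8 +149,6 @@ hunk, removing the inline note leaves the step ".. In the rules table, select the rules you want to export." with no mention of the prebuilt-rule restriction at the point where the reader makes the selection. Suggest rewording the step to "select the custom rules you want to export" so the procedure stays consistent with the updated section intro for readers who jump straight to the numbered steps.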