diff --git a/docs/detections/api/rules/rules-api-export.asciidoc b/docs/detections/api/rules/rules-api-export.asciidoc index 3c1370f219..971459a2a4 100644 --- a/docs/detections/api/rules/rules-api-export.asciidoc +++ b/docs/detections/api/rules/rules-api-export.asciidoc @@ -12,7 +12,7 @@ You cannot export prebuilt rules, but they are available at https://github.com/e ================= Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI in Kibana (*Stack Management* -> *Kibana* -> *Saved Objects*) or the Saved Objects APIs (experimental) to {kibana-ref}/saved-objects-api-export.html[export] and {kibana-ref}/saved-objects-api-import.html[import] any necessary connectors _before_ you export and import the detection rules. -Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Manage* -> *Rules* -> *Upload value lists*) to export and import value lists separately. +Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Manage* -> *Rules* -> *Import value lists*) to export and import value lists separately. ================= ==== Request URL diff --git a/docs/detections/api/rules/rules-api-import.asciidoc b/docs/detections/api/rules/rules-api-import.asciidoc index de11902f14..e063fbe320 100644 --- a/docs/detections/api/rules/rules-api-import.asciidoc +++ b/docs/detections/api/rules/rules-api-import.asciidoc 
@@ -14,7 +14,7 @@ NOTE: You need at least `Read` privileges for the `Action and Connectors` featur ================= Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI in Kibana (*Stack Management* -> *Kibana* -> *Saved Objects*) or the Saved Objects APIs (experimental) to {kibana-ref}/saved-objects-api-export.html[export] and {kibana-ref}/saved-objects-api-import.html[import] any necessary connectors _before_ you export and import the detection rules. -Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Manage* -> *Rules* -> *Upload value lists*) to export and import value lists separately. +Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Manage* -> *Rules* -> *Import value lists*) to export and import value lists separately. ================= ==== Request URL diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 4eea9c36aa..6e3a84e564 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -24,6 +24,8 @@ operators to define exceptions. IMPORTANT: Operators `is in list` and `is not in list` are not available for threshold and event correlation rules. +TIP: You can also use value lists as the <> when creating an indicator match rule. + [float] [[manage-value-lists]] == Create value lists 
@@ -42,17 +44,17 @@ act as value delimiters. ========================= . Go to *Manage* -> *Rules*. -. Click *Upload value lists*. The *Upload value lists* window opens. +. Click *Import value lists*. The *Import value lists* window opens. + [role="screenshot"] -image::images/upload-lists-ui.png[] +image::images/upload-lists-ui.png[Import value lists flyout,75%] . Select the list type (*Keywords*, *IP addresses*, *IP ranges*, or *Text*) from the *Type of value list* drop-down. . Drag or select the `csv` or `txt` file that contains the values. -. Click *Upload list*. +. Click *Import list*. -NOTE: When the name of the file you are uploading already exists, the values in -the new file are appended to the previously uploaded values. +NOTE: When the name of the file you are importing already exists, the values in +the new file are appended to the previously imported values. [[edit-value-lists]] [discrete] @@ -61,13 +63,11 @@ the new file are appended to the previously uploaded values. To view, delete, or export existing value lists: . Go to *Manage* -> *Rules*. -. Click *Upload value lists*. The *Upload value lists* window opens. +. Click *Import value lists*. The *Import value lists* window opens. . In the *Value lists* table, click the required action button. - ++ [role="screenshot"] -image::images/manage-value-list.png[] - -TIP: You can also use a value list as the indicator match index when creating an indicator match rule. Refer to <> for more information. +image::images/manage-value-list.png[Import value list flyout with action buttons highlighted,75%] [float] [[detection-rule-exceptions]] diff --git a/docs/detections/images/all-rules.png b/docs/detections/images/all-rules.png index 2efe19da8e..b5311a9a6b 100644 Binary files a/docs/detections/images/all-rules.png and b/docs/detections/images/all-rules.png differ 
diff --git a/docs/detections/images/manage-value-list.png b/docs/detections/images/manage-value-list.png index 200b85a699..3da91109f5 100644 Binary files a/docs/detections/images/manage-value-list.png and b/docs/detections/images/manage-value-list.png differ diff --git a/docs/detections/images/monitor-table.png b/docs/detections/images/monitor-table.png index ee33613fba..fed6c9b244 100644 Binary files a/docs/detections/images/monitor-table.png and b/docs/detections/images/monitor-table.png differ diff --git a/docs/detections/images/upload-lists-ui.png b/docs/detections/images/upload-lists-ui.png index 8eac6e1f41..3297c4d0d3 100644 Binary files a/docs/detections/images/upload-lists-ui.png and b/docs/detections/images/upload-lists-ui.png differ diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 16c4e1ac35..9555a2ce7c 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -558,7 +558,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi * *Field*: Enter the field from the Elastic Security event indices to be used for comparing values. * *Indicator index field*: Enter the type of value list you created (i.e., `keyword`, `text`, or `IP`). + -TIP: If you don't remember this information, go to *Manage* -> *Rules* -> *Upload value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) +TIP: If you don't remember this information, go to *Manage* -> *Rules* -> *Import value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) [role="screenshot"] image::images/indicator_value_list.png[] diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 2d6e8fae2d..440802dd99 100644 --- a/docs/detections/rules-ui-manage.asciidoc 
+++ b/docs/detections/rules-ui-manage.asciidoc @@ -140,7 +140,7 @@ The following configuration items are also included in the `.ndjson` file: ================= Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI in Kibana (*Stack Management* -> *Kibana* -> *Saved Objects*) to export and import any necessary connectors _before_ you export and import the detection rules. -Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Detect* -> *Rules* -> *Upload value lists*) to export and import value lists separately. +Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Detect* -> *Rules* -> *Import value lists*) to export and import value lists separately. ================= To export and import detection rules:
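Review bot: The `NOTE:` changed in the `@@ -42,17 +44,17 @@` hunk of `docs/detections/detections-ui-exceptions.asciidoc` says values from a same-named file "are appended to the previously imported values", but it does not say how to remove a value. Since these lists feed rule exceptions, a reader who re-imports a trimmed file may assume the dropped entries are gone. Suggest stating explicitly whether re-importing can remove entries and, if it cannot, pointing to the `[[edit-value-lists]]` procedure for deleting the list first. Separately, the image is still referenced as `images/upload-lists-ui.png` after the rename to "Import"; that is fine if the filename is intentionally kept, but worth confirming.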
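Review bot: In the `@@ -61,13 +63,11 @@` hunk of `docs/detections/detections-ui-exceptions.asciidoc`, the procedure "To view, delete, or export existing value lists" now tells the reader to click *Import value lists*, which reads as the wrong entry point for an export or delete. Suggest a short clause in step 2 saying that the same window also lists existing value lists. Also note that the TIP removed here ended with "Refer to <> for more information", while the replacement TIP added in the `@@ -24,6 +24,8 @@` hunk drops that sentence; check that the inline cross-reference in the new TIP resolves to the same target.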
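Review bot: The `@@ -558,7 +558,7 @@` hunk of `docs/detections/rules-ui-create.asciidoc` updates the TIP to *Import value lists*, but the example it belongs to still opens with "You uploaded a value list of known ransomware domains" (visible in the hunk header context). Suggest changing that to "imported" so the terminology matches the rest of the patch. While here, the unchanged line "(i.e., `keyword`, `text`, or `IP`)" presents the types as exhaustive, whereas the TIP calls them examples and the import steps list four types (*Keywords*, *IP addresses*, *IP ranges*, *Text*); "e.g." or the full list would be more accurate.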
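Review bot: The changed line in the `@@ -140,7 +140,7 @@` hunk of `docs/detections/rules-ui-manage.asciidoc` still gives the path as `*Detect* -> *Rules* -> *Import value lists*`, while every other file touched by this patch uses `*Manage* -> *Rules* -> *Import value lists*`. Only the button label was updated here. Suggest aligning the menu path with the other pages, or confirming that `*Detect*` is intentional for this page.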