Skip to content

[DOCS] "Create rule" updates: rule preview, saved queries #2559

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 15 commits into from
Oct 18, 2022
Merged

[DOCS] "Create rule" updates: rule preview, saved queries #2559

merged 15 commits into from
Oct 18, 2022

Conversation

@joepeeples
Copy link
Contributor

@joepeeples joepeeples commented Oct 10, 2022
edited
Loading

Related issues — Both of these features involved updating the "Create a detection rule" page, so they're streamlined into a single docs PR:

Preview: Create a detection rule

There are a lot of changes scattered throughout the page. Some highlights:

  • Updated the Preview your rule section with the new rule preview side panel
  • Revised lines that previously assumed rule preview was only available in the "Define rule" step
  • Expanded the Create a custom query section to include the new saved query checkbox
  • Added the saved query/Timeline query note to a few more rule types that allow adding those queries

@joepeeples joepeeples self-assigned this Oct 10, 2022
@github-actions
Copy link

github-actions bot commented Oct 10, 2022

Documentation previews:

@joepeeples joepeeples changed the title [DOCS] Rule preview enhancements [DOCS] "Create rule" updates: rule preview, saved queries Oct 11, 2022
@joepeeples joepeeples marked this pull request as ready for review October 11, 2022 18:31
nastasha-solomon
nastasha-solomon approved these changes Oct 13, 2022
View reviewed changes
Copy link
Contributor

@nastasha-solomon nastasha-solomon left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! The only issue I noticed is out of the scope of this doc task - the image under step 1f here is outdated. I filed #2570 to fix it.

vitaliidm
vitaliidm reviewed Oct 13, 2022
View reviewed changes
benironside
benironside reviewed Oct 13, 2022
View reviewed changes
Copy link
Contributor

@benironside benironside left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just two minor suggestions

This was referenced Oct 13, 2022
Closed
Closed
@joepeeples @benironside
Apply suggestions from Ben's review
0f32acc 
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
vitaliidm
vitaliidm approved these changes Oct 14, 2022
View reviewed changes
Copy link
Contributor

@vitaliidm vitaliidm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

saved query notes LGTM

@joepeeples
Copy link
Contributor Author

joepeeples commented Oct 14, 2022
edited
Loading

Looks great! The only issue I noticed is out of the scope of this doc task - the image under step 1f here is outdated. I filed #2570 to fix it.

Thanks @nastasha-solomon, good catch! I've fixed the screenshot in this PR so we have it correct in 8.5 and going forward, and #2570 can follow up with fixing any backports. IMO it's a pretty low priority fix for backporting, especially weighing the complexity; looks like it'll take multiple different screenshots and probably require manual backports, and it's been like this for a few versions and even QA never caught it.

@joepeeples joepeeples mentioned this pull request Oct 14, 2022
Closed
e40pud
e40pud approved these changes Oct 17, 2022
View reviewed changes
Copy link
Contributor

@e40pud e40pud left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Preview notes LGTM! Maybe we could add couple more notes (not sure if needed though):

  1. We can preview pre-built rules with the latest changes
  2. The difference between Refresh button states. There are two states (indicated by green and blue button colors). "Green button" indicates that there were some rule configuration or time range changes which will affect the preview results. "Blue button" indicates that we can refresh preview results with the same rule configurations, but updated time range in case of relative time range specified (like "last 2 hours", "last day" etc.). Happy to provide more details about this one, if it sounds a bit confusing. :-)

@joepeeples
Copy link
Contributor Author

joepeeples commented Oct 17, 2022

Preview notes LGTM! Maybe we could add couple more notes (not sure if needed though):

  1. We can preview pre-built rules with the latest changes
  2. The difference between Refresh button states. There are two states (indicated by green and blue button colors). "Green button" indicates that there were some rule configuration or time range changes which will affect the preview results. "Blue button" indicates that we can refresh preview results with the same rule configurations, but updated time range in case of relative time range specified (like "last 2 hours", "last day" etc.). Happy to provide more details about this one, if it sounds a bit confusing. :-)

Hi @e40pud, thanks for these notes! They definitely sound worth adding, especially the button colors which I didn't know about. I'll play around with the feature and let you know if I have any questions, will push a revision soon.

@joepeeples
Copy link
Contributor Author

joepeeples commented Oct 17, 2022

Update: I pushed an update to address @e40pud's feedback (mention prebuilt rules, explain Refresh button), and the docs preview now reflects this too.

@joepeeples joepeeples added the readyforQA PRs that are ready for QA review. label Oct 17, 2022
marshallmain
marshallmain reviewed Oct 17, 2022
View reviewed changes
@ghost

This comment was marked as resolved.

Sign in to view
@ghost ghost added QA:Validated Issue has been Validated by QA Team and removed readyforQA PRs that are ready for QA review. labels Oct 18, 2022
marshallmain
marshallmain approved these changes Oct 18, 2022
View reviewed changes
Copy link
Contributor

@marshallmain marshallmain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks Joe!

@joepeeples joepeeples merged commit be778eb into main Oct 18, 2022
mergify bot pushed a commit that referenced this pull request Oct 18, 2022
@joepeeples @benironside
@marshallmain @mergify
[DOCS] "Create rule" updates: rule preview, saved queries (#2559)
c3951e0 
* First draft

* Remove preview from ordered steps

(Preview is now available at any step)

* Update screenshot, edits

* Add saved query checkbox, other related

* Typo

* Apply suggestions from Ben's review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Fix outdated screenshot

* Add refresh button details, mention prebuilt rules

* Apply suggestions from Marshall's review

Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
(cherry picked from commit be778eb)
@mergify mergify bot mentioned this pull request Oct 18, 2022
Merged
@joepeeples joepeeples deleted the 2469-create-rule-preview branch October 18, 2022 23:36
joepeeples added a commit that referenced this pull request Oct 18, 2022
@mergify @joepeeples
[DOCS] "Create rule" updates: rule preview, saved queries (#2559) (#2603
04df906 
)

* First draft

* Remove preview from ordered steps

(Preview is now available at any step)

* Update screenshot, edits

* Add saved query checkbox, other related

* Typo

* Apply suggestions from Ben's review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Fix outdated screenshot

* Add refresh button details, mention prebuilt rules

* Apply suggestions from Marshall's review

Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
(cherry picked from commit be778eb)

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
@joepeeples joepeeples mentioned this pull request Oct 19, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benironside benironside benironside left review comments

@e40pud e40pud e40pud approved these changes

@marshallmain marshallmain marshallmain approved these changes

@nastasha-solomon nastasha-solomon nastasha-solomon approved these changes

@vitaliidm vitaliidm vitaliidm approved these changes

@jethr0null jethr0null Awaiting requested review from jethr0null

@jmikell821 jmikell821 Awaiting requested review from jmikell821

Assignees

@joepeeples joepeeples

Labels

Feature: Rules QA:Validated Issue has been Validated by QA Team Team: Detections/Response Detections and Response Team: Docs v8.5.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[DOCS] Saved query UX updates [DOCS] Rule preview enhancements: side panel, exceptions, overrides, prebuilt rules

7 participants

@joepeeples @e40pud @marshallmain @nastasha-solomon @benironside @vitaliidm