From bbeced0fa290e6a54bec932df7534041ccde5215 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 30 Sep 2024 00:05:58 -0400 Subject: [PATCH 01/24] First draft --- docs/detections/rules-ui-create.asciidoc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 1c1f404baf..d9eadf4df3 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -820,3 +820,20 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ * To close the preview, click the *Rule preview* button again. +[discrete] +[[debug-rule-queries]] +==== Debug rule queries (optional) + +NOTE: This option is only offered for {esql} rules. + +When previewing an {esql} rule, you can also learn more about the {es} queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. + +To learn more your rule's {es} queries, preview its results and do the following: + +. Beneath the rule preview's date and time picker, find the **Show Elasticsearch requests, ran during rule executions** option and select it. The **Preview logged results** section displays under the the histogram and alerts table in the panel. +. Expand the **Preview logged results** section to display subsections with more information about the rule's {es} queries. The following details are provided: +** The expected start date and time of each rule execution and how long it took to complete +** A brief explanation of the {es} queries +** The actual {es} queries that the rule submits when it runs ++ +TIP: Copy the queries and run them in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. From 390b265bb03462da581490e6fa368775ddf5ecec Mon Sep 17 00:00:00 2001 
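Review bot: Two wording slips in the added asciidoc hunk of PATCH 01/24: "The **Preview logged results** section displays under the the histogram" doubles "the", and "To learn more your rule's {es} queries" is missing "about". It is also worth confirming that the bold UI label "Show Elasticsearch requests, ran during rule executions" matches the control text exactly, because "ran" reads like a typo for "run"; if the UI really says "ran", keep it as-is, since readers will search for the literal label.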
From: "nastasha.solomon" Date: Mon, 30 Sep 2024 00:16:24 -0400 Subject: [PATCH 02/24] Serverless first draft --- docs/serverless/rules/rules-ui-create.mdx | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 4189eb8bdf..1cde229680 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -875,3 +875,24 @@ To interact with the rule preview: * To close the preview, click the **Rule preview** button again. +
+ +### Debug rule queries (optional) + + +This option is only offered for ((esql)) rules. + + +When previewing an ((esql)) rule, you can also learn more about the ((es)) queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. + +To learn more your rule's ((es)) queries, preview its results and do the following: + +1. Beneath the rule preview's date and time picker, find the **Show Elasticsearch requests, ran during rule executions** option and select it. The **Preview logged results** section displays under the the histogram and alerts table in the panel. +1. Expand the **Preview logged results** section to display subsections with more information about the rule's ((es)) queries. The following details are provided: + * The expected start date and time of each rule execution and how long it took to complete + * A brief explanation of the ((es)) queries + * The actual ((es)) queries that the rule submits when it runs + + + Copy the queries and run them in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. + From 24e750fead4b48eb2e23b7de25c0aa1d0a14761d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 30 Sep 2024 10:12:32 -0400 Subject: [PATCH 03/24] Update docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index d9eadf4df3..7513bd4a7e 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -824,7 +824,7 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ [[debug-rule-queries]] ==== Debug rule queries (optional) -NOTE: This option is only offered for {esql} rules. +NOTE: This option is only offered for {esql} and event correlation rules. When previewing an {esql} rule, you can also learn more about the {es} queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. From 2e6f2910a8feac5a3396304c0211771dd5bde9b7 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 30 Sep 2024 21:34:47 -0400 Subject: [PATCH 04/24] Fixing typos --- docs/detections/rules-ui-create.asciidoc | 4 ++-- docs/serverless/rules/rules-ui-create.mdx | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 7513bd4a7e..a0322c1a14 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
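Review bot: The NOTE in this hunk now says the option is offered for "{esql} and event correlation rules", but the unchanged paragraph directly below it still opens with "When previewing an {esql} rule", so the two statements contradict each other; reword that paragraph in the same commit (for example "When previewing a rule"). The serverless file docs/serverless/rules/rules-ui-create.mdx carries the same NOTE sentence and is not touched here, so the two docs drift until it gets the matching change.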
@@ -826,9 +826,9 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ NOTE: This option is only offered for {esql} and event correlation rules. -When previewing an {esql} rule, you can also learn more about the {es} queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. +When previewing a rule, you can also learn more about the {es} queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. -To learn more your rule's {es} queries, preview its results and do the following: +To learn more about your rule's {es} queries, preview its results and do the following: . Beneath the rule preview's date and time picker, find the **Show Elasticsearch requests, ran during rule executions** option and select it. The **Preview logged results** section displays under the the histogram and alerts table in the panel. . Expand the **Preview logged results** section to display subsections with more information about the rule's {es} queries. The following details are provided: diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 1cde229680..d48f6cc507 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -880,12 +880,12 @@ To interact with the rule preview: ### Debug rule queries (optional) -This option is only offered for ((esql)) rules. +This option is only offered for ((esql)) and event correlation rules. -When previewing an ((esql)) rule, you can also learn more about the ((es)) queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. +When previewing a rule, you can also learn more about the ((es)) queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. -To learn more your rule's ((es)) queries, preview its results and do the following: +To learn more about your rule's ((es)) queries, preview its results and do the following: 1. Beneath the rule preview's date and time picker, find the **Show Elasticsearch requests, ran during rule executions** option and select it. The **Preview logged results** section displays under the the histogram and alerts table in the panel. 1. Expand the **Preview logged results** section to display subsections with more information about the rule's ((es)) queries. The following details are provided: From b9183d46222fc4ece163b89b1f6c266dde04c49a Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 30 Sep 2024 21:48:10 -0400 Subject: [PATCH 05/24] Update docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index a0322c1a14..53fad384bb 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
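Review bot: The "Fixing typos" commit leaves the doubled "the" in the context line "displays under the the histogram and alerts table in the panel" in both the asciidoc and the mdx hunks; since this commit is already the typo pass, fold that fix in here rather than deferring it to a later commit.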
@@ -822,7 +822,7 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ [discrete] [[debug-rule-queries]] -==== Debug rule queries (optional) +==== View {es} queries sent by your rule (optional) NOTE: This option is only offered for {esql} and event correlation rules. From de269cc98d619bdaf80d6c9f2d65f71c0055d6be Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 30 Sep 2024 21:48:16 -0400 Subject: [PATCH 06/24] Update docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 53fad384bb..9b00f3533e 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -832,7 +832,7 @@ To learn more about your rule's {es} queries, preview its results and do the fol . Beneath the rule preview's date and time picker, find the **Show Elasticsearch requests, ran during rule executions** option and select it. The **Preview logged results** section displays under the the histogram and alerts table in the panel. . Expand the **Preview logged results** section to display subsections with more information about the rule's {es} queries. The following details are provided: -** The expected start date and time of each rule execution and how long it took to complete +** The start date and time for each rule execution and how long it took to complete ** A brief explanation of the {es} queries ** The actual {es} queries that the rule submits when it runs + From d9b849c4f26df8d55837521b72ad3d3c0d983b25 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Mon, 30 Sep 2024 23:46:32 -0400 Subject: [PATCH 07/24] Vitalii's input --- docs/detections/rules-ui-create.asciidoc | 15 ++++++++------- docs/serverless/rules/rules-ui-create.mdx | 20 +++++++++++--------- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 9b00f3533e..9f3ac2741f 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -821,7 +821,7 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ * To close the preview, click the *Rule preview* button again. [discrete] -[[debug-rule-queries]] +[[view-es-rule-queries]] ==== View {es} queries sent by your rule (optional) NOTE: This option is only offered for {esql} and event correlation rules. 
@@ -830,10 +830,11 @@ When previewing a rule, you can also learn more about the {es} queries that are To learn more about your rule's {es} queries, preview its results and do the following: -. Beneath the rule preview's date and time picker, find the **Show Elasticsearch requests, ran during rule executions** option and select it. The **Preview logged results** section displays under the the histogram and alerts table in the panel. -. Expand the **Preview logged results** section to display subsections with more information about the rule's {es} queries. The following details are provided: -** The start date and time for each rule execution and how long it took to complete -** A brief explanation of the {es} queries -** The actual {es} queries that the rule submits when it runs +. Select the **Show Elasticsearch requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the the histogram and alerts table. +. Click the **Preview logged results** section to expand it. Within the section, each rule execution is shown on an individual row. +. Expand each row to learn more about the {es} queries that the rule submits each time it executes. The following details are provided: +** When the rule execution started and how long it took to complete +** A brief explanation of what the {es} queries do +** The actual {es} queries that the rule sends to search indices containing events that are used during alert creation + -TIP: Copy the queries and run them in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. +TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, test your rule's exceptions by using its {es} queries to find events that should be ignored during alert creation. 
If alerts aren't created for those events, your rule's exceptions are working as expected. diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index d48f6cc507..8eccf5a01b 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -875,9 +875,9 @@ To interact with the rule preview: * To close the preview, click the **Rule preview** button again. -
+
-### Debug rule queries (optional) +### View ((es)) queries sent by your rule (optional) This option is only offered for ((esql)) and event correlation rules. 
@@ -887,12 +887,14 @@ When previewing a rule, you can also learn more about the ((es)) queries that ar To learn more about your rule's ((es)) queries, preview its results and do the following: -1. Beneath the rule preview's date and time picker, find the **Show Elasticsearch requests, ran during rule executions** option and select it. The **Preview logged results** section displays under the the histogram and alerts table in the panel. -1. Expand the **Preview logged results** section to display subsections with more information about the rule's ((es)) queries. The following details are provided: - * The expected start date and time of each rule execution and how long it took to complete - * A brief explanation of the ((es)) queries - * The actual ((es)) queries that the rule submits when it runs +1. Select the **Show Elasticsearch requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the the histogram and alerts table. +1. Click the **Preview logged results** section to expand it. Within the section, each rule execution is shown on an individual row. +1. Expand each row to learn more about the ((es)) queries that the rule submits each time it executes. The following details are provided: + * When it started and how long it took to complete + * A brief explanation of what the {es} queries do + * The actual ((es)) queries that the rule sends to search indices containing events that are used during alert creation + + + Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, test your rule's exceptions by using its ((es)) queries to find events that should be ignored during alert creation. If alerts aren't created for those events, your rule's exceptions are working as expected. 
- - Copy the queries and run them in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. From 3172a1ec1e419cf7a193be51845bebe3150127d8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 30 Sep 2024 23:49:31 -0400 Subject: [PATCH 08/24] Updated anchor text --- docs/detections/rules-ui-create.asciidoc | 2 +- docs/serverless/rules/rules-ui-create.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 9f3ac2741f..bdbeda5e30 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -821,7 +821,7 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ * To close the preview, click the *Rule preview* button again. [discrete] -[[view-es-rule-queries]] +[[view-rule-es-queries]] ==== View {es} queries sent by your rule (optional) NOTE: This option is only offered for {esql} and event correlation rules. diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 8eccf5a01b..52132bdcc8 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -875,7 +875,7 @@ To interact with the rule preview: * To close the preview, click the **Rule preview** button again. -
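Review bot: In the mdx hunk of PATCH 07/24, the added line "A brief explanation of what the {es} queries do" uses the asciidoc variable syntax {es} inside an .mdx file, where the surrounding lines use ((es)), so it will render literally; change it to ((es)). Two further points on the same hunk: the bullet "When it started and how long it took to complete" has no clear antecedent for "it", while the asciidoc version says "When the rule execution started", so mirror the asciidoc wording; and the TIP's exception example is hard to act on, because it tells the reader to use the queries to find events that should be ignored and then to check whether alerts were created, without saying what the query result itself should show. State the expected observation from running the query.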
+
### View ((es)) queries sent by your rule (optional) From 1194e07a8abc31d576bab3e838015068c7e88b16 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 30 Sep 2024 23:50:34 -0400 Subject: [PATCH 09/24] Updated title --- docs/detections/rules-ui-create.asciidoc | 2 +- docs/serverless/rules/rules-ui-create.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index bdbeda5e30..d26b34bec6 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -822,7 +822,7 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ [discrete] [[view-rule-es-queries]] -==== View {es} queries sent by your rule (optional) +==== View your rule's {es} queries (optional) NOTE: This option is only offered for {esql} and event correlation rules. diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 52132bdcc8..677b431767 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -877,7 +877,7 @@ To interact with the rule preview:
-### View ((es)) queries sent by your rule (optional) +### View your rule's ((es)) queries (optional) This option is only offered for ((esql)) and event correlation rules. From fc2390a51c1f766b39e033f8caaeaa1f15fc5a62 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 30 Sep 2024 23:56:37 -0400 Subject: [PATCH 10/24] Minor changes --- docs/detections/rules-ui-create.asciidoc | 2 +- docs/serverless/rules/rules-ui-create.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index d26b34bec6..81cb1ab2c8 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -826,7 +826,7 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ NOTE: This option is only offered for {esql} and event correlation rules. -When previewing a rule, you can also learn more about the {es} queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. +When previewing a rule, you can also learn about its {es} queries, which are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. To learn more about your rule's {es} queries, preview its results and do the following: diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 677b431767..805ba49dd5 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -883,7 +883,7 @@ To interact with the rule preview: This option is only offered for ((esql)) and event correlation rules. -When previewing a rule, you can also learn more about the ((es)) queries that are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues, or validating that your rule is retrieving the expected data. +When previewing a rule, you can also learn about its ((es)) queries, which are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. To learn more about your rule's ((es)) queries, preview its results and do the following: From 56ef20a8868be4f62715aaaa739619da6a3a7634 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 1 Oct 2024 00:02:11 -0400 Subject: [PATCH 11/24] Removed extra the --- docs/detections/rules-ui-create.asciidoc | 6 +++--- docs/serverless/rules/rules-ui-create.mdx | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 81cb1ab2c8..933329374b 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -830,11 +830,11 @@ When previewing a rule, you can also learn about its {es} queries, which are sub To learn more about your rule's {es} queries, preview its results and do the following: -. Select the **Show Elasticsearch requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the the histogram and alerts table. +. Select the **Show Elasticsearch requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the histogram and alerts table. . Click the **Preview logged results** section to expand it. Within the section, each rule execution is shown on an individual row. . Expand each row to learn more about the {es} queries that the rule submits each time it executes. The following details are provided: -** When the rule execution started and how long it took to complete +** When the rule execution started, and how long it took to complete ** A brief explanation of what the {es} queries do ** The actual {es} queries that the rule sends to search indices containing events that are used during alert creation + -TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, test your rule's exceptions by using its {es} queries to find events that should be ignored during alert creation. If alerts aren't created for those events, your rule's exceptions are working as expected. +TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, to test your rule's exceptions, use the rule's {es} queries to find events that should be ignored during alert creation. If alerts weren't created for those events, your rule's exceptions are working as expected. 
diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 805ba49dd5..86fa049b0c 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -887,14 +887,14 @@ When previewing a rule, you can also learn about its ((es)) queries, which are s To learn more about your rule's ((es)) queries, preview its results and do the following: -1. Select the **Show Elasticsearch requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the the histogram and alerts table. +1. Select the **Show Elasticsearch requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the histogram and alerts table. 1. Click the **Preview logged results** section to expand it. Within the section, each rule execution is shown on an individual row. 1. Expand each row to learn more about the ((es)) queries that the rule submits each time it executes. The following details are provided: - * When it started and how long it took to complete + * When it started, and how long it took to complete * A brief explanation of what the {es} queries do * The actual ((es)) queries that the rule sends to search indices containing events that are used during alert creation - Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, test your rule's exceptions by using its ((es)) queries to find events that should be ignored during alert creation. If alerts aren't created for those events, your rule's exceptions are working as expected. + Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule's exceptions, use the rule's {es} queries to find events that should be ignored during alert creation. If alerts weren't created for those events, your rule's exceptions are working as expected. From 6c7d87c67629b9f81ac277ee1480cd66e0e7f413 Mon Sep 17 00:00:00 2001 
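Review bot: The replacement TIP line in the mdx hunk, "use the rule's {es} queries to find events", again uses {es} in the .mdx file instead of ((es)), so the asciidoc wording was copied across without converting the variable; the context line "A brief explanation of what the {es} queries do" has the same problem. Grep the mdx file for "{es}" before merging so both occurrences are fixed together.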
From: "nastasha.solomon" Date: Tue, 1 Oct 2024 00:54:57 -0400 Subject: [PATCH 12/24] Fix conflict --- docs/serverless/rules/rules-ui-create.mdx | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 86fa049b0c..00cac8643f 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -894,7 +894,6 @@ To learn more about your rule's ((es)) queries, preview its results and do the f * A brief explanation of what the {es} queries do * The actual ((es)) queries that the rule sends to search indices containing events that are used during alert creation - - Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule's exceptions, use the rule's {es} queries to find events that should be ignored during alert creation. If alerts weren't created for those events, your rule's exceptions are working as expected. - + + Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule's exceptions, use the rule's ((es)) queries to find events that should be ignored during alert creation. If alerts weren't created for those events, your rule's exceptions are working as expected. From 2967d20f65710521a0624eed1c49eeb0e735195e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 1 Oct 2024 08:11:15 -0400 Subject: [PATCH 13/24] Update docs/detections/rules-ui-create.asciidoc Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com> --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 933329374b..a585729dcf 100644 
--- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -835,6 +835,6 @@ To learn more about your rule's {es} queries, preview its results and do the fol . Expand each row to learn more about the {es} queries that the rule submits each time it executes. The following details are provided: ** When the rule execution started, and how long it took to complete ** A brief explanation of what the {es} queries do -** The actual {es} queries that the rule sends to search indices containing events that are used during alert creation +** The actual {es} queries that the rule sends to search indices containing events used during rule execution + TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, to test your rule's exceptions, use the rule's {es} queries to find events that should be ignored during alert creation. If alerts weren't created for those events, your rule's exceptions are working as expected. From bd98d1eb166c00c642fc31823ad33e4944126f38 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 1 Oct 2024 10:48:06 -0400 Subject: [PATCH 14/24] Update docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index a585729dcf..7c7b7ff228 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -837,4 +837,4 @@ To learn more about your rule's {es} queries, preview its results and do the fol ** A brief explanation of what the {es} queries do ** The actual {es} queries that the rule sends to search indices containing events used during rule execution + -TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, to test your rule's exceptions, use the rule's {es} queries to find events that should be ignored during alert creation. If alerts weren't created for those events, your rule's exceptions are working as expected. +TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {es} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From d985ca3da7019032072f762dd7b741181bd88523 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 1 Oct 2024 10:51:18 -0400 Subject: [PATCH 15/24] Vitalii's feedback round 2 --- docs/detections/rules-ui-create.asciidoc | 2 +- docs/serverless/rules/rules-ui-create.mdx | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 7c7b7ff228..6e670c01b2 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
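Review bot: The replacement TIP line switches to typographic apostrophes ("rule’s" appears three times) while the rest of the file, including the hunk header's own "To learn more about your rule's {es} queries", uses straight apostrophes; use straight quotes for consistency. The line also refers to "the rule’s {es} queries" (plural) and then "the query will not return events" (singular); pick one. Finally, this reworded example needs to be mirrored in docs/serverless/rules/rules-ui-create.mdx, which still carries the older "If alerts weren't created" wording.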
@@ -835,6 +835,6 @@ To learn more about your rule's {es} queries, preview its results and do the fol . Expand each row to learn more about the {es} queries that the rule submits each time it executes. The following details are provided: ** When the rule execution started, and how long it took to complete ** A brief explanation of what the {es} queries do -** The actual {es} queries that the rule sends to search indices containing events used during rule execution +** The actual {es} queries that the rule submits to indices containing events that are used during rule execution + TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {es} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 00cac8643f..d35d39a2eb 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -892,8 +892,8 @@ To learn more about your rule's ((es)) queries, preview its results and do the f 1. Expand each row to learn more about the ((es)) queries that the rule submits each time it executes. The following details are provided: * When it started, and how long it took to complete * A brief explanation of what the {es} queries do - * The actual ((es)) queries that the rule sends to search indices containing events that are used during alert creation + * The actual ((es)) queries that the rule submits to indices containing events that are used during rule execution - Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule's exceptions, use the rule's ((es)) queries to find events that should be ignored during alert creation. If alerts weren't created for those events, your rule's exceptions are working as expected. + Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {es} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From fdc7dd0c769bb5a022d2594420bc6a2abd36ea52 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 1 Oct 2024 11:00:41 -0400 Subject: [PATCH 16/24] var fixes --- docs/serverless/rules/rules-ui-create.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index d35d39a2eb..e40c4274e0 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -891,9 +891,9 @@ To learn more about your rule's ((es)) queries, preview its results and do the f 1. Click the **Preview logged results** section to expand it. Within the section, each rule execution is shown on an individual row. 1. Expand each row to learn more about the ((es)) queries that the rule submits each time it executes. The following details are provided: * When it started, and how long it took to complete - * A brief explanation of what the {es} queries do + * A brief explanation of what the ((es)) queries do * The actual ((es)) queries that the rule submits to indices containing events that are used during rule execution - Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {es} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. + Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From ef045cded6ae0ad8a42da036825b04b0d8913f27 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 1 Oct 2024 11:56:55 -0400 Subject: [PATCH 17/24] Active voice --- docs/detections/rules-ui-create.asciidoc | 4 ++-- docs/serverless/rules/rules-ui-create.mdx | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 6e670c01b2..66b0475fbd 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -826,7 +826,7 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ NOTE: This option is only offered for {esql} and event correlation rules. -When previewing a rule, you can also learn about its {es} queries, which are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. +When previewing a rule, you can also learn about its {es} queries, which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. To learn more about your rule's {es} queries, preview its results and do the following: @@ -835,6 +835,6 @@ To learn more about your rule's {es} queries, preview its results and do the fol . Expand each row to learn more about the {es} queries that the rule submits each time it executes. The following details are provided: ** When the rule execution started, and how long it took to complete ** A brief explanation of what the {es} queries do -** The actual {es} queries that the rule submits to indices containing events that are used during rule execution +** The actual {es} queries that the rule submits to indices containing events that are used during the rule execution + TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {es} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index e40c4274e0..be4f6d5eb4 100644 --- a/docs/serverless/rules/rules-ui-create.mdx 
+++ b/docs/serverless/rules/rules-ui-create.mdx @@ -883,7 +883,7 @@ To interact with the rule preview: This option is only offered for ((esql)) and event correlation rules. -When previewing a rule, you can also learn about its ((es)) queries, which are submitted when the rule runs. This information can be helpful for identifying and troubleshooting potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. +When previewing a rule, you can also learn about its ((es)) queries, which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. To learn more about your rule's ((es)) queries, preview its results and do the following: @@ -892,7 +892,7 @@ To learn more about your rule's ((es)) queries, preview its results and do the f 1. Expand each row to learn more about the ((es)) queries that the rule submits each time it executes. The following details are provided: * When it started, and how long it took to complete * A brief explanation of what the ((es)) queries do - * The actual ((es)) queries that the rule submits to indices containing events that are used during rule execution + * The actual ((es)) queries that the rule submits to indices containing events that are used during the rule execution Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From 2be3231a9876d8197a6f655ae8b8009d6c3390bd Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 1 Oct 2024 23:27:12 -0400 Subject: [PATCH 18/24] Update docs/detections/rules-ui-create.asciidoc Co-authored-by: Joe Peeples --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 66b0475fbd..a12e4929c8 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -830,7 +830,7 @@ When previewing a rule, you can also learn about its {es} queries, which are sub To learn more about your rule's {es} queries, preview its results and do the following: -. Select the **Show Elasticsearch requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the histogram and alerts table. +. Select the **Show {es} requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the histogram and alerts table. . Click the **Preview logged results** section to expand it. Within the section, each rule execution is shown on an individual row. . Expand each row to learn more about the {es} queries that the rule submits each time it executes. The following details are provided: ** When the rule execution started, and how long it took to complete From d2b73bd7c8eeefe2038db1e41bd0d7d1349e102e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 1 Oct 2024 23:27:18 -0400 Subject: [PATCH 19/24] Update docs/serverless/rules/rules-ui-create.mdx Co-authored-by: Joe Peeples --- docs/serverless/rules/rules-ui-create.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index be4f6d5eb4..30cbd03454 100644 
--- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -887,7 +887,7 @@ When previewing a rule, you can also learn about its ((es)) queries, which are s To learn more about your rule's ((es)) queries, preview its results and do the following: -1. Select the **Show Elasticsearch requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the histogram and alerts table. +1. Select the **Show ((es)) requests, ran during rule executions** option below the preview's date and time picker. The **Preview logged results** section displays under the histogram and alerts table. 1. Click the **Preview logged results** section to expand it. Within the section, each rule execution is shown on an individual row. 1. Expand each row to learn more about the ((es)) queries that the rule submits each time it executes. The following details are provided: * When it started, and how long it took to complete From ffb767fa65b2da72a26871a0488708d7f288c1c0 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 1 Oct 2024 23:29:49 -0400 Subject: [PATCH 20/24] Update docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index a12e4929c8..8e9427cf4e 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -837,4 +837,4 @@ To learn more about your rule's {es} queries, preview its results and do the fol ** A brief explanation of what the {es} queries do ** The actual {es} queries that the rule submits to indices containing events that are used during the rule execution + -TIP: Run the queries in Dev Tools (**{kib}** -> **Management** -> **Dev Tools**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {es} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. +TIP: Run the queries in {kibana-ref}/console-kibana.html[Console] to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {es} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From 45e2aef4610f5bcbba5a85d3072e4f4f443d95fe Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 1 Oct 2024 23:31:54 -0400 Subject: [PATCH 21/24] Update docs/serverless/rules/rules-ui-create.mdx --- docs/serverless/rules/rules-ui-create.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 30cbd03454..d0a9d6071a 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -895,5 +895,5 @@ To learn more about your rule's ((es)) queries, preview its results and do the f * The actual ((es)) queries that the rule submits to indices containing events that are used during the rule execution - Run the queries in Console (**Developer tools** -> **Console**) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. + Run the queries in [Console](((kibana-ref))/run-api-requests-in-the-console.html) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From 087731c185c225237695e5b037f1e907bf781bee Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 2 Oct 2024 18:08:50 -0400 Subject: [PATCH 22/24] Update docs/serverless/rules/rules-ui-create.mdx --- docs/serverless/rules/rules-ui-create.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index d0a9d6071a..32e8c6a6ac 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -895,5 +895,5 @@ To learn more about your rule's ((es)) queries, preview its results and do the f * The actual ((es)) queries that the rule submits to indices containing events that are used during the rule execution - Run the queries in [Console](((kibana-ref))/run-api-requests-in-the-console.html) to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. + Run the queries in Console to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From 8883ee5d94cf17cdb598150832a1ab377c9b504a Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 2 Oct 2024 19:56:59 -0400 Subject: [PATCH 23/24] Update slug --- docs/serverless/rules/rules-ui-create.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 32e8c6a6ac..1639fe17e2 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -895,5 +895,5 @@ To learn more about your rule's ((es)) queries, preview its results and do the f * The actual ((es)) queries that the rule submits to indices containing events that are used during the rule execution - Run the queries in Console to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. + Run the queries in Console to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. From bfca164eba3d8ab5aeb5fadbab25272e322a2b0c Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 2 Oct 2024 20:10:29 -0400 Subject: [PATCH 24/24] slugslugslug --- docs/serverless/rules/rules-ui-create.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 1639fe17e2..055cc51f7b 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx 
@@ -894,6 +894,6 @@ To learn more about your rule's ((es)) queries, preview its results and do the f * A brief explanation of what the ((es)) queries do * The actual ((es)) queries that the rule submits to indices containing events that are used during the rule execution - - Run the queries in Console to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored. + + Run the queries in Console to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s ((es)) queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored.
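Review bot: The exception-testing TIP introduced in PATCH 14 and carried through PATCH 15, 17 and 20 (the `+TIP: Run the queries ...` line) states that an empty result for excepted events means the exceptions work, but an empty result is also what you get when no matching events exist in the searched indices for the preview's time range. Suggest adding a sentence such as "First confirm that events matching the exception exist in the time range; then run the query and verify those events are absent from the results," so the check is not a false positive.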
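Review bot: The two doc variants changed in PATCH 15 now describe the same bullet differently: the asciidoc hunk reads `** When the rule execution started, and how long it took to complete` while the mdx hunk reads `* When it started, and how long it took to complete`, where "it" has no clear antecedent in the mdx list. Suggest using the asciidoc wording in both files.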
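Review bot: In PATCH 18 and 19 the bolded UI label is changed from `**Show Elasticsearch requests, ran during rule executions**` to `**Show {es} requests, ran during rule executions**` (and `((es))` in mdx). If this label is quoted verbatim from the UI, the product name should stay literal rather than an attribute, since the rendered text must match what the user sees, and "ran" should then be left as-is; if it is not verbatim, "run during rule executions" is the grammatical form. Please confirm which case applies.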
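Review bot: PATCH 20 and 21 link Console to different targets for the same feature: `{kibana-ref}/console-kibana.html[Console]` in the asciidoc hunk versus `[Console](((kibana-ref))/run-api-requests-in-the-console.html)` in the mdx hunk, and PATCH 22 then removes the mdx link entirely, leaving the asciidoc variant linked and the serverless variant unlinked. Suggest verifying which slug resolves and either linking both variants to it or dropping the link in both.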
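Review bot: The hunks in PATCH 23 ("Update slug") and PATCH 24 ("slugslugslug") show removed and added lines with identical visible text, so the change appears to be whitespace or invisible characters only, and neither subject line describes what actually changed. Suggest squashing these into the preceding commit or giving them a message that states the change (for example, indentation fix) so the history is reviewable.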