From 8c906780a8c971ee88568a6edd0d6cb3a6371f9c Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 23 Oct 2024 22:23:05 -0400 Subject: [PATCH 01/10] First draft --- docs/detections/rules-ui-create.asciidoc | 34 +++++++++++++----------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 52542e411d..e70f5803c4 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -42,9 +42,8 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user role, and the selected {ml} job must be running for the rule to function correctly. ============== -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule based on a {ml} anomaly threshold, select *Machine Learning*, -then select: +. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select: .. The required {ml} jobs. + NOTE: If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule. 
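Review bot: the new step 1 in the `@@ -42,9 +42,8 @@` hunk drops the instruction to click *Create new rule*, while step 2 still says "on the *Create new rule*", so the reader is never told how to open that page; either keep `-> *Create new rule*` in step 1 or add a step such as `. Click *Create new rule*.` before step 2. The same hunk has "To access the it" (drop "the"), and "select *Machine Learning* on the *Create new rule*, then select:" is missing "page" after *Create new rule*, unlike the custom query, threshold and other sections edited in this patch. The dropped *Create new rule* click applies to every section of rules-ui-create.asciidoc touched here, so fix them together.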
@@ -68,9 +67,8 @@ in the step or its sub-steps, apply the change to the other rule types, too. [discrete] [[create-custom-rule]] === Create a custom query rule -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule based on a KQL or Lucene query, select *Custom query*, -then: +. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then: .. Define which {es} indices or data view the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting alerts. @@ -119,8 +117,8 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-threshold-rule]] === Create a threshold rule -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule based on a source event field threshold, select *Threshold*, then: +. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting alerts. 
@@ -159,7 +157,8 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-eql-rule]] === Create an event correlation rule -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. +. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then: . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. .. Write an {ref}/eql-syntax.html[EQL query] that searches for matching events or a series of matching events. 
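Review bot: in the `@@ -159,7 +157,8 @@` hunk the old line `. To create an event correlation rule using EQL, select *Event Correlation*, then:` is kept as unchanged context directly below the new `+. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:`, so the rendered list now has two consecutive steps saying the same thing. The old line should be a `-` line; the second draft (`@@ -157,7 +157,7 @@` in rules-ui-create.asciidoc further down this page) still carries both lines.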
@@ -225,9 +224,8 @@ in these steps or sub-steps, apply the change to the other rule types, too. NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: - +. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields: .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from the {elastic-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`. @@ -306,6 +304,10 @@ You uploaded a value list of known ransomware domains, and you want to be notifi + TIP: If you don't remember this information, go to *Rules* -> *Detection rules (SIEM)* -> *Manage value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) +//// +Revisit this tip ^ +//// + [role="screenshot"] image::images/indicator_value_list.png[] 
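Review bot: the `@@ -306,6 +304,10 @@` hunk adds a `//// Revisit this tip ^ ////` comment block, which is a TODO left in the source; fine for a first draft, but the tip it marks (`*Rules* -> *Detection rules (SIEM)* -> *Manage value lists*`) still uses the arrow-path navigation style this patch is replacing, so either update the tip in this PR or track the follow-up so the marker does not ship. The `@@ -225,9 +224,8 @@` hunk above it repeats "To access the it" and the missing *Create new rule* click noted for the first hunk.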
@@ -313,8 +315,8 @@ image::images/indicator_value_list.png[] [[create-new-terms-rule]] === Create a new terms rule -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule that searches for each new term detected in source documents, select *New Terms*, then: +. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then: .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view. .. Use the filter and query fields to create the criteria used for detecting alerts. @@ -353,8 +355,8 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page appears. -. Select **{esql}**, then write a query. +. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. Select **{esql}**, then write a query. + NOTE: Refer to the sections below to learn more about <>, <>, and <>. + From 99ebf938da319177f512ea5006da13c05b759609 Mon Sep 17 00:00:00 2001 
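Review bot: in the `@@ -353,8 +355,8 @@` hunk the line `. Select **{esql}**, then write a query.` is removed and re-added with identical visible text, so the diff records a change that can only be whitespace; drop that `-`/`+` pair so the hunk touches only the navigation step. "To access the it" repeats in both this hunk and the new-terms hunk (`@@ -313,8 +315,8 @@`).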
From: "nastasha.solomon" Date: Wed, 23 Oct 2024 23:12:10 -0400 Subject: [PATCH 02/10] Second draft --- docs/detections/add-exceptions.asciidoc | 14 ++++++++----- docs/detections/building-block-rule.asciidoc | 2 +- .../prebuilt-rules-management.asciidoc | 10 +++++++--- .../prebuilt-rules/tune-rule-signals.asciidoc | 2 +- docs/detections/rules-coverage.asciidoc | 2 ++ .../rules-cross-cluster-search.asciidoc | 3 ++- docs/detections/rules-ui-create.asciidoc | 14 ++++++------- docs/detections/rules-ui-manage.asciidoc | 20 ++++++++++++++----- docs/detections/rules-ui-monitor.asciidoc | 8 +++++++- .../shared-exception-lists.asciidoc | 6 +++--- .../detections/value-list-exceptions.asciidoc | 6 +++--- 11 files changed, 57 insertions(+), 30 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index dea8dc0331..0d1fe9c2b8 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -40,22 +40,23 @@ specific event in the sequence, update the rule's EQL statement. For example: * To add an exception from the rule details page: .. Go to the rule details page of the rule to which you want to add an exception (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). +//Revisit the nav instructions in this step. .. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*. + [role="screenshot"] image::images/rule-exception-tab.png[Detail of rule exceptions tab] * To add an exception from the Alerts table: -.. Go to *Alerts*. +.. Find **Alerts** in the main menu or by using the <>. .. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*. * To add an exception from the alert details flyout: -.. Go to *Alerts*. +.. Find **Alerts** in the main menu or by using the <>. .. Click the *View details* button from the Alerts table. .. In the alert details flyout, click *Take action -> Add rule exception*. * To add an exception from the Shared Exception Lists page: -.. Go to *Rules* -> *Shared exception lists*. +.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. .. Click *Create shared exception list* -> *Create exception item*. -- 
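Review bot: the Shared Exception Lists step in this hunk reads circularly: `Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** ... then go to *Shared exception lists*.` tells the reader to go to the page, then how to reach the Rules page, then to go to the same page again. Suggest `Go to the *Shared exception lists* page. To access it, find **Detection rules (SIEM)** in the main menu or look for "Detection rules (SIEM)" using the <>, then select *Shared exception lists*.`; the same sentence is reused three times in shared-exception-lists.asciidoc later in this patch. The hunk also mixes `**Alerts**` and `**Detection rules (SIEM)**` with the single-asterisk `*Rule exceptions*`, `*More Actions*` and `*Add rule exception*` used in the surrounding steps; the file uses single asterisks, so stay with that.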
@@ -158,15 +159,16 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there * To add an Endpoint exception from the rule details page: .. Go to the rule details page (*Rules* -> *Detection rules (SIEM)*), and then search for and select the Elastic *Endpoint Security* rule. +//Revisit the instructions in the above step. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: -.. Go to *Alerts*. +.. Find **Alerts** in the main menu or by using the <>. .. Scroll down to the Alerts table, and from an {elastic-endpoint} alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*. * To add an Endpoint exception from Shared Exception Lists page: -.. Go to *Rules* -> *Shared exception lists*. +.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*. + NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. @@ -266,6 +268,8 @@ image::images/nested-exp.png[] To view a rule's exceptions, open the rule's details page (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*), then scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*. +//Revisit the instruction in the para above. + [role="screenshot"] image::images/manage-default-rule-list.png[A default rule list] 
diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index 829d09088f..d99dcf7380 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc @@ -25,7 +25,7 @@ image::images/alert-indices-ui.png[] By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. -. Go to *Alerts*. +. Find **Alerts** in the main menu or by using the <>. . In the Alerts table, select *Additional filters* -> *Include building block alerts*, located on the far-right. diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index 7adb34db43..87e2618399 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -27,7 +27,9 @@ Follow these guidelines to start using the {security-app}'s < *Detection rules (SIEM)*. The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. ++ +The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation. + [role="screenshot"] image::images/prebuilt-rules-add-badge.png[The Add Elastic Rules page] 
@@ -81,7 +83,8 @@ Each prebuilt rule includes several tags identifying the rule's purpose, detecti [[select-all-prebuilt-rules]] === Select and duplicate all prebuilt rules -. Go to *Rules* -> *Detection rules (SIEM)*, then select the *Elastic rules* filter. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. From the *Rules* page, select the *Elastic rules* filter. . Click *Select all _x_ rules* above the rules table. . Click *Bulk actions* -> *Duplicate*. . Select whether to duplicate the rules' exceptions, then click *Duplicate*. @@ -94,7 +97,8 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions. -. Go to *Rules* -> *Detection rules (SIEM)*, then select the *Rule Updates* tab. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. From the *Rules* page, select the *Rule Updates* tab. + NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date. + diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index 2c4bcbe402..cd6e82df53 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc 
@@ -35,7 +35,7 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to *Rules* -> *Detection rules (SIEM)*. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. + The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed. diff --git a/docs/detections/rules-coverage.asciidoc b/docs/detections/rules-coverage.asciidoc index 098b703c8f..3ff609d157 100644 --- a/docs/detections/rules-coverage.asciidoc +++ b/docs/detections/rules-coverage.asciidoc @@ -8,6 +8,8 @@ The **MITRE ATT&CK® coverage** page (**Rules** -> **MITRE ATT&CK® Coverage**) shows which https://attack.mitre.org[MITRE ATT&CK®] adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. +//Revisit the nav instructions in the para above. + Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic's related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. [NOTE] diff --git a/docs/detections/rules-cross-cluster-search.asciidoc b/docs/detections/rules-cross-cluster-search.asciidoc index 4ec19ed7b8..b4b08327ce 100644 --- a/docs/detections/rules-cross-cluster-search.asciidoc +++ b/docs/detections/rules-cross-cluster-search.asciidoc 
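Review bot: the `//Revisit the nav instructions in the para above.` comment added in rules-coverage.asciidoc (and the matching `//Revisit` comments in add-exceptions, rules-ui-manage and rules-ui-monitor in this patch) are TODO markers left in the source. They are appropriate for a draft, but each marks a paragraph that still uses the `**Rules** -> **MITRE ATT&CK® Coverage**` arrow-path style this change replaces elsewhere, so either update those paragraphs in this PR or open a follow-up so the markers are removed before merge.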
@@ -66,7 +66,8 @@ To update a rule's API key, log into the local cluster as a user with the privil * Edit and save the rule. * Update the rule's API key manually: -. Go to {kib} -> *Stack Management* -> *Rules*. +. Go to {kib} -> *Stack Management* -> *Rules*. +//Revisit nav instructions in step 1. . Use the search box and filters to find the rules you want to update. For example, use the *Type* filter to find rules under the *Security* category. . Select the rule's actions menu (*...*), then *Update API key*. + diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index e70f5803c4..2783643563 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -42,7 +42,7 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user role, and the selected {ml} job must be running for the rule to function correctly. ============== -. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select: .. The required {ml} jobs. + 
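Review bot: in the rules-cross-cluster-search.asciidoc hunk (`@@ -66,7 +66,8 @@`) the `-` and `+` lines for `. Go to {kib} -> *Stack Management* -> *Rules*.` are identical, so the only real change is the added `//Revisit nav instructions in step 1.` comment; drop the no-op pair, or change the step if that was the intent. In the rules-ui-create.asciidoc hunk `@@ -42,7 +42,7 @@` that follows, "To access the it" is fixed but the context line `select *Machine Learning* on the *Create new rule*, then select:` still lacks "page" after *Create new rule*.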
@@ -67,7 +67,7 @@ in the step or its sub-steps, apply the change to the other rule types, too. [discrete] [[create-custom-rule]] === Create a custom query rule -. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then: .. Define which {es} indices or data view the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting @@ -117,7 +117,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-threshold-rule]] === Create a threshold rule -. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting 
@@ -157,7 +157,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-eql-rule]] === Create an event correlation rule -. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then: . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. @@ -224,7 +224,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. -. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields: .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from 
@@ -315,7 +315,7 @@ image::images/indicator_value_list.png[] [[create-new-terms-rule]] === Create a new terms rule -. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then: .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view. .. Use the filter and query fields to create the criteria used for detecting @@ -355,7 +355,7 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: -. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . Select **{esql}**, then write a query. + NOTE: Refer to the sections below to learn more about <>, <>, and <>. diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 2c033b4151..a611c2a5b5 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -67,7 +67,7 @@ For prebuilt Elastic rules, you can't modify most settings. You can only edit << Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ==== -. Go to *Rules* -> *Detection rules (SIEM)*. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: @@ -98,7 +98,7 @@ You can duplicate, enable, disable, delete, and snooze actions for rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. -. Go to *Rules* -> *Detection rules (SIEM)*. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . Do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. 
@@ -115,7 +115,8 @@ Manually run enabled rules for a specified period of time for testing purposes o IMPORTANT: Before manually running rules, make sure you properly understand and plan for rule dependencies. Incorrect scheduling can lead to inconsistent rule results. -1. Navigate to the detection rules page, and do one of the following: +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. From the *Rules* page, do one of the following: * Select the **All actions** menu (**...**) on a rule, then select **Manual run**. * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**. . Specify when the manual run starts and ends. The default selection is the current day starting three hours in the past. The rule will search for events during the selected time range. 
@@ -162,7 +163,8 @@ If you try to export with both prebuilt and custom rules selected, only the cust The `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. However, other configuration items require additional handling when exporting and importing rules: -- *Data views*: For rules that use a {kib} data view as a data source, the exported file contains the associated `data_view_id`, but does _not_ include any other data view configuration. To export/import between {kib} spaces, first use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-share-to-space[Saved Objects] UI (*Stack Management* -> *Kibana* -> *Saved Objects*) to share the data view with the destination space. +- *Data views*: For rules that use a {kib} data view as a data source, the exported file contains the associated `data_view_id`, but does _not_ include any other data view configuration. To export/import between {kib} spaces, first use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-share-to-space[Saved Objects] UI (*Stack Management* -> *Kibana* -> *Saved Objects*) to share the data view with the destination space. +//Revisit the nav instructions in this list item. + To import into a different {stack} deployment, the destination cluster must include a data view with a matching data view ID (configured in the {kibana-ref}/data-views.html[data view's advanced settings]). Alternatively, after importing, you can manually reconfigure the rule to use an appropriate data view in the destination system. 
@@ -170,11 +172,15 @@ To import into a different {stack} deployment, the destination cluster must incl + TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI (*Stack Management* -> *Kibana* -> *Saved Objects*) to export and import necessary connectors before importing detection rules. +//Revisit the nav instructions in the tip above. + - *Value lists*: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the <> UI (*Rules* -> *Detection rules (SIEM)* -> *Manage value lists*) to export and import value lists separately. +//Revisit the nav instructions in the list item above. + To export and import detection rules: -. Go to *Rules* -> *Detection rules (SIEM)*. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. @@ -198,6 +204,8 @@ NOTE: Imported rules must be in an `.ndjson` file. Many detection rules are designed to work with specific {integrations-docs}[Elastic integrations] and data fields. These prerequisites are identified in *Related integrations* and *Required fields* on a rule's details page (*Rules* -> *Detection rules (SIEM)*, then click a rule's name). *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. +//Revisit the nav instructions in the para above. + Additionally, the *Setup guide* section provides guidance on setting up the rule's requirements. [role="screenshot"] 
@@ -209,3 +217,5 @@ You can also check rules' related integrations in the *Installed Rules* and *Rul image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%] TIP: You can hide the *integrations* badge in the rules tables. Go to *{kib}* -> *Stack Management* -> *Advanced Settings*, then turn off `securitySolution:showRelatedIntegrations`. + +//Revisit the nav instructions in the tip above. \ No newline at end of file diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 946c98ac54..fb6f36cb7f 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -21,7 +21,9 @@ Refer to the <> section below for strategies on adjusting === Rule Monitoring tab To view a summary of all rule executions, including the most recent failures and execution -times, select the *Rule Monitoring* tab on the *Rules* page (*Rules* -> +times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to the *Rule Monitoring* tab. + + (*Rules* -> *Detection rules (SIEM)* -> *Rule Monitoring*). [role="screenshot"] @@ -41,6 +43,8 @@ Each detection rule execution is logged, including the execution type, the execu To access a rule's execution log, go to **Rules** → **Detection rules (SIEM)**, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Within the Execution log table, you can click the arrow at the end of a row to expand a long warning or error message. +//Revisit the nav instructions in the para above. + [role="screenshot"] image::images/rule-execution-logs.png[Execution log table on the rule execution results tab] 
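Review bot: the `@@ -21,7 +21,9 @@` hunk in rules-ui-monitor.asciidoc keeps the trailing context line `*Detection rules (SIEM)* -> *Rule Monitoring*).`, so after the new sentence and the added ` (*Rules* ->` line the rendered paragraph ends with an orphaned `(*Rules* -> *Detection rules (SIEM)* -> *Rule Monitoring*).` fragment; remove that context line and the re-added ` (*Rules* ->` opener together. The new sentence is also redundant ("select the *Rule Monitoring* tab on the *Rules* page ... then go to the *Rule Monitoring* tab"); suggest `To access it, find **Detection rules (SIEM)** in the main menu or look for "Detection rules (SIEM)" using the <>, then select the *Rule Monitoring* tab.` Separately, the rules-ui-manage.asciidoc hunk `@@ -209,3 +217,5 @@` ends with `\ No newline at end of file`; add the trailing newline.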
@@ -125,6 +129,8 @@ If you see values in the Gaps column in the Rule Monitoring table or on the Rule for a small number of rules, you can increase those rules' Additional look-back time (*Rules* -> *Detection rules (SIEM)* -> the rule's *All actions* menu (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*). +//Revisit the nav instructions in the para above. + It's recommended to set the `Additional look-back time` to at least 1 minute. This ensures there are no missing alerts when a rule doesn't run exactly at its scheduled time. diff --git a/docs/detections/shared-exception-lists.asciidoc b/docs/detections/shared-exception-lists.asciidoc index b7eab6e2e9..171d591d8d 100644 --- a/docs/detections/shared-exception-lists.asciidoc +++ b/docs/detections/shared-exception-lists.asciidoc @@ -14,7 +14,7 @@ image::images/rule-exceptions-page.png[Shared Exception Lists page] Set up shared exception lists to contain exception items: -. Go to *Rules* -> *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. . Click *Create shared exception list* -> *Create shared list*. . Give the shared exception list a name. . (Optional) Provide a description. @@ -26,7 +26,7 @@ Set up shared exception lists to contain exception items: Add exception items: -. Go to *Rules* -> *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. . Click *Create shared exception list* -> *Create exception item*. + TIP: You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking *Create rule exception*. After creating an exception, you can associate the shared exception list with rules. Refer to <> to learn more. 
@@ -73,7 +73,7 @@ Closes all alerts that match the exception's conditions and were generated only Apply shared exception lists to rules: -. Go to *Rules* -> *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. . Do one of the following: ** Select a shared exception list's name to open its details page, then click *Link rules*. ** Find the shared exception list you want to assign to rules, then from the *More actions* menu (*...*), select *Link rules*. diff --git a/docs/detections/value-list-exceptions.asciidoc b/docs/detections/value-list-exceptions.asciidoc index 609c2ef095..a05c34a19d 100644 --- a/docs/detections/value-list-exceptions.asciidoc +++ b/docs/detections/value-list-exceptions.asciidoc @@ -39,7 +39,7 @@ act as delimiters. * The maximum accepted file size is 9 million bytes. ========================= -. Go to *Rules* -> *Detection rules (SIEM)*. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . Click *Manage value lists*. The *Manage value lists* window opens. + [role="screenshot"] @@ -61,7 +61,7 @@ You can edit, remove, or export existing value lists. [discrete] ==== Edit value lists -. Go to **Rules** → **Detection rules (SIEM)**. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . Click **Manage value lists**. The **Manage value lists** window opens. . In the **Value lists** table, click the value list you want to edit. . Do any of the following: 
@@ -83,7 +83,7 @@ TIP: You can also edit value lists while creating and managing exceptions that u [discrete] ==== Export or remove value lists -. Go to *Rules* -> *Detection rules (SIEM)*. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. . Click *Manage value lists*. The *Manage value lists* window opens. . From the *Value lists* table, you can: .. Click the **Export value list** button (image:images/export-value-list.png[Export button from Manage value lists window,15,15]) to export the value list. From 55ef7529ba2300994d471f505b61cbd60440b7d1 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 23 Oct 2024 23:24:28 -0400 Subject: [PATCH 03/10] Fix refs --- docs/detections/add-exceptions.asciidoc | 10 +++++----- docs/detections/building-block-rule.asciidoc | 2 +- docs/detections/prebuilt-rules-management.asciidoc | 6 +++--- .../prebuilt-rules/tune-rule-signals.asciidoc | 2 +- docs/detections/rules-ui-create.asciidoc | 14 +++++++------- docs/detections/rules-ui-manage.asciidoc | 8 ++++---- docs/detections/rules-ui-monitor.asciidoc | 2 +- docs/detections/shared-exception-lists.asciidoc | 6 +++--- docs/detections/value-list-exceptions.asciidoc | 6 +++--- 9 files changed, 28 insertions(+), 28 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 0d1fe9c2b8..2f785949cb 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -47,16 +47,16 @@ exception (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). image::images/rule-exception-tab.png[Detail of rule exceptions tab] * To add an exception from the Alerts table: -.. Find **Alerts** in the main menu or by using the <>. +.. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*. * To add an exception from the alert details flyout: -.. Find **Alerts** in the main menu or by using the <>. +.. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Click the *View details* button from the Alerts table. .. In the alert details flyout, click *Take action -> Add rule exception*. * To add an exception from the Shared Exception Lists page: -.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. +.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. .. Click *Create shared exception list* -> *Create exception item*. -- 
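Review bot: the context line directly above the first hunk still reads `exception (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*).`, the old path style this series is removing, so the rule-details route and the Alerts-table route in the same list now describe navigation two different ways; update that step in the same change. Separately, the full `{kibana-ref}/introduction.html#kibana-navigation-search[global search field]` link is now pasted verbatim into every step across nine files; defining one AsciiDoc document attribute for it (name to be chosen by the docs team) would make the next change to that URL a one-line edit instead of another 28-line patch.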
@@ -163,12 +163,12 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: -.. Find **Alerts** in the main menu or by using the <>. +.. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, and from an {elastic-endpoint} alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*. * To add an Endpoint exception from Shared Exception Lists page: -.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. +.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*. + NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index d99dcf7380..be73ae0394 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc 
@@ -25,7 +25,7 @@ image::images/alert-indices-ui.png[] By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. -. Find **Alerts** in the main menu or by using the <>. +. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . In the Alerts table, select *Additional filters* -> *Include building block alerts*, located on the far-right. diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index 87e2618399..a7dc941bd6 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -27,7 +27,7 @@ Follow these guidelines to start using the {security-app}'s <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. + The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation. + @@ -83,7 +83,7 @@ Each prebuilt rule includes several tags identifying the rule's purpose, detecti [[select-all-prebuilt-rules]] === Select and duplicate all prebuilt rules -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, select the *Elastic rules* filter. . Click *Select all _x_ rules* above the rules table. . Click *Bulk actions* -> *Duplicate*. 
@@ -97,7 +97,7 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, select the *Rule Updates* tab. + NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date. diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index cd6e82df53..fdb4ec5f33 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc @@ -35,7 +35,7 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. + The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed. 
diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 2783643563..2de43b193c 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -42,7 +42,7 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user role, and the selected {ml} job must be running for the rule to function correctly. ============== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select: .. The required {ml} jobs. + @@ -67,7 +67,7 @@ in the step or its sub-steps, apply the change to the other rule types, too. [discrete] [[create-custom-rule]] === Create a custom query rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then: .. Define which {es} indices or data view the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting 
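Review bot: the context line in the first rules-ui-create hunk, `. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select:`, is missing the word "page" after `*Create new rule*`; the custom query hunk in the same file reads "on the *Create new rule* page, then:", which is the intended wording. The line is unchanged context here, so it needs its own fix in this commit or a follow-up.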
@@ -117,7 +117,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-threshold-rule]] === Create a threshold rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting @@ -157,7 +157,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-eql-rule]] === Create an event correlation rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then: . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. 
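Review bot: the event correlation hunk leaves two consecutive numbered steps that both begin "To create an event correlation rule using EQL, select *Event Correlation*"; the older wording (without "on the *Create new rule* page") was evidently not removed when the new line was added, so the rendered procedure gains a duplicate step 2. Delete `. To create an event correlation rule using EQL, select *Event Correlation*, then:` and keep the version that names the page.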
@@ -224,7 +224,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields: .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from @@ -315,7 +315,7 @@ image::images/indicator_value_list.png[] [[create-new-terms-rule]] === Create a new terms rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then: .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view. .. Use the filter and query fields to create the criteria used for detecting 
@@ -355,7 +355,7 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Select **{esql}**, then write a query. + NOTE: Refer to the sections below to learn more about <>, <>, and <>. diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index a611c2a5b5..795afa51f4 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -67,7 +67,7 @@ For prebuilt Elastic rules, you can't modify most settings. You can only edit << Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ==== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: 
@@ -98,7 +98,7 @@ You can duplicate, enable, disable, delete, and snooze actions for rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. @@ -115,7 +115,7 @@ Manually run enabled rules for a specified period of time for testing purposes o IMPORTANT: Before manually running rules, make sure you properly understand and plan for rule dependencies. Incorrect scheduling can lead to inconsistent rule results. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, do one of the following: * Select the **All actions** menu (**...**) on a rule, then select **Manual run**. * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**. 
@@ -180,7 +180,7 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing- To export and import detection rules: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index fb6f36cb7f..1782a224bb 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -21,7 +21,7 @@ Refer to the <> section below for strategies on adjusting === Rule Monitoring tab To view a summary of all rule executions, including the most recent failures and execution -times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to the *Rule Monitoring* tab. +times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. (*Rules* -> *Detection rules (SIEM)* -> *Rule Monitoring*). diff --git a/docs/detections/shared-exception-lists.asciidoc b/docs/detections/shared-exception-lists.asciidoc index 171d591d8d..5f8afb4315 100644 --- a/docs/detections/shared-exception-lists.asciidoc +++ b/docs/detections/shared-exception-lists.asciidoc 
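Review bot: in the rules-ui-monitor hunk the unchanged context line `(*Rules* -> *Detection rules (SIEM)* -> *Rule Monitoring*).` now dangles after a sentence that already ends with "then go to the *Rule Monitoring* tab", so the old path is repeated in a parenthetical that no longer attaches to anything; remove it. The surrounding sentence also says "select the *Rule Monitoring* tab on the *Rules* page" and then "To access the tab, ... then go to the *Rule Monitoring* tab", which states the same action twice; one sentence of navigation is enough.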
@@ -14,7 +14,7 @@ image::images/rule-exceptions-page.png[Shared Exception Lists page] Set up shared exception lists to contain exception items: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Click *Create shared exception list* -> *Create shared list*. . Give the shared exception list a name. . (Optional) Provide a description. @@ -26,7 +26,7 @@ Set up shared exception lists to contain exception items: Add exception items: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Click *Create shared exception list* -> *Create exception item*. + TIP: You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking *Create rule exception*. After creating an exception, you can associate the shared exception list with rules. Refer to <> to learn more. 
@@ -73,7 +73,7 @@ Closes all alerts that match the exception's conditions and were generated only Apply shared exception lists to rules: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>, then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Do one of the following: ** Select a shared exception list's name to open its details page, then click *Link rules*. ** Find the shared exception list you want to assign to rules, then from the *More actions* menu (*...*), select *Link rules*. diff --git a/docs/detections/value-list-exceptions.asciidoc b/docs/detections/value-list-exceptions.asciidoc index a05c34a19d..86e7837586 100644 --- a/docs/detections/value-list-exceptions.asciidoc +++ b/docs/detections/value-list-exceptions.asciidoc @@ -39,7 +39,7 @@ act as delimiters. * The maximum accepted file size is 9 million bytes. ========================= -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. + [role="screenshot"] 
@@ -61,7 +61,7 @@ You can edit, remove, or export existing value lists. [discrete] ==== Edit value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click **Manage value lists**. The **Manage value lists** window opens. . In the **Value lists** table, click the value list you want to edit. . Do any of the following: @@ -83,7 +83,7 @@ TIP: You can also edit value lists while creating and managing exceptions that u [discrete] ==== Export or remove value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the <>. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. . From the *Value lists* table, you can: .. Click the **Export value list** button (image:images/export-value-list.png[Export button from Manage value lists window,15,15]) to export the value list. From 051426982da1eb66396010bf460d2dc8734a718b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 24 Oct 2024 13:25:52 -0400 Subject: [PATCH 04/10] Addresses comments --- docs/detections/add-exceptions.asciidoc | 18 ++++++++++-------- docs/detections/rules-coverage.asciidoc | 6 +++--- .../rules-cross-cluster-search.asciidoc | 4 ++-- docs/detections/rules-ui-manage.asciidoc | 19 +++++-------------- docs/detections/rules-ui-monitor.asciidoc | 12 ++---------- 5 files changed, 22 insertions(+), 37 deletions(-) 
diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 2f785949cb..4f9108dc60 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -38,9 +38,8 @@ specific event in the sequence, update the rule's EQL statement. For example: + -- * To add an exception from the rule details page: -.. Go to the rule details page of the rule to which you want to add an -exception (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). -//Revisit the nav instructions in this step. +.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Search for the rule that you want to add an exception to, then click its name to open the rule details. .. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*. + [role="screenshot"] @@ -158,8 +157,8 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there -- * To add an Endpoint exception from the rule details page: -.. Go to the rule details page (*Rules* -> *Detection rules (SIEM)*), and then search for and select the Elastic *Endpoint Security* rule. -//Revisit the instructions in the above step. +.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Search for and select the Elastic *Endpoint Security* rule. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: 
@@ -266,10 +265,13 @@ image::images/nested-exp.png[] [[manage-exception]] === View and manage exceptions -To view a rule's exceptions, open the rule's details page (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*), then scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*. - -//Revisit the instruction in the para above. +To view a rule's exceptions: +. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details. +. Scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. ++ +From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*. ++ [role="screenshot"] image::images/manage-default-rule-list.png[A default rule list] diff --git a/docs/detections/rules-coverage.asciidoc b/docs/detections/rules-coverage.asciidoc index 3ff609d157..8e3e7d639a 100644 --- a/docs/detections/rules-coverage.asciidoc +++ b/docs/detections/rules-coverage.asciidoc 
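Review bot: in the add-exceptions hunk, `+To view a rule's exceptions:` is immediately followed by `+. Open the rule's details page. ...` with no blank line between them; at the top level of an AsciiDoc document a list marker does not interrupt a paragraph, so the two steps are at risk of being rendered as run-on text inside the lead-in paragraph rather than as an ordered list. Insert an empty line after the colon. The `+` continuation lines that follow are fine once the list is recognised.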
@@ -6,12 +6,12 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [manage, analyze, visualize] -The **MITRE ATT&CK® coverage** page (**Rules** -> **MITRE ATT&CK® Coverage**) shows which https://attack.mitre.org[MITRE ATT&CK®] adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. - -//Revisit the nav instructions in the para above. +The **MITRE ATT&CK® coverage** page shows which https://attack.mitre.org[MITRE ATT&CK®] adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic's related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. +To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**. + [NOTE] ==== This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following https://attack.mitre.org/resources/updates/updates-april-2024[MITRE ATT&CK® version] used by {elastic-sec}: `v15.1`. Elastic prebuilt rules that aren't installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. diff --git a/docs/detections/rules-cross-cluster-search.asciidoc b/docs/detections/rules-cross-cluster-search.asciidoc index b4b08327ce..60ffeb5fea 100644 --- a/docs/detections/rules-cross-cluster-search.asciidoc +++ b/docs/detections/rules-cross-cluster-search.asciidoc 
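Review bot: in the rules-cross-cluster-search hunk the new step is wrapped so that its second line is just `*Rules*.`; a line starting with an asterisk inside a list item is one stray space away from becoming an unordered-list marker and is easy to misread as one, so keep the step on a single line like the equivalent steps elsewhere in the series. The phrasing "in the main menu or by using the" here also differs from the "in the main menu or look for ... using the" wording used in the other files; pick one form.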
@@ -66,8 +66,8 @@ To update a rule's API key, log into the local cluster as a user with the privil * Edit and save the rule. * Update the rule's API key manually: -. Go to {kib} -> *Stack Management* -> *Rules*. -//Revisit nav instructions in step 1. +. Find **Stack Management** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to +*Rules*. . Use the search box and filters to find the rules you want to update. For example, use the *Type* filter to find rules under the *Security* category. . Select the rule's actions menu (*...*), then *Update API key*. + diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 795afa51f4..f9f076d13e 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -163,20 +163,15 @@ If you try to export with both prebuilt and custom rules selected, only the cust The `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. However, other configuration items require additional handling when exporting and importing rules: -- *Data views*: For rules that use a {kib} data view as a data source, the exported file contains the associated `data_view_id`, but does _not_ include any other data view configuration. To export/import between {kib} spaces, first use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-share-to-space[Saved Objects] UI (*Stack Management* -> *Kibana* -> *Saved Objects*) to share the data view with the destination space. -//Revisit the nav instructions in this list item. +- *Data views*: For rules that use a {kib} data view as a data source, the exported file contains the associated `data_view_id`, but does _not_ include any other data view configuration. To export/import between {kib} spaces, first use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-share-to-space[Saved Objects] UI to share the data view with the destination space. + To import into a different {stack} deployment, the destination cluster must include a data view with a matching data view ID (configured in the {kibana-ref}/data-views.html[data view's advanced settings]). Alternatively, after importing, you can manually reconfigure the rule to use an appropriate data view in the destination system. - *Actions and connectors*: Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) _is not_ included. You must re-add missing connector details after importing detection rules. 
+ -TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI (*Stack Management* -> *Kibana* -> *Saved Objects*) to export and import necessary connectors before importing detection rules. +TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI to export and import necessary connectors before importing detection rules. -//Revisit the nav instructions in the tip above. - -- *Value lists*: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the <> UI (*Rules* -> *Detection rules (SIEM)* -> *Manage value lists*) to export and import value lists separately. - -//Revisit the nav instructions in the list item above. +- *Value lists*: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the <> UI to export and import value lists separately. To export and import detection rules: 
@@ -202,9 +197,7 @@ NOTE: Imported rules must be in an `.ndjson` file. [[rule-prerequisites]] === Confirm rule prerequisites -Many detection rules are designed to work with specific {integrations-docs}[Elastic integrations] and data fields. These prerequisites are identified in *Related integrations* and *Required fields* on a rule's details page (*Rules* -> *Detection rules (SIEM)*, then click a rule's name). *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. - -//Revisit the nav instructions in the para above. +Many detection rules are designed to work with specific {integrations-docs}[Elastic integrations] and data fields. These prerequisites are identified in *Related integrations* and *Required fields* on a rule's details page. *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. Additionally, the *Setup guide* section provides guidance on setting up the rule's requirements. @@ -216,6 +209,4 @@ You can also check rules' related integrations in the *Installed Rules* and *Rul [role="screenshot"] image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%] -TIP: You can hide the *integrations* badge in the rules tables. Go to *{kib}* -> *Stack Management* -> *Advanced Settings*, then turn off `securitySolution:showRelatedIntegrations`. - -//Revisit the nav instructions in the tip above. \ No newline at end of file +TIP: You can hide the *integrations* badge in the rules tables. To do this, turn off `securitySolution:showRelatedIntegrations` <>. diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 1782a224bb..625897beb7 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -23,9 +23,6 @@ Refer to the <> section below for strategies on adjusting To view a summary of all rule executions, including the most recent failures and execution times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. - (*Rules* -> -*Detection rules (SIEM)* -> *Rule Monitoring*). - [role="screenshot"] image::images/monitor-table.png[] @@ -41,9 +38,7 @@ For detailed information on a rule, the alerts it generated, and associated erro Each detection rule execution is logged, including the execution type, the execution's success or failure, any warning or error messages, how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn't behaving as expected (for example, if it isn't creating alerts or takes a long time to run). -To access a rule's execution log, go to **Rules** → **Detection rules (SIEM)**, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Within the Execution log table, you can click the arrow at the end of a row to expand a long warning or error message. - -//Revisit the nav instructions in the para above. +To access a rule's execution log, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Within the Execution log table, you can click the arrow at the end of a row to expand a long warning or error message. [role="screenshot"] image::images/rule-execution-logs.png[Execution log table on the rule execution results tab] 
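Review bot: In the second rules-ui-monitor.asciidoc hunk (@@ -41,9 +38,7), the rewritten line `+To access a rule's execution log, click the rule's name to open its details, ...` no longer tells the reader which page they are clicking from; the deleted line started the path at **Rules** → **Detection rules (SIEM)**. Suggest naming the page, e.g. `To access a rule's execution log, go to the *Rules* page, click the rule's name to open its details, ...`, or reusing the "find **Detection rules (SIEM)** in the main menu or ... global search field" wording the first hunk in this file adopted.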
@@ -126,10 +121,7 @@ If you receive this warning, go to the rule's **Alerts** tab and check for anyth ==== Troubleshoot gaps If you see values in the Gaps column in the Rule Monitoring table or on the Rule details page -for a small number of rules, you can increase those rules' -Additional look-back time (*Rules* -> *Detection rules (SIEM)* -> the rule's *All actions* menu (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*). - -//Revisit the nav instructions in the para above. +for a small number of rules, you can edit those rules and increase their additional look-back time. It's recommended to set the `Additional look-back time` to at least 1 minute. This ensures there are no missing alerts when a rule doesn't From 483329d11fbb786618eee1d280ca6377da23e840 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 24 Oct 2024 13:35:01 -0400 Subject: [PATCH 05/10] removes additional comment --- docs/detections/rules-ui-create.asciidoc | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 2de43b193c..a2a91a2f68 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
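Review bot: In the rules-ui-monitor.asciidoc `==== Troubleshoot gaps` hunk (@@ -126,10 +121,7), the new line `+for a small number of rules, you can edit those rules and increase their additional look-back time.` names the setting in lowercase prose while the unchanged next sentence calls it `Additional look-back time` in monospace; pick one form. The deleted path also told the reader where the setting lives (*Edit rule settings* -> *Schedule*), which the replacement drops entirely; consider `...edit those rules and increase the *Additional look-back time* under *Schedule*.`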
@@ -302,11 +302,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi * *Field*: Enter the field from the Elastic Security event indices to be used for comparing values. * *Indicator index field*: Enter the type of value list you created (i.e., `keyword`, `text`, or `IP`). + -TIP: If you don't remember this information, go to *Rules* -> *Detection rules (SIEM)* -> *Manage value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) - -//// -Revisit this tip ^ -//// +TIP: If you don't remember this information, refer to the appropriate <> and find the list's type in the *Type* column (for example, the type can be `Keywords`, `Text`, or `IP`). [role="screenshot"] image::images/indicator_value_list.png[] From 1a2c38f60437d272362afab8639d8ee9359d5408 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 29 Oct 2024 23:37:58 -0400 Subject: [PATCH 06/10] Changes menu to navigation --- docs/detections/add-exceptions.asciidoc | 16 ++++++++-------- docs/detections/building-block-rule.asciidoc | 2 +- .../prebuilt-rules-management.asciidoc | 6 +++--- .../prebuilt-rules/tune-rule-signals.asciidoc | 2 +- docs/detections/rules-coverage.asciidoc | 2 +- .../rules-cross-cluster-search.asciidoc | 2 +- docs/detections/rules-ui-create.asciidoc | 14 +++++++------- docs/detections/rules-ui-manage.asciidoc | 8 ++++---- docs/detections/rules-ui-monitor.asciidoc | 2 +- docs/detections/shared-exception-lists.asciidoc | 6 +++--- docs/detections/value-list-exceptions.asciidoc | 6 +++--- 11 files changed, 33 insertions(+), 33 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 4f9108dc60..bb34382d80 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
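Review bot: In the rules-ui-create.asciidoc hunk of PATCH 05/10 (@@ -302,11 +302,7), the new TIP lists the value list types as `Keywords`, `Text`, or `IP`, while the context bullet two lines above it (`*Indicator index field*: Enter the type of value list you created (i.e., `keyword`, `text`, or `IP`)`) uses `keyword` and `text`; both should match what the *Type* column actually displays. While here, `i.e.` in that bullet introduces examples, so `for example` is the right phrase.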
@@ -38,7 +38,7 @@ specific event in the sequence, update the rule's EQL statement. For example: + -- * To add an exception from the rule details page: -.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Search for the rule that you want to add an exception to, then click its name to open the rule details. .. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*. + 
@@ -46,16 +46,16 @@ specific event in the sequence, update the rule's EQL statement. For example: image::images/rule-exception-tab.png[Detail of rule exceptions tab] * To add an exception from the Alerts table: -.. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*. * To add an exception from the alert details flyout: -.. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Click the *View details* button from the Alerts table. .. In the alert details flyout, click *Take action -> Add rule exception*. * To add an exception from the Shared Exception Lists page: -.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. .. Click *Create shared exception list* -> *Create exception item*. -- 
@@ -157,17 +157,17 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there -- * To add an Endpoint exception from the rule details page: -.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Search for and select the Elastic *Endpoint Security* rule. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: -.. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, and from an {elastic-endpoint} alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*. * To add an Endpoint exception from Shared Exception Lists page: -.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*. 
+ NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. @@ -267,7 +267,7 @@ image::images/nested-exp.png[] To view a rule's exceptions: -. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details. +. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details. . Scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. + From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*. diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index be73ae0394..df6365a2cb 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc 
@@ -25,7 +25,7 @@ image::images/alert-indices-ui.png[] By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. -. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find **Alerts** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . In the Alerts table, select *Additional filters* -> *Include building block alerts*, located on the far-right. diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index a7dc941bd6..1562a59562 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -27,7 +27,7 @@ Follow these guidelines to start using the {security-app}'s < *Duplicate*. @@ -97,7 +97,7 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, select the *Rule Updates* tab. + NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date. 
diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index fdb4ec5f33..dc1de98a55 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc @@ -35,7 +35,7 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. + The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed. diff --git a/docs/detections/rules-coverage.asciidoc b/docs/detections/rules-coverage.asciidoc index 8e3e7d639a..0fa4567f54 100644 --- a/docs/detections/rules-coverage.asciidoc +++ b/docs/detections/rules-coverage.asciidoc 
@@ -10,7 +10,7 @@ The **MITRE ATT&CK® coverage** page shows which https://attack.mitre.org[MITRE Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic's related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. -To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**. +To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**. [NOTE] ==== diff --git a/docs/detections/rules-cross-cluster-search.asciidoc b/docs/detections/rules-cross-cluster-search.asciidoc index 60ffeb5fea..f2a97d5325 100644 --- a/docs/detections/rules-cross-cluster-search.asciidoc +++ b/docs/detections/rules-cross-cluster-search.asciidoc @@ -66,7 +66,7 @@ To update a rule's API key, log into the local cluster as a user with the privil * Edit and save the rule. * Update the rule's API key manually: -. Find **Stack Management** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to +. Find **Stack Management** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Rules*. . Use the search box and filters to find the rules you want to update. For example, use the *Type* filter to find rules under the *Security* category. . Select the rule's actions menu (*...*), then *Update API key*. 
diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index a2a91a2f68..22ba243561 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -42,7 +42,7 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user role, and the selected {ml} job must be running for the rule to function correctly. ============== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select: .. The required {ml} jobs. + @@ -67,7 +67,7 @@ in the step or its sub-steps, apply the change to the other rule types, too. [discrete] [[create-custom-rule]] === Create a custom query rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then: .. Define which {es} indices or data view the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting 
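Review bot: In the first rules-ui-create.asciidoc hunk of PATCH 06/10 (@@ -42,7 +42,7), the context line `. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select:` is missing `page` after `*Create new rule*`; every other rule type in this file reads `on the *Create new rule* page`. Since the series already edits the line directly above, fix it in the same commit.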
@@ -117,7 +117,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-threshold-rule]] === Create a threshold rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting @@ -157,7 +157,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-eql-rule]] === Create an event correlation rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then: . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. 
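Review bot: In the rules-ui-create.asciidoc `=== Create an event correlation rule` hunk (@@ -157,7 +157,7), the context shows two consecutive versions of the same step: `. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:` immediately followed by `. To create an event correlation rule using EQL, select *Event Correlation*, then:`. The second is the pre-series wording left behind when the first was added; delete it, otherwise the rendered list carries a duplicate numbered step.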
@@ -224,7 +224,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields: .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from @@ -311,7 +311,7 @@ image::images/indicator_value_list.png[] [[create-new-terms-rule]] === Create a new terms rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then: .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view. .. Use the filter and query fields to create the criteria used for detecting 
@@ -351,7 +351,7 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Select **{esql}**, then write a query. + NOTE: Refer to the sections below to learn more about <>, <>, and <>. diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index f9f076d13e..6c92a9952d 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -67,7 +67,7 @@ For prebuilt Elastic rules, you can't modify most settings. You can only edit << Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ==== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: 
@@ -98,7 +98,7 @@ You can duplicate, enable, disable, delete, and snooze actions for rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. 
@@ -115,7 +115,7 @@ Manually run enabled rules for a specified period of time for testing purposes o IMPORTANT: Before manually running rules, make sure you properly understand and plan for rule dependencies. Incorrect scheduling can lead to inconsistent rule results. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, do one of the following: * Select the **All actions** menu (**...**) on a rule, then select **Manual run**. * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**. @@ -175,7 +175,7 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing- To export and import detection rules: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 625897beb7..f55f783e4c 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -21,7 +21,7 @@ Refer to the <> section below for strategies on adjusting === Rule Monitoring tab To view a summary of all rule executions, including the most recent failures and execution -times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. +times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. [role="screenshot"] image::images/monitor-table.png[] diff --git a/docs/detections/shared-exception-lists.asciidoc b/docs/detections/shared-exception-lists.asciidoc index 5f8afb4315..6158226627 100644 --- a/docs/detections/shared-exception-lists.asciidoc +++ b/docs/detections/shared-exception-lists.asciidoc @@ -14,7 +14,7 @@ image::images/rule-exceptions-page.png[Shared Exception Lists page] Set up shared exception lists to contain exception items: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Click *Create shared exception list* -> *Create shared list*. . Give the shared exception list a name. . (Optional) Provide a description. 
@@ -26,7 +26,7 @@ Set up shared exception lists to contain exception items: Add exception items: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Click *Create shared exception list* -> *Create exception item*. + TIP: You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking *Create rule exception*. After creating an exception, you can associate the shared exception list with rules. Refer to <> to learn more. @@ -73,7 +73,7 @@ Closes all alerts that match the exception's conditions and were generated only Apply shared exception lists to rules: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Do one of the following: ** Select a shared exception list's name to open its details page, then click *Link rules*. ** Find the shared exception list you want to assign to rules, then from the *More actions* menu (*...*), select *Link rules*. diff --git a/docs/detections/value-list-exceptions.asciidoc b/docs/detections/value-list-exceptions.asciidoc index 86e7837586..dd118b023b 100644 
--- a/docs/detections/value-list-exceptions.asciidoc +++ b/docs/detections/value-list-exceptions.asciidoc @@ -39,7 +39,7 @@ act as delimiters. * The maximum accepted file size is 9 million bytes. ========================= -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. + [role="screenshot"] @@ -61,7 +61,7 @@ You can edit, remove, or export existing value lists. [discrete] ==== Edit value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click **Manage value lists**. The **Manage value lists** window opens. . In the **Value lists** table, click the value list you want to edit. . Do any of the following: 
@@ -83,7 +83,7 @@ TIP: You can also edit value lists while creating and managing exceptions that u [discrete] ==== Export or remove value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. . From the *Value lists* table, you can: .. Click the **Export value list** button (image:images/export-value-list.png[Export button from Manage value lists window,15,15]) to export the value list. From 2da610cd5b1026521d6cf748b1685bdfc9adb73f Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 29 Oct 2024 23:43:42 -0400 Subject: [PATCH 07/10] re-adds menu after nav --- docs/detections/add-exceptions.asciidoc | 16 ++++++++-------- docs/detections/building-block-rule.asciidoc | 2 +- .../prebuilt-rules-management.asciidoc | 6 +++--- .../prebuilt-rules/tune-rule-signals.asciidoc | 2 +- docs/detections/rules-coverage.asciidoc | 2 +- .../rules-cross-cluster-search.asciidoc | 2 +- docs/detections/rules-ui-create.asciidoc | 14 +++++++------- docs/detections/rules-ui-manage.asciidoc | 8 ++++---- docs/detections/rules-ui-monitor.asciidoc | 2 +- docs/detections/shared-exception-lists.asciidoc | 6 +++--- docs/detections/value-list-exceptions.asciidoc | 6 +++--- 11 files changed, 33 insertions(+), 33 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index bb34382d80..3537f5ea18 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -38,7 +38,7 @@ specific event in the sequence, update the rule's EQL statement. For example: + -- * To add an exception from the rule details page: -.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Search for the rule that you want to add an exception to, then click its name to open the rule details. .. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*. + 
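Review bot: the added line in this add-exceptions.asciidoc hunk has a doubled word: "find **Detection rules (SIEM)** in the main navigation menu menu or look for". Every other occurrence in the commit reads "in the main navigation menu", so this one should be "in the main navigation menu or look for".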
@@ -46,16 +46,16 @@ specific event in the sequence, update the rule's EQL statement. For example: image::images/rule-exception-tab.png[Detail of rule exceptions tab] * To add an exception from the Alerts table: -.. Find **Alerts** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*. * To add an exception from the alert details flyout: -.. Find **Alerts** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Click the *View details* button from the Alerts table. .. In the alert details flyout, click *Take action -> Add rule exception*. * To add an exception from the Shared Exception Lists page: -.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. .. Click *Create shared exception list* -> *Create exception item*. -- 
@@ -157,17 +157,17 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there -- * To add an Endpoint exception from the rule details page: -.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Search for and select the Elastic *Endpoint Security* rule. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: -.. Find **Alerts** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, and from an {elastic-endpoint} alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*. * To add an Endpoint exception from Shared Exception Lists page: -.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. 
Next, click *Add endpoint exception*. + NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. @@ -267,7 +267,7 @@ image::images/nested-exp.png[] To view a rule's exceptions: -. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details. +. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details. . Scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. + From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*. diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index df6365a2cb..6a5c7d6832 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc 
@@ -25,7 +25,7 @@ image::images/alert-indices-ui.png[] By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. -. Find **Alerts** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find **Alerts** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . In the Alerts table, select *Additional filters* -> *Include building block alerts*, located on the far-right. diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index 1562a59562..a5aef0ed06 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -27,7 +27,7 @@ Follow these guidelines to start using the {security-app}'s < *Duplicate*. 
@@ -97,7 +97,7 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, select the *Rule Updates* tab. + NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date. diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index dc1de98a55..7dc7f79c17 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc 
@@ -35,7 +35,7 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. + The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed. diff --git a/docs/detections/rules-coverage.asciidoc b/docs/detections/rules-coverage.asciidoc index 0fa4567f54..700ad0baff 100644 --- a/docs/detections/rules-coverage.asciidoc +++ b/docs/detections/rules-coverage.asciidoc @@ -10,7 +10,7 @@ The **MITRE ATT&CK® coverage** page shows which https://attack.mitre.org[MITRE Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic's related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. -To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**. +To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**. [NOTE] ==== 
diff --git a/docs/detections/rules-cross-cluster-search.asciidoc b/docs/detections/rules-cross-cluster-search.asciidoc index f2a97d5325..b4d67d6ece 100644 --- a/docs/detections/rules-cross-cluster-search.asciidoc +++ b/docs/detections/rules-cross-cluster-search.asciidoc @@ -66,7 +66,7 @@ To update a rule's API key, log into the local cluster as a user with the privil * Edit and save the rule. * Update the rule's API key manually: -. Find **Stack Management** in the main navigation or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to +. Find **Stack Management** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Rules*. . Use the search box and filters to find the rules you want to update. For example, use the *Type* filter to find rules under the *Security* category. . Select the rule's actions menu (*...*), then *Update API key*. diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 22ba243561..d165532911 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -42,7 +42,7 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user role, and the selected {ml} job must be running for the rule to function correctly. ============== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select: .. The required {ml} jobs. + @@ -67,7 +67,7 @@ in the step or its sub-steps, apply the change to the other rule types, too. [discrete] [[create-custom-rule]] === Create a custom query rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then: .. Define which {es} indices or data view the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting 
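Review bot: the unchanged context line right after the replaced navigation step in the {ml} hunk of rules-ui-create.asciidoc is missing the word "page": "select *Machine Learning* on the *Create new rule*, then select:". The custom query hunk immediately below it already reads "on the *Create new rule* page, then:"; since this commit is sweeping the navigation wording in this file, fix the {ml} step to match.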
@@ -117,7 +117,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-threshold-rule]] === Create a threshold rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting @@ -157,7 +157,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-eql-rule]] === Create an event correlation rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then: . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. 
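Review bot: the event correlation hunk (`@@ -157,7 +157,7 @@`) in rules-ui-create.asciidoc shows a duplicated numbered step left over from the earlier rewrite: ". To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:" is immediately followed by ". To create an event correlation rule using EQL, select *Event Correlation*, then:". Readers will see steps 2 and 3 as the same instruction. Remove the second, older line while this hunk is being touched.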
@@ -224,7 +224,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields: .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from @@ -311,7 +311,7 @@ image::images/indicator_value_list.png[] [[create-new-terms-rule]] === Create a new terms rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then: .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view. .. Use the filter and query fields to create the criteria used for detecting 
@@ -351,7 +351,7 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Select **{esql}**, then write a query. + NOTE: Refer to the sections below to learn more about <>, <>, and <>. diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 6c92a9952d..04588f4867 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -67,7 +67,7 @@ For prebuilt Elastic rules, you can't modify most settings. You can only edit << Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ==== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: 
@@ -98,7 +98,7 @@ You can duplicate, enable, disable, delete, and snooze actions for rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. 
@@ -115,7 +115,7 @@ Manually run enabled rules for a specified period of time for testing purposes o IMPORTANT: Before manually running rules, make sure you properly understand and plan for rule dependencies. Incorrect scheduling can lead to inconsistent rule results. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, do one of the following: * Select the **All actions** menu (**...**) on a rule, then select **Manual run**. * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**. @@ -175,7 +175,7 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing- To export and import detection rules: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index f55f783e4c..b3a02cafde 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -21,7 +21,7 @@ Refer to the <> section below for strategies on adjusting === Rule Monitoring tab To view a summary of all rule executions, including the most recent failures and execution -times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. +times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. [role="screenshot"] image::images/monitor-table.png[] diff --git a/docs/detections/shared-exception-lists.asciidoc b/docs/detections/shared-exception-lists.asciidoc index 6158226627..e9176909c0 100644 --- a/docs/detections/shared-exception-lists.asciidoc +++ b/docs/detections/shared-exception-lists.asciidoc @@ -14,7 +14,7 @@ image::images/rule-exceptions-page.png[Shared Exception Lists page] Set up shared exception lists to contain exception items: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Click *Create shared exception list* -> *Create shared list*. . Give the shared exception list a name. . (Optional) Provide a description. 
@@ -26,7 +26,7 @@ Set up shared exception lists to contain exception items: Add exception items: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Click *Create shared exception list* -> *Create exception item*. + TIP: You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking *Create rule exception*. After creating an exception, you can associate the shared exception list with rules. Refer to <> to learn more. @@ -73,7 +73,7 @@ Closes all alerts that match the exception's conditions and were generated only Apply shared exception lists to rules: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. . Do one of the following: ** Select a shared exception list's name to open its details page, then click *Link rules*. ** Find the shared exception list you want to assign to rules, then from the *More actions* menu (*...*), select *Link rules*. 
diff --git a/docs/detections/value-list-exceptions.asciidoc b/docs/detections/value-list-exceptions.asciidoc index dd118b023b..17ac6327e5 100644 --- a/docs/detections/value-list-exceptions.asciidoc +++ b/docs/detections/value-list-exceptions.asciidoc @@ -39,7 +39,7 @@ act as delimiters. * The maximum accepted file size is 9 million bytes. ========================= -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. + [role="screenshot"] @@ -61,7 +61,7 @@ You can edit, remove, or export existing value lists. [discrete] ==== Edit value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click **Manage value lists**. The **Manage value lists** window opens. . In the **Value lists** table, click the value list you want to edit. . Do any of the following: 
@@ -83,7 +83,7 @@ TIP: You can also edit value lists while creating and managing exceptions that u [discrete] ==== Export or remove value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. . From the *Value lists* table, you can: .. Click the **Export value list** button (image:images/export-value-list.png[Export button from Manage value lists window,15,15]) to export the value list. From 1f02e5db7c17a82f3241f2e992626c0b608cb61e Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 30 Oct 2024 16:38:44 -0400 Subject: [PATCH 08/10] Removes main --- docs/detections/add-exceptions.asciidoc | 16 ++++++++-------- docs/detections/building-block-rule.asciidoc | 2 +- .../prebuilt-rules-management.asciidoc | 6 +++--- .../prebuilt-rules/tune-rule-signals.asciidoc | 2 +- docs/detections/rules-coverage.asciidoc | 2 +- .../rules-cross-cluster-search.asciidoc | 2 +- docs/detections/rules-ui-create.asciidoc | 14 +++++++------- docs/detections/rules-ui-manage.asciidoc | 8 ++++---- docs/detections/rules-ui-monitor.asciidoc | 2 +- docs/detections/shared-exception-lists.asciidoc | 6 +++--- docs/detections/value-list-exceptions.asciidoc | 6 +++--- docs/getting-started/ingest-data.asciidoc | 2 +- docs/serverless/alerts/alert-suppression.mdx | 2 +- 13 files changed, 35 insertions(+), 35 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 3537f5ea18..d7059ac656 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -38,7 +38,7 @@ specific event in the sequence, update the rule's EQL statement. For example: + -- * To add an exception from the rule details page: -.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Search for the rule that you want to add an exception to, then click its name to open the rule details. .. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*. + 
@@ -46,16 +46,16 @@ specific event in the sequence, update the rule's EQL statement. For example: image::images/rule-exception-tab.png[Detail of rule exceptions tab] * To add an exception from the Alerts table: -.. Find **Alerts** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*. * To add an exception from the alert details flyout: -.. Find **Alerts** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Click the *View details* button from the Alerts table. .. In the alert details flyout, click *Take action -> Add rule exception*. * To add an exception from the Shared Exception Lists page: -.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +.. Find the **Shared exception lists** page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Click *Create shared exception list* -> *Create exception item*. -- 
@@ -157,17 +157,17 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there -- * To add an Endpoint exception from the rule details page: -.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Search for and select the Elastic *Endpoint Security* rule. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: -.. Find **Alerts** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, and from an {elastic-endpoint} alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*. * To add an Endpoint exception from Shared Exception Lists page: -.. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +.. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*. + NOTE: The Endpoint Security Exception List is automatically created. 
By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. @@ -267,7 +267,7 @@ image::images/nested-exp.png[] To view a rule's exceptions: -. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details. +. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details. . Scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. + From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*. diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index 6a5c7d6832..acac04d7f4 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc @@ -25,7 +25,7 @@ image::images/alert-indices-ui.png[] By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. -. Find **Alerts** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . In the Alerts table, select *Additional filters* -> *Include building block alerts*, located on the far-right. 
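Review bot: the bold markup for page names is inconsistent between the add-exceptions.asciidoc hunks: the Shared Exception Lists hunk above adds `**Shared exception lists**` (unconstrained, double asterisk) while the Endpoint exception hunk here adds `*Shared exception lists*` (single asterisk), and the same hunks keep `**Alerts**` and `**Detection rules (SIEM)**` in the double form. Both render as bold in AsciiDoc, so this is a style point, but the mixture means a later find-and-replace pass like this one will miss occurrences; pick the single `*...*` form that the surrounding steps already use (`*Rule exceptions*`, `*Add rule exception*`) and apply it to every page name in the file.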
diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index a5aef0ed06..5d5eabc721 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -27,7 +27,7 @@ Follow these guidelines to start using the {security-app}'s < *Duplicate*. @@ -97,7 +97,7 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, select the *Rule Updates* tab. + NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date. diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index 7dc7f79c17..c9a10290f0 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc 
@@ -35,7 +35,7 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. + The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed. diff --git a/docs/detections/rules-coverage.asciidoc b/docs/detections/rules-coverage.asciidoc index 700ad0baff..0667bde8e1 100644 --- a/docs/detections/rules-coverage.asciidoc +++ b/docs/detections/rules-coverage.asciidoc @@ -10,7 +10,7 @@ The **MITRE ATT&CK® coverage** page shows which https://attack.mitre.org[MITRE Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic's related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. -To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**. +To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**. [NOTE] ==== 
diff --git a/docs/detections/rules-cross-cluster-search.asciidoc b/docs/detections/rules-cross-cluster-search.asciidoc index b4d67d6ece..90c56d7e35 100644 --- a/docs/detections/rules-cross-cluster-search.asciidoc +++ b/docs/detections/rules-cross-cluster-search.asciidoc @@ -66,7 +66,7 @@ To update a rule's API key, log into the local cluster as a user with the privil * Edit and save the rule. * Update the rule's API key manually: -. Find **Stack Management** in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to +. Find **Stack Management** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Rules*. . Use the search box and filters to find the rules you want to update. For example, use the *Type* filter to find rules under the *Security* category. . Select the rule's actions menu (*...*), then *Update API key*. diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index d165532911..59f86d7348 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -42,7 +42,7 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user role, and the selected {ml} job must be running for the rule to function correctly. ============== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select: .. The required {ml} jobs. + @@ -67,7 +67,7 @@ in the step or its sub-steps, apply the change to the other rule types, too. [discrete] [[create-custom-rule]] === Create a custom query rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then: .. Define which {es} indices or data view the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting 
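Review bot: in the machine learning hunk, the unchanged context line immediately after the replaced step reads `select *Machine Learning* on the *Create new rule*, then select:` and is missing `page`; the custom query and threshold hunks in this same file say `on the *Create new rule* page`. The line is inside the hunk, so fix it here as `select *Machine Learning* on the *Create new rule* page, then select:` so the three sections match. Note also that none of these rewritten first steps tell the reader to open *Create new rule*; each second step assumes they are already on that page, so either add a `Click *Create new rule*` step or phrase the second step as `On the *Rules* page, click *Create new rule*, then select ...`.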
@@ -117,7 +117,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-threshold-rule]] === Create a threshold rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting @@ -157,7 +157,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-eql-rule]] === Create an event correlation rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then: . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. 
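Review bot: the create-eql-rule hunk leaves two consecutive copies of the same step: `. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:` immediately followed by `. To create an event correlation rule using EQL, select *Event Correlation*, then:`. The second line looks like the pre-edit wording that was meant to be deleted; as the hunk stands, the rendered procedure shows a duplicate numbered step with the sub-steps hanging off the second one. Drop the second line.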
@@ -224,7 +224,7 @@ in these steps or sub-steps, apply the change to the other rule types, too. NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields: .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from @@ -311,7 +311,7 @@ image::images/indicator_value_list.png[] [[create-new-terms-rule]] === Create a new terms rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then: .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view. .. Use the filter and query fields to create the criteria used for detecting 
@@ -351,7 +351,7 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Select **{esql}**, then write a query. + NOTE: Refer to the sections below to learn more about <>, <>, and <>. diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 04588f4867..634fa7859c 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -67,7 +67,7 @@ For prebuilt Elastic rules, you can't modify most settings. You can only edit << Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ==== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: 
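Review bot: in the {esql} hunk the step following `Go to the *Rules* page` is `Select **{esql}**, then write a query.`, which never names the *Create new rule* page that every other rule-type section in this file names (`select *Custom query* on the *Create new rule* page`, `select *Threshold* on the *Create new rule* page`, and so on). A reader landing on the Rules page has no {esql} control to select. Suggest `. Click *Create new rule*, select **{esql}**, then write a query.` so the navigation is complete and consistent with the sibling sections.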
@@ -98,7 +98,7 @@ You can duplicate, enable, disable, delete, and snooze actions for rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. 
@@ -115,7 +115,7 @@ Manually run enabled rules for a specified period of time for testing purposes o IMPORTANT: Before manually running rules, make sure you properly understand and plan for rule dependencies. Incorrect scheduling can lead to inconsistent rule results. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . From the *Rules* page, do one of the following: * Select the **All actions** menu (**...**) on a rule, then select **Manual run**. * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**. @@ -175,7 +175,7 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing- To export and import detection rules: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index b3a02cafde..193c9583da 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -21,7 +21,7 @@ Refer to the <> section below for strategies on adjusting === Rule Monitoring tab To view a summary of all rule executions, including the most recent failures and execution -times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. +times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. [role="screenshot"] image::images/monitor-table.png[] diff --git a/docs/detections/shared-exception-lists.asciidoc b/docs/detections/shared-exception-lists.asciidoc index e9176909c0..58e4918d89 100644 --- a/docs/detections/shared-exception-lists.asciidoc +++ b/docs/detections/shared-exception-lists.asciidoc @@ -14,7 +14,7 @@ image::images/rule-exceptions-page.png[Shared Exception Lists page] Set up shared exception lists to contain exception items: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Create shared exception list* -> *Create shared list*. . Give the shared exception list a name. . (Optional) Provide a description. 
@@ -26,7 +26,7 @@ Set up shared exception lists to contain exception items: Add exception items: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Create shared exception list* -> *Create exception item*. + TIP: You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking *Create rule exception*. After creating an exception, you can associate the shared exception list with rules. Refer to <> to learn more. @@ -73,7 +73,7 @@ Closes all alerts that match the exception's conditions and were generated only Apply shared exception lists to rules: -. Go to the *Shared exception lists* page. Find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to *Shared exception lists*. +. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: ** Select a shared exception list's name to open its details page, then click *Link rules*. ** Find the shared exception list you want to assign to rules, then from the *More actions* menu (*...*), select *Link rules*. diff --git a/docs/detections/value-list-exceptions.asciidoc b/docs/detections/value-list-exceptions.asciidoc index 17ac6327e5..f4dcf873a7 100644 --- a/docs/detections/value-list-exceptions.asciidoc +++ b/docs/detections/value-list-exceptions.asciidoc 
@@ -39,7 +39,7 @@ act as delimiters. * The maximum accepted file size is 9 million bytes. ========================= -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. + [role="screenshot"] @@ -61,7 +61,7 @@ You can edit, remove, or export existing value lists. [discrete] ==== Edit value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click **Manage value lists**. The **Manage value lists** window opens. . In the **Value lists** table, click the value list you want to edit. . Do any of the following: 
@@ -83,7 +83,7 @@ TIP: You can also edit value lists while creating and managing exceptions that u [discrete] ==== Export or remove value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. . From the *Value lists* table, you can: .. Click the **Export value list** button (image:images/export-value-list.png[Export button from Manage value lists window,15,15]) to export the value list. diff --git a/docs/getting-started/ingest-data.asciidoc b/docs/getting-started/ingest-data.asciidoc index ebbf6aef5d..10051eaf64 100644 --- a/docs/getting-started/ingest-data.asciidoc +++ b/docs/getting-started/ingest-data.asciidoc 
@@ -5,7 +5,7 @@ To ingest data, you can use: * The {fleet-guide}/fleet-overview.html[{agent}] with the **{elastic-defend}** integration, which protects your hosts and sends logs, metrics, and endpoint security data to {elastic-sec}. See <>. -* The {agent} with integrations, which are available in the {fleet-guide}/fleet-overview.html#package-registry-intro[Elastic Package Registry (EPR)]. To install an integration that works with {elastic-sec}, go to the {kib} Home page or main navigation menu and click *Add integrations*. On the Integrations page, click the *Security* category filter, then select an integration to view the installation instructions. For more information on integrations, refer to {integrations-docs}[{integrations}]. +* The {agent} with integrations, which are available in the {fleet-guide}/fleet-overview.html#package-registry-intro[Elastic Package Registry (EPR)]. To install an integration that works with {elastic-sec}, go to the {kib} Home page or navigation menu and click *Add integrations*. On the Integrations page, click the *Security* category filter, then select an integration to view the installation instructions. For more information on integrations, refer to {integrations-docs}[{integrations}]. * *{beats}* shippers installed for each system you want to monitor. * The {agent} to send data from Splunk to {elastic-sec}. See {observability-guide}/splunk-get-started.html[Get started with data from Splunk]. * Third-party collectors configured to ship ECS-compliant data. diff --git a/docs/serverless/alerts/alert-suppression.mdx b/docs/serverless/alerts/alert-suppression.mdx index 35ac2030db..f4ade8dc74 100644 --- a/docs/serverless/alerts/alert-suppression.mdx +++ b/docs/serverless/alerts/alert-suppression.mdx 
@@ -114,4 +114,4 @@ With alert suppression, detection alerts aren't created for the grouped source e Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit): * **Threshold, event correlation (non-sequence queries only, ((esql)), and ((ml)):** The maximum number is the value you choose for the rule's **Max alerts per run** advanced setting, which is `100` by default. -* **Indicator match and new terms:** The maximum number is five times the value you choose for the the rule's **Max alerts per run** advanced setting. The default value is `100`, which means the default maximum limit for indicator match rules and new terms rules is `500`. \ No newline at end of file +* **Indicator match and new terms:** The maximum number is five times the value you choose for the rule's **Max alerts per run** advanced setting. The default value is `100`, which means the default maximum limit for indicator match rules and new terms rules is `500`. \ No newline at end of file From b8828e26b9ebd25723813479ba6a1998516d948d Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 4 Nov 2024 13:54:25 -0500 Subject: [PATCH 09/10] Revisiting instructions to rules page --- docs/detections/add-exceptions.asciidoc | 8 +++---- .../prebuilt-rules-management.asciidoc | 10 ++++---- .../prebuilt-rules/tune-rule-signals.asciidoc | 4 ++-- docs/detections/rules-ui-create.asciidoc | 23 ++++++++++++------- docs/detections/rules-ui-manage.asciidoc | 14 +++++------ .../detections/value-list-exceptions.asciidoc | 6 ++--- 6 files changed, 36 insertions(+), 29 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index d7059ac656..80cc93875f 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
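Review bot: the alert-suppression.mdx hunk fixes `the the` but leaves the context line directly above it with an unbalanced parenthesis: `**Threshold, event correlation (non-sequence queries only, ((esql)), and ((ml)):**` opens `(` at `non-sequence` and never closes it, so the "non-sequence queries only" qualifier reads as applying to ((esql)) and ((ml)) as well. The line is inside the hunk, so correct it here to `**Threshold, event correlation (non-sequence queries only), ((esql)), and ((ml)):**`. Both sides of the hunk also still carry `\ No newline at end of file`; add the trailing newline while touching the last line.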
@@ -38,8 +38,8 @@ specific event in the sequence, update the rule's EQL statement. For example: + -- * To add an exception from the rule details page: -.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -.. Search for the rule that you want to add an exception to, then click its name to open the rule details. +.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. In the Rules table, search for the rule that you want to add an exception to, then click its name to open the rule details. .. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*. + [role="screenshot"] @@ -157,8 +157,8 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there -- * To add an Endpoint exception from the rule details page: -.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -.. Search for and select the Elastic *Endpoint Security* rule. +.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. In the Rules table, search for and select the Elastic *Endpoint Security* rule. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index 5d5eabc721..2f2efc421e 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc 
+++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -27,7 +27,7 @@ Follow these guidelines to start using the {security-app}'s < *Duplicate*. . Select whether to duplicate the rules' exceptions, then click *Duplicate*. @@ -97,8 +97,8 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. From the *Rules* page, select the *Rule Updates* tab. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the *Rules* table, select the *Rule Updates* tab. + NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date. + diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index c9a10290f0..d609d4a87e 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc 
@@ -35,8 +35,8 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the Rules table, search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. + The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed. [role="screenshot"] diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 59f86d7348..1638a6664c 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -42,8 +42,9 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user role, and the selected {ml} job must be running for the rule to function correctly. ============== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. +. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule* page, then select: .. The required {ml} jobs. + NOTE: If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule. @@ -67,7 +68,8 @@ in the step or its sub-steps, apply the change to the other rule types, too. [discrete] [[create-custom-rule]] === Create a custom query rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. . To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then: .. Define which {es} indices or data view the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting 
@@ -117,7 +119,8 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-threshold-rule]] === Create a threshold rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. . To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting @@ -157,7 +160,8 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-eql-rule]] === Create an event correlation rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. . To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then: . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. 
@@ -224,7 +228,8 @@ in these steps or sub-steps, apply the change to the other rule types, too. NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields: .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from @@ -311,7 +316,8 @@ image::images/indicator_value_list.png[] [[create-new-terms-rule]] === Create a new terms rule -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. . To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then: .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view. .. Use the filter and query fields to create the criteria used for detecting 
@@ -351,7 +357,8 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. . Select **{esql}**, then write a query. + NOTE: Refer to the sections below to learn more about <>, <>, and <>. diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 634fa7859c..8043ccbf69 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -67,7 +67,7 @@ For prebuilt Elastic rules, you can't modify most settings. You can only edit << Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ==== -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: 
@@ -98,8 +98,8 @@ You can duplicate, enable, disable, delete, and snooze actions for rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. Do one of the following: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the Rules table, do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. * To enable or disable a single rule, switch on the rule's *Enabled* toggle. 
@@ -115,8 +115,8 @@ Manually run enabled rules for a specified period of time for testing purposes o IMPORTANT: Before manually running rules, make sure you properly understand and plan for rule dependencies. Incorrect scheduling can lead to inconsistent rule results. -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. From the *Rules* page, do one of the following: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the *Rules* table, do one of the following: * Select the **All actions** menu (**...**) on a rule, then select **Manual run**. * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**. . Specify when the manual run starts and ends. The default selection is the current day starting three hours in the past. The rule will search for events during the selected time range. @@ -175,9 +175,9 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing- To export and import detection rules: -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To export rules: -.. In the rules table, select the rules you want to export. +.. In the Rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. . To import rules: + 
diff --git a/docs/detections/value-list-exceptions.asciidoc b/docs/detections/value-list-exceptions.asciidoc index f4dcf873a7..3268869c86 100644 --- a/docs/detections/value-list-exceptions.asciidoc +++ b/docs/detections/value-list-exceptions.asciidoc @@ -39,7 +39,7 @@ act as delimiters. * The maximum accepted file size is 9 million bytes. ========================= -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. + [role="screenshot"] @@ -61,7 +61,7 @@ You can edit, remove, or export existing value lists. [discrete] ==== Edit value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click **Manage value lists**. The **Manage value lists** window opens. . In the **Value lists** table, click the value list you want to edit. . Do any of the following: 
@@ -83,7 +83,7 @@ TIP: You can also edit value lists while creating and managing exceptions that u [discrete] ==== Export or remove value lists -. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. . From the *Value lists* table, you can: .. Click the **Export value list** button (image:images/export-value-list.png[Export button from Manage value lists window,15,15]) to export the value list. From 4e47436702aabdccad17e3d5a05dc65cb45401a7 Mon Sep 17 00:00:00 2001 From: Colleen McGinnis Date: Tue, 5 Nov 2024 17:31:05 -0600 Subject: [PATCH 10/10] remove duplicate 'the' --- docs/serverless/alerts/alert-suppression.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/serverless/alerts/alert-suppression.asciidoc b/docs/serverless/alerts/alert-suppression.asciidoc index 6ff454c697..0b413a6636 100644 --- a/docs/serverless/alerts/alert-suppression.asciidoc +++ b/docs/serverless/alerts/alert-suppression.asciidoc 
@@ -131,4 +131,4 @@ image:images/alert-suppression/-detections-timeline-button.png[Investigate in ti Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit): * **Threshold, event correlation (non-sequence queries only, {esql}, and {ml}:** The maximum number is the value you choose for the rule's **Max alerts per run** <>, which is `100` by default. -* **Indicator match and new terms:** The maximum number is five times the value you choose for the the rule's **Max alerts per run** <>. The default value is `100`, which means the default maximum limit for indicator match rules and new terms rules is `500`. +* **Indicator match and new terms:** The maximum number is five times the value you choose for the rule's **Max alerts per run** <>. The default value is `100`, which means the default maximum limit for indicator match rules and new terms rules is `500`.
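Review bot: In the rules-ui-create.asciidoc hunk `@@ -157,7 +160,8 @@` (Create an event correlation rule), the unchanged context still carries two versions of the same step back to back: `. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:` followed by `. To create an event correlation rule using EQL, select *Event Correlation*, then:`. Since this hunk already touches the steps above it, drop the second, shorter line so readers are not given the step twice.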
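Review bot: In the prebuilt-rules-management.asciidoc hunk `@@ -97,8 +97,8 @@`, the new line `. In the *Rules* table, select the *Rule Updates* tab.` contradicts the context sentence just above it, which says the *Rule Updates* tab "appears on the *Rules* page"; a tab is not inside the table. Suggest `. On the *Rules* page, select the *Rule Updates* tab.`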
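Review bot: The replacement first step (`. Find *Detection rules (SIEM)* in the navigation menu or by using the ... global search field.`) appears in every hunk of this patch but no longer names the destination, while the steps that follow still refer to "the Rules table", "the *Rules* page" and "Click *Create new rule*". Readers who land via the global search field are not told they are now on the *Rules* page. Suggest ending the step with the destination, e.g. `... global search field to open the *Rules* page.`, so each later reference has an antecedent.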
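Review bot: The patch is inconsistent about how it styles the table name: add-exceptions.asciidoc, tune-rule-signals.asciidoc and the rules-ui-manage.asciidoc hunks `@@ -98` and `@@ -175` write `In the Rules table`, while prebuilt-rules-management.asciidoc and rules-ui-manage.asciidoc `@@ -115` write `In the *Rules* table`; the `@@ -175` hunk also changes the existing lowercase `rules table` to `Rules table`. Pick one form (the existing docs bold UI labels such as `*Rules* page`) and apply it across all six files.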
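Review bot: In the rules-ui-create.asciidoc hunks that add `. Click *Create new rule*.`, the following step still says `select *Machine Learning* on the *Create new rule* page` (and likewise for *Custom query*, *Threshold*, *Event Correlation*, *Indicator Match* and *New Terms*). Now that the click is its own step, the `on the *Create new rule* page` qualifier repeats it; consider trimming it to `select *Machine Learning*, then select:` and the same for the other rule types.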
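Review bot: The alert-suppression.asciidoc hunk `@@ -114,4 +114,4 @@` keeps `\ No newline at end of file` on both the removed and the added last line. Since the patch already rewrites that final line, add the trailing newline at the same time so the file ends cleanly and later diffs on this file stay minimal.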