diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index dea8dc0331..80cc93875f 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -38,24 +38,24 @@ specific event in the sequence, update the rule's EQL statement. For example: + -- * To add an exception from the rule details page: -.. Go to the rule details page of the rule to which you want to add an -exception (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). +.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. In the Rules table, search for the rule that you want to add an exception to, then click its name to open the rule details. .. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*. + [role="screenshot"] image::images/rule-exception-tab.png[Detail of rule exceptions tab] * To add an exception from the Alerts table: -.. Go to *Alerts*. +.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*. * To add an exception from the alert details flyout: -.. Go to *Alerts*. +.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Click the *View details* button from the Alerts table. .. In the alert details flyout, click *Take action -> Add rule exception*. * To add an exception from the Shared Exception Lists page: -.. Go to *Rules* -> *Shared exception lists*. +.. Find the **Shared exception lists** page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Click *Create shared exception list* -> *Create exception item*. -- 
@@ -157,16 +157,17 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there -- * To add an Endpoint exception from the rule details page: -.. Go to the rule details page (*Rules* -> *Detection rules (SIEM)*), and then search for and select the Elastic *Endpoint Security* rule. +.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +.. In the Rules table, search for and select the Elastic *Endpoint Security* rule. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: -.. Go to *Alerts*. +.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Scroll down to the Alerts table, and from an {elastic-endpoint} alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*. * To add an Endpoint exception from Shared Exception Lists page: -.. Go to *Rules* -> *Shared exception lists*. +.. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*. + NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. 
@@ -264,8 +265,13 @@ image::images/nested-exp.png[] [[manage-exception]] === View and manage exceptions -To view a rule's exceptions, open the rule's details page (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*), then scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*. +To view a rule's exceptions: +. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details. +. Scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. ++ +From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*. ++ [role="screenshot"] image::images/manage-default-rule-list.png[A default rule list] diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index 829d09088f..acac04d7f4 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc @@ -25,7 +25,7 @@ image::images/alert-indices-ui.png[] By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. -. Go to *Alerts*. +. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . In the Alerts table, select *Additional filters* -> *Include building block alerts*, located on the far-right. 
diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index 7adb34db43..2f2efc421e 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -27,7 +27,9 @@ Follow these guidelines to start using the {security-app}'s < *Detection rules (SIEM)*. The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the Rules table. ++ +The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation. + [role="screenshot"] image::images/prebuilt-rules-add-badge.png[The Add Elastic Rules page] @@ -81,7 +83,8 @@ Each prebuilt rule includes several tags identifying the rule's purpose, detecti [[select-all-prebuilt-rules]] === Select and duplicate all prebuilt rules -. Go to *Rules* -> *Detection rules (SIEM)*, then select the *Elastic rules* filter. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the *Rules* table, select the *Elastic rules* filter. . Click *Select all _x_ rules* above the rules table. . Click *Bulk actions* -> *Duplicate*. . Select whether to duplicate the rules' exceptions, then click *Duplicate*. 
@@ -94,7 +97,8 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions. -. Go to *Rules* -> *Detection rules (SIEM)*, then select the *Rule Updates* tab. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the *Rules* table, select the *Rule Updates* tab. + NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date. + diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index 2c4bcbe402..d609d4a87e 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc @@ -35,8 +35,8 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to *Rules* -> *Detection rules (SIEM)*. -. Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the Rules table, search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule. + The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed. [role="screenshot"] diff --git a/docs/detections/rules-coverage.asciidoc b/docs/detections/rules-coverage.asciidoc index 098b703c8f..0667bde8e1 100644 --- a/docs/detections/rules-coverage.asciidoc 
+++ b/docs/detections/rules-coverage.asciidoc @@ -6,10 +6,12 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [manage, analyze, visualize] -The **MITRE ATT&CK® coverage** page (**Rules** -> **MITRE ATT&CK® Coverage**) shows which https://attack.mitre.org[MITRE ATT&CK®] adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. +The **MITRE ATT&CK® coverage** page shows which https://attack.mitre.org[MITRE ATT&CK®] adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic's related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top. +To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**. + [NOTE] ==== This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following https://attack.mitre.org/resources/updates/updates-april-2024[MITRE ATT&CK® version] used by {elastic-sec}: `v15.1`. Elastic prebuilt rules that aren't installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. diff --git a/docs/detections/rules-cross-cluster-search.asciidoc b/docs/detections/rules-cross-cluster-search.asciidoc index 4ec19ed7b8..90c56d7e35 100644 --- a/docs/detections/rules-cross-cluster-search.asciidoc +++ b/docs/detections/rules-cross-cluster-search.asciidoc 
@@ -66,7 +66,8 @@ To update a rule's API key, log into the local cluster as a user with the privil * Edit and save the rule. * Update the rule's API key manually: -. Go to {kib} -> *Stack Management* -> *Rules*. +. Find **Stack Management** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to +*Rules*. . Use the search box and filters to find the rules you want to update. For example, use the *Type* filter to find rules under the *Security* category. . Select the rule's actions menu (*...*), then *Update API key*. + diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 52542e411d..1638a6664c 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -42,9 +42,9 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user role, and the selected {ml} job must be running for the rule to function correctly. ============== -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule based on a {ml} anomaly threshold, select *Machine Learning*, -then select: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. +. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule* page, then select: .. The required {ml} jobs. + NOTE: If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule. 
@@ -68,9 +68,9 @@ in the step or its sub-steps, apply the change to the other rule types, too. [discrete] [[create-custom-rule]] === Create a custom query rule -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule based on a KQL or Lucene query, select *Custom query*, -then: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. +. To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then: .. Define which {es} indices or data view the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting alerts. @@ -119,8 +119,9 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-threshold-rule]] === Create a threshold rule -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule based on a source event field threshold, select *Threshold*, then: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. +. To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting alerts. 
@@ -159,7 +160,9 @@ in these steps or sub-steps, apply the change to the other rule types, too. [discrete] [[create-eql-rule]] === Create an event correlation rule -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. +. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then: . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. .. Write an {ref}/eql-syntax.html[EQL query] that searches for matching events or a series of matching events. 
@@ -225,9 +228,9 @@ in these steps or sub-steps, apply the change to the other rule types, too. NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: - +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. +. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields: .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from the {elastic-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`. 
@@ -304,7 +307,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi * *Field*: Enter the field from the Elastic Security event indices to be used for comparing values. * *Indicator index field*: Enter the type of value list you created (i.e., `keyword`, `text`, or `IP`). + -TIP: If you don't remember this information, go to *Rules* -> *Detection rules (SIEM)* -> *Manage value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) +TIP: If you don't remember this information, refer to the appropriate <> and find the list's type in the *Type* column (for example, the type can be `Keywords`, `Text`, or `IP`). [role="screenshot"] image::images/indicator_value_list.png[] @@ -313,8 +316,9 @@ image::images/indicator_value_list.png[] [[create-new-terms-rule]] === Create a new terms rule -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule that searches for each new term detected in source documents, select *New Terms*, then: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. +. To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then: .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view. .. Use the filter and query fields to create the criteria used for detecting alerts. 
@@ -353,8 +357,9 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data To create an {esql} rule: -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page appears. -. Select **{esql}**, then write a query. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click *Create new rule*. +. Select **{esql}**, then write a query. + NOTE: Refer to the sections below to learn more about <>, <>, and <>. + diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 2c033b4151..8043ccbf69 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -67,7 +67,7 @@ For prebuilt Elastic rules, you can't modify most settings. You can only edit << Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ==== -. Go to *Rules* -> *Detection rules (SIEM)*. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: 
@@ -98,8 +98,8 @@ You can duplicate, enable, disable, delete, and snooze actions for rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. -. Go to *Rules* -> *Detection rules (SIEM)*. -. Do one of the following: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the Rules table, do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. * To enable or disable a single rule, switch on the rule's *Enabled* toggle. @@ -115,7 +115,8 @@ Manually run enabled rules for a specified period of time for testing purposes o IMPORTANT: Before manually running rules, make sure you properly understand and plan for rule dependencies. Incorrect scheduling can lead to inconsistent rule results. -1. Navigate to the detection rules page, and do one of the following: +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. In the *Rules* table, do one of the following: * Select the **All actions** menu (**...**) on a rule, then select **Manual run**. * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**. . Specify when the manual run starts and ends. The default selection is the current day starting three hours in the past. The rule will search for events during the selected time range. 
@@ -162,21 +163,21 @@ If you try to export with both prebuilt and custom rules selected, only the cust The `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. However, other configuration items require additional handling when exporting and importing rules: -- *Data views*: For rules that use a {kib} data view as a data source, the exported file contains the associated `data_view_id`, but does _not_ include any other data view configuration. To export/import between {kib} spaces, first use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-share-to-space[Saved Objects] UI (*Stack Management* -> *Kibana* -> *Saved Objects*) to share the data view with the destination space. +- *Data views*: For rules that use a {kib} data view as a data source, the exported file contains the associated `data_view_id`, but does _not_ include any other data view configuration. To export/import between {kib} spaces, first use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-share-to-space[Saved Objects] UI to share the data view with the destination space. + To import into a different {stack} deployment, the destination cluster must include a data view with a matching data view ID (configured in the {kibana-ref}/data-views.html[data view's advanced settings]). Alternatively, after importing, you can manually reconfigure the rule to use an appropriate data view in the destination system. - *Actions and connectors*: Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) _is not_ included. You must re-add missing connector details after importing detection rules. 
+ -TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI (*Stack Management* -> *Kibana* -> *Saved Objects*) to export and import necessary connectors before importing detection rules. +TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI to export and import necessary connectors before importing detection rules. -- *Value lists*: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the <> UI (*Rules* -> *Detection rules (SIEM)* -> *Manage value lists*) to export and import value lists separately. +- *Value lists*: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the <> UI to export and import value lists separately. To export and import detection rules: -. Go to *Rules* -> *Detection rules (SIEM)*. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . To export rules: -.. In the rules table, select the rules you want to export. +.. In the Rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. . To import rules: + 
@@ -196,7 +197,7 @@ NOTE: Imported rules must be in an `.ndjson` file. [[rule-prerequisites]] === Confirm rule prerequisites -Many detection rules are designed to work with specific {integrations-docs}[Elastic integrations] and data fields. These prerequisites are identified in *Related integrations* and *Required fields* on a rule's details page (*Rules* -> *Detection rules (SIEM)*, then click a rule's name). *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. +Many detection rules are designed to work with specific {integrations-docs}[Elastic integrations] and data fields. These prerequisites are identified in *Related integrations* and *Required fields* on a rule's details page. *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. Additionally, the *Setup guide* section provides guidance on setting up the rule's requirements. @@ -208,4 +209,4 @@ You can also check rules' related integrations in the *Installed Rules* and *Rul [role="screenshot"] image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%] -TIP: You can hide the *integrations* badge in the rules tables. Go to *{kib}* -> *Stack Management* -> *Advanced Settings*, then turn off `securitySolution:showRelatedIntegrations`. +TIP: You can hide the *integrations* badge in the rules tables. To do this, turn off `securitySolution:showRelatedIntegrations` <>. diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index 946c98ac54..193c9583da 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc 
@@ -21,8 +21,7 @@ Refer to the <> section below for strategies on adjusting === Rule Monitoring tab To view a summary of all rule executions, including the most recent failures and execution -times, select the *Rule Monitoring* tab on the *Rules* page (*Rules* -> -*Detection rules (SIEM)* -> *Rule Monitoring*). +times, select the *Rule Monitoring* tab on the *Rules* page. To access the tab, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the *Rule Monitoring* tab. [role="screenshot"] image::images/monitor-table.png[] @@ -39,7 +38,7 @@ For detailed information on a rule, the alerts it generated, and associated erro Each detection rule execution is logged, including the execution type, the execution's success or failure, any warning or error messages, how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn't behaving as expected (for example, if it isn't creating alerts or takes a long time to run). -To access a rule's execution log, go to **Rules** → **Detection rules (SIEM)**, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Within the Execution log table, you can click the arrow at the end of a row to expand a long warning or error message. +To access a rule's execution log, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Within the Execution log table, you can click the arrow at the end of a row to expand a long warning or error message. [role="screenshot"] image::images/rule-execution-logs.png[Execution log table on the rule execution results tab] 
@@ -122,8 +121,7 @@ If you receive this warning, go to the rule's **Alerts** tab and check for anyth ==== Troubleshoot gaps If you see values in the Gaps column in the Rule Monitoring table or on the Rule details page -for a small number of rules, you can increase those rules' -Additional look-back time (*Rules* -> *Detection rules (SIEM)* -> the rule's *All actions* menu (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*). +for a small number of rules, you can edit those rules and increase their additional look-back time. It's recommended to set the `Additional look-back time` to at least 1 minute. This ensures there are no missing alerts when a rule doesn't diff --git a/docs/detections/shared-exception-lists.asciidoc b/docs/detections/shared-exception-lists.asciidoc index b7eab6e2e9..58e4918d89 100644 --- a/docs/detections/shared-exception-lists.asciidoc +++ b/docs/detections/shared-exception-lists.asciidoc @@ -14,7 +14,7 @@ image::images/rule-exceptions-page.png[Shared Exception Lists page] Set up shared exception lists to contain exception items: -. Go to *Rules* -> *Shared exception lists*. +. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Create shared exception list* -> *Create shared list*. . Give the shared exception list a name. . (Optional) Provide a description. 
@@ -26,7 +26,7 @@ Set up shared exception lists to contain exception items: Add exception items: -. Go to *Rules* -> *Shared exception lists*. +. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Create shared exception list* -> *Create exception item*. + TIP: You can add exceptions to an empty shared exception list by expanding the list, or viewing its details page and clicking *Create rule exception*. After creating an exception, you can associate the shared exception list with rules. Refer to <> to learn more. @@ -73,7 +73,7 @@ Closes all alerts that match the exception's conditions and were generated only Apply shared exception lists to rules: -. Go to *Rules* -> *Shared exception lists*. +. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: ** Select a shared exception list's name to open its details page, then click *Link rules*. ** Find the shared exception list you want to assign to rules, then from the *More actions* menu (*...*), select *Link rules*. diff --git a/docs/detections/value-list-exceptions.asciidoc b/docs/detections/value-list-exceptions.asciidoc index 609c2ef095..3268869c86 100644 --- a/docs/detections/value-list-exceptions.asciidoc +++ b/docs/detections/value-list-exceptions.asciidoc @@ -39,7 +39,7 @@ act as delimiters. * The maximum accepted file size is 9 million bytes. ========================= -. Go to *Rules* -> *Detection rules (SIEM)*. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. + [role="screenshot"] 
@@ -61,7 +61,7 @@ You can edit, remove, or export existing value lists. [discrete] ==== Edit value lists -. Go to **Rules** → **Detection rules (SIEM)**. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click **Manage value lists**. The **Manage value lists** window opens. . In the **Value lists** table, click the value list you want to edit. . Do any of the following: @@ -83,7 +83,7 @@ TIP: You can also edit value lists while creating and managing exceptions that u [discrete] ==== Export or remove value lists -. Go to *Rules* -> *Detection rules (SIEM)*. +. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Manage value lists*. The *Manage value lists* window opens. . From the *Value lists* table, you can: .. Click the **Export value list** button (image:images/export-value-list.png[Export button from Manage value lists window,15,15]) to export the value list. diff --git a/docs/getting-started/ingest-data.asciidoc b/docs/getting-started/ingest-data.asciidoc index ebbf6aef5d..10051eaf64 100644 --- a/docs/getting-started/ingest-data.asciidoc +++ b/docs/getting-started/ingest-data.asciidoc 
@@ -5,7 +5,7 @@ To ingest data, you can use: * The {fleet-guide}/fleet-overview.html[{agent}] with the **{elastic-defend}** integration, which protects your hosts and sends logs, metrics, and endpoint security data to {elastic-sec}. See <>. -* The {agent} with integrations, which are available in the {fleet-guide}/fleet-overview.html#package-registry-intro[Elastic Package Registry (EPR)]. To install an integration that works with {elastic-sec}, go to the {kib} Home page or main navigation menu and click *Add integrations*. On the Integrations page, click the *Security* category filter, then select an integration to view the installation instructions. For more information on integrations, refer to {integrations-docs}[{integrations}]. +* The {agent} with integrations, which are available in the {fleet-guide}/fleet-overview.html#package-registry-intro[Elastic Package Registry (EPR)]. To install an integration that works with {elastic-sec}, go to the {kib} Home page or navigation menu and click *Add integrations*. On the Integrations page, click the *Security* category filter, then select an integration to view the installation instructions. For more information on integrations, refer to {integrations-docs}[{integrations}]. * *{beats}* shippers installed for each system you want to monitor. * The {agent} to send data from Splunk to {elastic-sec}. See {observability-guide}/splunk-get-started.html[Get started with data from Splunk]. * Third-party collectors configured to ship ECS-compliant data.
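Review bot: rules-ui-create.asciidoc, hunk `@@ -159,7 +160,9 @@` (Create an event correlation rule) leaves the step duplicated: the new line `+. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:` is immediately followed by the old `. To create an event correlation rule using EQL, select *Event Correlation*, then:`, which is kept as unchanged context instead of being removed. The rendered list will show the same instruction twice, with the `..` sub-steps hanging off the second copy. Prefix the old line with `-`, as was done for the matching line in the custom query, threshold, indicator match and new terms hunks.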
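Review bot: prebuilt-rules-management.asciidoc, hunk `@@ -94,7 +97,8 @@` puts the tab in the wrong place: `+. In the *Rules* table, select the *Rule Updates* tab.` says the tab is inside the table, while the paragraph directly above the hunk states that the *Rule Updates* tab "appears on the *Rules* page". Suggest `. On the *Rules* page, select the *Rule Updates* tab.` The same hunk also bolds *Rules* in "*Rules* table", whereas the add-exceptions, tune-rule-signals and rules-ui-manage hunks write "Rules table" unbolded; pick one form.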
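Review bot: rules-ui-create.asciidoc, hunk `@@ -304,7 +307,7 @@` introduces a terminology mismatch with the line it sits under. The bullet reads `*Indicator index field*: Enter the type of value list you created (i.e., \`keyword\`, \`text\`, or \`IP\`).`, but the new TIP says the type can be `` `Keywords` ``, `` `Text` ``, or `` `IP` ``. A reader filling in the field cannot tell whether to type `keyword` or `Keywords`. Align both lines to the same spelling and casing, or say explicitly that the TIP shows the label displayed in the *Type* column and the bullet shows the value to enter.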
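Review bot: add-exceptions.asciidoc, hunk `@@ -38,24 +38,24 @@` mixes bold markup within one list: `+.. Find **Alerts** in the navigation menu ...` and `+.. Find the **Shared exception lists** page ...` use double asterisks, while `+.. Find *Detection rules (SIEM)* ...` in the same hunk and `+.. Find the *Shared exception lists* page ...` in the `@@ -157` hunk of the same file use single asterisks. Use `*Alerts*` and `*Shared exception lists*` here (the building-block-rule and rules-cross-cluster-search hunks have the same `**Alerts**` / `**Stack Management**` inconsistency). More generally, this sentence is now pasted into roughly 25 places across the patch and already exists in three wordings; an AsciiDoc attribute or include for the navigation sentence would keep it from drifting further.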
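Review bot: add-exceptions.asciidoc, hunk `@@ -264,8 +265,13 @@` uses a longer and redundant variant of the navigation sentence: `find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the ... global search field` repeats the page name it just gave, switches to double-asterisk bold in a file that uses single asterisks, and uses curly quotes. The rules-coverage and rules-ui-monitor `@@ -21` hunks carry the same variant. Suggest the shorter form used in the rest of the patch: `find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]`.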
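Review bot: rules-ui-monitor.asciidoc, hunk `@@ -39,7 +38,7 @@` removes the route without replacing it: `+To access a rule's execution log, click the rule's name to open its details, ...` no longer says where the rule's name is clicked, and this section is reachable directly from the table of contents, so a reader landing here has no starting point. Elsewhere in the patch the removed `*Rules* -> *Detection rules (SIEM)*` path is replaced by the navigation-menu/global-search sentence rather than dropped; do the same here, e.g. "In the Rules table (find *Detection rules (SIEM)* in the navigation menu or by using the global search field), click the rule's name ...". The rules-ui-manage `@@ -196` hunk (`... on a rule's details page.`) has the same gap.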
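Review bot: rules-ui-monitor.asciidoc, hunk `@@ -122,8 +121,7 @@` loses the location of the setting and renames it. The removed line pointed to `*Edit rule settings* -> *Schedule* -> *Additional look-back time*`; the replacement `+for a small number of rules, you can edit those rules and increase their additional look-back time.` gives no hint that the field is in the *Schedule* section, and the unchanged next line still calls it `` `Additional look-back time` `` in code font, so the two adjacent lines now name the same control differently. Suggest "... edit those rules and increase the *Additional look-back time* value in the *Schedule* section of *Edit rule settings*." and use the same formatting in the following sentence.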
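Review bot: value-list-exceptions.asciidoc, hunk `@@ -61,7 +61,7 @@` leaves the list with mixed bold styles: the new `+. Find *Detection rules (SIEM)* ...` uses single asterisks while the unchanged next lines use `**Manage value lists**` and `**Value lists**`. The removed line matched its neighbours (`**Rules** → **Detection rules (SIEM)**`); either keep double asterisks in this list or normalise the whole file to single asterisks, as the `@@ -83` hunk of the same file already uses.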