From 10707b3c07fadb6034530ed83927ecba1fc00e3d Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 3 Mar 2025 15:45:46 -0500 Subject: [PATCH 01/17] First draft --- docs/detections/rules-ui-manage.asciidoc | 67 ++++++++++++++---------- 1 file changed, 39 insertions(+), 28 deletions(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 8043ccbf69..0204bb8cb6 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -58,19 +58,22 @@ For {ml} rules, an indicator icon (image:images/rules-table-error-icon.png[Error [[edit-rules-settings]] === Modify existing rules settings -You can edit an existing rule's settings, and can bulk edit settings for multiple rules at once. +You can edit an existing prebuilt or custom rule's settings, and can bulk edit settings for multiple rules at once. [NOTE] ==== -For prebuilt Elastic rules, you can't modify most settings. You can only edit <> and <>. If you try to bulk edit with both prebuilt and custom rules selected, the action will affect only the rules that can be modified. - -Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. +* You cannot change the **Author** and **License** field values for prebuilt Elastic rules. +* Rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ==== +TIP: Customized prebuilt rules are marked as `Modified` in the Rules table. + . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: -* Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. +* Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. Alternatively, open the rule’s details page and click **Edit rule settings**. The *Edit rule settings* view opens, where you can modify the <>. 
* Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: +** *Enable*: +** *Duplicate*: ** *Index patterns*: Add or delete the index patterns used by all selected rules. ** *Tags*: Add or delete tags on all selected rules. ** *Custom highlighted fields*: Add custom highlighted fields on all selected rules. You can choose any fields that are available in the <>, or enter field names from other indices. To overwrite a rule's current set of custom highlighted fields, select the **Overwrite all selected rules' custom highlighted fields** option, then click **Save**. @@ -84,9 +87,14 @@ NOTE: Rule actions won't run during a {kibana-ref}/maintenance-windows.html[main ** *Update rule schedules*: Update the <> and look-back times on all selected rules. ** *Apply Timeline template*: Apply a specified <> to the selected rules. You can also choose *None* to remove Timeline templates from the selected rules. +** *Export*: +** *Manual run*: +** *Disable*: +** *Delete*: . On the flyout that opens, update the rule settings and actions. + TIP: To <> rule actions, go to the *Actions* tab and click the bell icon. + . If available, select *Overwrite all selected _x_* to overwrite the settings on the rules. For example, if you're adding tags to multiple rules, selecting *Overwrite all selected rules tags* removes all the rules' original tags and replaces them with the tags you specify. . Click *Save*. 
@@ -152,14 +160,13 @@ image::images/rule-snoozing.png[Rules snooze options,65%] [[import-export-rules-ui]] === Export and import rules -You can export custom detection rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. +.Requirements +[sidebar] +-- +At minimum, your role needs `Read` privileges for the **Action and Connectors** feature to import rules with actions. To overwrite or add new connectors, you need `All` privileges. Refer to <> to learn more about the required privileges for managing rules. +-- -[NOTE] -==== -You cannot export Elastic prebuilt rules, but you can duplicate a prebuilt rule, then export the duplicated rule. - -If you try to export with both prebuilt and custom rules selected, only the custom rules are exported. -==== +You can export prebuilt Elastic rules and custom rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. The `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. However, other configuration items require additional handling when exporting and importing rules: 
@@ -173,25 +180,29 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing- - *Value lists*: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the <> UI to export and import value lists separately. -To export and import detection rules: +[float] +[[export-rules-ui]] +==== Export rules . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -. To export rules: -.. In the Rules table, select the rules you want to export. -.. Select *Bulk actions* -> *Export*, then save the exported file. -. To import rules: -+ -NOTE: To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don't need `Actions and Connectors` privileges. Refer to <> for more information. +. Do one of the following: +** Export a single rule: Find the rule in the Rules table, then select **All actions** ->**Export**. Alternatively, export the rule from its details page (click on the rule name to open its details, then click **All actions** ->**Export**). +** Export multiple rules: In the Rules table, select the rules you want to export, then click **Bulk actions -> Export**. -.. Click *Import rules*. -.. Drag and drop the file that contains the detection rules. -+ -NOTE: Imported rules must be in an `.ndjson` file. -.. (Optional) Select *Overwrite existing detection rules with conflicting "rule_id"* to update existing rules if they match the `rule_id` value of any rules in the import file. Configuration data included with the rules, such as actions, is also overwritten. -.. 
(Optional) Select *Overwrite existing exception lists with conflicting "list_id"* to replace existing exception lists with exception lists from the import file if they have a matching `list_id` value. -.. (Optional) Select *Overwrite existing connectors with conflicting action "id"* to update existing connectors if they match the `action id` value of any rule actions in the import file. Configuration data included with the actions is also overwritten. +The rules are exported to an `.ndjson` file. + +[float] +[[import-rules-ui]] +==== Import rules + +. Above the Rules table, click *Import rules*. +. In the Import rules modal: +.. Drag and drop the `.ndjson` file that contains the exported rules. +.. (Optional) Select the appropriate options to overwrite existing data: +** *Overwrite existing detection rules with conflicting "rule_id"*: Updates existing rules if they match the `rule_id` value of any rules in the import file. Configuration data included with the rules, such as actions, is also overwritten. +** *Overwrite existing exception lists with conflicting "list_id"*: Replaces existing exception lists with exception lists from the import file if they have a matching `list_id` value. +** *Overwrite existing connectors with conflicting action "id"*: Updates existing connectors if they match the `action id` value of any rule actions in the import file. Configuration data included with the actions is also overwritten. .. Click *Import rule*. -.. (Optional) If a connector is missing sensitive information after the import, a warning displays and you're prompted to fix the connector. In the warning, click *Go to connector*. On the Connectors page, find the connector that needs to be updated, click *Fix*, then add the necessary details. [float] [[rule-prerequisites]] 
@@ -209,4 +220,4 @@ You can also check rules' related integrations in the *Installed Rules* and *Rul [role="screenshot"] image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%] -TIP: You can hide the *integrations* badge in the rules tables. To do this, turn off `securitySolution:showRelatedIntegrations` <>. +TIP: You can hide the *integrations* badge in the Rules tables. To do this, turn off `securitySolution:showRelatedIntegrations` <>. From 9b113690916881cca245c14998d8e49d37322314 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 5 Mar 2025 15:36:29 -0500 Subject: [PATCH 02/17] Defined missing bulk actions --- docs/detections/rules-ui-manage.asciidoc | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 0204bb8cb6..911f45a7be 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -72,8 +72,8 @@ TIP: Customized prebuilt rules are marked as `Modified` in the Rules table. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. Alternatively, open the rule’s details page and click **Edit rule settings**. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: -** *Enable*: -** *Duplicate*: +** *Enable*: Turn the selected rules on. +** *Duplicate*: Create copies of the selected rules. ** *Index patterns*: Add or delete the index patterns used by all selected rules. ** *Tags*: Add or delete tags on all selected rules. ** *Custom highlighted fields*: Add custom highlighted fields on all selected rules. You can choose any fields that are available in the <>, or enter field names from other indices. To overwrite a rule's current set of custom highlighted fields, select the **Overwrite all selected rules' custom highlighted fields** option, then click **Save**. 
@@ -87,10 +87,10 @@ NOTE: Rule actions won't run during a {kibana-ref}/maintenance-windows.html[main ** *Update rule schedules*: Update the <> and look-back times on all selected rules. ** *Apply Timeline template*: Apply a specified <> to the selected rules. You can also choose *None* to remove Timeline templates from the selected rules. -** *Export*: -** *Manual run*: -** *Disable*: -** *Delete*: +** *Export*: Export the selected rules to an `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. +** *Manual run*: Manually run the specified rules for a specified period of time. This option is only available for enabled rules. +** *Disable*: Turn the selected rules off. +** *Delete*: Remove the selected rules. . On the flyout that opens, update the rule settings and actions. + TIP: To <> rule actions, go to the *Actions* tab and click the bell icon. @@ -102,7 +102,7 @@ TIP: To <> rule actions, go to the *Actions* tab and [[manage-rules-ui]] === Manage rules -You can duplicate, enable, disable, delete, and snooze actions for rules: +You can duplicate, enable, disable, delete, and do more to rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. 
@@ -204,6 +204,8 @@ The rules are exported to an `.ndjson` file. ** *Overwrite existing connectors with conflicting action "id"*: Updates existing connectors if they match the `action id` value of any rule actions in the import file. Configuration data included with the actions is also overwritten. .. Click *Import rule*. +The exported rules are imported to the Rules table. + [float] [[rule-prerequisites]] === Confirm rule prerequisites From 9d49585ada78a729c20bdc1591495e5a400c94f4 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 5 Mar 2025 16:51:31 -0500 Subject: [PATCH 03/17] Formatting and org fixes --- docs/detections/rules-ui-manage.asciidoc | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 911f45a7be..4b64f9e4aa 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -60,11 +60,7 @@ For {ml} rules, an indicator icon (image:images/rules-table-error-icon.png[Error You can edit an existing prebuilt or custom rule's settings, and can bulk edit settings for multiple rules at once. -[NOTE] -==== -* You cannot change the **Author** and **License** field values for prebuilt Elastic rules. -* Rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. -==== +NOTE: You cannot change the **Author** and **License** field values for prebuilt Elastic rules. TIP: Customized prebuilt rules are marked as `Modified` in the Rules table. 
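Review bot: the Export bullet in PATCH 02/17 hunk @@ -87 is ungrammatical: `Export the selected rules to an `.ndjson` file also includes any actions, connectors, and exception lists` needs a relative clause, for example `Export the selected rules to an `.ndjson` file, which also includes any actions, connectors, and exception lists related to them.` In the Manual run bullet, `Manually run the specified rules for a specified period of time` repeats `specified`; the sibling bullets say `selected rules`, so use that and keep `specified` for the time range.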
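Review bot: `You can duplicate, enable, disable, delete, and do more to rules:` in PATCH 02/17 hunk @@ -102 is vaguer than the line it replaces, which named snoozing; the section still documents snoozing (the `rule-snoozing.png` image is in this file), so either keep snooze in the list or close with `and perform other actions on rules` rather than `do more to rules`.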
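Review bot: `The exported rules are imported to the Rules table.` in PATCH 02/17 hunk @@ -204 reads as if export and import were a single step; describe what the reader sees after clicking *Import rule*, for example `The imported rules appear in the Rules table.`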
@@ -72,19 +68,20 @@ TIP: Customized prebuilt rules are marked as `Modified` in the Rules table. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. Alternatively, open the rule’s details page and click **Edit rule settings**. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: ++ +NOTE: Rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. ++ ** *Enable*: Turn the selected rules on. ** *Duplicate*: Create copies of the selected rules. ** *Index patterns*: Add or delete the index patterns used by all selected rules. ** *Tags*: Add or delete tags on all selected rules. ** *Custom highlighted fields*: Add custom highlighted fields on all selected rules. You can choose any fields that are available in the <>, or enter field names from other indices. To overwrite a rule's current set of custom highlighted fields, select the **Overwrite all selected rules' custom highlighted fields** option, then click **Save**. ** *Add rule actions*: Add <> on all selected rules. If you add multiple actions, you can specify an action frequency for each of them. To overwrite the frequency of existing actions select the option to **Overwrite all selected rules actions**. - + IMPORTANT: After upgrading to 8.8 or later, frequency settings for rule actions created in 8.7 or earlier are moved from the rule level to the action level. The action schedules remain the same and will continue to run on their previously specified frequency (`On each rule execution`, `Hourly`, `Daily`, or `Weekly`). - + NOTE: Rule actions won't run during a {kibana-ref}/maintenance-windows.html[maintenance window]. They'll resume running after the maintenance window ends. 
- ++ ** *Update rule schedules*: Update the <> and look-back times on all selected rules. ** *Apply Timeline template*: Apply a specified <> to the selected rules. You can also choose *None* to remove Timeline templates from the selected rules. ** *Export*: Export the selected rules to an `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. @@ -92,9 +89,6 @@ NOTE: Rule actions won't run during a {kibana-ref}/maintenance-windows.html[main ** *Disable*: Turn the selected rules off. ** *Delete*: Remove the selected rules. . On the flyout that opens, update the rule settings and actions. -+ -TIP: To <> rule actions, go to the *Actions* tab and click the bell icon. - . If available, select *Overwrite all selected _x_* to overwrite the settings on the rules. For example, if you're adding tags to multiple rules, selecting *Overwrite all selected rules tags* removes all the rules' original tags and replaces them with the tags you specify. . Click *Save*. 
@@ -163,7 +157,9 @@ image::images/rule-snoozing.png[Rules snooze options,65%] .Requirements [sidebar] -- -At minimum, your role needs `Read` privileges for the **Action and Connectors** feature to import rules with actions. To overwrite or add new connectors, you need `All` privileges. Refer to <> to learn more about the required privileges for managing rules. +//Commenting out the first list item because need to confirm that the tables will be updated for 8.18 and 9.0. +//* To use the import and export rules feature, you must have the appropriate subscription. Refer to the subscription page for https://www.elastic.co/subscriptions/cloud[Elastic Cloud] and {subscriptions}[Elastic Stack/self-managed] for the breakdown of available features and their associated subscription tiers. +* At minimum, your role needs `Read` privileges for the **Action and Connectors** feature to import rules with actions. To overwrite or add new connectors, you need `All` privileges. Refer to <> to learn more about the required privileges for managing rules. -- You can export prebuilt Elastic rules and custom rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. From d659692965975b3b372ecd48c1dd2d26dcd9738b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 5 Mar 2025 17:01:13 -0500 Subject: [PATCH 04/17] Minor change to tip about modified prebuilt rules --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 4b64f9e4aa..85752ca143 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
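Review bot: hunk @@ -163 in PATCH 03/17 commits an internal reminder (`//Commenting out the first list item because need to confirm that the tables will be updated for 8.18 and 9.0.`) into the source; an open question like this belongs in the PR discussion, not the published file, so either resolve the subscription wording in this commit or drop the commented-out item together with its explanation.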
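Review bot: hunk @@ -92 in PATCH 03/17 removes the only pointer from the bulk-edit flow to snoozing (`TIP: To <> rule actions, go to the *Actions* tab and click the bell icon.`), and PATCH 02/17 already dropped the word from the Manage rules intro; if the tip was moved rather than retired, show where it went, otherwise add a cross-reference to the snooze section so readers editing actions still learn they can mute them.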
@@ -62,7 +62,7 @@ You can edit an existing prebuilt or custom rule's settings, and can bulk edit s NOTE: You cannot change the **Author** and **License** field values for prebuilt Elastic rules. -TIP: Customized prebuilt rules are marked as `Modified` in the Rules table. +TIP: Customized prebuilt rules display the `Modified` badge in the Rules table and on their details pages. . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: From b48a2cbc6dcb5460b755482be6ac6998f0fe7958 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 5 Mar 2025 17:30:39 -0500 Subject: [PATCH 05/17] possession! --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 85752ca143..132ef441f4 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -62,7 +62,7 @@ You can edit an existing prebuilt or custom rule's settings, and can bulk edit s NOTE: You cannot change the **Author** and **License** field values for prebuilt Elastic rules. -TIP: Customized prebuilt rules display the `Modified` badge in the Rules table and on their details pages. +TIP: Customized prebuilt rules display the `Modified` badge in the Rules table and on their details' pages. . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: From baf80d5ba461c9f082d449f068ea83f84d91f716 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 10 Mar 2025 21:14:54 -0400 Subject: [PATCH 06/17] Incorporate feedback from first round of reviews. --- docs/detections/rules-ui-manage.asciidoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
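Review bot: PATCH 05/17 changes `their details pages` to `their details' pages`, which is wrong: `details page` is a compound noun (the rule's details page), not a possessive, so the PATCH 04/17 wording was correct and this one-line change should be dropped. On the same line, `Modified` is set in backticks although it is a UI badge, not code; the file marks UI labels with bold (`*All actions*`, `*Bulk actions*`), so `*Modified*` would be consistent.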
diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 132ef441f4..4bdf2a5c7d 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -58,18 +58,19 @@ For {ml} rules, an indicator icon (image:images/rules-table-error-icon.png[Error [[edit-rules-settings]] === Modify existing rules settings -You can edit an existing prebuilt or custom rule's settings, and can bulk edit settings for multiple rules at once. - -NOTE: You cannot change the **Author** and **License** field values for prebuilt Elastic rules. +You can edit an existing custom rule's settings and can bulk edit settings for multiple rules at once. With the https://www.elastic.co/subscriptions/cloud[Enterprise] subscription, you can edit prebuilt rules too and bulk modify them. TIP: Customized prebuilt rules display the `Modified` badge in the Rules table and on their details' pages. . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. Alternatively, open the rule’s details page and click **Edit rule settings**. The *Edit rule settings* view opens, where you can modify the <>. ++ +NOTE: You cannot change the **Author** and **License** field values for prebuilt Elastic rules. ++ * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: + -NOTE: Rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. +Rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. + ** *Enable*: Turn the selected rules on. ** *Duplicate*: Create copies of the selected rules. 
@@ -157,12 +158,11 @@ image::images/rule-snoozing.png[Rules snooze options,65%] .Requirements [sidebar] -- -//Commenting out the first list item because need to confirm that the tables will be updated for 8.18 and 9.0. -//* To use the import and export rules feature, you must have the appropriate subscription. Refer to the subscription page for https://www.elastic.co/subscriptions/cloud[Elastic Cloud] and {subscriptions}[Elastic Stack/self-managed] for the breakdown of available features and their associated subscription tiers. +* To learn which subscription you need for exporting and importing custom rules and prebuilt rules (modified and unmodified), refer to the https://www.elastic.co/subscriptions/cloud[Elastic Cloud] subscription page. * At minimum, your role needs `Read` privileges for the **Action and Connectors** feature to import rules with actions. To overwrite or add new connectors, you need `All` privileges. Refer to <> to learn more about the required privileges for managing rules. -- -You can export prebuilt Elastic rules and custom rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. +You can export prebuilt Elastic rules and custom rules to an `.ndjson` file, which you can then (with the proper subscription) import into another {elastic-sec} environment. The `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. However, other configuration items require additional handling when exporting and importing rules: From e32db2125f4fec8da7caeac66683cf4f91e508a1 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 10 Mar 2025 21:50:08 -0400 Subject: [PATCH 07/17] Cleanup --- docs/detections/rules-ui-manage.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 4bdf2a5c7d..0e63ac55a0 100644 --- a/docs/detections/rules-ui-manage.asciidoc 
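Review bot: the subscription sentence added in PATCH 06/17 hunk @@ -58 links only the Elastic Cloud subscriptions page, but the line commented out in PATCH 03/17 also linked `{subscriptions}[Elastic Stack/self-managed]`; self-managed readers need that second link, since the Cloud page does not describe their tiers. The sentence itself (`you can edit prebuilt rules too and bulk modify them`) would read more cleanly as `you can also edit and bulk edit prebuilt rules`.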
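Review bot: the first Requirements bullet in PATCH 06/17 hunk @@ -157 has the same Cloud-only link as hunk @@ -58 and should also point to the self-managed subscriptions page. The body sentence now reads `which you can then (with the proper subscription) import into another {elastic-sec} environment`; the parenthetical interrupts the instruction and repeats the bullet directly above it, so drop it or move the subscription condition to the start of the sentence.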
+++ b/docs/detections/rules-ui-manage.asciidoc @@ -58,15 +58,15 @@ For {ml} rules, an indicator icon (image:images/rules-table-error-icon.png[Error [[edit-rules-settings]] === Modify existing rules settings -You can edit an existing custom rule's settings and can bulk edit settings for multiple rules at once. With the https://www.elastic.co/subscriptions/cloud[Enterprise] subscription, you can edit prebuilt rules too and bulk modify them. +You can edit an existing custom rule's settings and can bulk edit settings for multiple rules at once. With the https://www.elastic.co/subscriptions/cloud[Enterprise] subscription, you can edit Elastic prebuilt rules and bulk modify them too. -TIP: Customized prebuilt rules display the `Modified` badge in the Rules table and on their details' pages. +TIP: Edited prebuilt rules have the `Modified` badge on their details' pages and in the Rules table. . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. Alternatively, open the rule’s details page and click **Edit rule settings**. The *Edit rule settings* view opens, where you can modify the <>. + -NOTE: You cannot change the **Author** and **License** field values for prebuilt Elastic rules. +NOTE: You cannot change the **Author** and **License** field values for prebuilt rules. + * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: + 
@@ -162,7 +162,7 @@ image::images/rule-snoozing.png[Rules snooze options,65%] * At minimum, your role needs `Read` privileges for the **Action and Connectors** feature to import rules with actions. To overwrite or add new connectors, you need `All` privileges. Refer to <> to learn more about the required privileges for managing rules. -- -You can export prebuilt Elastic rules and custom rules to an `.ndjson` file, which you can then (with the proper subscription) import into another {elastic-sec} environment. +You can export prebuilt rules and custom rules to an `.ndjson` file, which you can then (with the proper subscription) import into another {elastic-sec} environment. The `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. However, other configuration items require additional handling when exporting and importing rules: From cadae86979e525ad1be20c40f3a99e1890e11f34 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 11 Mar 2025 18:36:59 -0400 Subject: [PATCH 08/17] Adds note about imported rules without base verions --- docs/detections/rules-ui-manage.asciidoc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 0e63ac55a0..fa40741c60 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -202,6 +202,15 @@ The rules are exported to an `.ndjson` file. The exported rules are imported to the Rules table. +[NOTE] +===== +When the prebuilt rule package doesn't have the original version of a rule that you're importing, the rule is marked as `Modified` if both the following criteria is met: + +- The rule's ID (`rule_id`) is identical to that of an already installed prebuilt rule. +- The imported rule's settings are different from the currently installed rule. +===== + + [float] [[rule-prerequisites]] === Confirm rule prerequisites 
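Review bot: PATCH 07/17 hunk @@ -58 leaves the terminology inconsistent within one paragraph: the intro says `Elastic prebuilt rules`, the NOTE now says `prebuilt rules`, and PATCH 06/17 said `prebuilt Elastic rules`; pick one term and use it throughout the section. The TIP on the same lines still carries the incorrect possessive `details' pages` introduced in PATCH 05/17.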
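Review bot: the NOTE added in PATCH 08/17 says `if both the following criteria is met`, which should be `if both of the following criteria are met`. The block is delimited with `=====` while every other admonition block in this file uses `====`; use the same delimiter. `the original version of a rule` is ambiguous (a reader may take it as the rule's first release); the commit subject calls it the base version, so say `the base version of the rule` and link the rule update documentation if a cross-reference exists. There are also two blank lines after the closing delimiter where the file otherwise uses one.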
From cbf01a0299694e291d08a14a73176dc336f7d29a Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 11 Mar 2025 18:38:57 -0400 Subject: [PATCH 09/17] Merge branch 'issue-5061-import-export-modify' of github.com:elastic/security-docs into issue-5061-import-export-modify --- docs/AI-for-security/ai-security-assistant.asciidoc | 3 +-- docs/cloud-native-security/cspm-get-started-aws.asciidoc | 2 ++ docs/cloud-native-security/cspm-get-started-azure.asciidoc | 2 ++ docs/cloud-native-security/cspm-get-started-gcp.asciidoc | 1 + docs/getting-started/agentless-troubleshooting.asciidoc | 7 ++++++- 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/AI-for-security/ai-security-assistant.asciidoc b/docs/AI-for-security/ai-security-assistant.asciidoc index 218bc94953..98e934ea42 100644 --- a/docs/AI-for-security/ai-security-assistant.asciidoc +++ b/docs/AI-for-security/ai-security-assistant.asciidoc @@ -66,7 +66,6 @@ You can also chat with AI Assistant from several particular pages in {elastic-se * <> or Event details flyout: Click *Chat* while viewing the details of an alert or event. * <>: Use AI Assistant to help create or correct rule queries. * <>: Select the *Incompatible fields* tab, then click *Chat*. (This is only available for fields marked red, indicating they're incompatible). -* <>: Select the *Security Assistant* tab. NOTE: Each user's chat history (up to the 99 most recent conversations) and custom Quick Prompts are automatically saved, so you can leave {elastic-sec} and return to a conversation later. Chat history appears to the left of the AI Assistant chat window, and on the **Conversations** tab of the **AI Assistant settings** menu. To access the settings menu, use the global search field to search for "AI Assistant for Security". 
@@ -106,7 +105,7 @@ The *Security AI settings* page allows you to configure AI Assistant. To access It has the following tabs: -* **Conversations:** When you open AI Assistant from certain pages, such as **Timeline** or **Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant's responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models. +* **Conversations:** When you open AI Assistant from certain pages, such as **Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant's responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models. * **Connectors:** Manage all LLM connectors. * **System Prompts:** Edit existing System Prompts or create new ones. To create a new System Prompt, type a unique name in the *Name* field, then press *enter*. Under *Prompt*, enter or update the System Prompt's text. Under *Contexts*, select where the System Prompt should appear. * **Quick Prompts:** Modify existing Quick Prompts or create new ones. To create a new Quick Prompt, type a unique name in the *Name* field, then press *enter*. Under *Prompt*, enter or update the Quick Prompt's text. diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc index 81457c336e..63e476d7a1 100644 --- a/docs/cloud-native-security/cspm-get-started-aws.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-aws.asciidoc 
@@ -41,6 +41,8 @@ NOTE: If you don't want to monitor every account in your organization, specify w .. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for <>. . Once you've selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. +IMPORTANT: Agentless deployment does not work if you are using {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering]. + [discrete] [[cspm-aws-agent-based]] == Agent-based deployment diff --git a/docs/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/cloud-native-security/cspm-get-started-azure.asciidoc index 0b9602e498..df59ceddaa 100644 --- a/docs/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-azure.asciidoc @@ -36,6 +36,8 @@ You can set up CSPM for Azure by by enrolling an Azure organization (management . Next, you'll need to authenticate to Azure by providing a **Client ID**, **Tenant ID**, and **Client Secret**. To learn how to generate them, refer to <>. . Once you've provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. +IMPORTANT: Agentless deployment does not work if you are using {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering]. + [discrete] [[cspm-azure-agent-based]] == Agent-based deployment diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc index 58c9a76d09..db24c8bb50 100644 --- a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc 
@@ -36,6 +36,7 @@ You can set up CSPM for GCP either by enrolling a single project, or by enrollin . Next, you'll need to authenticate to GCP. Expand the **Steps to Generate GCP Account Credentials** section, then follow the instructions that appear to automatically create the necessary credentials using Google Cloud Shell. . Once you've provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. +IMPORTANT: Agentless deployment does not work if you are using {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering]. [discrete] [[cspm-gcp-agent-based]] diff --git a/docs/getting-started/agentless-troubleshooting.asciidoc b/docs/getting-started/agentless-troubleshooting.asciidoc index 6629458449..8f1c5a9885 100644 --- a/docs/getting-started/agentless-troubleshooting.asciidoc +++ b/docs/getting-started/agentless-troubleshooting.asciidoc 
@@ -31,7 +31,12 @@ On the **{fleet}** page, the agent associated with an agentless integration has [elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX ``` -For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting]. +For instructions on checking {fleet} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting]. + +[discrete] +== What does it mean if no agents appear in my integration policy? + +Your agentless integration policy won't have any enrolled agents if you are using traffic filtering, because agentless integrations do not work in environments with {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering]. [discrete] == How do I delete an agentless integration? From c65709085766a0b9884d513a2055db10b39a259f Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 11 Mar 2025 18:40:27 -0400 Subject: [PATCH 10/17] Edits --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index fa40741c60..e96625d84d 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -204,7 +204,7 @@ The exported rules are imported to the Rules table. [NOTE] ===== -When the prebuilt rule package doesn't have the original version of a rule that you're importing, the rule is marked as `Modified` if both the following criteria is met: +If the prebuilt rule package doesn't have the original version of a rule that you're importing, the rule is marked as `Modified` when both the following criteria are met: - The rule's ID (`rule_id`) is identical to that of an already installed prebuilt rule. - The imported rule's settings are different from the currently installed rule. From a689ca9e0fdccafe0c1dd33d97a7919c4b9b4656 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 14 Mar 2025 09:31:37 -0400 Subject: [PATCH 11/17] Update docs/detections/rules-ui-manage.asciidoc --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index e96625d84d..7358490da4 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -200,7 +200,7 @@ The rules are exported to an `.ndjson` file. ** *Overwrite existing connectors with conflicting action "id"*: Updates existing connectors if they match the `action id` value of any rule actions in the import file. Configuration data included with the actions is also overwritten. .. Click *Import rule*. -The exported rules are imported to the Rules table. +The imported rules are added to the Rules table. [NOTE] ===== From 6150e3d87c695e2b80b93705f37c2dc4169f94d8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 14 Mar 2025 09:34:28 -0400 Subject: [PATCH 12/17] Update docs/detections/rules-ui-manage.asciidoc --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 7358490da4..5ebe69e706 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -158,7 +158,7 @@ image::images/rule-snoozing.png[Rules snooze options,65%] .Requirements [sidebar] -- -* To learn which subscription you need for exporting and importing custom rules and prebuilt rules (modified and unmodified), refer to the https://www.elastic.co/subscriptions/cloud[Elastic Cloud] subscription page. +* To learn which subscription you need for exporting and importing custom rules and prebuilt rules (modified and unmodified), refer to the subscription page for https://www.elastic.co/subscriptions/cloud[{ecloud}] and {subscriptions}[{stack}/self-managed] * At minimum, your role needs `Read` privileges for the **Action and Connectors** feature to import rules with actions. To overwrite or add new connectors, you need `All` privileges. Refer to <> to learn more about the required privileges for managing rules. -- From c35c7c6c583b10035ab361b0ba8ea9318e59d576 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 17 Mar 2025 09:15:00 -0400 Subject: [PATCH 13/17] Update docs/detections/rules-ui-manage.asciidoc --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 5ebe69e706..47706bf453 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -162,7 +162,7 @@ image::images/rule-snoozing.png[Rules snooze options,65%] * At minimum, your role needs `Read` privileges for the **Action and Connectors** feature to import rules with actions. To overwrite or add new connectors, you need `All` privileges. Refer to <> to learn more about the required privileges for managing rules. -- -You can export prebuilt rules and custom rules to an `.ndjson` file, which you can then (with the proper subscription) import into another {elastic-sec} environment. +You can export prebuilt rules and custom rules to an `.ndjson` file, which you can then import into another {elastic-sec} environment. The `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. However, other configuration items require additional handling when exporting and importing rules: From 46d9559ad5cca37583e90aa7b678069f11dedede Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 20 Mar 2025 23:56:26 -0400 Subject: [PATCH 14/17] Update docs/detections/rules-ui-manage.asciidoc Co-authored-by: Georgii Gorbachev --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 47706bf453..eed3825b90 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -85,7 +85,7 @@ NOTE: Rule actions won't run during a {kibana-ref}/maintenance-windows.html[main + ** *Update rule schedules*: Update the <> and look-back times on all selected rules. ** *Apply Timeline template*: Apply a specified <> to the selected rules. You can also choose *None* to remove Timeline templates from the selected rules. -** *Export*: Export the selected rules to an `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. +** *Export*: Export the selected rules to an `.ndjson` file which also includes any actions, connectors, and exception lists related to the exported rules. ** *Manual run*: Manually run the specified rules for a specified period of time. This option is only available for enabled rules. ** *Disable*: Turn the selected rules off. ** *Delete*: Remove the selected rules. From bb2e2cc0cb8a081dad416e0f58e86bb885234439 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 23 Mar 2025 20:31:02 -0400 Subject: [PATCH 15/17] Georgii's feedback pt.1 --- docs/detections/rules-ui-manage.asciidoc | 30 +++++++----------------- 1 file changed, 9 insertions(+), 21 deletions(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index eed3825b90..38d3e0dd8d 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -58,22 +58,20 @@ For {ml} rules, an indicator icon (image:images/rules-table-error-icon.png[Error [[edit-rules-settings]] === Modify existing rules settings -You can edit an existing custom rule's settings and can bulk edit settings for multiple rules at once. With the https://www.elastic.co/subscriptions/cloud[Enterprise] subscription, you can edit Elastic prebuilt rules and bulk modify them too. - -TIP: Edited prebuilt rules have the `Modified` badge on their details' pages and in the Rules table. +.Requirements +[sidebar] +-- +* You can edit custom rules and bulk-modify them with any {subscriptions}[{stack} subscription]. Editing <> (notifications and response actions) for prebuilt rules can also be done with any subscription. +* You must have an https://www.elastic.co/pricing/[Enterprise subscription] to edit all prebuilt rule settings (except for the **Author** and **License** fields) and bulk-modify them. +-- . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. Alternatively, open the rule’s details page and click **Edit rule settings**. The *Edit rule settings* view opens, where you can modify the <>. -+ -NOTE: You cannot change the **Author** and **License** field values for prebuilt rules. -+ * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: + Rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views. + -** *Enable*: Turn the selected rules on. -** *Duplicate*: Create copies of the selected rules. ** *Index patterns*: Add or delete the index patterns used by all selected rules. ** *Tags*: Add or delete tags on all selected rules. 
** *Custom highlighted fields*: Add custom highlighted fields on all selected rules. You can choose any fields that are available in the <>, or enter field names from other indices. To overwrite a rule's current set of custom highlighted fields, select the **Overwrite all selected rules' custom highlighted fields** option, then click **Save**. @@ -85,13 +83,12 @@ NOTE: Rule actions won't run during a {kibana-ref}/maintenance-windows.html[main + ** *Update rule schedules*: Update the <> and look-back times on all selected rules. ** *Apply Timeline template*: Apply a specified <> to the selected rules. You can also choose *None* to remove Timeline templates from the selected rules. -** *Export*: Export the selected rules to an `.ndjson` file which also includes any actions, connectors, and exception lists related to the exported rules. ** *Manual run*: Manually run the specified rules for a specified period of time. This option is only available for enabled rules. -** *Disable*: Turn the selected rules off. -** *Delete*: Remove the selected rules. . On the flyout that opens, update the rule settings and actions. . If available, select *Overwrite all selected _x_* to overwrite the settings on the rules. For example, if you're adding tags to multiple rules, selecting *Overwrite all selected rules tags* removes all the rules' original tags and replaces them with the tags you specify. . Click *Save*. ++ +NOTE: Edited prebuilt rules have the `Modified` badge on their details' pages and in the Rules table. [float] [[manage-rules-ui]] 
@@ -158,7 +155,7 @@ image::images/rule-snoozing.png[Rules snooze options,65%] .Requirements [sidebar] -- -* To learn which subscription you need for exporting and importing custom rules and prebuilt rules (modified and unmodified), refer to the subscription page for https://www.elastic.co/subscriptions/cloud[{ecloud}] and {subscriptions}[{stack}/self-managed] +* You can export and import custom rules and prebuilt rules (modified and unmodified) with any {subscriptions}[{stack} subscription]. * At minimum, your role needs `Read` privileges for the **Action and Connectors** feature to import rules with actions. To overwrite or add new connectors, you need `All` privileges. Refer to <> to learn more about the required privileges for managing rules. -- @@ -202,15 +199,6 @@ The rules are exported to an `.ndjson` file. The imported rules are added to the Rules table. -[NOTE] -===== -If the prebuilt rule package doesn't have the original version of a rule that you're importing, the rule is marked as `Modified` when both the following criteria are met: - -- The rule's ID (`rule_id`) is identical to that of an already installed prebuilt rule. -- The imported rule's settings are different from the currently installed rule. -===== - - [float] [[rule-prerequisites]] === Confirm rule prerequisites From 6e1f96fb3736c520374a518ffb8700b022ac1e90 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sun, 23 Mar 2025 23:26:03 -0400 Subject: [PATCH 16/17] Update docs/detections/rules-ui-manage.asciidoc --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 38d3e0dd8d..6165ee0d80 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -179,7 +179,7 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing- . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: -** Export a single rule: Find the rule in the Rules table, then select **All actions** ->**Export**. Alternatively, export the rule from its details page (click on the rule name to open its details, then click **All actions** ->**Export**). +** Export a single rule: Find the rule in the Rules table, then select **All actions** ->**Export**. Alternatively, export the rule from its details page (click on the rule name to open its details, then click **All actions** ->**Export**). ** Export multiple rules: In the Rules table, select the rules you want to export, then click **Bulk actions -> Export**. The rules are exported to an `.ndjson` file. From d300ff39500ff2975b17b041ca840ad8de7e8a0a Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sun, 23 Mar 2025 23:27:11 -0400 Subject: [PATCH 17/17] Update docs/detections/rules-ui-manage.asciidoc --- docs/detections/rules-ui-manage.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 6165ee0d80..3a3955682d 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc 
@@ -179,7 +179,7 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing- . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Do one of the following: -** Export a single rule: Find the rule in the Rules table, then select **All actions** ->**Export**. Alternatively, export the rule from its details page (click on the rule name to open its details, then click **All actions** ->**Export**). +** Export a single rule: Find the rule in the Rules table, then select **All actions** -> **Export**. Alternatively, export the rule from its details page (click on the rule name to open its details, then click **All actions** -> **Export**). ** Export multiple rules: In the Rules table, select the rules you want to export, then click **Bulk actions -> Export**. The rules are exported to an `.ndjson` file.
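Review bot: In the cspm-get-started-gcp.asciidoc hunk (@@ -36,6 +36,7), the added `IMPORTANT:` admonition is not followed by a blank line before `[discrete]`, unlike the matching AWS and Azure hunks, which add the blank line. Insert the blank line after the admonition so all three files use the same block separation.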
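Review bot: In the agentless-troubleshooting.asciidoc hunk, the new "What does it mean if no agents appear in my integration policy?" answer gives traffic filtering as the only explanation and says "traffic filtering" three times in one sentence. If other conditions can leave the policy without an enrolled agent, phrase it as one cause, e.g. "If you use {cloud}/ec-traffic-filtering-deployment-configuration.html[traffic filtering], your agentless integration policy won't have any enrolled agents, because agentless integrations don't work in those environments." The `{{fleet}}` to `{fleet}` attribute fix in the same hunk is correct.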
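Review bot: In the PATCH 15 hunk @@ -58,22 +58,20, the *Enable* and *Duplicate* entries are deleted from the "Bulk actions" list without any pointer to where those actions are now documented; if this section is meant to cover only settings-related bulk actions, say so in the "Bulk edit multiple rules" line. In the same hunk the new Requirements sidebar links subscriptions two different ways (`{subscriptions}[{stack} subscription]` and `https://www.elastic.co/pricing/[Enterprise subscription]`); use the `{subscriptions}` attribute for both so the target stays consistent across the docs.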
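Review bot: In the PATCH 15 hunk @@ -85,13 +83,12, removing *Export*, *Disable*, and *Delete* leaves the "Bulk actions" list incomplete relative to the menu it describes (PATCH 14 had just corrected the *Export* wording). Either keep one-line entries for these actions or add a sentence noting that non-settings bulk actions are covered elsewhere. The added `NOTE: Edited prebuilt rules have the `Modified` badge...` continuation after "Click *Save*" is fine, but it only applies to prebuilt rules, so consider placing it next to the prebuilt-rule requirement instead of the final step.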
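Review bot: In the PATCH 15 hunk @@ -202,15 +199,6, the deleted `[NOTE]` block was the only description of when an imported rule is marked `Modified` (matching `rule_id` plus differing settings). If the product behaviour is unchanged, keep the note or replace it with a pointer to where that rule is documented; otherwise the commit message ("Georgii's feedback pt.1") should say the behaviour no longer applies.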
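Review bot: In the PATCH 16 hunk @@ -179,7 +179,7, the removed and added lines are visibly identical, so the change is presumably an invisible character or whitespace difference. State what was replaced in the commit message so reviewers can verify it, since the default commit title "Update docs/detections/rules-ui-manage.asciidoc" gives no hint.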
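Review bot: In the PATCH 17 hunk @@ -179,7 +179,7, the spacing fix around `->` is good, but the UI labels use double-asterisk bold (`**All actions** -> **Export**`) while the edit-rule steps earlier in the same file use single asterisks (`*All actions* menu (*...*)`, `*Edit rule settings*`). Pick one convention for UI element names in this file; the single-asterisk form is the more common one here.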