Edit required_fields field for custom rules in UI [classic] (#5287)
* First draft: add step to rule procedures

* Edit step (both serverless & classic)

(cherry picked from commit ff8d574)

# Conflicts:
#	docs/serverless/rules/rules-ui-create.mdx
joepeeples authored and mergify[bot] committed Jul 3, 2024
1 parent 5a259fe commit 5912c54
Showing 2 changed files with 909 additions and 12 deletions.
48 changes: 36 additions & 12 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -95,9 +95,13 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
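Review bot: Bold markup in the added step is inconsistent with the rest of this list: `. (Optional) Create a list of **Required fields**` and `.. Click **Add required field**` use unconstrained `**...**`, while the neighbouring step uses constrained `*Related integrations*` and `*Add integration*`. Both render the same here, but the file otherwise uses single asterisks, so switch to `*Required fields*` and `*Add required field*` (and make the same change in the other five copies of this step).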
Expand Down Expand Up @@ -131,9 +135,13 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
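Review bot: `.. Enter the field's data type.` gives the reader no indication of what value is expected. A short example of the format (for instance whether this is an Elasticsearch field type name such as `keyword` or `ip`) would make the sub-step actionable, particularly for the "entirely new custom field" case in the preceding sub-step, where there is nothing in the data view to look the type up from. This applies to every copy of the step.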
Expand Down Expand Up @@ -190,9 +198,13 @@ NOTE: For sequence events, the {security-app} generates a single alert when all
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
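Review bot: The comment `The following steps are repeated across multiple rule types` now guards six byte-identical copies of the Required fields and Related integrations steps, and the only thing keeping them in sync is this instruction to editors. Pulling the shared steps into a tagged snippet brought in with `include::` (or an equivalent shared file) would remove the drift risk the comment itself warns about; if that is out of scope for this PR, at least confirm before merge that all six copies, including this one, are identical.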
Expand Down Expand Up @@ -253,9 +265,13 @@ field values.
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
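Review bot: `This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs` should spell out the consequence for the reader: if a listed field is absent from the source data, the rule still runs and may simply never match, with no error pointing at the missing field. One sentence such as "Listing a field here does not validate that it exists in your data" would stop readers from treating "required" as something the rule enforces.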
Expand Down Expand Up @@ -308,9 +324,13 @@ For example, if a rule has an interval of 5 minutes, no additional look-back tim
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
Expand All @@ -334,9 +354,13 @@ TIP: Click the help icon (image:images/esql-help-ref-button.png[Click the ES|QL
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
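Review bot: The wording `select a field from the index patterns or data view you specified for the rule` is copied verbatim into the ES|QL section here (the surrounding `TIP` references the ES|QL help reference), but an ES|QL rule takes its data sources from the query's `FROM` clause rather than from an index pattern or data view entered in the form. Check the field picker for this rule type and, if it is populated from the query's sources, reword this copy (for example, "select a field from the indices your query reads") instead of reusing the text from the other rule types.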