Edit related_integrations field for custom rules in UI [serverless] (#…
…337)

* Add new step to all rule types

* Revise step, use variable for URL

* Mention type-ahead

* Explain related integrations

Also links to more info, and moves that info to a more generic location (no longer just prebuilt)

* Apply changes from Ben's review

Review from #5151
joepeeples authored May 8, 2024
1 parent c9e896a commit 8786250
Showing 3 changed files with 69 additions and 22 deletions.
23 changes: 1 addition & 22 deletions rules/prebuilt-rules/prebuilt-rules-management.mdx
Expand Up @@ -16,7 +16,7 @@ Follow these guidelines to start using the ((security-app))'s <DocLink id="serve
* <DocLink id="serverlessSecurityPrebuiltRulesManagement" section="prebuilt-rule-tags">Prebuilt rule tags</DocLink>
* <DocLink id="serverlessSecurityPrebuiltRulesManagement" section="select-and-duplicate-all-prebuilt-rules">Select and duplicate all prebuilt rules</DocLink>
* <DocLink id="serverlessSecurityPrebuiltRulesManagement" section="update-elastic-prebuilt-rules">Update Elastic prebuilt rules</DocLink>
* <DocLink id="serverlessSecurityPrebuiltRulesManagement" section="confirm-rule-prerequisites">Confirm rule prerequisites</DocLink>
* <DocLink id="serverlessSecurityRulesUiManagement" section="confirm-rule-prerequisites">Confirm rule prerequisites</DocLink>

<DocCallOut title="Note">

Expand Down Expand Up @@ -125,24 +125,3 @@ Elastic regularly updates prebuilt rules to optimize their performance and ensur
<DocCallOut title="Tip">
Use the search bar and **Tags** filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <DocLink id="serverlessSecurityPrebuiltRulesManagement" section="prebuilt-rule-tags">Prebuilt rule tags</DocLink>.
</DocCallOut>

<div id="rule-prerequisites"></div>

## Confirm rule prerequisites

Many Elastic prebuilt rules are designed to work with specific Elastic integrations and data fields. These prerequisites are identified in the **Related integrations** and **Required fields** fields on a rule's details page (**Rules****Detection rules (SIEM)**, then click a rule's name). **Related integrations** also displays each integration's installation status and includes links for installing and configuring the listed integrations.

Additionally, the **Setup guide** section provides guidance on setting up the rule's requirements.

![Rule details page with Related integrations, Required fields, and Setup guide highlighted](../../images/prebuilt-rules-management/-detections-rule-details-prerequisites.png)

You can also check rules' related integrations in the **Installed Rules** and **Rule Monitoring** tables. Click the **integrations** badge to display the related integrations in a popup.

<DocImage size="xl" url="../../images/prebuilt-rules-management/-detections-rules-table-related-integrations.png" alt="Rules table with related integrations popup" />


<DocCallOut title="Tip">
You can hide the **integrations** badge in the rules tables by turning off the `securitySolution:showRelatedIntegrations` advanced setting.
{/* Will need to revisit this section since it mentions advanced settings, which aren't exposed yet. */}
</DocCallOut>

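Review bot: deleting the `<div id="rule-prerequisites"></div>` anchor and the "Confirm rule prerequisites" heading from this page breaks any existing deep link to `prebuilt-rules-management#rule-prerequisites` or to the `confirm-rule-prerequisites` section of `serverlessSecurityPrebuiltRulesManagement`; the first hunk in this file updates one such DocLink, but please grep the rest of the docs set for the old target (or keep a stub anchor here) so other pages do not dangle. Also, the `{/* Will need to revisit this section since it mentions advanced settings, which aren't exposed yet. */}` comment is dropped here and not carried over with the moved Tip, so that open caveat is lost unless advanced settings are now exposed in serverless.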
49 changes: 49 additions & 0 deletions rules/rules-ui-create.mdx
Expand Up @@ -49,6 +49,15 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,
</DocCallOut>

1. The anomaly score threshold above which alerts are created.

{/* The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too. */}
1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <DocLink id="serverlessSecurityRulesUiManagement" section="confirm-rule-prerequisites">installation status</DocLink> when viewing the rule.

1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.

1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.

1. Click **Continue** to <DocLink id="serverlessSecurityRulesUiCreate" section="configure-basic-rule-settings">configure basic rule settings</DocLink>.

<div id="create-custom-rule"></div>
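Review bot: the caret example in the version sub-step only holds for versions with a non-zero major. Assuming the range grammar is the npm `semver` package's tilde/caret syntax that this step describes, `^0.2.3` allows only `>=0.2.3 <0.3.0`, not everything below 2.0.0, and `^0.0.3` allows only `0.0.3`; since integrations do ship at 0.x versions, either add that caveat next to the `^1.2.3` example or recommend `~` for 0.x packages. Separately, this step and its sub-steps are now pasted verbatim six times with a `{/* ... apply the change to the other rule types, too. */}` reminder in each copy; if the docs build supports shared snippets or partials, factoring the block into one include would remove the drift risk that comment is warning about.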
Expand Down Expand Up @@ -87,6 +96,14 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,

1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <DocLink id="serverlessSecurityAlertSuppression">Suppress detection alerts</DocLink> for more information.

{/* The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too. */}
1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <DocLink id="serverlessSecurityRulesUiManagement" section="confirm-rule-prerequisites">installation status</DocLink> when viewing the rule.

1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.

1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.

1. Click **Continue** to <DocLink id="serverlessSecurityRulesUiCreate" section="configure-basic-rule-settings">configure basic rule settings</DocLink>.

<div id="create-threshold-rule"></div>
Expand Down Expand Up @@ -115,6 +132,14 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,

1. <DocBadge template="technical preview" /> (Optional) Select **Suppress alerts** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <DocLink id="serverlessSecurityAlertSuppression">Suppress detection alerts</DocLink> for more information.

{/* The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too. */}
1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <DocLink id="serverlessSecurityRulesUiManagement" section="confirm-rule-prerequisites">installation status</DocLink> when viewing the rule.

1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.

1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.

1. Click **Continue** to <DocLink id="serverlessSecurityRulesUiCreate" section="configure-basic-rule-settings">configure basic rule settings</DocLink>.

<div id="create-eql-rule"></div>
Expand Down Expand Up @@ -167,6 +192,14 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,

1. <DocBadge template="technical preview" /> (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <DocLink id="serverlessSecurityAlertSuppression">Suppress detection alerts</DocLink> for more information.

{/* The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too. */}
1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <DocLink id="serverlessSecurityRulesUiManagement" section="confirm-rule-prerequisites">installation status</DocLink> when viewing the rule.

1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.

1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.

1. Click **Continue** to <DocLink id="serverlessSecurityRulesUiCreate" section="configure-basic-rule-settings">configure basic rule settings</DocLink>.

<div id="create-indicator-rule"></div>
Expand Down Expand Up @@ -231,6 +264,14 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,

1. <DocBadge template="technical preview" /> (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <DocLink id="serverlessSecurityAlertSuppression">Suppress detection alerts</DocLink> for more information.

{/* The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too. */}
1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <DocLink id="serverlessSecurityRulesUiManagement" section="confirm-rule-prerequisites">installation status</DocLink> when viewing the rule.

1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.

1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.

1. Click **Continue** to <DocLink id="serverlessSecurityRulesUiCreate" section="configure-basic-rule-settings">configure basic rule settings</DocLink>.

<div id="indicator-value-lists"></div>
Expand Down Expand Up @@ -284,6 +325,14 @@ You uploaded a value list of known ransomware domains, and you want to be notifi

1. <DocBadge template="technical preview" /> (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <DocLink id="serverlessSecurityAlertSuppression">Suppress detection alerts</DocLink> for more information.

{/* The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too. */}
1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <DocLink id="serverlessSecurityRulesUiManagement" section="confirm-rule-prerequisites">installation status</DocLink> when viewing the rule.

1. Click **Add integration**, then select an integration from the list. You can also start typing an integration's name to find it faster.

1. Enter the version of the integration you want to associate with the rule, using [semantic versioning](https://semver.org/). For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.

1. Click **Continue** to <DocLink id="serverlessSecurityRulesUiCreate" section="configure-basic-rule-settings">configure basic rule settings</DocLink>.

<div id="rule-ui-basic-params"></div>
19 changes: 19 additions & 0 deletions rules/rules-ui-management.mdx
Expand Up @@ -22,6 +22,7 @@ On the Rules page, you can:
* <DocLink id="serverlessSecurityRulesUiManagement" section="manage-rules">Manage rules</DocLink>
* <DocLink id="serverlessSecurityRulesUiManagement" section="snooze-rule-actions">Snooze rule actions</DocLink>
* <DocLink id="serverlessSecurityRulesUiManagement" section="export-and-import-rules">Export and import rules</DocLink>
* <DocLink id="serverlessSecurityRulesUiManagement" section="confirm-rule-prerequisites">Confirm rule prerequisites</DocLink>
* <DocLink id="serverlessSecurityAlertsUiMonitor" section="troubleshoot-missing-alerts">Troubleshoot missing alerts</DocLink>

<div id="sort-filter-rules"></div>
Expand Down Expand Up @@ -175,3 +176,21 @@ To export and import detection rules:
1. Click **Import rule**.
1. (Optional) If a connector is missing sensitive information after the import, a warning displays and you're prompted to fix the connector. In the warning, click **Go to connector**. On the Connectors page, find the connector that needs to be updated, click **Fix**, then add the necessary details.

<div id="rule-prerequisites"></div>

## Confirm rule prerequisites

Many detection rules are designed to work with specific [Elastic integrations](((integrations-docs))) and data fields. These prerequisites are identified in **Related integrations** and **Required fields** on a rule's details page (**Rules****Detection rules (SIEM)**, then click a rule's name). **Related integrations** also displays each integration's installation status and includes links for installing and configuring the listed integrations.

Additionally, the **Setup guide** section provides guidance on setting up the rule's requirements.

![Rule details page with Related integrations, Required fields, and Setup guide highlighted](../images/prebuilt-rules-management/-detections-rule-details-prerequisites.png)

You can also check rules' related integrations in the **Installed Rules** and **Rule Monitoring** tables. Click the **integrations** badge to display the related integrations in a popup.

<DocImage size="xl" url="../images/prebuilt-rules-management/-detections-rules-table-related-integrations.png" alt="Rules table with related integrations popup" />

<DocCallOut title="Tip">
You can hide the **integrations** badge in the rules tables by turning off the `securitySolution:showRelatedIntegrations` advanced setting.
</DocCallOut>

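Review bot: the Tip still tells users to turn off the `securitySolution:showRelatedIntegrations` advanced setting, but the comment flagging advanced settings as not exposed in serverless (`{/* Will need to revisit this section since it mentions advanced settings, which aren't exposed yet. */}`) was dropped in the move rather than resolved; either confirm the setting is reachable from the serverless UI or carry the comment over so the follow-up is not forgotten. The relative image paths were correctly rebased from `../../images/` to `../images/` for the shallower file location, though both still point into the `prebuilt-rules-management` image directory now that the section is generic; fine for now, but worth noting if the images are ever reorganized.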