[8.15] Edit required_fields field for custom rules in UI [classic] (backport #5287) (#5506)

* Edit required_fields field for custom rules in UI [classic] (#5287)

* First draft: add step to rule procedures

* Edit step (both serverless & classic)

(cherry picked from commit ff8d574)

# Conflicts:
#	docs/serverless/rules/rules-ui-create.mdx

* Delete docs/serverless directory and its contents

---------

Co-authored-by: Joe Peeples <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
3 people authored Jul 3, 2024
1 parent 5a259fe commit b9efb09
Showing 1 changed file with 36 additions and 12 deletions.
48 changes: 36 additions & 12 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -95,9 +95,13 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
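Review bot: Markup is inconsistent between the two sibling steps in this hunk: the added `**Required fields**` and `**Add required field**` use unconstrained double-asterisk bold, while the existing `*Related integrations*` and `*Add integration*` directly below use single asterisks. Suggest `*Required fields*` and `*Add required field*` so both steps render and read alike and the same fix does not have to be made in six copies later.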
Expand Down Expand Up @@ -131,9 +135,13 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
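Review bot: The sub-step `.. Enter the field's data type.` does not say what value is expected (a type chosen from a list, a free-text name, the field's mapping type), whereas the integration sub-step right after it spells out the version syntax with `~1.2.3` and `^1.2.3` examples. Suggest one sentence or example stating what to enter, which matters most for the "entirely new custom field" case where no existing mapping is available to copy from.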
Expand Down Expand Up @@ -190,9 +198,13 @@ NOTE: For sequence events, the {security-app} generates a single alert when all
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
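Review bot: The phrase "or type in an entirely new custom field", read together with "informational only", leaves open whether a name that does not exist in the selected index patterns or data view is validated; a reader cannot tell whether a typo in a field name is flagged or silently recorded. Suggest stating the behaviour explicitly, for example "Custom field names are accepted as typed and are not checked against your indices" if that is the case, or describing the validation if there is one.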
Expand Down Expand Up @@ -253,9 +265,13 @@ field values.
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
Expand Down Expand Up @@ -308,9 +324,13 @@ For example, if a rule has an interval of 5 minutes, no additional look-back tim
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
Expand All @@ -334,9 +354,13 @@ TIP: Click the help icon (image:images/esql-help-ref-button.png[Click the ES|QL
+

////
The following step is repeated across all rule types. If you change anything
in the step or its sub-steps, apply the change to the other rule types, too.
The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too.
////
. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs.
.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field.
.. Enter the field's data type.

. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <<rule-prerequisites,installation status>> when viewing the rule.
.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster.
.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0.
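Review bot: This is the sixth verbatim copy of the "Required fields" and "Related integrations" steps, kept in sync only by the `////` comment asking editors to apply changes by hand; this commit itself had to touch all six sites. Since the file is AsciiDoc, suggest moving the shared steps into a fragment and pulling it in at each site with an `include::` directive, so a wording fix lands once and the reminder comment can be dropped.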
