[8.16] [Request][8.16] Update nav references for all "Detection and alerts" topics (backport #5979) (#6082)

* [Request][8.16] Update nav references for all "Detection and alerts" topics (#5979)

* First draft

* Second draft

* Fix refs

* Addresses comments

* removes additional comment

* Changes menu to navigation

* re-adds menu after nav

* Removes main

* Revisiting instructions to rules page

* remove duplicate 'the'

---------

Co-authored-by: Colleen McGinnis <[email protected]>
(cherry picked from commit 2736ed0)

# Conflicts:
#	docs/serverless/alerts/alert-suppression.asciidoc

* Delete docs/serverless directory and its contents

---------

Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
3 people authored Nov 8, 2024
1 parent a032631 commit bb73fbf
Showing 12 changed files with 74 additions and 57 deletions.
24 changes: 15 additions & 9 deletions docs/detections/add-exceptions.asciidoc
@@ -38,24 +38,24 @@ specific event in the sequence, update the rule's EQL statement. For example:
+
--
* To add an exception from the rule details page:
.. Go to the rule details page of the rule to which you want to add an
exception (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*).
.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. In the Rules table, search for the rule that you want to add an exception to, then click its name to open the rule details.
.. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*.
+
[role="screenshot"]
image::images/rule-exception-tab.png[Detail of rule exceptions tab]

* To add an exception from the Alerts table:
.. Go to *Alerts*.
.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*.

* To add an exception from the alert details flyout:
.. Go to *Alerts*.
.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. Click the *View details* button from the Alerts table.
.. In the alert details flyout, click *Take action -> Add rule exception*.

* To add an exception from the Shared Exception Lists page:
.. Go to *Rules* -> *Shared exception lists*.
.. Find the **Shared exception lists** page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. Click *Create shared exception list* -> *Create exception item*.
--

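Review bot: the emphasis markup is mixed within this hunk: `*Detection rules (SIEM)*` uses single asterisks while `**Alerts**` and `**Shared exception lists**` use double asterisks. Both render bold in AsciiDoc, but the other files touched by this PR use the single-asterisk form, so use that here too (`*Alerts*`, `*Shared exception lists*`).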
@@ -157,16 +157,17 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there
--

* To add an Endpoint exception from the rule details page:
.. Go to the rule details page (*Rules* -> *Detection rules (SIEM)*), and then search for and select the Elastic *Endpoint Security* rule.
.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. In the Rules table, search for and select the Elastic *Endpoint Security* rule.
.. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*.

* To add an Endpoint exception from the Alerts table:
.. Go to *Alerts*.
.. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. Scroll down to the Alerts table, and from an {elastic-endpoint}
alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*.

* To add an Endpoint exception from Shared Exception Lists page:
.. Go to *Rules* -> *Shared exception lists*.
.. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*.
+
NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option selected.
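Review bot: the bullet "To add an Endpoint exception from Shared Exception Lists page" is missing "the" before "Shared Exception Lists page"; since the step under it is being rewritten anyway, fix the heading line in the same change. The same hunk also mixes `**Alerts**` (double asterisks) with `*Shared exception lists*` (single); pick one form.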
@@ -264,8 +265,13 @@ image::images/nested-exp.png[]
[[manage-exception]]
=== View and manage exceptions

To view a rule's exceptions, open the rule's details page (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*), then scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list. From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*.
To view a rule's exceptions:

. Open the rule's details page. To do this, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for the rule that you want to examine, then click the rule's name to open its details.
. Scroll down and select the *Rule exceptions* or *Endpoint exceptions* tab. All exceptions that belong to the rule will display in a list.
+
From the list, you can filter, edit, and delete exceptions. You can also toggle between *Active exceptions* and *Expired exceptions*.
+
[role="screenshot"]
image::images/manage-default-rule-list.png[A default rule list]

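Review bot: step 1 uses a different sentence from every other rewritten step in this PR ("find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the ... global search field") and introduces typographic quotes into the source; reuse the standard wording, "Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]", and drop the quoted repetition of the page name. Splitting the old paragraph into numbered steps is an improvement; note that the `+` before "From the list, you can filter, edit, and delete exceptions" attaches that paragraph and the screenshot to step 2, which looks intended but is worth confirming in the rendered output.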
2 changes: 1 addition & 1 deletion docs/detections/building-block-rule.asciidoc
@@ -25,7 +25,7 @@ image::images/alert-indices-ui.png[]
By default, building block alerts are excluded from the Overview and Alerts pages.
You can choose to include building block alerts on the Alerts page, which expands the number of alerts.

. Go to *Alerts*.
. Find **Alerts** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. In the Alerts table, select *Additional filters* ->
*Include building block alerts*, located on the far-right.

10 changes: 7 additions & 3 deletions docs/detections/prebuilt-rules-management.asciidoc
@@ -27,7 +27,9 @@ Follow these guidelines to start using the {security-app}'s <<prebuilt-rules, pr
[[load-prebuilt-rules]]
=== Install and enable Elastic prebuilt rules

. Go to *Rules* -> *Detection rules (SIEM)*. The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation.
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the Rules table.
+
The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation.
+
[role="screenshot"]
image::images/prebuilt-rules-add-badge.png[The Add Elastic Rules page]
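Review bot: "then go to the Rules table" at the end of step 1 is redundant, because the Rules table is what the Detection rules (SIEM) page shows when it opens; the badge sentence can follow the navigation sentence directly, either in the same step as before or as the `+` continuation paragraph you already have. If the phrase is meant to distinguish the table from the *Rule Updates* and coverage tabs on that page, say "on the *Rules* tab" instead.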
@@ -81,7 +83,8 @@ Each prebuilt rule includes several tags identifying the rule's purpose, detecti
[[select-all-prebuilt-rules]]
=== Select and duplicate all prebuilt rules

. Go to *Rules* -> *Detection rules (SIEM)*, then select the *Elastic rules* filter.
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. In the *Rules* table, select the *Elastic rules* filter.
. Click *Select all _x_ rules* above the rules table.
. Click *Bulk actions* -> *Duplicate*.
. Select whether to duplicate the rules' exceptions, then click *Duplicate*.
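Review bot: "In the *Rules* table" bolds "Rules" here, while the same phrase is unbolded in the steps this PR adds to add-exceptions.asciidoc and tune-rule-signals.asciidoc ("In the Rules table, search for..."); use one form across the PR.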
@@ -94,7 +97,8 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o

Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions.

. Go to *Rules* -> *Detection rules (SIEM)*, then select the *Rule Updates* tab.
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. In the *Rules* table, select the *Rule Updates* tab.
+
NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date.
+
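Review bot: step 2, "In the *Rules* table, select the *Rule Updates* tab", is inaccurate: the *Rule Updates* tab is a tab on the Rules page, not a control inside the Rules table, and the paragraph just above this hunk already says the tab "appears on the *Rules* page". Suggest "On the *Rules* page, select the *Rule Updates* tab." The NOTE about the tab not appearing when rules are up to date still applies as written.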
4 changes: 2 additions & 2 deletions docs/detections/prebuilt-rules/tune-rule-signals.asciidoc
@@ -35,8 +35,8 @@ add an exception for the required application.
For example, to prevent the <<unusual-process-execution-path-alternate-data-stream>> rule from
producing alerts for an in-house application named `myautomatedbuild`:

. Go to *Rules* -> *Detection rules (SIEM)*.
. Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule.
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. In the Rules table, search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule.
+
The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed.
[role="screenshot"]
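Review bot: "search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule" should read "click the", matching the "click its name" / "click the rule's name" wording used in the other steps this PR rewrites. Otherwise the two-step split is consistent with the rest of the change.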
4 changes: 3 additions & 1 deletion docs/detections/rules-coverage.asciidoc
@@ -6,10 +6,12 @@
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [manage, analyze, visualize]

The **MITRE ATT&CK® coverage** page (**Rules** -> **MITRE ATT&CK® Coverage**) shows which https://attack.mitre.org[MITRE ATT&CK®] adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules.
The **MITRE ATT&CK® coverage** page shows which https://attack.mitre.org[MITRE ATT&CK®] adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules.

Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cells within each column represent a tactic's related techniques. Cells are darker when a technique has more rules matching the current filters, as indicated in the **Legend** at the top.

To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **MITRE ATT&CK® coverage**.

[NOTE]
====
This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following https://attack.mitre.org/resources/updates/updates-april-2024[MITRE ATT&CK® version] used by {elastic-sec}: `v15.1`. Elastic prebuilt rules that aren't installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map.
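Review bot: the new access paragraph uses "or look for “Detection rules (SIEM)” using the ... global search field" with typographic quotes, unlike the "or by using the ... global search field" sentence used everywhere else in this PR; align the wording and drop the quoted repetition. Consider also moving that paragraph up to directly follow the opening sentence, so the reader is told how to open the coverage page before being told how to read its columns and cells.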
3 changes: 2 additions & 1 deletion docs/detections/rules-cross-cluster-search.asciidoc
@@ -66,7 +66,8 @@ To update a rule's API key, log into the local cluster as a user with the privil

* Edit and save the rule.
* Update the rule's API key manually:
. Go to {kib} -> *Stack Management* -> *Rules*.
. Find **Stack Management** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to
*Rules*.
. Use the search box and filters to find the rules you want to update. For example, use the *Type* filter to find rules under the *Security* category.
. Select the rule's actions menu (*...*), then *Update API key*.
+
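Review bot: the new step is hard-wrapped after "then go to" with `*Rules*.` on its own line; AsciiDoc joins the lines, but keeping the step on one line matches the other rewritten steps and avoids a diff that looks like a truncated sentence. `**Stack Management**` also uses double asterisks where the rest of the hunk and the PR use single.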
39 changes: 22 additions & 17 deletions docs/detections/rules-ui-create.asciidoc
@@ -42,9 +42,9 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript
{ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user
role, and the selected {ml} job must be running for the rule to function correctly.
==============
. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
. To create a rule based on a {ml} anomaly threshold, select *Machine Learning*,
then select:
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click *Create new rule*.
. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule* page, then select:
.. The required {ml} jobs.
+
NOTE: If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule.
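Review bot: the two navigation steps ("Find *Detection rules (SIEM)* ..." and "Click *Create new rule*.") are now repeated verbatim at the start of every rule-type section in this file, and each section's next step already says "on the *Create new rule* page"; consider stating the navigation once in the shared introduction and starting each section at the "select *Machine Learning*" step. If the per-section repetition is deliberate for deep links, "select *Machine Learning* on the *Create new rule* page, then select:" reads "select ... select"; "then choose:" or "then specify:" avoids that.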
@@ -68,9 +68,9 @@ in the step or its sub-steps, apply the change to the other rule types, too.
[discrete]
[[create-custom-rule]]
=== Create a custom query rule
. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
. To create a rule based on a KQL or Lucene query, select *Custom query*,
then:
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click *Create new rule*.
. To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then:
.. Define which {es} indices or data view the rule searches for alerts.
.. Use the filter and query fields to create the criteria used for detecting
alerts.
@@ -119,8 +119,9 @@ in these steps or sub-steps, apply the change to the other rule types, too.
[discrete]
[[create-threshold-rule]]
=== Create a threshold rule
. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
. To create a rule based on a source event field threshold, select *Threshold*, then:
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click *Create new rule*.
. To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then:
.. Define which {es} indices the rule analyzes for alerts.
.. Use the filter and query fields to create the criteria used for detecting
alerts.
@@ -159,7 +160,9 @@ in these steps or sub-steps, apply the change to the other rule types, too.
[discrete]
[[create-eql-rule]]
=== Create an event correlation rule
. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click *Create new rule*.
. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:
. To create an event correlation rule using EQL, select *Event Correlation*, then:
.. Define which {es} indices or data view the rule searches when querying for events.
.. Write an {ref}/eql-syntax.html[EQL query] that searches for matching events or a series of matching events.
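Review bot: the step "To create an event correlation rule using EQL, select *Event Correlation* ..., then:" now appears twice in a row. The new line adds "on the *Create new rule* page", but the old line directly below it was not removed, so the rendered list has two consecutive steps with the same instruction before the "Define which {es} indices ..." sub-steps. Delete the older of the two lines, as was done in the other rule-type sections of this file.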
@@ -225,9 +228,9 @@ in these steps or sub-steps, apply the change to the other rule types, too.

NOTE: {elastic-sec} provides limited support for indicator match rules. See <<support-indicator-rules>> for more information.

. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields:

. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click *Create new rule*.
. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields:
.. *Source*: The individual index patterns or data view that specifies what data to search.
.. *Custom query*: The query and filters used to retrieve the required results from
the {elastic-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`.
@@ -304,7 +307,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi
* *Field*: Enter the field from the Elastic Security event indices to be used for comparing values.
* *Indicator index field*: Enter the type of value list you created (i.e., `keyword`, `text`, or `IP`).
+
TIP: If you don't remember this information, go to *Rules* -> *Detection rules (SIEM)* -> *Manage value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.)
TIP: If you don't remember this information, refer to the appropriate <<value-lists-exceptions, value list>> and find the list's type in the *Type* column (for example, the type can be `Keywords`, `Text`, or `IP`).

[role="screenshot"]
image::images/indicator_value_list.png[]
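Review bot: the rewritten TIP lists the value-list types as `Keywords`, `Text`, or `IP`, while the *Indicator index field* bullet two lines above still says `keyword`, `text`, or `IP`; the two lists describe the same *Type* column and should use the same names (and that bullet's "i.e." should be "for example", since the list is illustrative). Also confirm that the new cross-reference `<<value-lists-exceptions, value list>>` resolves to an existing anchor, since the old text pointed the reader at the *Manage value lists* page by navigation instead.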
@@ -313,8 +316,9 @@ image::images/indicator_value_list.png[]
[[create-new-terms-rule]]
=== Create a new terms rule

. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
. To create a rule that searches for each new term detected in source documents, select *New Terms*, then:
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click *Create new rule*.
. To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then:
.. Specify what data to search by entering individual {es} index patterns or selecting an existing data view.
.. Use the filter and query fields to create the criteria used for detecting
alerts.
@@ -353,8 +357,9 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data

To create an {esql} rule:

. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page appears.
. Select **{esql}**, then write a query.
. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Click *Create new rule*.
. Select **{esql}**, then write a query.
+
NOTE: Refer to the sections below to learn more about <<esql-rule-query-types,{esql} query types>>, <<esql-query-design,query design considerations>>, and <<esql-rule-limitations,rule limitations>>.
+
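Review bot: "Select **{esql}**, then write a query." omits the "on the *Create new rule* page" wording that the other rule-type sections now use after the "Click *Create new rule*." step, and `**{esql}**` uses double asterisks where the rest of the file uses single; align both for consistency.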