diff --git a/.backportrc.json b/.backportrc.json index 64f896c835..558a4c70f3 100644 --- a/.backportrc.json +++ b/.backportrc.json @@ -1,5 +1,5 @@ { "upstream": "elastic/security-docs", - "branches": [{ "name": "7.x", "checked": true }, "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"], + "branches": [{ "name": "7.x", "checked": true }, "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"], "labels": ["backport"] } diff --git a/.mergify.yml b/.mergify.yml index bbea8d26dd..52352bba3c 100644 --- a/.mergify.yml +++ b/.mergify.yml @@ -13,6 +13,20 @@ pull_request_rules: git merge upstream/{{base}} git push upstream {{head}} ``` + - name: backport patches to 8.15 branch + conditions: + - merged + - base=main + - label=v8.15.0 + actions: + backport: + assignees: + - "{{ author }}" + branches: + - "8.15" + title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})" + labels: + - backport - name: backport patches to 8.14 branch conditions: - merged diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index d1489cb710..d620f7bd4e 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -113,5 +113,5 @@ image::images/timeline-button.png[Investigate in timeline button, 200] Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit): -* **Threshold and event correlation (non-sequence queries only)** - The maximum number of alerts is the value you choose for the <> setting, which is `100` by default. -* **Indicator match and new terms** - The maximum number is five times the value you choose for the <> setting. The default `max_signals` value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`. \ No newline at end of file +* **Threshold and event correlation (non-sequence queries only)** - The maximum number of alerts is the value you choose for the rule's **Max alerts per run** <>, which is `100` by default. +* **Indicator match and new terms** - The maximum number is five times the value you choose for the rule's **Max alerts per run** <>. The default value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`. \ No newline at end of file diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 0b60cba3de..440d335a4b 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -329,9 +329,9 @@ means the rule runs every hour. Defaults to `5m` (5 minutes). |license |String |The rule's license. |max_signals |Integer a|Maximum number of alerts the rule can create during a -single execution. Defaults to `100`. +single run (the rule's **Max alerts per run** <> value). Defaults to `100`. -*NOTE*: To avoid rule failures, do not set the `max_signals` value higher than the value of {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`]. +NOTE: This setting can be superseded by the {kibana-ref}/alert-action-settings-kb.html#alert-settings[{kib} configuration setting] `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by _any_ rule in the {kib} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. |meta |Object a|Placeholder for metadata about the rule. diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index 6171e426e2..a3fdddf55d 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc 
@@ -232,8 +232,10 @@ means the rule runs every hour. Defaults to `5m` (5 minutes). |license |String |The rule's license. -|max_signals |Integer |Maximum number of alerts the rule can create during a -single execution. Defaults to `100`. +|max_signals |Integer a|Maximum number of alerts the rule can create during a +single run (the rule's **Max alerts per run** <> value). Defaults to `100`. + +NOTE: This setting can be superseded by the {kibana-ref}/alert-action-settings-kb.html#alert-settings[{kib} configuration setting] `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by _any_ rule in the {kib} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. |meta |Object a|Placeholder for metadata about the rule. diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index 12a6635633..7adb34db43 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc 
@@ -116,21 +116,3 @@ image::images/prebuilt-rules-update-diff.png[Prebuilt rule comparison,75%] * Update multiple rules: Select the rules and click *Update _x_ selected rule(s)*. + TIP: Use the search bar and *Tags* filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <>. - -[float] -[[rule-prerequisites]] -=== Confirm rule prerequisites - -Many Elastic prebuilt rules are designed to work with specific Elastic integrations and data fields. These prerequisites are identified in the *Related integrations* and *Required fields* fields on a rule's details page (*Rules* -> *Detection rules (SIEM)*, then click a rule's name). *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. - -Additionally, the *Setup guide* section provides guidance on setting up the rule's requirements. - -[role="screenshot"] -image::images/rule-details-prerequisites.png[Rule details page with Related integrations, Required fields, and Setup guide highlighted] - -You can also check rules' related integrations in the *Installed Rules* and *Rule Monitoring* tables. Click the *integrations* badge to display the related integrations in a popup. - -[role="screenshot"] -image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%] - -TIP: You can hide the *integrations* badge in the rules tables. Go to *{kib}* -> *Stack Management* -> *Advanced Settings*, then turn off `securitySolution:showRelatedIntegrations`. diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 1ffb0900e1..d9274bf131 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -45,6 +45,16 @@ then select: + NOTE: If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule. .. The anomaly score threshold above which alerts are created. ++ + +//// +The following step is repeated across all rule types. If you change anything +in the step or its sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <> when viewing the rule. +.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster. +.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. + . Click **Continue** to <>. [discrete] 
@@ -82,6 +92,19 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on * Deselect this to load the saved query as a one-time way of populating the rule's *Custom query* field and filters. This copies the settings from the saved query to the rule, so you can then further adjust the rule's query and filters as needed. If the saved query is later changed, the rule will not inherit those changes. . (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. + +. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <> when viewing the rule. +.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster. +.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. 
For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. . Click **Continue** to <>. 
@@ -109,6 +132,19 @@ You can also leave the *Group by* field undefined. The rule then creates an aler IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the *Group by* fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. + +. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <> when viewing the rule. +.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster. +.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. 
For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. . Click *Continue* to <>. @@ -159,6 +195,19 @@ NOTE: For sequence events, the {security-app} generates a single alert when all + . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. + +. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <> when viewing the rule. +.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster. +.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. . Click *Continue* to <>. 
@@ -213,6 +262,19 @@ in the Timeline, Timeline query values are replaced with their corresponding ale field values. + . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. + +. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <> when viewing the rule. +.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster. +.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. . Click *Continue* to <>. 
@@ -259,6 +321,19 @@ IMPORTANT: When checking multiple fields, each unique combination of values from For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you <>. . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. + +. (Optional) Add *Related integrations* to associate the rule with one or more {integrations-docs}[Elastic integrations]. This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <> when viewing the rule. +.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster. +.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. 
For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. . Click *Continue* to <>. @@ -277,6 +352,19 @@ NOTE: Refer to the sections below to learn more about <> when viewing the rule. +.. Click *Add integration*, then select an integration from the list. You can also start typing an integration's name to find it faster. +.. Enter the version of the integration you want to associate with the rule, using https://semver.org[semantic versioning]. For version ranges, you must use tilde or caret syntax. For example, `~1.2.3` is from 1.2.3 to any patch version less than 1.3.0, and `^1.2.3` is from 1.2.3 to any minor and patch version less than 2.0.0. + . Click *Continue* to <>. [float] 
@@ -371,11 +459,9 @@ FROM logs-* METADATA _id, _index, _version When writing your query, consider the following: -- The {ref}/esql-commands.html#esql-limit[`LIMIT`] command specifies the maximum number of rows an {esql} query returns and the maximum number of alerts created per rule execution. Similarly, a detection rule's <> setting specifies the maximum number of alerts it can create every time it runs. +- The {ref}/esql-commands.html#esql-limit[`LIMIT`] command specifies the maximum number of rows an {esql} query returns and the maximum number of alerts created per rule execution. Similarly, a detection rule's **Max alerts per run** setting specifies the maximum number of alerts it can create every time it runs. + -If the `LIMIT` value is lower than the `max_signals` value, the rule uses the `LIMIT` value to determine the maximum number of alerts the rule generates. If the `LIMIT` value is higher than the `max_signals` value, the rule uses the `max_signals` value. -+ -NOTE: The `max_signals` default value is 100. You can modify it using the <>. +If the `LIMIT` value and **Max alerts per run** value are different, the rule uses the lower value to determine the maximum number of alerts the rule generates. + - When writing an aggregating query, use the {ref}/esql-commands.html#esql-stats-by[`STATS...BY`] command with fields that you want to search and filter for after alerts are created. For example, using the `host.name`, `user.name`, `process.name` fields with the `BY` operator of the `STATS...BY` command returns these fields in alert documents, and allows you to search and filter for them from the Alerts table. 
@@ -470,6 +556,10 @@ also affect this rule. .. *Building block* (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <> for more information. +.. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100. ++ +NOTE: This setting can be superseded by the {kibana-ref}/alert-action-settings-kb.html#alert-settings[{kib} configuration setting] `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by _any_ rule in the {kib} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if **Max alerts per run** is set higher. + .. *Indicator prefix override*: Define the location of indicator data within the structure of indicator documents. When the indicator match rule executes, it queries specified indicator indices and references this setting to locate fields with indicator data. This data is used to enrich indicator match alerts with metadata about matched threat indicators. The default value for this setting is `threat.indicator`. + IMPORTANT: If your threat indicator data is at a different location, update this setting accordingly to ensure alert enrichment can still be performed. diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 9e83a61de4..2b2227e598 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -19,6 +19,7 @@ On the Rules page, you can: * <> * <> * <> +* <> * <> [float] 
@@ -159,3 +160,21 @@ NOTE: Imported rules must be in an `.ndjson` file. .. (Optional) Select *Overwrite existing connectors with conflicting action "id"* to update existing connectors if they match the `action id` value of any rule actions in the import file. Configuration data included with the actions is also overwritten. .. Click *Import rule*. .. (Optional) If a connector is missing sensitive information after the import, a warning displays and you're prompted to fix the connector. In the warning, click *Go to connector*. On the Connectors page, find the connector that needs to be updated, click *Fix*, then add the necessary details. + +[float] +[[rule-prerequisites]] +=== Confirm rule prerequisites + +Many detection rules are designed to work with specific {integrations-docs}[Elastic integrations] and data fields. These prerequisites are identified in *Related integrations* and *Required fields* on a rule's details page (*Rules* -> *Detection rules (SIEM)*, then click a rule's name). *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations. + +Additionally, the *Setup guide* section provides guidance on setting up the rule's requirements. + +[role="screenshot"] +image::images/rule-details-prerequisites.png[Rule details page with Related integrations, Required fields, and Setup guide highlighted] + +You can also check rules' related integrations in the *Installed Rules* and *Rule Monitoring* tables. Click the *integrations* badge to display the related integrations in a popup. + +[role="screenshot"] +image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%] + +TIP: You can hide the *integrations* badge in the rules tables. Go to *{kib}* -> *Stack Management* -> *Advanced Settings*, then turn off `securitySolution:showRelatedIntegrations`. 
diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 8da977cd3d..821034bbb9 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc @@ -106,10 +106,18 @@ Required privilege: *Process Operations* Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` [discrete] +[[get-file]] === `get-file` Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. +[NOTE] +==== +Files retrieved from third-party-protected hosts require a different password. Refer to the following: + +* <> +==== + You must include the following parameter to specify the file's location on the host: * `--path` : The file's full path (including the file name). diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index cb50f31128..a544666a75 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc @@ -14,6 +14,12 @@ preview::[] You can direct SentinelOne to perform response actions on protected hosts without leaving the {elastic-sec} UI. Prior <> is required to connect {elastic-sec} with SentinelOne. +.Requirements +[sidebar] +-- +Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription], and each response action type has its own user role privilege requirements. Refer to <> for more information. +-- + The following response actions and related features are supported for SentinelOne-protected hosts: * **Isolate and release a host** using any of these methods: 
@@ -25,4 +31,8 @@ The following response actions and related features are supported for SentinelOn + Refer to the instructions on <> and <> hosts for more details. +* **Retrieve a file from a host** with the <>. ++ +NOTE: For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file. + * **View past response action activity** in the <> log. diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 4658e9ab05..984d0c3cb4 100644 --- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -99,7 +99,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. 
@@ -141,7 +141,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. @@ -207,7 +207,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. 
@@ -285,7 +285,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. @@ -352,7 +352,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. 
@@ -387,7 +387,7 @@ To create an ((esql)) rule: in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type.
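
Review bot: In the docs/detections/alert-suppression.asciidoc hunk (@@ -113,5 +113,5 @@), the rewritten final bullet still ends with "\ No newline at end of file", so the file keeps its missing trailing newline. Add a newline after the last bullet while these lines are being touched, so later diffs to this list do not show the last line as changed.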
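
Review bot: In the docs/detections/api/rules/rules-api-create.asciidoc hunk, the replacement NOTE in the `max_signals` row drops the old guidance "To avoid rule failures, do not set the `max_signals` value higher than the value of ... `xpack.alerting.rules.run.alerts.max`" and now only says the setting "can be superseded". Please state what actually happens when `max_signals` is higher than `xpack.alerting.rules.run.alerts.max`: whether the rule run fails or is capped, and whether the user gets any warning. A reader tuning a noisy detection needs to know if matches past the cap are dropped without notice.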
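
Review bot: In the docs/detections/api/rules/rules-api-update.asciidoc hunk, the NOTE added under `max_signals` is a verbatim copy of the one added in rules-api-create.asciidoc and, with only the last clause changed, in rules-ui-create.asciidoc. Three hand-maintained copies will drift; consider moving the text to a shared include or attribute and referencing it from all three places, as the "If you change anything in the step ... apply the change to the other rule types, too" comments elsewhere in this patch already acknowledge the problem.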
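
Review bot: In the docs/detections/prebuilt-rules-management.asciidoc hunk (@@ -116,21 +116,3 @@), removing the whole "Confirm rule prerequisites" section leaves this page with no mention of related integrations or required fields, even though the moved text in rules-ui-manage.asciidoc still applies to prebuilt rules. Consider keeping a one-line pointer here to the relocated `[[rule-prerequisites]]` section so readers who install or update prebuilt rules still find the prerequisite check.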
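
Review bot: In the first docs/detections/rules-ui-create.asciidoc hunk (@@ -45,6 +45,16 @@), the added comment reads "The following step is repeated across all rule types", while every other copy in this patch reads "The following steps are repeated across multiple rule types", and this hunk adds only *Related integrations* without the **Required fields** step. Align the comment wording with what is actually repeated here. Also confirm in a rendered build that the added `+` continuation followed by a blank line and the `////` block does not restart the numbered list, since the same pattern is used in the later hunks of this file.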
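
Review bot: In the docs/detections/rules-ui-create.asciidoc hunk at @@ -82,6 +92,19 @@, the added steps mix bold markup within the same list: `**Required fields**` and `**Add required field**` use double asterisks, while `*Related integrations*` and `*Add integration*` use single asterisks. Pick one form for UI labels in these repeated steps so the copies stay identical across rule types.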
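
Review bot: In the docs/detections/rules-ui-create.asciidoc hunk at @@ -371,11 +459,9 @@, the rewritten `LIMIT` guidance removes the line "NOTE: The `max_signals` default value is 100" without a replacement, so this section no longer tells the reader what the default cap is. It also describes only two limits ("the rule uses the lower value"), while the NOTE added later in this file introduces `xpack.alerting.rules.run.alerts.max` as a third one. Suggest restoring the default value here and mentioning that the {kib} setting can lower the effective limit further.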
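
Review bot: In the docs/detections/rules-ui-create.asciidoc hunk at @@ -470,6 +556,10 @@, the new **Max alerts per run** step never mentions that this is the `max_signals` field in the API, although both API pages in this patch point from `max_signals` to the UI label. Add the field name here so the mapping works in both directions, and format the default as `100` to match the other places in this patch that state it.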
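
Review bot: In the docs/management/admin/response-actions.asciidoc hunk, the added NOTE block under `get-file` introduces a bulleted list with "Refer to the following:" but the list has a single item. Unless more third-party systems are about to be added, fold this into one sentence with the cross-reference inline, which also avoids the four-line `[NOTE]`/`====` wrapper for one link.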
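
Review bot: In the docs/management/admin/third-party-actions.asciidoc hunk at @@ -25,4 +31,8 @@, the added NOTE gives the fixed password `Elastic@123` with no indication of what it is for, whereas the `get-file` text in response-actions.asciidoc explains that the archive is password-protected "to prevent the file from running". Repeat or link that rationale here, and say that the password is a fixed, documented value rather than an access control, so readers do not treat the retrieved `.zip` as confidential storage for sensitive files.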
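
Review bot: In the docs/serverless/rules/rules-ui-create.mdx hunks (starting at @@ -99,7 +99,7 @@), the only change is the "you specified for the rule" wording in the **Add required field** sub-step, repeated six times. None of the **Max alerts per run** or `LIMIT` changes made to the asciidoc version of this page appear in this file within this patch. Please confirm that is intentional, or note in the PR description where the serverless equivalents are tracked.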