From a5bf7f311172e2e82b692660a6a8e0c3916ecba6 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Thu, 23 May 2024 11:17:10 -0400 Subject: [PATCH 1/2] First draft: add step to rule procedures --- docs/detections/rules-ui-create.asciidoc | 54 ++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 1ffb0900e1..7554237e03 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -82,6 +82,15 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on * Deselect this to load the saved query as a one-time way of populating the rule's *Custom query* field and filters. This copies the settings from the saved query to the rule, so you can then further adjust the rule's query and filters as needed. If the saved query is later changed, the rule will not inherit those changes. . (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. . Click **Continue** to <>. 
@@ -109,6 +118,15 @@ You can also leave the *Group by* field undefined. The rule then creates an aler IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the *Group by* fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. . Click *Continue* to <>. 
@@ -159,6 +177,15 @@ NOTE: For sequence events, the {security-app} generates a single alert when all + . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. . Click *Continue* to <>. 
@@ -213,6 +240,15 @@ in the Timeline, Timeline query values are replaced with their corresponding ale field values. + . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. . Click *Continue* to <>. 
@@ -259,6 +295,15 @@ IMPORTANT: When checking multiple fields, each unique combination of values from For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you <>. . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ + +//// +The following steps are repeated across multiple rule types. If you change anything +in these steps or sub-steps, apply the change to the other rule types, too. +//// +. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. +.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Enter the field's data type. . Click *Continue* to <>. @@ -277,6 +322,15 @@ NOTE: Refer to the sections below to learn more about <>. [float] From b8830267b7aa75cc53899c9e050e3f42d035d15c Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Fri, 31 May 2024 13:14:04 -0400 Subject: [PATCH 2/2] Edit step (both serverless & classic) --- docs/detections/rules-ui-create.asciidoc | 12 ++++++------ docs/serverless/rules/rules-ui-create.mdx | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 7554237e03..110c9fcac1 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -89,7 +89,7 @@ The following steps are repeated across multiple rule types. If you change anyth in these steps or sub-steps, apply the change to the other rule types, too. //// . (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. -.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. .. Enter the field's data type. . Click **Continue** to <>. @@ -125,7 +125,7 @@ The following steps are repeated across multiple rule types. If you change anyth in these steps or sub-steps, apply the change to the other rule types, too. //// . (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. -.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. .. Enter the field's data type. . Click *Continue* to <>. 
@@ -184,7 +184,7 @@ The following steps are repeated across multiple rule types. If you change anyth in these steps or sub-steps, apply the change to the other rule types, too. //// . (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. -.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. .. Enter the field's data type. . Click *Continue* to <>. @@ -247,7 +247,7 @@ The following steps are repeated across multiple rule types. If you change anyth in these steps or sub-steps, apply the change to the other rule types, too. //// . (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. -.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. .. Enter the field's data type. . Click *Continue* to <>. 
@@ -302,7 +302,7 @@ The following steps are repeated across multiple rule types. If you change anyth in these steps or sub-steps, apply the change to the other rule types, too. //// . (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. -.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. .. Enter the field's data type. . Click *Continue* to <>. @@ -328,7 +328,7 @@ The following steps are repeated across multiple rule types. If you change anyth in these steps or sub-steps, apply the change to the other rule types, too. //// . (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. -.. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. +.. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. .. Enter the field's data type. . Click *Continue* to <>. diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index adc73a45b6..47f349daf8 100644 --- a/docs/serverless/rules/rules-ui-create.mdx 
+++ b/docs/serverless/rules/rules-ui-create.mdx @@ -100,7 +100,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. @@ -142,7 +142,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. 
@@ -208,7 +208,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. @@ -286,7 +286,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. 
@@ -353,7 +353,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type. @@ -388,7 +388,7 @@ To create an ((esql)) rule: in these steps or sub-steps, apply the change to the other rule types, too. */} 1. (Optional) Create a list of **Required fields** that the rule needs to function. This list is informational only, to help users understand the rule; it doesn't affect how the rule actually runs. - 1. Click **Add required field**, then select a field from the index patterns or data view you specified in the rule's **Source** above. You can also start typing a field's name to find it faster, or type in an entirely new custom field. + 1. Click **Add required field**, then select a field from the index patterns or data view you specified for the rule. You can also start typing a field's name to find it faster, or type in an entirely new custom field. 1. Enter the field's data type.
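Review bot: on the six `rules-ui-create.asciidoc` hunks in patch 1 (@@ -82, -109, -159, -213, -259, -277), the **Required fields** step is pasted verbatim into each rule-type procedure and kept in sync only by the `////` comment asking editors to repeat every change by hand; patch 2 already has to make the same one-phrase substitution twelve times (six here, six in the serverless `.mdx`, which carries its own copies as its `-` lines show), which is exactly the drift the comment warns about. Consider moving the shared step and its two sub-steps into one snippet pulled in with `include::` in the AsciiDoc file and an equivalent shared partial in the MDX file, so the comment can be dropped and a future wording change is a single edit.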
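Review bot: in the same patch-1 hunks, the sub-step `.. Enter the field's data type.` gives the reader nothing to go on: no example of the expected values (Elasticsearch mapping types such as `keyword`, `ip` or `date`), no statement of whether the type is pre-filled when the field was picked from the data view versus typed as "an entirely new custom field", and no statement of whether the value is checked against the index mapping or accepted as free text. The sentence `This list is informational only ... it doesn't affect how the rule actually runs` should also spell out the consequence for analysts: a rule whose listed fields are absent from the source indices still runs, and nothing in this list will warn about the mismatch, so the list must not be read as a schema check. One sentence on each point would do.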
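Review bot: in patch 2, replacing `in the rule's **Source** above` with `for the rule` across all twelve hunks removes the only pointer to where the index patterns or data view were chosen, and the commit message (`Edit step (both serverless & classic)`) does not say why. If the motivation is that the shared step also lands in procedures without a **Source** selector, such as the ES|QL procedure at @@ -388 in the `.mdx` (`To create an ((esql)) rule:`), where the indices come from the query's `FROM` clause, say so in the commit message and consider wording that stays accurate in every copy, for example `the index patterns or data view the rule reads from (for ES|QL rules, the indices named in the query's FROM clause)`.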