[8.15] [DE Team][8.15][Serverless] Bulk-update a rule's custom highlighted fields (backport #5460) (#5595)

* [DE Team][8.15][Serverless] Bulk-update a rule's custom highlighted fields (#5460)

* First draft

* Fixes

* API params

* Update docs/detections/rules-ui-create.asciidoc

* Update docs/serverless/rules/rules-ui-create.mdx

* Update docs/detections/rules-ui-manage.asciidoc

* Update docs/serverless/rules/rules-ui-management.mdx

* Update docs/detections/alerts-view-details.asciidoc

* Update docs/serverless/alerts/view-alert-details.mdx

* Update docs/detections/rules-ui-create.asciidoc

* Update docs/serverless/rules/rules-ui-create.mdx

* Fixed ref

* Update docs/detections/rules-ui-manage.asciidoc

Co-authored-by: Joe Peeples <[email protected]>

* Update docs/serverless/rules/rules-ui-management.mdx

---------

Co-authored-by: Joe Peeples <[email protected]>
(cherry picked from commit cfac679)

# Conflicts:
#	docs/serverless/alerts/view-alert-details.mdx
#	docs/serverless/rules/rules-ui-create.mdx
#	docs/serverless/rules/rules-ui-management.mdx

* Delete docs/serverless directory and its contents

---------

Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
3 people authored Jul 23, 2024
1 parent 7ee0b1d commit 573dd5e
Showing 4 changed files with 8 additions and 4 deletions.
3 changes: 1 addition & 2 deletions docs/detections/alerts-view-details.asciidoc
Expand Up @@ -111,8 +111,7 @@ The Investigation section provides the following information:
+
TIP: Add an <<add-ig-actions-rule,investigation guide>> to a rule when creating a new custom rule or modifying an existing custom rule's settings.

* **Highlighted fields**: Shows relevant fields for the alert and any custom highlighted fields you added to the rule.
//link to custom highlighted fields docs
* **Highlighted fields**: Shows relevant fields for the alert and any <<rule-ui-advanced-params,custom highlighted fields>> you added to the rule. Custom highlighted fields with values are added to this section. Those without values aren't added.

[discrete]
[[visualizations-section]]
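Review bot: the new `<<rule-ui-advanced-params,custom highlighted fields>>` cross-reference on the added line resolves the `//link to custom highlighted fields docs` TODO that the removed line carried, but no hunk in this commit adds a `[[rule-ui-advanced-params]]` anchor, so please confirm that id already exists in `rules-ui-create.asciidoc` (the Advanced settings section); otherwise the AsciiDoc build will emit a broken-xref warning and render the literal anchor name. Minor style point: the two trailing sentences could be folded into one ("Only custom highlighted fields that have a value are added to this section.") to read more smoothly in the bullet.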
3 changes: 3 additions & 0 deletions docs/detections/api/rules/rules-api-bulk-actions.asciidoc
Expand Up @@ -330,6 +330,9 @@ IMPORTANT: Dry run mode is not supported for the `export` bulk action. A `400` e
| `add_tags` | String[] | Add tags to rules
| `delete_tags` | String[] | Delete rules' tags
| `set_tags` | String[] | Overwrite rules' tags
| `add_investigation_fields` | { field_names: String[] } | Add custom highlighted fields to rules
| `delete_investigation_fields` | { field_names: String[] } | Delete rules' custom highlighted fields
| `set_investigation_fields` | { field_names: String[] } | Overwrite rules' custom highlighted fields
| `add_index_patterns` | String[] | Add index patterns to rules
| `delete_index_patterns` | String[] | Delete rules' index patterns
| `set_index_patterns` | String[] | Overwrite rules' index patterns
5 changes: 3 additions & 2 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -536,9 +536,10 @@ the rule. For example, links to background information.
.. *False positive examples* (optional): List of common scenarios that may produce
false-positive alerts.
.. *MITRE ATT&CK^TM^ threats* (optional): Add relevant https://attack.mitre.org/[MITRE] framework tactics, techniques, and subtechniques.
.. *Custom highlighted fields* (optional): Specify highlighted fields for personalized alert investigation flows. Fields with values are added to the <<investigation-section,Highlighted fields>> section within the alert details flyout. Fields without values aren't added. After you create the rule, you can find all custom highlighted fields in the About section of the rule details page.
.. *Custom highlighted fields* (optional): Specify one or more highlighted fields for unique alert investigation flows. You can choose any fields that are available in the indices you selected for the rule's data source.
+
NOTE: There's no limit to the number of custom highlighted fields you can add.
After you create the rule, you can find all custom highlighted fields in the About section of the rule details page. If the rule has alerts, you can find custom highlighted fields in the <<investigation-section,Highlighted fields>> section of the alert details flyout.

.. *Setup guide* (optional): Instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
.. *Investigation guide* (optional): Information for analysts investigating
alerts created by the rule. You can also add action buttons to <<invest-guide-run-osquery, run Osquery>> or <<interactive-investigation-guides, launch Timeline investigations>> using alert data.
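Review bot: the `NOTE: There's no limit to the number of custom highlighted fields you can add.` line is immediately followed by the `After you create the rule, ...` line with no blank line between them, so in AsciiDoc that second line becomes part of the same admonition paragraph and renders inside the NOTE box rather than as ordinary list-item text. To keep it as body text, separate the two with a blank line and a `+` continuation marker:

`NOTE: There's no limit to the number of custom highlighted fields you can add.`
`+`
`After you create the rule, you can find all custom highlighted fields in the About section ...`

Also note that the removed line's statement that only fields with values appear in the Highlighted fields section no longer appears here; it survives in the `alerts-view-details.asciidoc` hunk of this same commit, so that is acceptable, but the `<<investigation-section,Highlighted fields>>` sentence here could briefly repeat it so readers of the create-rule page are not surprised when a field is missing from the flyout.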
1 change: 1 addition & 0 deletions docs/detections/rules-ui-manage.asciidoc
Expand Up @@ -72,6 +72,7 @@ Similarly, rules will be skipped if they can't be modified by a bulk edit. For e
* Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu:
** *Index patterns*: Add or delete the index patterns used by all selected rules.
** *Tags*: Add or delete tags on all selected rules.
** *Custom highlighted fields*: Add custom highlighted fields on all selected rules. You can choose any fields that are available in the <<update-sec-indices,default {elastic-sec} indices>>, or enter field names from other indices. To overwrite a rule's current set of custom highlighted fields, select the **Overwrite all selected rules' custom highlighted fields** option, then click **Save**.
** *Add rule actions*: Add <<rule-notifications,rule actions>> on all selected rules. If you add multiple actions, you can specify an action frequency for each of them. To overwrite the frequency of existing actions select the option to **Overwrite all selected rules actions**.

+
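Review bot: the new `*Custom highlighted fields*` bullet says only "Add custom highlighted fields on all selected rules", whereas the sibling `*Index patterns*` and `*Tags*` bullets read "Add or delete", and the API hunk in this same commit adds a `delete_investigation_fields` bulk action; if the bulk-edit UI also exposes a delete option, the wording here should say "Add or delete" for consistency, and if it does not, a short sentence noting that deletion is only available through the API (or by overwriting) would avoid the mismatch. The bullet also mixes `*...*` for the menu item with `**...**` for the option name, which matches the adjacent `*Add rule actions*` bullet, so that is fine as is.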