diff --git a/docs/detections/api/exceptions/api-create-exception-item.asciidoc b/docs/detections/api/exceptions/api-create-exception-item.asciidoc index f27c9c6d3c..98aff029e3 100644 --- a/docs/detections/api/exceptions/api-create-exception-item.asciidoc +++ b/docs/detections/api/exceptions/api-create-exception-item.asciidoc @@ -9,9 +9,7 @@ lists, such as a list of IP addresses or host names. NOTE: Before creating exception items, you must create an exception container. -[IMPORTANT] -============== -Endpoint rule exception items cannot use +IMPORTANT: Endpoint rule exception items cannot use <> (the `list` in the `entries` array), and the following fields cannot be used in exception queries (as `field` values in the `entries` object): @@ -21,7 +19,6 @@ following fields cannot be used in exception queries (as `field` values in the * `process.entity_id` * `process.parent.entity_id` * `process.ancestry` -============== ==== Request URL @@ -61,7 +58,7 @@ Must be the same value as its associated exception container. |No, defaults to `single`. |`tags` |String[] |String array containing words and phrases to help categorize -exception items. |No +exception items. |No |`type` |String a|Exception query type, must be `simple`. |Yes |`_tags` |String[] a|For endpoint rules only, defines the OS on which the exception is implemented. Valid values are: @@ -106,7 +103,7 @@ Can be: * `nested`: Array of `entries` objects. Nested conditions are required for excluding some Endpoint fields (<>). <> lists all Endpoint fields that require the `nested` -type. +type. |Yes 
@@ -124,16 +121,12 @@ a|Field value or values: |============================================== -[IMPORTANT] -============== -When you use <> +IMPORTANT: When you use <> (`"type": "list"`), you cannot use other types in the `entries` array (`match`, `match_any`, `exists`, or `nested`). For endpoint exceptions, you cannot create exception items based on excluded -values (`"operator": "excluded"`). -============== - +values (`"operator": "excluded"`). ===== Example requests @@ -334,9 +327,9 @@ POST api/lists/exception_lists/items ==== Response code -`200`:: +`200`:: Indicates a successful call. - + ==== Response payload [source,json] diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index 45a9174607..290014e34d 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -88,6 +88,11 @@ Detection rules:: Background tasks that run periodically and produce alerts when suspicious activity is detected. +[[term-sec-indices]] +{es-sec} indices:: +Indices containing host and network source events (such as +`packetbeat-*`, `log-*`, and `winlogbeat-*`). When you <>, the default index pattern corresponds to the <> in the `securitySolution:defaultIndex`. + Endpoint exceptions:: <> added to both rules and Endpoint agents on hosts. Endpoint exceptions can only be added when: @@ -103,6 +108,11 @@ alerts. External alerts:: Alerts {es-sec} receives from external systems, such as Suricata. +Threat indices:: +Indices containing suspect field values. <> use these +indices to compare their field values with source event values contained in +<>. + [float] [[detections-permissions]] == Detections configuration and index privilege prerequisites diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 7e1ebde02a..b6f52d0470 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc 
+++ b/docs/detections/detections-ui-exceptions.asciidoc @@ -2,8 +2,14 @@ [role="xpack"] == Rule exceptions and value lists -To prevent the creation of unwanted alerts, you can add exceptions to detection -rules. Exceptions contain the source event conditions that determine when +To prevent the creation of unwanted alerts, you can add exceptions to these +detection rule types: + +* Custom query +* Event Correlation +* Indicator match + +Exceptions contain the source event conditions that determine when alerts are not generated. They provide a convenient way of allowing trusted processes and network activity to function without producing unnecessary noise. @@ -39,10 +45,8 @@ act as value delimiters. NOTE: All values in the file must be of the same {es} type. . Go to *Security* -> *Detections* -> *Manage detection rules*. -. Click *Upload value lists*. +. Click *Upload value lists*. The *Upload value lists* window opens. + -The *Upload value lists* window opens. - [role="screenshot"] image::images/upload-lists-ui.png[] 
@@ -61,15 +65,28 @@ To view, delete, or export existing lists: [float] [[detection-rule-exceptions]] -=== Add detection exceptions to a rule +=== Add exceptions to a rule You can add exceptions to a rule via the Rule details page or the Alerts table. When you add an exception, you can also close all alerts that meet the exception's criteria. -IMPORTANT: When you select to close all alerts that meet the exception's -criteria, all matching alerts are closed, *including* alerts generated by other -rules. +[IMPORTANT] +============== +Be careful when adding exceptions to EQL sequence rules. Exceptions are +evaluated against every event in the sequence, and when the exception matches any +event(s) in the sequence, alerts are not generated. To exclude values from a +specific event in the sequence, update the rule's EQL statement. For example: + +[source,eql] +---- +`sequence + [file where file.extension == "exe" + and file.name != "app-name.exe"] + [process where true + and process.name != "process-name.exe"]` +---- +============== . To add an exception via the Rule details page: .. Go to the Rule details page of the rule to which you want to add the @@ -86,7 +103,6 @@ The *Add Exception* window opens (via Alerts table). + [role="screenshot"] image::images/add-exception-ui.png[] - . Add conditions that define when the exception prevents alerts. You can define multiple conditions with `OR` and `AND` relationships. In the example above, the exception prevents the rule from generating alerts when the @@ -97,7 +113,7 @@ the exception prevents the rule from generating alerts when the ============ You can use nested conditions. However, this is only required for <>. For all other fields, nested conditions -should not be used. +should not be used. ============ + If you have created value lists, you can use them to exclude or include all 
@@ -105,17 +121,16 @@ values in a list with `is in list` and `is not in list` operators: + [role="screenshot"] image::images/exceptions-ui-list.png[] - NOTE: When using a list, all exception statements must use `is in list` and `is not in list` operators. . You can select any of the following: -* _Close this alert_: Closes the alert when the exception is added. This option +* *Close this alert*: Closes the alert when the exception is added. This option is only available when adding exceptions via the Alerts table. -* _Close all alerts that match this exception, including alerts generated by other rules_: -Closes all alerts that match the exception's conditions. - +* *Close all alerts that match this exception and were generated by this rule*: +Closes all alerts that match the exception's conditions and were generated only by the current rule. ++ . Click *Add Exception*. [float] @@ -156,7 +171,6 @@ The *Add Endpoint Exception* window opens (via Alerts table). + [role="screenshot"] image::images/endpoint-add-exp.png[] - . If required, modify the conditions. + NOTE: <> describes when nested conditions are required. @@ -166,7 +180,7 @@ NOTE: <> describes when nested conditions are required. * _Close this alert_: Closes the alert when the exception is added. This option is only available when adding exceptions via the Alerts table. * _Close all alerts that match this exception, including alerts generated by other rules_: -Closes all alerts that match the exception's conditions. +Closes all alerts that match the exception's conditions. . Click *Add Exception*. + @@ -231,7 +245,7 @@ correctly: [discrete] ==== Nested condition example -Creates an exception that excludes all LFC-signed trusted processes: +Creates an exception that excludes all LFC-signed trusted processes: [role="screenshot"] -image::images/nested-exp.png[] \ No newline at end of file +image::images/nested-exp.png[] 
diff --git a/docs/detections/images/create-new-rule.png b/docs/detections/images/create-new-rule.png index 5488cd8780..8f22748880 100644 Binary files a/docs/detections/images/create-new-rule.png and b/docs/detections/images/create-new-rule.png differ diff --git a/docs/detections/images/eql-rule-query-example.png b/docs/detections/images/eql-rule-query-example.png new file mode 100644 index 0000000000..7c71f2610d Binary files /dev/null and b/docs/detections/images/eql-rule-query-example.png differ diff --git a/docs/detections/images/indicator-rule-example.png b/docs/detections/images/indicator-rule-example.png new file mode 100644 index 0000000000..4db28dd750 Binary files /dev/null and b/docs/detections/images/indicator-rule-example.png differ diff --git a/docs/detections/images/preview-rule.png b/docs/detections/images/preview-rule.png new file mode 100644 index 0000000000..d8ef7da210 Binary files /dev/null and b/docs/detections/images/preview-rule.png differ diff --git a/docs/detections/images/threat-math-rule-query-example.png b/docs/detections/images/threat-math-rule-query-example.png new file mode 100644 index 0000000000..2040ffd6c6 Binary files /dev/null and b/docs/detections/images/threat-math-rule-query-example.png differ diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 0321e0591b..978e328740 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -8,9 +8,9 @@ Rules run periodically and search for source events or {ml} job anomaly scores that meet their criteria. When a rule's criteria are met, a detections alert is created. -You can create these types of rules: +You can create the following types of rules: -* *Custom query*: Query-based rule, which searches the defined indices and +* <>: Query-based rule, which searches the defined indices and creates an alert when a document matches the rule's query. * *Machine learning*: {ml-cap} rule, which creates an alert when a {ml} job discovers an anomaly above the defined threshold (see <>). @@ -21,7 +21,7 @@ running, the rule will: ** Run and create alerts if existing anomaly scores above the defined threshold are discovered. ** Issue an error stating the {ml} job was not running when the rule executed. -* *Threshold rules*: Searches the defined indices and creates a detections alert +* <>: Searches the defined indices and creates a detections alert when the number of times the specified field's value meets the threshold during a single execution. When multiple values meet the threshold, an alert is generated for each value. 
@@ -29,12 +29,23 @@ generated for each value. For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. +* <>: Searches the defined indices and creates an alert when results match an +{ref}/eql.html[Event Query Language (EQL)] query. +* <>: Creates an alert when {es-sec} index field values match +field values defined in the specified indicator index patterns. For example, you +can create a threat index for IP addresses and use this index to create an alert +whenever an event's `destination.ip` equals a value in the index. Threat index +field mappings should be {ecs-ref}[ECS-compliant]. For information on creating +{es} indices and field types, see +{ref}/getting-started-index.html[Index some documents], +{ref}/indices-create-index.html[Create index API] and +{ref}/mapping-types.html[Field data types]. -When creating or modifying rules, you can add exceptions that prevent a rule -from generating an alert even when its criteria are met. This is useful for -reducing noise, such as preventing alerts from trusted processes and internal -IP addresses. <> describes how to add exceptions to a -rule. +When creating or modifying rules, you can add exceptions that prevent a rule from generating an alert even when its criteria are met. This is useful for reducing noise, such as preventing alerts from trusted processes and internal IP addresses. <> describes how to add exceptions to a rule. + +NOTE: You can add exceptions to custom query, event correlation, and indicator match rule types. + +If you are creating a custom query, threshold, or event correlation rule, you can preview the rule beforehand to see what kind of results you can expect. See <> in this topic for more information. For both prebuilt and custom rules, you can use the {kib} {kibana-ref}/alerting-getting-started.html[Alerting and Actions] feature 
@@ -42,9 +53,10 @@ to send notifications when alerts are created. Notifications can be sent via Email, PagerDuty, Slack, and Webhook, and can be configured when you create or edit a rule. -Creating a new rule is made up of a number of steps: +Creating a new rule requires the following steps: . <> +. <> . <> . <> . <> @@ -68,14 +80,14 @@ image::images/all-rules.png[] === Select rule type and scope . Go to *Security* -> *Detections* -> *Manage detection rules*. -. Click *Create new rule*. +. Click *Create new rule*. The *Create new rule* page displays. + -The *Create new rule* page is displayed. [role="screenshot"] image::images/create-new-rule.png[] ++ . Do *one* of the following: -* To create a rule based on a {ml} anomaly threshold, select _Machine Learning_ -and then: +* To create a rule based on a {ml} anomaly threshold, select *Machine Learning*, +then select: .. The required {ml} job. .. The anomaly score threshold above which alerts are created. + @@ -88,7 +100,10 @@ https://www.elastic.co/subscriptions[appropriate license] or use a {ml} job must be running for the rule to function correctly. ============== -* To create a rule based on a KQL or Lucene query, select _Custom query_ and +[discrete] +[[create-custom-rule]] +==== Create a custom rule +* To create a rule based on a KQL or Lucene query, select *Custom query* and then: .. Define which {es} indices the rule searches for alerts. .. Use the filter and query fields to create the criteria used for detecting 
@@ -99,12 +114,13 @@ NOTE: You can use {kib} saved queries (save icon) and queries from saved timelin For example, the following rule detects when the `vssadmin delete shadows` Windows command is executed: -** _Index patterns_: `winlogbeat-*` +** *Index patterns*: `winlogbeat-*` + -Winlogbeat ships Windows event logs to {es-sec}. -** _Custom query_: `event.action:"Process Create (rule: ProcessCreate)" and process.name:"vssadmin.exe" and process.args:("delete" and "shadows")` +> Winlogbeat ships Windows event logs to {es-sec}. + +** *Custom query*: `event.action:"Process Create (rule: ProcessCreate)" and process.name:"vssadmin.exe" and process.args:("delete" and "shadows")` + -Searches the `winlogbeat-*` indices for `vssadmin.exe` executions with +> Searches the `winlogbeat-*` indices for `vssadmin.exe` executions with the `delete` and `shadow` arguments, which are used to delete a volume's shadow copies. + 
@@ -114,28 +130,102 @@ image::images/rule-query-example.png[] TIP: This example is based on the <> prebuilt rule. -* To create a rule based on a source event field threshold, select _Threshold_ + +[discrete] +[[create-threshold-rule]] +==== Create a threshold rule +* To create a rule based on a source event field threshold, select *Threshold* and then: .. Define which {es} indices the rule analyzes for alerts. .. Use the filter and query fields to create the criteria used for detecting alerts. -.. Use the _Field_ and _Threshold_ fields to determine which source event field +.. Use the `Field` and `Threshold` fields to determine which source event field is used as a threshold and the threshold's value. + -For example, if the _Field_ is `source.ip` and its _Threshold_ is `10`, an +For example, if the `Field` is `source.ip` and its `Threshold` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. + -You can also leave the _Field_ undefined. The rule then creates an alert when -the number of search results is equal to or greater than the _Threshold_ value. +You can also leave the `Field` undefined. The rule then creates an alert when +the number of search results is equal to or greater than the `Threshold` value. + If you want an alert for 10 or more failed login attempts to a specific host -per rule execution: +per rule execution, enter the following rule parameters: + +** *Custom query*: `host.name : liv-win-19 and event.category : "authentication" and event.outcome : "failure"` +** *Field*: Leave blank +** *Threshold*: `10` -** _Custom query_: `host.name : liv-win-19 and event.category : "authentication" and event.outcome : "failure"` -** _Field_: Leave blank -** _Threshold_: `10` +[discrete] +[[create-eql-rule]] +==== Create an event correlation rule +* To create an event correlation rule using Event Query Language (EQL), select *Event Correlation* and then: +.. 
Define which {es} indices the rule searches for alerts. +.. Add an {ref}/eql-syntax.html[EQL statement] used to detect alerts. ++ +For example, the following rule detects when `msxsl.exe` makes an outbound +network connection: ++ +** *Index patterns*: `winlogbeat-*` ++ +> Winlogbeat ships Windows events to {es-sec}. +** *EQL query*: ++ +[source,eql] +---- +sequence by process.entity_id + [process + where event.type in ("start", "process_started") + and process.name == "msxsl.exe"] + [network + where event.type == "connection" + and process.name == "msxsl.exe" + and network.direction == "outgoing"` +---- ++ +Searches the `winlogbeat-*` indices for sequences of a `msxsl.exe` process start +event followed by an outbound network connection event that was started by the +`msxsl.exe` process. ++ +[role="screenshot"] +image::images/eql-rule-query-example.png[] ++ +NOTE: For sequence events, the {security-app} generates a single alert when all events listed in the sequence are detected. To see the matched sequence events in more detail, you can view the alert in the Timeline, and, if all events came from the same process, open the alert in Analyze Event view. + +[discrete] +[[create-indicator-rule]] +==== Create an indicator match rule +* To create an indicator match rule that searches the specified indicator index patterns for +field values, select *Indicator Match* and then fill in these fields: +.. *Index patterns*: The {es-sec} event indices on which the rules runs. +.. *Custom query*: The query and filters used to retrieve the required results from +the {es-sec} event indices. For example, if you only need to check +`destination.ip` event values, add `destination.ip : *`. ++ +TIP: If you want the rule to check every field in the indices, use this +wildcard expression: `*:*`. +.. *Indicator index patterns*: The indicator index patterns containing field values for which +you want to generate alerts. +.. 
*Indicator index query*: The query and filters used to filter the fields from +the indicator index patterns. +.. *Indicator Mapping*: Compares the values of the specified event and indicator field +values. When the field values are identical, an alert is generated. To define +which field values are compared from the indices: +** *Field*: The field used for comparing values in the {es-sec} event +indices. +** *Indicator index field*: The field used for comparing values in the threat +indices. +.. You can add `AND` and `OR` clauses to define when alerts are generated. ++ +For example, to create a rule that generates alerts when `host.name` *and* +`destination.ip` field values in the `logs-*` or `packetbeat-*` {es-sec} indices +are identical to the corresponding field values in the `mock-threat-list` threat +index, enter the rule parameters seen in the following image: ++ +[role="screenshot"] +image::images/indicator-rule-example.png[] +TIP: When an indicator match rule's conditions are met, the resulting detection alert does not contain explicit information about which event field(s) match which indicator field(s). As such, when you <>, it is recommended that you include a reference to the field(s) to be matched in the rule `Name` and rule `Description`, and ensure that the Timeline template associated with the rule includes pre-defined column(s) for these fields. For example, if you create an indicator match rule that looks for matches between the `file.extension` field in file events and the `threat.file.extension` field in an indicator index, you might name your rule *"file.extension matches ransomware file extension"*, so that when an analyst investigates the detection alerts, they will see the rule name and know to further investigate the `file.extension` field value. . Select the Timeline template used when you investigate an alert created by the rule in Timeline (optional). + 
@@ -143,23 +233,43 @@ TIP: Before you create rules, create <> so they can be selected here. When alerts generated by the rule are investigated in Timeline, Timeline query values are replaced with their corresponding alert field values. - -. Click *Continue*. + -The *About rule* pane is displayed. +. Click *Continue*. The *About rule* pane is displayed. ++ [role="screenshot"] image::images/about-rule-pane.png[] ++ +. Continue with <> (optional) or <>. + +[discrete] +[[preview-rules]] +=== Preview your rule (optional) + +You can preview a custom query, threshold, or EQL (Event Correlation) rule to get feedback on how noisy the rule will be before submitting it. This allows you to fine-tune the query, if needed, to reduce the amount of alerts that may come in. -. Continue with <>. +To preview a rule: + +. Write the rule query. ++ +. Select a timeframe of data to preview query results -- `Last hour`, `Last day`, or `Last month` -- from the *Quick query preview* drop-down. ++ +. Click *Preview results*. A histogram shows the number of alerts you can expect based on the defined rule parameters and historical events in your indices. + +A "noise warning" is displayed if the preview generates more than alert per hour. + +[role="screenshot"] +image::images/preview-rule.png[] + +NOTE: The preview excludes effects of rule exceptions and timestamp overrides. [float] [[rule-ui-basic-params]] === Configure basic rule settings . Fill in the following fields: -.. _Name_: The rule's name. -.. _Description_: A description of what the rule does. -.. _Default severity_: Select the severity level of alerts created by the rule: +.. *Name*: The rule's name. +.. *Description*: A description of what the rule does. +.. *Default severity*: Select the severity level of alerts created by the rule: * `Low`: Alerts that are of interest but generally not considered to be security incidents. Sometimes, a combination of low severity events can indicate suspicious activity. 
@@ -167,22 +277,22 @@ indicate suspicious activity. * `High`: Alerts that require an immediate investigation. * `Critical`: Alerts that indicate it is highly likely a security incident has occurred. -.. _Severity override_ (optional): Select to use source event values to -override the _Default severity_ in generated alerts. When selected, a UI +.. *Severity override* (optional): Select to use source event values to +override the *Default severity* in generated alerts. When selected, a UI component is displayed where you can map the source event field values to -severity levels. For example, if you want to map severity levels to `host.name` +severity levels. The following example shows how to map severity levels to `host.name` values: + [role="screenshot"] image::images/severity-mapping-ui.png[] -.. _Default risk score_: A numerical value between 0 and 100 that correlates -with the _Severity_ level. General guidelines are: +.. *Default risk score*: A numerical value between 0 and 100 that correlates +with the *Severity* level. General guidelines are: * `0` - `21` represents low severity. * `22` - `47` represents medium severity. * `48` - `73` represents high severity. * `74` - `100` represents critical severity. -.. _Risk score override_ (optional): Select to use a source event value to -override the _Default risk score_ in generated alerts. When selected, a UI +.. *Risk score override* (optional): Select to use a source event value to +override the *Default risk score* in generated alerts. When selected, a UI component is displayed where you can select the source field used for the risk score. For example, if you want to use the source event's risk score in alerts: 
@@ -199,49 +309,47 @@ image::images/risk-source-field-ui.png[] [[rule-ui-advanced-params]] === Configure advanced rule settings (optional) - . Click *Advanced settings* and fill in these fields: -.. _Reference URLs_ (optional): References to information that is relevant to +.. *Reference URLs* (optional): References to information that is relevant to the rule. For example, links to background information. -.. _False positives_ (optional): List of common scenarios that may produce +.. *False positives* (optional): List of common scenarios that may produce false-positive alerts. -.. _MITRE ATT&CK^TM^_ (optional): Relevant MITRE framework tactics and techniques. -.. _Tags_ (optional): Words and phrases used to categorize, filter, and search +.. *MITRE ATT&CK^TM^* (optional): Relevant MITRE framework tactics and techniques. +.. *Tags* (optional): Words and phrases used to categorize, filter, and search the rule. -.. _Investigation guide_ (optional): Information for analysts investigating +.. *Investigation guide* (optional): Information for analysts investigating alerts created by the rule. -.. _Author_ (optional): The rule's authors. -.. _License_ (optional): The rule's license. -.. _Elastic endpoint exceptions_ (optional): Adds all Elastic Endpoint Security +.. *Author* (optional): The rule's authors. +.. *License* (optional): The rule's license. +.. *Elastic endpoint exceptions* (optional): Adds all Elastic Endpoint Security rule exceptions to this rule (see <>). + NOTE: If you select this option, you can add <> on the Rule details page. Additionally, all future exceptions added to the Elastic Endpoint Security rule also affect this rule. - -.. _Building block_ (optional): Select to create a building-block rule. By ++ +.. *Building block* (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <> for more information. -.. 
_Rule name override_ (optional): Select a source event field to use as the +.. *Rule name override* (optional): Select a source event field to use as the rule name in the UI (Alerts table). This is useful for exposing, at a glance, more information about an alert. For example, if the rule generates alerts from Suricata, selecting `event.action` lets you see what action (Suricata category) caused the event directly in the Alerts table. -.. _Timestamp override_ (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this avoids missing alerts due to ingestion delays. +.. *Timestamp override* (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this avoids missing alerts due to ingestion delays. + TIP: These Filebeat modules have an `event.ingested` timestamp field that can be used instead of the default `@timestamp` field: {filebeat-ref}/filebeat-module-microsoft.html[Microsoft] and {filebeat-ref}/filebeat-module-gsuite.html[GSuite]. -. Click *Continue*. +. Click *Continue*. The *Schedule rule* pane is displayed. + [role="screenshot"] image::images/schedule-rule.png[] -The *Schedule rule* pane is displayed. -. Continue with <>. +. Continue with <>. [float] [[rule-schedule]] 
@@ -264,16 +372,14 @@ run exactly at its scheduled time. The {es-sec-app} performs deduplication. Duplicate alerts discovered during the `Additional look-back time` are *not* created. ============== -. Click *Continue*. +. Click *Continue*. The *Rule actions* pane is displayed. + -[[rule-actions]] -The *Rule actions* pane is displayed. [role="screenshot"] image::images/rule-actions.png[] . Do *one* of the following: -* Continue with <>. +* Continue with <> (optional). * Create the rule (with or without activation). [float] @@ -288,11 +394,11 @@ https://www.elastic.co/subscriptions[appropriate license]. . Set when to send notifications: -* _On each rule execution_: Sends a notification every time new alerts are +* *On each rule execution*: Sends a notification every time new alerts are generated. -* _Hourly_: Sends a notification every hour. -* _Daily_: Sends a notification every day. -* _Weekly_: Sends a notification every week. +* `Hourly`: Sends a notification every hour. +* `Daily`: Sends a notification every day. +* `Weekly`: Sends a notification every week. + NOTE: Notifications are sent only when new alerts are generated. + @@ -311,12 +417,12 @@ information, see {kibana-ref}/action-types.html[Action and connector types]. The selected action type fields are displayed (Slack example). [role="screenshot"] image::images/selected-action-type.png[] - -.. Fill in the fields for the selected action types. For all action types, click ++ +. Fill in the fields for the selected action types. For all action types, click the icon above the `Message` field to add <> for rule and alert details to the notifications. - ++ . Create the rule with or without activation. + NOTE: When you activate a rule, it is queued and its schedule is determined by 
@@ -360,5 +466,5 @@ used as an identifier across systems * `{{context.rule.version}}`: Rule version NOTE: The `{{context.rule.severity}}` and `{{context.rule.risk_score}}` -placeholders contain the rule's default values even when the _Severity override_ -and _Risk score override_ options are used. +placeholders contain the rule's default values even when the *Severity override* +and *Risk score override* options are used. diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 94c23daa3c..88b3aa7cf4 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -14,7 +14,7 @@ On the Detection rules page, you can: === Load and activate prebuilt Elastic rules To load the {es-sec-app}'s <>, click -*Load Elastic prebuilt rules* on the *Detection rules* page (*Security* -> +*Load Elastic prebuilt rules* on the *Detection rules* page (*Security* -> *Detections* -> *Manage detection rules* -> *Load Elastic prebuilt rules and timeline templates*). @@ -44,7 +44,7 @@ In the All rules table: . Click _Bulk actions_ -> _Duplicate selected_. . Select the *Custom rules* tab. -You can then modify the duplicated rules and, if required, delete the prebuilt +You can then modify the duplicated rules and, if required, delete the prebuilt ones. [float] @@ -56,12 +56,12 @@ You can clone, edit, activate, deactivate, and delete rules: . Go to *Security* -> *Detections* -> *Manage detection rules*. . Do one of the following: * Click the actions icon (three dots) and then select the required action. -* In the *Rule* column, select all the rules you want to modify, and then the +* In the *Rule* column, select all the rules you want to modify, and then the required action from the `Bulk actions` menu. . To activate or deactivate a rule, click the Activate toggle button. NOTE: For prebuilt rules, you can only activate, deactivate, delete, edit -<>, and <>. +<>, and <>. [float] [[import-export-rules-ui]] 
@@ -79,4 +79,3 @@ NOTE: Imported rules must be in an `ndjson` file. .. Select *Bulk actions* -> *Export selected*. + NOTE: You cannot export prebuilt rules. - diff --git a/docs/getting-started/advanced-setting.asciidoc b/docs/getting-started/advanced-setting.asciidoc index 6897a3ba3e..bb921c6347 100644 --- a/docs/getting-started/advanced-setting.asciidoc +++ b/docs/getting-started/advanced-setting.asciidoc @@ -33,6 +33,7 @@ To access advanced settings: image::images/adv-settings.png[] [discrete] +[[update-sec-indices]] == Update default Elastic Security indices The `securitySolution:defaultIndex` field defines which {es} indices the @@ -51,14 +52,14 @@ NOTE: Index patterns use wildcards to specify a set of indices. For example, the `filebeat-*` index pattern means all indices starting with `filebeat-` are available in the {es-sec-app}. -All of the default index patterns match {beats-ref}/beats-reference.html[{beats}] and +All of the default index patterns match {beats-ref}/beats-reference.html[{beats}] and {ingest-guide}/ingest-management-overview.html[{agent}] indices. This means all data shipped via {beats} and the {agent} is automatically added to the {es-sec-app}. You can add or remove any indices and index patterns as required. For some background information on {es} indices, see -{ref}/documents-indices.html[Data in: documents and indices]. +{ref}/documents-indices.html[Data in: documents and indices]. IMPORTANT: {es-sec} requires {ecs-ref}[ECS-compliant data]. If you use third-party data @@ -93,7 +94,7 @@ default values. == Set machine learning score threshold When security <> are enabled, this setting -determines the threshold above which anomaly scores are displayed in {es-sec}: +determines the threshold above which anomaly scores are displayed in {es-sec}: * `securitySolution:defaultAnomalyScore`
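Review bot: In the detection-engine-intro hunk (`@@ -88,6 +88,11 @@`), the new `{es-sec} indices` glossary entry lists `log-*` as an example pattern, while the indicator match example later in this patch refers to the `logs-*` indices; these should agree, and `logs-*` looks like the intended one. The second sentence, "the default index pattern corresponds to the <> in the `securitySolution:defaultIndex`", also reads as unfinished; something like "corresponds to the index patterns listed in the `securitySolution:defaultIndex` setting" would be clearer.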
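Review bot: In the detections-ui-exceptions hunk (`@@ -2,8 +2,14 @@`), the new list of rule types that support exceptions mixes capitalization ("Custom query", "Event Correlation", "Indicator match"); the NOTE added to rules-ui-create in the same patch uses "custom query, event correlation, and indicator match", so pick one form for both places.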
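Review bot: In the detections-ui-exceptions hunk (`@@ -61,15 +65,28 @@`), the EQL example inside the `[source,eql]` listing is wrapped in backticks (`` `sequence `` at the start and `` "process-name.exe"]` `` at the end). Inside a delimited source block the backticks are not markup and will be rendered as literal characters in the query, so drop them. The same hunk also removes the IMPORTANT note stating that "close all alerts" closes alerts generated by other rules without replacing it; if that behaviour still applies anywhere (see the endpoint exceptions section, which keeps the old option label), the warning should be kept or moved rather than dropped.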
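Review bot: In the detections-ui-exceptions hunk (`@@ -105,17 +121,16 @@`), the rule-exception option is renamed to "Close all alerts that match this exception and were generated by this rule", but the endpoint-exception hunk (`@@ -166,7 +180,7 @@`) only trims whitespace and still documents "Close all alerts that match this exception, including alerts generated by other rules". Please confirm which label the UI actually shows in each flow; if the scope changed for both, the endpoint section needs the same update, and if the endpoint option still closes other rules' alerts, the removed IMPORTANT warning belongs there.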
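Review bot: In the rules-ui-create hunk (`@@ -114,28 +130,102 @@`), the EQL query in the event correlation example has a stray backtick where the closing bracket of the second sequence item should be: `and network.direction == "outgoing"`` should read `and network.direction == "outgoing"]`, otherwise the query is not valid EQL and the listing shows a literal backtick. In the same hunk: the threshold steps now use `` `Field` `` and `` `Threshold` `` (monospace) while the rest of the patch converts UI labels to bold (`*Field*`, `*Threshold*`), so these should be bold too; "sequences of a `msxsl.exe` process start event" should be "an `msxsl.exe`"; and "the {es-sec} event indices on which the rules runs" should be "the rule runs". The indicator match TIP also uses `` `Name` `` and `` `Description` `` for field labels where the basic settings list uses `*Name*` and `*Description*`.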
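Review bot: In the rules-ui-create hunk (`@@ -143,23 +233,43 @@`), the sentence `A "noise warning" is displayed if the preview generates more than alert per hour.` is missing the threshold value between "more than" and "alert per hour"; please fill in the actual number the preview uses. The `+` list-continuation lines placed between the three numbered preview steps attach nothing and can be removed, and "reduce the amount of alerts" should be "reduce the number of alerts".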
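Review bot: In the rules-ui-create hunk (`@@ -264,16 +372,14 @@`), the `[[rule-actions]]` anchor is deleted along with the "The *Rule actions* pane is displayed." line. Please check that no `<<rule-actions>>` cross-reference remains in this or other files (the "Continue with <> (optional)" bullet directly below targets some anchor); if one does, either keep the anchor or move it onto the Rule actions section heading.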
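Review bot: In the rules-ui-create hunk (`@@ -288,11 +394,11 @@`), the notification frequency options are formatted inconsistently: `*On each rule execution*` becomes bold while `Hourly`, `Daily`, and `Weekly` are changed to monospace. These are all UI option labels in the same list, so use bold for all four, matching the convention applied elsewhere in this patch.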