First draft

Author: nastasha-solomon

docs/detections/rules-ui-create.asciidoc

@@ -42,9 +42,8 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript
 {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user
 role, and the selected {ml} job must be running for the rule to function correctly.
 ==============
-. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
-. To create a rule based on a {ml} anomaly threshold, select *Machine Learning*,
-then select:
+. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <<kibana-navigation-search,global search field>>.
+. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select:
 .. The required {ml} jobs. 
 +
 NOTE: If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule.
@@ -68,9 +67,8 @@ in the step or its sub-steps, apply the change to the other rule types, too.
 [discrete]
 [[create-custom-rule]]
 === Create a custom query rule
-. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
-. To create a rule based on a KQL or Lucene query, select *Custom query*,
-then:
+. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <<kibana-navigation-search,global search field>>.
+. To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then:
 .. Define which {es} indices or data view the rule searches for alerts.
 .. Use the filter and query fields to create the criteria used for detecting
 alerts.
@@ -119,8 +117,8 @@ in these steps or sub-steps, apply the change to the other rule types, too.
 [discrete]
 [[create-threshold-rule]]
 === Create a threshold rule
-. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
-. To create a rule based on a source event field threshold, select *Threshold*, then:
+. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <<kibana-navigation-search,global search field>>.
+. To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then:
 .. Define which {es} indices the rule analyzes for alerts.
 .. Use the filter and query fields to create the criteria used for detecting
 alerts.
@@ -159,7 +157,8 @@ in these steps or sub-steps, apply the change to the other rule types, too.
 [discrete]
 [[create-eql-rule]]
 === Create an event correlation rule
-. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
+. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <<kibana-navigation-search,global search field>>.
+. To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:
 . To create an event correlation rule using EQL, select *Event Correlation*, then:
 .. Define which {es} indices or data view the rule searches when querying for events.
 .. Write an {ref}/eql-syntax.html[EQL query] that searches for matching events or a series of matching events.
@@ -225,9 +224,8 @@ in these steps or sub-steps, apply the change to the other rule types, too.
 
 NOTE: {elastic-sec} provides limited support for indicator match rules. See <<support-indicator-rules>> for more information.
 
-. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
-. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields:
-
+. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <<kibana-navigation-search,global search field>>.
+. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields:
 .. *Source*: The individual index patterns or data view that specifies what data to search.
 .. *Custom query*: The query and filters used to retrieve the required results from
 the {elastic-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`.
@@ -306,15 +304,19 @@ You uploaded a value list of known ransomware domains, and you want to be notifi
 +
 TIP: If you don't remember this information, go to *Rules* -> *Detection rules (SIEM)* -> *Manage value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.)
 
+////
+Revisit this tip ^
+////
+
 [role="screenshot"]
 image::images/indicator_value_list.png[]
 
 [discrete]
 [[create-new-terms-rule]]
 === Create a new terms rule
 
-. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
-. To create a rule that searches for each new term detected in source documents, select *New Terms*, then:
+. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <<kibana-navigation-search,global search field>>.
+. To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then:
 .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view.
 .. Use the filter and query fields to create the criteria used for detecting
 alerts.
@@ -353,8 +355,8 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data
 
 To create an {esql} rule:
 
-. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page appears.
-. Select **{esql}**, then write a query. 
+. Go to the *Rules* page. To access the it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the <<kibana-navigation-search,global search field>>.
+. Select **{esql}**, then write a query.
 +
 NOTE: Refer to the sections below to learn more about <<esql-rule-query-types,{esql} query types>>, <<esql-query-design,query design considerations>>, and <<esql-rule-limitations,rule limitations>>.
 +