Revisiting instructions to rules page

nastasha-solomon · nastasha-solomon · commit b8828e26b9eb · 2024-11-04T13:54:25.000-05:00
diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc
@@ -38,8 +38,8 @@ specific event in the sequence, update the rule's EQL statement. For example:
 +
 --
 * To add an exception from the rule details page:
-.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
-.. Search for the rule that you want to add an exception to, then click its name to open the rule details.
+.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+.. In the Rules table, search for the rule that you want to add an exception to, then click its name to open the rule details.
 .. Scroll down the rule details page, select the *Rule exceptions* tab, then click *Add rule exception*.
 +
 [role="screenshot"]
@@ -157,8 +157,8 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there
 --
 
 * To add an Endpoint exception from the rule details page:
-.. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
-.. Search for and select the Elastic *Endpoint Security* rule.
+.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+.. In the Rules table, search for and select the Elastic *Endpoint Security* rule.
 .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*.
 
 * To add an Endpoint exception from the Alerts table:
diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc
@@ -27,7 +27,7 @@ Follow these guidelines to start using the {security-app}'s <<prebuilt-rules, pr
 [[load-prebuilt-rules]]
 === Install and enable Elastic prebuilt rules
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to the Rules table.
 +
 The badge next to *Add Elastic rules* shows the number of prebuilt rules available for installation. 
 +
@@ -83,8 +83,8 @@ Each prebuilt rule includes several tags identifying the rule's purpose, detecti
 [[select-all-prebuilt-rules]]
 === Select and duplicate all prebuilt rules
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
-. From the *Rules* page, select the *Elastic rules* filter.
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. In the *Rules* table, select the *Elastic rules* filter.
 . Click *Select all _x_ rules* above the rules table.
 . Click *Bulk actions* -> *Duplicate*.
 . Select whether to duplicate the rules' exceptions, then click *Duplicate*.
@@ -97,8 +97,8 @@ You can then modify the duplicated rules and, if required, delete the prebuilt o
 
 Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions.
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
-. From the *Rules* page, select the *Rule Updates* tab.
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. In the *Rules* table, select the *Rule Updates* tab.
 +
 NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date.
 +
diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc
@@ -35,8 +35,8 @@ add an exception for the required application.
 For example, to prevent the <<unusual-process-execution-path-alternate-data-stream>> rule from
 producing alerts for an in-house application named `myautomatedbuild`:
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
-. Search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule.
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. In the Rules table, search for and then click on the *Unusual Process Execution Path - Alternate Data Stream* rule.
 +
 The *Unusual Process Execution Path - Alternate Data Stream* rule details page is displayed.
 [role="screenshot"]
diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
@@ -42,8 +42,9 @@ To create or edit {ml} rules, you must have the https://www.elastic.co/subscript
 {ess-trial}[cloud deployment]. Additionally, you must have the {ref}/built-in-roles.html[`machine_learning_admin`] user
 role, and the selected {ml} job must be running for the rule to function correctly.
 ==============
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
-. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule*, then select:
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Click *Create new rule*.
+. To create a rule based on a {ml} anomaly threshold, select *Machine Learning* on the *Create new rule* page, then select:
 .. The required {ml} jobs. 
 +
 NOTE: If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule.
@@ -67,7 +68,8 @@ in the step or its sub-steps, apply the change to the other rule types, too.
 [discrete]
 [[create-custom-rule]]
 === Create a custom query rule
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Click *Create new rule*.
 . To create a rule based on a KQL or Lucene query, select *Custom query* on the *Create new rule* page, then:
 .. Define which {es} indices or data view the rule searches for alerts.
 .. Use the filter and query fields to create the criteria used for detecting
@@ -117,7 +119,8 @@ in these steps or sub-steps, apply the change to the other rule types, too.
 [discrete]
 [[create-threshold-rule]]
 === Create a threshold rule
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Click *Create new rule*.
 . To create a rule based on a source event field threshold, select *Threshold* on the *Create new rule* page, then:
 .. Define which {es} indices the rule analyzes for alerts.
 .. Use the filter and query fields to create the criteria used for detecting
@@ -157,7 +160,8 @@ in these steps or sub-steps, apply the change to the other rule types, too.
 [discrete]
 [[create-eql-rule]]
 === Create an event correlation rule
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Click *Create new rule*.
 . To create an event correlation rule using EQL, select *Event Correlation* on the *Create new rule* page, then:
 . To create an event correlation rule using EQL, select *Event Correlation*, then:
 .. Define which {es} indices or data view the rule searches when querying for events.
@@ -224,7 +228,8 @@ in these steps or sub-steps, apply the change to the other rule types, too.
 
 NOTE: {elastic-sec} provides limited support for indicator match rules. See <<support-indicator-rules>> for more information.
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Click *Create new rule*.
 . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match* on the *Create new rule* page, then fill in the following fields:
 .. *Source*: The individual index patterns or data view that specifies what data to search.
 .. *Custom query*: The query and filters used to retrieve the required results from
@@ -311,7 +316,8 @@ image::images/indicator_value_list.png[]
 [[create-new-terms-rule]]
 === Create a new terms rule
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Click *Create new rule*.
 . To create a rule that searches for each new term detected in source documents, select *New Terms* on the *Create new rule* page, then:
 .. Specify what data to search by entering individual {es} index patterns or selecting an existing data view.
 .. Use the filter and query fields to create the criteria used for detecting
@@ -351,7 +357,8 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data
 
 To create an {esql} rule:
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Click *Create new rule*.
 . Select **{esql}**, then write a query.
 +
 NOTE: Refer to the sections below to learn more about <<esql-rule-query-types,{esql} query types>>, <<esql-query-design,query design considerations>>, and <<esql-rule-limitations,rule limitations>>.
diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc
@@ -67,7 +67,7 @@ For prebuilt Elastic rules, you can't modify most settings. You can only edit <<
 Similarly, rules will be skipped if they can't be modified by a bulk edit. For example, if you try to apply a tag to rules that already have that tag, or apply an index pattern to rules that use data views.
 ====
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . Do one of the following:
 * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <<rules-ui-create, rule's settings>>.
 * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu:
@@ -98,8 +98,8 @@ You can duplicate, enable, disable, delete, and snooze actions for rules:
 
 NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <<detections-ui-exceptions,default rule list>>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list.  
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
-. Do one of the following:
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. In the Rules table, do one of the following:
 * Select the *All actions* menu (*...*) on a rule, then select an action.
 * Select all the rules you want to modify, then select an action from the *Bulk actions* menu.
 * To enable or disable a single rule, switch on the rule's *Enabled* toggle.
@@ -115,8 +115,8 @@ Manually run enabled rules for a specified period of time for testing purposes o
 
 IMPORTANT: Before manually running rules, make sure you properly understand and plan for rule dependencies. Incorrect scheduling can lead to inconsistent rule results.
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
-. From the *Rules* page, do one of the following:
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. In the *Rules* table, do one of the following:
 * Select the **All actions** menu (**...**) on a rule, then select **Manual run**.
 * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**.
 . Specify when the manual run starts and ends. The default selection is the current day starting three hours in the past. The rule will search for events during the selected time range.
@@ -175,9 +175,9 @@ TIP: You can also use {kib}'s {kibana-ref}/managing-saved-objects.html#managing-
 
 To export and import detection rules:
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
 . To export rules:
-.. In the rules table, select the rules you want to export.
+.. In the Rules table, select the rules you want to export.
 .. Select *Bulk actions* -> *Export*, then save the exported file.
 . To import rules:
 +
diff --git a/docs/detections/value-list-exceptions.asciidoc b/docs/detections/value-list-exceptions.asciidoc
@@ -39,7 +39,7 @@ act as delimiters.
 * The maximum accepted file size is 9 million bytes.
 =========================
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . Click *Manage value lists*. The *Manage value lists* window opens.
 +
 [role="screenshot"]
@@ -61,7 +61,7 @@ You can edit, remove, or export existing value lists.
 [discrete]
 ==== Edit value lists
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . Click **Manage value lists**. The **Manage value lists** window opens. 
 . In the **Value lists** table, click the value list you want to edit.
 . Do any of the following:
@@ -83,7 +83,7 @@ TIP: You can also edit value lists while creating and managing exceptions that u
 [discrete]
 ==== Export or remove value lists
 
-. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . Click *Manage value lists*. The *Manage value lists* window opens.
 . From the *Value lists* table, you can:
 .. Click the **Export value list** button (image:images/export-value-list.png[Export button from Manage value lists window,15,15]) to export the value list. 
