Merged
Changes from 12 commits
Commits
50 commits
c915e1f
First draft
nastasha-solomon Mar 3, 2025
be17ff8
More edits
nastasha-solomon Mar 4, 2025
be84c25
Added statuses table
nastasha-solomon Mar 5, 2025
51d6920
Revisions to update section
nastasha-solomon Mar 5, 2025
39c6044
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 5, 2025
c62ddba
Refreshed screenshot
nastasha-solomon Mar 5, 2025
9925ac6
Change image size
nastasha-solomon Mar 5, 2025
49b65b7
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 5, 2025
0248aa8
rewords a few sentences
nastasha-solomon Mar 6, 2025
6f5e33d
final edits
nastasha-solomon Mar 6, 2025
e93e3a3
remove s
nastasha-solomon Mar 6, 2025
07bc284
updates to statuses
nastasha-solomon Mar 6, 2025
b5b5fc4
Address feedback
nastasha-solomon Mar 11, 2025
fa75772
Fix headings
nastasha-solomon Mar 11, 2025
20461fc
Update image name
nastasha-solomon Mar 11, 2025
76fe435
update other image name
nastasha-solomon Mar 11, 2025
8a7b6d7
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 11, 2025
4563e6e
Re-adds notes
nastasha-solomon Mar 11, 2025
05e9963
Missing details
nastasha-solomon Mar 11, 2025
bfc297c
Typos
nastasha-solomon Mar 11, 2025
df691b7
Adds term definitions
nastasha-solomon Mar 11, 2025
4fb177d
form match
nastasha-solomon Mar 11, 2025
92e719e
More edits
nastasha-solomon Mar 11, 2025
fe9ce3d
the ref isn't reffing
nastasha-solomon Mar 11, 2025
d80cb6c
Update docs/detections/prebuilt-rules-management.asciidoc
nastasha-solomon Mar 11, 2025
33e4554
Updates image
nastasha-solomon Mar 11, 2025
1b0fe80
Nikita's feedback
nastasha-solomon Mar 11, 2025
f15763d
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 11, 2025
5f7647d
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 11, 2025
e35b418
Update docs/detections/prebuilt-rules-management.asciidoc
nastasha-solomon Mar 11, 2025
d7c6d02
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 11, 2025
7f9c482
Update docs/detections/prebuilt-rules-update-modified-unmodified.asci…
nastasha-solomon Mar 14, 2025
47ae05f
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 14, 2025
a503d53
Davis' feedback
nastasha-solomon Mar 14, 2025
e509ab7
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 19, 2025
5b682ed
Update docs/detections/prebuilt-rules-update-modified-unmodified.asci…
nastasha-solomon Mar 21, 2025
fd7b697
Update docs/detections/prebuilt-rules-management.asciidoc
nastasha-solomon Mar 21, 2025
c80ed84
Remove outdated text
nastasha-solomon Mar 21, 2025
446f504
Georgii's feedback
nastasha-solomon Mar 24, 2025
ee0f6f0
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 24, 2025
cce052b
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 24, 2025
1184852
Minor editorial fixes (word choice and grammar)
nastasha-solomon Mar 24, 2025
e62118c
Merge branch 'issue-5061-update' of github.com:elastic/security-docs …
nastasha-solomon Mar 24, 2025
090d1df
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 24, 2025
b7c1708
Merge branch '8.x' into issue-5061-update
nastasha-solomon Mar 25, 2025
02756f0
Update docs/detections/prebuilt-rules-management.asciidoc
nastasha-solomon Mar 25, 2025
2bd30b5
column headings
nastasha-solomon Mar 25, 2025
0b6faab
table syntax
nastasha-solomon Mar 25, 2025
817895a
spacing or newlines?
nastasha-solomon Mar 25, 2025
c852c32
this table is cursed
nastasha-solomon Mar 25, 2025
Binary file modified docs/detections/images/prebuilt-rules-update-diff.png
94 changes: 80 additions & 14 deletions docs/detections/prebuilt-rules-management.asciidoc
Expand Up @@ -17,9 +17,6 @@ Follow these guidelines to start using the {security-app}'s <<prebuilt-rules, pr
[NOTE]
====
* Most prebuilt rules don't start running by default. You can use the **Install and enable** option to start running rules as you install them, or first install the rules, then enable them manually. After installation, only a few prebuilt rules will be enabled by default, such as the Endpoint Security rule.

* You can't modify most settings on Elastic prebuilt rules. You can only edit <<rule-notifications, rule actions>> and <<add-exceptions, add exceptions>>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated.

* Automatic updates of Elastic prebuilt rules are supported for the current {elastic-sec} version and the latest three previous minor releases. For example, if you’re on {elastic-sec} 8.10, you’ll be able to use the Rules UI to update your prebuilt rules until {elastic-sec} 8.14 is released. After that point, you can still manually download and install updated prebuilt rules, but you must upgrade to the latest {elastic-sec} version to receive automatic updates.
====

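Review bot: the two bullets removed from this NOTE (prebuilt rules can't be edited beyond actions and exceptions; automatic updates cover the current minor plus the three previous minors) are not replaced by anything in this hunk, so the rendered page no longer tells the reader that editing a prebuilt rule is now possible and that such edits can collide with Elastic's updates, nor how long a stack on an older minor keeps receiving rule updates. The first point is only implied by the new conflict-resolution section much further down; keep a one-line bullet here saying that prebuilt rules can be edited and that edits may conflict with incoming Elastic updates, with a link to <<resolve-reduce-rule-conflicts>>. For the second, if the version-window policy still applies it is an operational caveat worth keeping, because a deployment left on an old minor silently stops receiving detection updates; if the policy changed, the replacement statement should appear somewhere on the page rather than being dropped without note.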
Expand All @@ -42,7 +39,7 @@ TIP: To examine the details of a rule before you install it, select the rule nam
+
--
* Install all available rules: Click *Install all* at the top of the page. (This doesn't enable the rules; you still need to do that manually.)
* Install a single rule: In the rules table, either click **Install** to install a rule without enabling it, or click image:images/boxesVertical.svg[Vertical boxes button] → **Install and enable** to start running the rule once it's installed.
* Install a single rule: In the Rules table, either click **Install** to install a rule without enabling it, or click image:images/boxesVertical.svg[Vertical boxes button] → **Install and enable** to start running the rule once it's installed.
* Install multiple rules: Select the rules, and then at the top of the page either click *Install _x_ selected rule(s)* to install without enabling the rules, or click image:images/boxesVertical.svg[Vertical boxes button] → **Install and enable** to install and start running the rules.
--
+
Expand All @@ -56,7 +53,7 @@ image::images/prebuilt-rules-add.png[The Add Elastic Rules page]
* Enable a single rule: Turn on the rule's *Enabled* switch.
* Enable multiple rules: Select the rules, then click *Bulk actions* -> *Enable*.

Once you enable a rule, it starts running on its configured schedule. To confirm that it's running successfully, check its *Last response* status in the rules table, or open the rule's details page and check the <<rule-execution-logs, *Execution results*>> tab.
Once you enable a rule, it starts running on its configured schedule. To confirm that it's running successfully, check its *Last response* status in the Rules table, or open the rule's details page and check the <<rule-execution-logs, *Execution results*>> tab.

[float]
[[prebuilt-rule-tags]]
Expand Down Expand Up @@ -84,22 +81,24 @@ Each prebuilt rule includes several tags identifying the rule's purpose, detecti

[float]
[[select-all-prebuilt-rules]]
=== Select and duplicate all prebuilt rules
=== Select and duplicate prebuilt rules

. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. In the *Rules* table, select the *Elastic rules* filter.
. Click *Select all _x_ rules* above the rules table.
. Select one or more rules, or click *Select all _x_ rules* above the rules table.
. Click *Bulk actions* -> *Duplicate*.
. Select whether to duplicate the rules' exceptions, then click *Duplicate*.

You can then modify the duplicated rules and, if required, delete the prebuilt ones. However, your customized rules are entirely separate from the original prebuilt rules, and will not get updates from Elastic if the prebuilt rules are updated.
You can then modify the duplicated rules and, if required, delete the prebuilt ones. Be aware that your modified rules are entirely separate from the original prebuilt rules, and will not get updates from Elastic if the prebuilt rules are updated.

[float]
[[update-prebuilt-rules]]
=== Update Elastic prebuilt rules

Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions.

NOTE: Rules with conflicts require additional attention before they can be updated. Refer to <<resolve-reduce-rule-conflicts>> to learn more.

. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. In the *Rules* table, select the *Rule Updates* tab.
+
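Review bot: step 3 of the duplicate procedure, `Select one or more rules, or click *Select all _x_ rules* above the rules table.`, keeps lowercase `rules table` while the earlier hunks in this PR change the same phrase to `Rules table`, and step 2 just above uses `*Rules* table`; pick one form and apply it across the file. The new NOTE forward-references <<resolve-reduce-rule-conflicts>>, which is defined later in this file, so the anchor resolves, but the sentence would read more naturally folded into the preceding intro paragraph than as a standalone admonition wedged between the intro and the numbered steps.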
Expand All @@ -108,18 +107,85 @@ NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules
[role="screenshot"]
image::images/prebuilt-rules-update.png[The Rule Updates tab on the Rules page]

. (Optional) To examine the details of a rule's latest version before you update it, select the rule name. This opens the rule details flyout.
. (Optional) To examine the details of a rule's latest version before you update it, select the rule name. This opens the rule details flyout, where you can:

** Preview incoming updates: Select the *Elastic update overview* tab to view rule changes field by field, or the *JSON view* tab to view changes for the entire rule in JSON format.
+
Select the *Updates* tab to view rule changes field by field, or the *JSON view* tab to view changes for the entire rule in JSON format. Both tabs display side-by-side comparisons of the *Current rule* (what you currently have installed) and the *Elastic update* version (what you can choose to install). Deleted characters are highlighted in red; added characters are highlighted in green.
Both tabs display side-by-side comparisons of the *Current rule* (what you currently have installed) and the *Elastic update* version (what you can choose to install). Deleted characters are highlighted in red; added characters are highlighted in green.
+
To accept the changes and install the updated version, select *Update*.
TIP: Use the **Diff view** drop-down menu to compare different versions of the rule field. For example, compare the changes that you made to the current version of the field with changes that will be applied from the incoming Elastic update.

** Check the update status: View the status of the entire rule update and for <<rule-update-statuses,each field that's being changed>>.

** Address update conflicts: Find and address conflicts that <<resolve-reduce-rule-conflicts, need additional attention>>.
+
IMPORTANT: Elastic updates to a rule's type cannot be changed. Before updating the rule, duplicate it if you need to record changes that you made to other rule fields.

** Edit the final update: Change the update that will be applied to the field when you update the rule. To change the update, go to the *Final update* section, make your changes, and then save them.
+
[role="screenshot"]
image::images/prebuilt-rules-update-diff.png[Prebuilt rule comparison,75%]
image::images/prebuilt-rules-update-diff.png[Prebuilt rule comparison,85%]
+

. Do one of the following to update prebuilt rules on the *Rules* page:
. From the *Rule Updates* tab, do one of the following to update prebuilt rules:
* Update all available rules: Click *Update all*.
* Update a single rule: Click *Update rule* for that rule.
* Update a single rule: Click *Update rule* for that rule.
* Update multiple rules: Select the rules and click *Update _x_ selected rule(s)*.
+
TIP: Use the search bar and *Tags* filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <<prebuilt-rule-tags>>.

[float]
[[rule-update-statuses]]
==== Rule update statuses

This table describes statuses that might appear for rule fields being updated.

[cols="2"]
|===

| *Ready for update*
a| Displays when there are no conflicts to resolve.

Further action is not required for the field. It is ready to be updated.

| *No update*
a| Displays when the field is not being updated by Elastic, but the current field value differs from the original one. This typically happens when the field's value was changed after the prebuilt rule was initially installed.

Further action is not required for the field. It is ready to be updated.

TIP: You can still change the final field update, if needed. To do so, make your changes in the *Final update* section and save them.

| *Review required*
a| Displays when Elastic auto-resolves a conflict between the current field value and the value from the incoming Elastic update.

You must accept or edit the field's final update and save the changes. Refer to <<resolve-reduce-rule-conflicts>> to learn more about auto-resolved conflicts and how to reduce future conflicts.

| *Action required*
a| Displays when Elastic could not auto-resolve the conflict between the current field value and the value from the incoming Elastic update.

You must manually set and save the field's final update. Refer to <<resolve-reduce-rule-conflicts>> to learn more about conflicts that need manual fixes and how to reduce future conflicts.

|===


[float]
[[resolve-reduce-rule-conflicts]]
==== Resolve and reduce update conflicts

Keeping prebuilt rule updated might help you minimize the frequency and complexity of conflicts that occur during rule updates.

When a conflict does happen, Elastic attempts to resolve it and will suggest a fix for your review. In these cases, you can accept or edit the suggested fix, then update the rule. If Elastic can't resolve the conflict, you must manually fix it before updating the rule.

To manually fix a conflict:

. Find the rule field with the unresolved conflict.
+
TIP: Fields with unresolved conflicts will have the `Action required` badge next to their names.
+
. Go to the *Final update* section and do any of the following:
** Keep your changes and reject the Elastic update.
** Accept the Elastic update and overwrite your changes.
** Edit the final field value by combining your changes with the Elastic update or making the appropriate changes.
. Click **Save and accept** to apply your changes. The field's status changes to `Ready for update`.

After you've resolved the remaining conflicts, click *Update rule* to accept the changes and install the updated version.
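Review bot: the IMPORTANT admonition under "Address update conflicts" is ambiguous as written: "Elastic updates to a rule's type cannot be changed" presumably means that when the incoming Elastic update changes the rule's type, the update cannot be edited field by field and accepting it discards any customizations on the other fields; say that directly, since the failure mode is silent loss of tuned fields, for example "If the Elastic update changes the rule's type, you can't edit the update or keep your changes to other fields; they are overwritten when you update the rule. Duplicate the rule first if you need to keep them." In the statuses table, the *No update* row repeats "Further action is not required for the field. It is ready to be updated." from the row above, which contradicts the status name; it should say the field keeps its current value and does not block the rule update. Status badges are bolded in the table (*Action required*) but monospaced in the TIP and in step 3 of the manual fix (`Action required`, `Ready for update`); use one convention. "Keeping prebuilt rule updated" should be "rules", "After you've resolved the remaining conflicts" should be "all conflicts", and the last bullet's "or making the appropriate changes" adds nothing after "combining your changes with the Elastic update" (drop it or say "or enter a new value"). The line "* Update a single rule: Click *Update rule* for that rule." is identical on both sides of the diff, so the change is whitespace only; confirm that is intended. Finally, the "+" list continuation placed after the screenshot is followed by an empty line and then a new top-level step, so it attaches nothing and should be removed.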