diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index fc626627a7..59790e57d5 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -827,9 +827,9 @@ TIP: Avoid setting long time ranges with short rule intervals, or the rule previ [[view-rule-es-queries]] ==== View your rule's {es} queries (optional) -NOTE: This option is only offered for {esql} and event correlation rules. +NOTE: This option is offered for all rule types except indicator match rules. -When previewing a rule, you can also learn about its {es} queries, which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. +When previewing a rule, you can also examine the {es} queries that are submitted when the rule runs. Use this information to identify and troubleshoot potential rule issues and confirm that your rule is retrieving the expected data. To learn more about your rule's {es} queries, preview its results and do the following: @@ -838,6 +838,6 @@ To learn more about your rule's {es} queries, preview its results and do the fol . Expand each row to learn more about the {es} queries that the rule submits each time it executes. The following details are provided: ** When the rule execution started, and how long it took to complete ** A brief explanation of what the {es} queries do -** The actual {es} queries that the rule submits to indices containing events that are used during the rule execution +** The first two {es} queries that the rule submits to indices containing events that are used during the rule execution + TIP: Run the queries in {kibana-ref}/console-kibana.html[Console] to determine if your rule is retrieving the expected data. For example, to test your rule’s exceptions, run the rule’s {es} queries, which will also contain exceptions added to the rule. If your rule’s exceptions are working as intended, the query will not return events that should be ignored.