You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md
+20-9Lines changed: 20 additions & 9 deletions
Original file line number
Diff line number
Diff line change
@@ -22,7 +22,8 @@ Follow these guidelines to start using the {{security-app}}'s [prebuilt rules](s
22
22
23
23
::::{note}
24
24
* Most prebuilt rules don’t start running by default. You can use the **Install and enable** option to start running rules as you install them, or first install the rules, then enable them manually. After installation, only a few prebuilt rules will be enabled by default, such as the Endpoint Security rule.
25
-
* You can’t modify most settings on Elastic prebuilt rules. You can only edit [rule actions](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) and [add exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md). If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated.
25
+
26
+
* Without an [Enterprise subscription](https://www.elastic.co/pricing) subscription on {{stack}} or a [Complete project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) subscription on {{serverless-short}}, you can't modify most settings on Elastic prebuilt rules. You must first duplicate them, then make your changes to the duplicated rules. Refer to [Select and duplicate all prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#select-all-prebuilt-rules) to learn more.
26
27
* On {{stack}}, automatic updates of Elastic prebuilt rules are supported for the current {{elastic-sec}} version and the latest three previous minor releases. For example, if you’re on {{elastic-sec}} 9.0, you’ll be able to use the Rules UI to update your prebuilt rules until {{elastic-sec}} 9.4 is released. After that point, you can still manually download and install updated prebuilt rules, but you must upgrade to the latest {{elastic-sec}} version to receive automatic updates.
27
28
28
29
::::
@@ -70,6 +71,7 @@ Follow these guidelines to start using the {{security-app}}'s [prebuilt rules](s
70
71
71
72
Once you enable a rule, it starts running on its configured schedule. To confirm that it’s running successfully, check its **Last response** status in the rules table, or open the rule’s details page and check the [**Execution results**](/solutions/security/detect-and-alert/monitor-rule-executions.md#rule-execution-logs) tab.
72
73
74
+
If you have an [Enterprise subscription](https://www.elastic.co/pricing) subscription on {{stack}} or a [Complete project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) subscription on {{serverless-short}}, you can also [edit the prebuilt rules](/solutions/security/detect-and-alert/manage-detection-rules.md#edit-rules-settings) that you've installed.
73
75
74
76
## Prebuilt rule tags [prebuilt-rule-tags]
75
77
@@ -96,19 +98,28 @@ Each prebuilt rule includes several tags identifying the rule’s purpose, detec
96
98
97
99
98
100
99
-
## Select and duplicate all prebuilt rules [select-all-prebuilt-rules]
101
+
## Select and duplicate prebuilt rules [select-all-prebuilt-rules]
102
+
103
+
Without an [Enterprise subscription](https://www.elastic.co/pricing) subscription on {{stack}} or a [Complete project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) subscription on {{serverless-short}}, you can't modify most settings on Elastic prebuilt rules. You can only edit [rule actions](/solutions/security/detect-and-alert/create-detection-rule.md#rule-schedule) and [add exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md). If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. Note that your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated.
100
104
101
105
1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
102
106
2. In the **Rules** table, select the **Elastic rules** filter.
103
-
3.Click **Select all *x* rules** above the rules table.
107
+
3.Select one or more rules, or click **Select all *x* rules** above the Rules table.
104
108
4. Click **Bulk actions** → **Duplicate**.
105
-
5. Select whether to duplicate the rules' exceptions, then click **Duplicate**.
109
+
5.(Optional) Select whether to duplicate the rules' exceptions, then click **Duplicate**.
106
110
107
-
You can then modify the duplicated rules and, if required, delete the prebuilt ones. However, your customized rules are entirely separate from the original prebuilt rules, and will not get updates from Elastic if the prebuilt rules are updated.
111
+
You can then modify the duplicated rules and, if required, delete the prebuilt ones.
The following steps are only applicable if you have a [Platinum](https://www.elastic.co/pricing) subscription or lower on {{stack}} or an [Essentials project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) subscription on {{serverless-short}}.
119
+
120
+
If you have an Enterprise subscription on {{stack}} or a Complete project tier subscription on {{serverless-short}}, follow the guidelines in [Update modified and unmodified Elastic prebuilt rules](/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md) instead.
121
+
::::
122
+
112
123
Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the **Rule Updates** tab appears on the **Rules** page, allowing you to update your installed rules with the latest versions.
113
124
114
125
1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
@@ -126,11 +137,11 @@ Elastic regularly updates prebuilt rules to optimize their performance and ensur
126
137
127
138
3. (Optional) To examine the details of a rule’s latest version before you update it, select the rule name. This opens the rule details flyout.
128
139
129
-
Select the **Updates** tab to view rule changes field by field, or the **JSON view** tab to view changes for the entire rule in JSON format. Both tabs display side-by-side comparisons of the **Current rule** (what you currently have installed) and the **Elastic update** version (what you can choose to install). Deleted characters are highlighted in red; added characters are highlighted in green.
140
+
Select the **Elastic update overview** tab to view rule changes field by field, or the **JSON view** tab to view changes for the entire rule in JSON format. Both tabs display side-by-side comparisons of the **Current rule** (what you currently have installed) and the **Elastic update** version (what you can choose to install). Deleted characters are highlighted in red; added characters are highlighted in green.
130
141
131
-
To accept the changes and install the updated version, select **Update**.
142
+
To accept the changes and install the updated version, select **Update rule**.
@@ -143,4 +154,4 @@ Elastic regularly updates prebuilt rules to optimize their performance and ensur
143
154
144
155
::::{tip}
145
156
Use the search bar and **Tags** filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to [Prebuilt rule tags](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#prebuilt-rule-tags).
* You can edit custom rules and bulk-modify them with any [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). Editing [rule notifications](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications)(notifications and response actions) for prebuilt rules can also be done with any {{stack}} subscription or {{serverless-short}} project tier.
69
-
* You must have an [Enterprise subscription](https://www.elastic.co/pricing) to edit all prebuilt rule settings (except for the **Author** and **License** fields) and bulk-modify them.
67
+
* You can edit custom rules and bulk-modify them with any [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
68
+
* You can edit [rule notifications](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) (notifications and response actions) for prebuilt rules with any {{stack}} subscription or {{serverless-short}} project tier.
69
+
* You must have an [Enterprise subscription](https://www.elastic.co/pricing) {{stack}} or a [Complete project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) subscription on {{serverless-short}} to edit all prebuilt rule settings (except for the **Author** and **License** fields) and bulk-modify them.
70
70
71
71
::::
72
72
@@ -179,6 +179,7 @@ You can snooze rule notifications from the **Installed Rules** tab, the rule det
# Update modified and unmodified Elastic prebuilt rules [prebuilt-rules-update-modified-unmodified]
9
+
10
+
::::{admonition} Requirements
11
+
12
+
You must have an [Enterprise subscription](https://www.elastic.co/pricing) on {{stack}} or a [Complete project tier subscription](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) on {{serverless-short}} to access this feature.
13
+
14
+
If you have a Platinum subscription or lower on {{stack}} or an Essentials project tier subscription on {{serverless-short}}, follow the guidelines in [Update Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#update-prebuilt-rules) instead.
15
+
16
+
::::
17
+
18
+
This page provides instructions for updating modified and unmodified prebuilt rules. You can also find information about [statuses](/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md#rule-field-update-statuses) or [conflicts](/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md#resolve-reduce-rule-conflicts) that you might encounter when updating rules.
19
+
20
+
To update rules:
21
+
22
+
1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
23
+
2. In the **Rules** table, select the **Rule Updates** tab.
24
+
25
+
::::{note}
26
+
The **Rule Updates** tab doesn't appear if all your installed prebuilt rules are up to date.
3. (Optional) To examine the details of a rule's latest version before you update it, select the rule name. This opens the rule update flyout, where you can:
35
+
36
+
* Preview incoming updates: Select the **Elastic update overview** tab to view rule changes field by field, or the **JSON view** tab to view changes for the entire rule in JSON format.
37
+
38
+
* Compare different versions of a rule field: Use the **Diff view** drop-down menu to compare different versions of a rule field. For example, compare the changes that you made to the current version of the field with changes that will be applied from the incoming Elastic update.
39
+
40
+
::::{note}
41
+
If you haven't updated the rule in a while, its original version might be unavailable for comparison. Instead, you will only have access to the rule's current version and the incoming Elastic update. You can avoid this by updating prebuilt rules more often.
42
+
::::
43
+
44
+
* Check the update status: View the status of the entire rule update and for [each field that's being changed](/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md#rule-field-update-statuses).
45
+
46
+
* Address update conflicts: Find and address conflicts that [need additional attention](/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md#resolve-reduce-rule-conflicts).
47
+
48
+
* Edit the final update: Change the update that will be applied to the field when you update the rule. To change the update, go to the **Final update** section, make your changes, and then save them.
49
+
50
+
::::{important}
51
+
Elastic updates containing a rule type change cannot be edited. Before updating the rule, duplicate it if you need to record changes that you made to the rule fields.
4. From the **Rule Updates** tab, do one of the following to update prebuilt rules:
61
+
62
+
* Update all available rules: Click **Update all**. If any rules have conflicts, you will be prompted to take [additional action](/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md#resolve-reduce-rule-conflicts).
63
+
* Update a single rule without conflicts: Click **Update rule** for that rule.
64
+
* Update multiple rules: Select the rules and click **Update _x_ selected rule(s)**. If any rules have conflicts, you will be prompted to take additional action.
65
+
66
+
67
+
::::{tip}
68
+
69
+
To find specific rules to update:
70
+
71
+
* Use the **Modified/Unmodified** drop-down menu to only display modified or unmodified prebuilt rules.
72
+
* Use the search bar and **Tags** filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to [Prebuilt rule tags](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#prebuilt-rule-tags).
73
+
74
+
::::
75
+
76
+
## Understand rule field update statuses [rule-field-update-statuses]
77
+
78
+
This table describes statuses that might appear for rule fields being updated.
79
+
80
+
| Status | Description |
81
+
| --- | --- |
82
+
|**Ready for update**| Displays when there are no conflicts to resolve.<br><br>Further action is not required for the field. It is ready to be updated.<br> |
83
+
|**No update**| Displays when the field is not being updated by Elastic, but the current field value differs from the original one. This typically happens when the field's value was changed after the prebuilt rule was initially installed.<br><br>Further action is not required for the field. It is ready to be updated.<br><br> **Tip**: You can still change the final field update, if needed. To do so, make your changes in the **Final update** section and save them.<br><br> |
84
+
|**Review required**| Displays when Elastic auto-resolves a conflict between the current field value and the value from the incoming Elastic update.<br><br>You must accept or edit the field's final update and save the changes. Refer to [Resolve and reduce update conflicts](/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md#resolve-reduce-rule-conflicts) to learn more about auto-resolved conflicts and how to reduce future conflicts.<br> |
85
+
|**Action required**| Displays when Elastic could not auto-resolve the conflict between the current field value and the value from the incoming Elastic update.<br><br>You must manually set and save the field's final update. Refer to Refer to [Resolve and reduce update conflicts](/solutions/security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md#resolve-reduce-rule-conflicts) to learn more about conflicts that need manual fixes and how to reduce future conflicts.<br> |
86
+
87
+
88
+
## Resolve and reduce update conflicts [resolve-reduce-rule-conflicts]
89
+
90
+
Keeping prebuilt rules up to date might help you minimize the frequency and complexity of conflicts that occur during rule updates.
91
+
92
+
When a conflict does happen, Elastic attempts to resolve it and will suggest a fix for your review. This is called an _auto-resolved conflict_. You can still update rules with auto-resolved conflicts, but we advise against bulk-updating multiple rules as it's risky and can sometimes lead to lost rule modifications and other issues. Instead, we recommend carefully reviewing each rule with auto-resolved conflicts from the rule update flyout.
93
+
94
+
If Elastic can't resolve a conflict, you must manually fix it before updating the rule. This is called an _unresolved conflict_. To fix unresolved conflicts in a rule, do the following:
95
+
96
+
1. From the **Rule update** tab, click on the rule name or click **Review**. This opens the rule update flyout, where you can find rule fields with unresolved conflicts.
97
+
98
+
::::{tip}
99
+
Fields with unresolved conflicts have the `Action required` status.
100
+
::::
101
+
102
+
2. Go to the **Final update** section and do any of the following:
103
+
104
+
* Keep the current value instead of accepting the Elastic update.
105
+
* Accept the Elastic update and overwrite the current value.
106
+
* Edit the final field value by combining the current value with the Elastic update or making the appropriate changes.
107
+
108
+
3. Click **Save and accept** to apply your changes. The field's status changes to `Ready for update`.
109
+
110
+
After you've resolved the remaining conflicts, click **Update rule** to accept the changes and install the updated version.
0 commit comments