elastic · nastasha-solomon · Mar 25, 2025 · Mar 3, 2025 · Mar 4, 2025 · Mar 5, 2025
@@ -17,6 +17,8 @@ include::detections-exclude-cold-frozen-data-tiers.asciidoc[leveloffset=+1]
 
 include::prebuilt-rules-management.asciidoc[]
 
+include::prebuilt-rules-update-modified-unmodified.asciidoc[leveloffset=+1]
+
 include::rules-ui-manage.asciidoc[]
 
 include::rules-ui-monitor.asciidoc[]

@@ -17,9 +17,7 @@ Follow these guidelines to start using the {security-app}'s <<prebuilt-rules, pr
 [NOTE]
 ====
 * Most prebuilt rules don't start running by default. You can use the **Install and enable** option to start running rules as you install them, or first install the rules, then enable them manually. After installation, only a few prebuilt rules will be enabled by default, such as the Endpoint Security rule.
-
-* You can't modify most settings on Elastic prebuilt rules. You can only edit <<rule-notifications, rule actions>> and <<add-exceptions, add exceptions>>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated.
-
+* Without an https://www.elastic.co/subscriptions/cloud[Enterprise] subscription, you can't modify most settings on Elastic prebuilt rules. You must first duplicate them, then make your changes to the duplicated rules. Refer to <<select-all-prebuilt-rules>> to learn more. 
 * Automatic updates of Elastic prebuilt rules are supported for the current {elastic-sec} version and the latest three previous minor releases. For example, if you’re on {elastic-sec} 8.10, you’ll be able to use the Rules UI to update your prebuilt rules until {elastic-sec} 8.14 is released. After that point, you can still manually download and install updated prebuilt rules, but you must upgrade to the latest {elastic-sec} version to receive automatic updates.
 ====
 
@@ -56,7 +54,9 @@ image::images/prebuilt-rules-add.png[The Add Elastic Rules page]
 * Enable a single rule: Turn on the rule's *Enabled* switch.
 * Enable multiple rules: Select the rules, then click *Bulk actions* -> *Enable*.
 
-Once you enable a rule, it starts running on its configured schedule. To confirm that it's running successfully, check its *Last response* status in the rules table, or open the rule's details page and check the <<rule-execution-logs, *Execution results*>> tab.
+Once you enable a rule, it starts running on its configured schedule. To confirm that it's running successfully, check its *Last response* status in the Rules table, or open the rule's details page and check the <<rule-execution-logs, *Execution results*>> tab.
+
+If you have an https://www.elastic.co/subscriptions/cloud[Enterprise] subscription, you can also <<edit-rules-settings,edit the prebuilt rules>> that you've installed.
 
 [float]
 [[prebuilt-rule-tags]]
@@ -84,22 +84,26 @@ Each prebuilt rule includes several tags identifying the rule's purpose, detecti
 
 [float]
 [[select-all-prebuilt-rules]]
-=== Select and duplicate all prebuilt rules
+=== Select and duplicate prebuilt rules
+
+Without an https://www.elastic.co/subscriptions/cloud[Enterprise] subscription, you can't modify most settings on Elastic prebuilt rules. You can only edit <<rule-notifications, rule actions>> and <<add-exceptions, add exceptions>>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. Note that your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated.
 
 . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . In the *Rules* table, select the *Elastic rules* filter.
-. Click *Select all _x_ rules* above the rules table.
+. Select one or more rules, or click *Select all _x_ rules* above the rules table.
 . Click *Bulk actions* -> *Duplicate*.
-. Select whether to duplicate the rules' exceptions, then click *Duplicate*.
+. (Optional) Select whether to duplicate the rules' exceptions, then click *Duplicate*.
 
-You can then modify the duplicated rules and, if required, delete the prebuilt ones. However, your customized rules are entirely separate from the original prebuilt rules, and will not get updates from Elastic if the prebuilt rules are updated.
+You can then modify the duplicated rules and, if required, delete the prebuilt ones. 
 
 [float]
 [[update-prebuilt-rules]]
 === Update Elastic prebuilt rules
 
 Elastic regularly updates prebuilt rules to optimize their performance and ensure they detect the latest threats and techniques. When updated versions are available for your installed prebuilt rules, the *Rule Updates* tab appears on the *Rules* page, allowing you to update your installed rules with the latest versions.
 
+IMPORTANT: The following steps are only applicable if you have a https://www.elastic.co/subscriptions/cloud[Platinum] subscription or lower. If you have an Enterprise subscription, follow the guidelines in <<prebuilt-rules-update-modified-unmodified>> instead. 
+
 . Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . In the *Rules* table, select the *Rule Updates* tab.
 +
@@ -110,16 +114,16 @@ image::images/prebuilt-rules-update.png[The Rule Updates tab on the Rules page]
 
 . (Optional) To examine the details of a rule's latest version before you update it, select the rule name. This opens the rule details flyout.
 +
-Select the *Updates* tab to view rule changes field by field, or the *JSON view* tab to view changes for the entire rule in JSON format. Both tabs display side-by-side comparisons of the *Current rule* (what you currently have installed) and the *Elastic update* version (what you can choose to install). Deleted characters are highlighted in red; added characters are highlighted in green.
+Select the *Elastic update overview* tab to view rule changes field by field, or the *JSON view* tab to view changes for the entire rule in JSON format. Both tabs display side-by-side comparisons of the *Current rule* (what you currently have installed) and the *Elastic update* version (what you can choose to install). Deleted characters are highlighted in red; added characters are highlighted in green.
 +
-To accept the changes and install the updated version, select *Update*.
+To accept the changes and install the updated version, select *Update rule*.
 +
 [role="screenshot"]
-image::images/prebuilt-rules-update-diff.png[Prebuilt rule comparison,75%]
+image::images/prebuilt-rules-update-diff-basic.png[Prebuilt rule comparison,75%]
 
-. Do one of the following to update prebuilt rules on the *Rules* page:
+. Do one of the following to update prebuilt rules on the *Rule Updates* tab:
 * Update all available rules: Click *Update all*.
 * Update a single rule: Click *Update rule* for that rule.
 * Update multiple rules: Select the rules and click *Update _x_ selected rule(s)*.
 +
-TIP: Use the search bar and *Tags* filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <<prebuilt-rule-tags>>.
+TIP: Use the search bar and *Tags* filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <<prebuilt-rule-tags>>.
@@ -0,0 +1,109 @@
+[[prebuilt-rules-update-modified-unmodified]]
+== Update modified and unmodified Elastic prebuilt rules
+
+.Requirements
+[sidebar]
+--
+You must have an https://www.elastic.co/subscriptions/cloud[Enterprise] subscription to access this feature. If you have a Platinum subscription or lower, follow the guidelines in <<update-prebuilt-rules>> instead.
+--
+
+This page provides instructions for updating modified and unmodified prebuilt rules. You can also find information about <<rule-field-update-statuses,statuses>> or <<resolve-reduce-rule-conflicts,conflicts>> that you might encounter when updating rules. 
+
+To update rules:
+
+. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. In the *Rules* table, select the *Rule Updates* tab.
++
+NOTE: The *Rule Updates* tab doesn't appear if all your installed prebuilt rules are up to date.
++
+[role="screenshot"]
+image::images/prebuilt-rules-update-advanced.png[The Rule Updates tab on the Rules page]
+
+. (Optional) To examine the details of a rule's latest version before you update it, select the rule name. This opens the rule update flyout, where you can: 
+
+** Preview incoming updates: Select the *Elastic update overview* tab to view rule changes field by field, or the *JSON view* tab to view changes for the entire rule in JSON format. 
+
+** Compare different versions of a rule field: Use the **Diff view** drop-down menu to compare different versions of a rule field. For example, compare the changes that you made to the current version of the field with changes that will be applied from the incoming Elastic update.
++
+NOTE: If you haven't updated the rule in a while, its original version might be unavailable for comparison. Instead, you will only have access to the rule's current version and the incoming Elastic update. You can avoid this by updating prebuilt rules more often. 
+
+** Check the update status: View the status of the entire rule update and for <<rule-field-update-statuses,each field that's being changed>>. 
+
+** Address update conflicts: Find and address conflicts that <<resolve-reduce-rule-conflicts, need additional attention>>. 
+
+** Edit the final update: Change the update that will be applied to the field when you update the rule. To change the update, go to the *Final update* section, make your changes, and then save them.
++
+IMPORTANT: Elastic updates containing a rule type change cannot be edited. Before updating the rule, duplicate it if you need to record changes that you made to the rule fields. 
++
+[role="screenshot"]
+image::images/prebuilt-rules-update-diff-advanced.png[Prebuilt rule comparison,85%]
++
+
+. From the *Rule Updates* tab, do one of the following to update prebuilt rules:
++
+* Update all available rules: Click *Update all*. If any rules have conflicts, you will be prompted to take <<resolve-reduce-rule-conflicts,additional action>>.
+* Update a single rule without conflicts: Click *Update rule* for that rule. 
+* Update multiple rules: Select the rules and click *Update _x_ selected rule(s)*. If any rules have conflicts, you will be prompted to take additional action.
++
+[TIP] 
+====
+
+To find specific rules to update:
+
+* Use the **Modified/Unmodified** drop-down menu to only display modified or unmodified prebuilt rules.
+* Use the search bar and *Tags* filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <<prebuilt-rule-tags>>.
+
+====
+
+[float]
+[[rule-field-update-statuses]]
+=== Understand rule field update statuses
+
+This table describes statuses that might appear for rule fields being updated.  
+
+[width="100%",cols="2",options="header"]
+|==============================================
+|Status |Description 
+
+|*Ready for update* a|Displays when there are no conflicts to resolve. 
+
+Further action is not required for the field. It is ready to be updated.
+
+|*No update* a|Displays when the field is not being updated by Elastic, but the current field value differs from the original one. This typically happens when the field's value was changed after the prebuilt rule was initially installed.
+
+Further action is not required for the field. It is ready to be updated.
+
+TIP: You can still change the final field update, if needed. To do so, make your changes in the *Final update* section and save them.
+
+|*Review required* a|Displays when Elastic auto-resolves a conflict between the current field value and the value from the incoming Elastic update. 
+
+You must accept or edit the field's final update and save the changes. Refer to <<resolve-reduce-rule-conflicts>> to learn more about auto-resolved conflicts and how to reduce future conflicts.
+
+|*Action required* a|Displays when Elastic could not auto-resolve the conflict between the current field value and the value from the incoming Elastic update. 
+
+You must manually set and save the field's final update. Refer to <<resolve-reduce-rule-conflicts>> to learn more about conflicts that need manual fixes and how to reduce future conflicts.
+
+|==============================================
+
+
+[float]
+[[resolve-reduce-rule-conflicts]]
+=== Resolve and reduce update conflicts
+
+Keeping prebuilt rules up to date might help you minimize the frequency and complexity of conflicts that occur during rule updates.  
+
+When a conflict does happen, Elastic attempts to resolve it and will suggest a fix for your review. This is called an _auto-resolved conflict_. You can still update rules with auto-resolved conflicts, but we advise against bulk-updating multiple rules as it's risky and can sometimes lead to lost rule modifications and other issues. Instead, we recommend carefully reviewing each rule with auto-resolved conflicts from the rule update flyout.
+
+If Elastic can't resolve a conflict, you must manually fix it before updating the rule. This is called an _unresolved conflict_. To fix unresolved conflicts in a rule, do the following:
+
+. From the **Rule update** tab, click on the rule name or click **Review**. This opens the rule update flyout, where you can find rule fields with unresolved conflicts. 
++
+TIP: Fields with unresolved conflicts have the `Action required` status.
+
+. Go to the *Final update* section and do any of the following:
+** Keep the current value instead of accepting the Elastic update.
+** Accept the Elastic update and overwrite the current value.
+** Edit the final field value by combining the current value with the Elastic update or making the appropriate changes.
+. Click **Save and accept** to apply your changes. The field's status changes to `Ready for update`. 
+
+After you've resolved the remaining conflicts, click *Update rule* to accept the changes and install the updated version.