Create rule from timeline #2951

nastasha-solomon · 2023-01-27T21:47:46Z

Description

Two new options (Create query rule from timeline and Create EQL rule from timeline) that allow users to create a rule from Timeline are being added to the overflow menu in the Timelines table. Users will have the option to create a query or EQL rule from a custom Timeline or from a Timeline template.

Update sections for managing existing timelines and managing existing Timeline templates.

Notes

Will be available by default (GA) in 8.7.
If Timeline has a custom query and an EQL query, both options appear in the overflow menu.
@stephmilovic is checking out possible bug that prevents users from creating a rule from a Timeline template. Issue/PR incoming.

To-do

Verify what the final copy for these options are. In 8.7.0 BC3, the option for creating a query rule is Create rule from timeline. In siem.dev, the copy is Create query rule from timeline.
Check whether there will also be an option to create a rule from within the Timeline view. - there is none

The text was updated successfully, but these errors were encountered:

nastasha-solomon added Team: Threat Hunting Formerly Data Visibility v8.7.0 labels Jan 27, 2023

nastasha-solomon self-assigned this Jan 30, 2023

nastasha-solomon mentioned this issue Feb 27, 2023

Create rule from Timeline #3023

Merged

nastasha-solomon closed this as completed in #3023 Mar 28, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Create rule from timeline #2951

Create rule from timeline #2951

nastasha-solomon commented Jan 27, 2023 •

edited

Loading

Create rule from timeline #2951

Create rule from timeline #2951

Comments

nastasha-solomon commented Jan 27, 2023 • edited Loading

Description

Required doc updates

Notes

To-do

nastasha-solomon commented Jan 27, 2023 •

edited

Loading