[DE Team][8.15][Serverless] Bulk-update a rule's custom highlighted fields #5460

Merged
3 changes: 1 addition & 2 deletions docs/detections/alerts-view-details.asciidoc
Expand Up @@ -111,8 +111,7 @@ The Investigation section provides the following information:
+
TIP: Add an <<add-ig-actions-rule,investigation guide>> to a rule when creating a new custom rule or modifying an existing custom rule's settings.

* **Highlighted fields**: Shows relevant fields for the alert and any custom highlighted fields you added to the rule.
//link to custom highlighted fields docs
* **Highlighted fields**: Shows relevant fields for the alert and any custom highlighted fields you added to the rule. Custom highlighted fields with values are added to this section. Those without values aren't added.

[discrete]
[[visualizations-section]]
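Review bot: the `//link to custom highlighted fields docs` placeholder is dropped without the cross-reference it was holding a place for, so the **Highlighted fields** bullet still does not tell the reader where custom highlighted fields are configured; consider adding a cross-reference to the *Custom highlighted fields* step of the rule-creation page in the new sentence. The two added sentences could also be folded into one, e.g. "Custom highlighted fields appear in this section only when the alert has a value for them."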
3 changes: 3 additions & 0 deletions docs/detections/api/rules/rules-api-bulk-actions.asciidoc
Expand Up @@ -330,6 +330,9 @@ IMPORTANT: Dry run mode is not supported for the `export` bulk action. A `400` e
| `add_tags` | String[] | Add tags to rules
| `delete_tags` | String[] | Delete rules' tags
| `set_tags` | String[] | Overwrite rules' tags
| `add_investigation_fields` | { field_names: String[] } | Add custom highlighted fields to rules
| `delete_investigation_fields` | { field_names: String[] } | Delete rules' custom highlighted fields
| `set_investigation_fields` | { field_names: String[] } | Overwrite rules' custom highlighted fields
| `add_index_patterns` | String[] | Add index patterns to rules
| `delete_index_patterns` | String[] | Delete rules' index patterns
| `set_index_patterns` | String[] | Overwrite rules' index patterns
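Review bot: the three new rows give the value type as `{ field_names: String[] }`, an object, while the neighbouring `*_tags` and `*_index_patterns` rows take a bare `String[]`; since this is the first object-valued edit type in the visible part of the table, a short request example showing the `field_names` shape for one of these actions would save readers a guess. It would also help to state what `set_investigation_fields` does with an empty `field_names` array (clears the rule's custom highlighted fields, or is rejected) and whether `delete_investigation_fields` silently ignores names the rule does not have.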
5 changes: 3 additions & 2 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -536,9 +536,10 @@ the rule. For example, links to background information.
.. *False positive examples* (optional): List of common scenarios that may produce
false-positive alerts.
.. *MITRE ATT&CK^TM^ threats* (optional): Add relevant https://attack.mitre.org/[MITRE] framework tactics, techniques, and subtechniques.
.. *Custom highlighted fields* (optional): Specify highlighted fields for personalized alert investigation flows. Fields with values are added to the <<investigation-section,Highlighted fields>> section within the alert details flyout. Fields without values aren't added. After you create the rule, you can find all custom highlighted fields in the About section of the rule details page.
.. *Custom highlighted fields* (optional): Specify one or more highlighted fields for personalized alert investigation flows. You can choose any fields that are available in the indices you selected for the rule's data source.
+
NOTE: There's no limit to the number of custom highlighted fields you can add.
After you create the rule, you can find all custom highlighted fields in the About section of the rule details page. If the rule has alerts, you can find custom highlighted fields in the <<investigation-section,Highlighted fields>> section of the alert details flyout.

.. *Setup guide* (optional): Instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
.. *Investigation guide* (optional): Information for analysts investigating
alerts created by the rule. You can also add action buttons to <<invest-guide-run-osquery, run Osquery>> or <<interactive-investigation-guides, launch Timeline investigations>> using alert data.
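Review bot: the line "After you create the rule, you can find all custom highlighted fields ..." directly follows the `NOTE:` line with no blank line between them, so AsciiDoc will treat it as part of the admonition paragraph rather than as a separate paragraph of the list item; put a blank line after the NOTE and a `+` continuation before that paragraph. Separately, this hunk says fields can be chosen from "the indices you selected for the rule's data source", while the bulk-edit bullet added to `rules-ui-manage.asciidoc` in the same PR says "the default {elastic-sec} indices"; the two should either agree or the bulk-edit page should explain why its field list differs.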
1 change: 1 addition & 0 deletions docs/detections/rules-ui-manage.asciidoc
Expand Up @@ -72,6 +72,7 @@ Similarly, rules will be skipped if they can't be modified by a bulk edit. For e
* Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu:
** *Index patterns*: Add or delete the index patterns used by all selected rules.
** *Tags*: Add or delete tags on all selected rules.
** *Custom highlighted fields*: Add custom highlighted fields on all selected rules. You can choose any fields that are available in the <<update-sec-indices,default {elastic-sec} indices>>. To overwrite a rule's current set of custom highlighted fields, select the **Overwrite all selected rules' custom highlighted fields** option, then click **Save**.
** *Add rule actions*: Add <<rule-notifications,rule actions>> on all selected rules. If you add multiple actions, you can specify an action frequency for each of them. To overwrite the frequency of existing actions select the option to **Overwrite all selected rules actions**.

+
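Review bot: the new bullet covers only adding and overwriting custom highlighted fields, whereas the API table added in this PR also exposes `delete_investigation_fields`, and the sibling *Index patterns* and *Tags* bullets are phrased "Add or delete"; if the bulk-edit UI offers a delete option it should be listed here, and if deletion is API-only a short sentence saying so would prevent readers from looking for it. The phrase "available in the <<update-sec-indices,default {elastic-sec} indices>>" also conflicts with the rule-creation text in this PR ("the indices you selected for the rule's data source"); since a bulk edit can span rules with different index patterns, it is worth stating explicitly which index set the field picker uses.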
3 changes: 1 addition & 2 deletions docs/serverless/alerts/view-alert-details.mdx
Expand Up @@ -112,8 +112,7 @@ The Investigation section provides the following information:
Add an <DocLink slug="/serverless/security/interactive-investigation-guides" section="add-investigation-guide-actions-to-a-rule">investigation guide</DocLink> to a rule when creating a new custom rule or modifying an existing custom rule's settings.
</DocCallOut>

* **Highlighted fields**: Shows relevant fields for the alert and any custom highlighted fields you added to the rule.
{/* link to custom highlighted fields docs */}
* **Highlighted fields**: Shows relevant fields for the alert and any custom highlighted fields you added to the rule. Custom highlighted fields with values are added to this section. Those without values aren't added.

<div id="visualizations-section"></div>
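Review bot: the `{/* link to custom highlighted fields docs */}` placeholder is removed without the `DocLink` it was reserving space for, so the serverless **Highlighted fields** bullet still has no pointer to where custom highlighted fields are defined; a `DocLink` to the custom highlighted fields step of the rules-create page (the reverse of the `section="investigation"` link that page already uses) would close the loop for readers arriving from the alert flyout.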

6 changes: 2 additions & 4 deletions docs/serverless/rules/rules-ui-create.mdx
Expand Up @@ -575,11 +575,9 @@ When configuring an ((esql)) rule's **<DocLink slug="/serverless/security/rules-
false-positive alerts.

1. **MITRE ATT&CK<sup>TM</sup> threats** (optional): Add relevant [MITRE](https://attack.mitre.org/) framework tactics, techniques, and subtechniques.
1. **Custom highlighted fields** (optional): Specify highlighted fields for personalized alert investigation flows. Fields with values are added to the <DocLink slug="/serverless/security/view-alert-details" section="investigation">Highlighted fields</DocLink> section within the alert details flyout. Fields without values aren't added. After you create the rule, you can find all custom highlighted fields in the About section of the rule details page.
1. **Custom highlighted fields** (optional): Specify highlighted fields for personalized alert investigation flows. You can choose any fields that are available in the you selected for the rule's data source.

<DocCallOut title="Note">
There's no limit to the number of custom highlighted fields you can add.
</DocCallOut>
After you create the rule, you can find all custom highlighted fields in the About section of the rule details page. If the rule has alerts, you can find custom highlighted fields in the <DocLink slug="/serverless/security/view-alert-details" section="investigation">Highlighted fields</DocLink> section of the alert details flyout.

1. **Setup guide** (optional): Instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
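Review bot: the added bullet reads "available in the you selected for the rule's data source"; a word is missing between "the" and "you" (the AsciiDoc counterpart of this change in `rules-ui-create.asciidoc` says "the indices you selected"). The paragraph "After you create the rule, you can find all custom highlighted fields ..." also follows `</DocCallOut>` with no blank line, which MDX may not parse as a separate paragraph; add a blank line after the closing tag so it renders as body text of the list item.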

1 change: 1 addition & 0 deletions docs/serverless/rules/rules-ui-management.mdx
Expand Up @@ -76,6 +76,7 @@ Similarly, rules will be skipped if they can't be modified by a bulk edit. For e
* **Bulk edit multiple rules**: Select the rules you want to edit, then select an action from the **Bulk actions** menu:
* **Index patterns**: Add or delete the index patterns used by all selected rules.
* **Tags**: Add or delete tags on all selected rules.
* **Custom highlighted fields**: Add custom highlighted fields on all selected rules. You can choose any fields that are available in the <DocLink slug="/serverless/security/advanced-settings" section="update-sec-indices">default ((elastic-sec)) indices</DocLink>. To overwrite a rule's current set of custom highlighted fields, select the **Overwrite all selected rules' custom highlighted fields** option, then click **Save**.
* **Add rule actions**: Add <DocLink slug="/serverless/security/rules-create" section="set-up-alert-notifications-optional">rule actions</DocLink> on all selected rules. If you add multiple actions, you can specify an action frequency for each of them. To overwrite the frequency of existing actions select the option to **Overwrite all selected rules actions**.

<DocCallOut title="Note">
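Review bot: the **Custom highlighted fields** bullet describes add and overwrite only, while the sibling *Index patterns* and *Tags* bullets say "Add or delete" and the API table in this PR adds `delete_investigation_fields`; state whether the serverless bulk-edit UI can delete custom highlighted fields, or note that deletion is API-only. The field source given here ("default ((elastic-sec)) indices") also differs from the serverless rules-create text in this PR ("the ... you selected for the rule's data source"); pick one wording, or say which applies when the selected rules use different index patterns.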