From f74092e07cf54490fd10d1cfe659266f989215ac Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 3 Feb 2026 23:13:28 -0500 Subject: [PATCH 1/6] First draft --- .../install-manage-elastic-prebuilt-rules.md | 1 + .../prebuilt-rules-airgapped.md | 188 ++++++++++++++++++ solutions/toc.yml | 1 + 3 files changed, 190 insertions(+) create mode 100644 solutions/security/detect-and-alert/prebuilt-rules-airgapped.md diff --git a/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md b/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md index 48191c981d..d2bfe41419 100644 --- a/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md +++ b/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md @@ -20,6 +20,7 @@ Follow these guidelines to start using the {{security-app}}'s [prebuilt rules](d * [Prebuilt rule tags](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#prebuilt-rule-tags) * [Select and duplicate all prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#select-all-prebuilt-rules) * [Update Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#update-prebuilt-rules) +* [Prebuilt rules in air-gapped environments](/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md) * [Confirm rule prerequisites](/solutions/security/detect-and-alert/manage-detection-rules.md#rule-prerequisites) ::::{note} diff --git a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md new file mode 100644 index 0000000000..e12b3872c3 --- /dev/null +++ b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md 
@@ -0,0 +1,188 @@ +--- +navigation_title: Prebuilt rules in air-gapped environments +applies_to: + deployment: + self: ga + ece: ga + eck: ga +products: + - id: security +--- + +# Install and update prebuilt rules in air-gapped environments [prebuilt-rules-airgapped] + +{{kib}} downloads Elastic prebuilt rules from the {{package-registry}}. In air-gapped environments without internet access, you can use one of the following methods to install and update prebuilt rules: + +* **[Use a self-hosted {{package-registry}}](#install-prebuilt-rules-airgapped)**: Host your own {{package-registry}} to provide rules to your air-gapped environment. This is the recommended approach for ongoing rule management and updates. +* **[Manually transfer prebuilt rules](#import-export-airgapped)**: Export rules from an internet-connected {{elastic-sec}} instance and import them into your air-gapped environment. This is a simpler approach for one-time transfers or when container infrastructure isn't available. + +## Install prebuilt rules from your self-hosted registry [install-prebuilt-rules-airgapped] + +This method requires hosting your own {{package-registry}} to provide prebuilt rules to your air-gapped {{kib}} instance. After setting up your registry, you can install prebuilt rules the same way as in a connected environment. + +::::{note} +The versioned {{package-registry}} distribution images (such as `docker.elastic.co/package-registry/distribution:{{version.stack}}`) include prebuilt rules. However, rule updates are released continuously, so you might need to update your registry to get the latest rules. +:::: + +### Prerequisites + +Before you can install or update prebuilt rules using a self-hosted registry, you must: + +* Set up a self-hosted {{package-registry}}. Refer to [Host your own {{package-registry}}](/reference/fleet/air-gapped.md#air-gapped-diy-epr) for setup instructions. +* Configure {{kib}} to use your self-hosted {{package-registry}} and enable air-gapped mode. 
Add the following to your [`kibana.yml`](/deploy-manage/deploy/self-managed/configure-kibana.md) configuration file, then restart {{kib}}: + + ```yaml + xpack.fleet.registryUrl: "http://:8080" + xpack.fleet.isAirGapped: true + ``` + + * [`xpack.fleet.registryUrl`](https://www.elastic.co/docs/reference/kibana/configuration-reference/fleet-settings): Points {{kib}} to your self-hosted registry. Replace `` with the hostname or IP address of your registry. + * [`xpack.fleet.isAirGapped`](https://www.elastic.co/docs/reference/kibana/configuration-reference/fleet-settings#general-fleet-settings-kb): Enables air-gapped mode, which allows {{fleet}} to skip requests or operations that require internet access. + +### Install the rules + +1. In your air-gapped {{elastic-sec}} instance, find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. + +2. Click **Add Elastic rules**. The available prebuilt rules from your self-hosted registry are displayed. + +3. Install the rules you need: + + * To install all available rules, click **Install all**. + * To install specific rules, select them and click **Install *x* selected rule(s)**. + * To install and immediately enable rules, click the options menu (![Vertical boxes button](/solutions/images/security-boxesVertical.svg "")) and select **Install and enable**. + +For more details about enabling installed rules, refer to [Install and enable Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules). + +## Update prebuilt rules in an air-gapped environment [update-prebuilt-rules-airgapped] + +To update your prebuilt rules, first update your self-hosted {{package-registry}} with a newer distribution image, then install the rule updates in {{elastic-sec}}. + +::::{important} +Elastic releases prebuilt rule updates continuously. 
To receive the latest updates in an air-gapped environment, we recommend updating your self-hosted {{package-registry}} at least monthly. +:::: + +::::{note} +The following examples use Docker commands. You can adapt them for other container runtimes. +:::: + + +:::::{stepper} + +::::{step} Update your self-hosted {{package-registry}} +:anchor: update-air-gapped-epr + +1. On a system with internet access, pull the latest {{package-registry}} distribution image: + + ```sh subs=true + docker pull docker.elastic.co/package-registry/distribution:{{version.stack}} + ``` + + Alternatively, use the `production` or `lite` image tags to get the most recent package updates: + + ```sh + docker pull docker.elastic.co/package-registry/distribution:production + ``` + +2. Save the Docker image to a file: + + ```sh subs=true + docker save -o package-registry-{{version.stack}}.tar docker.elastic.co/package-registry/distribution:{{version.stack}} + ``` + +3. Transfer the image file to your air-gapped environment using your organization's approved file transfer method. + +4. Load the image into your container runtime: + + ```sh subs=true + docker load -i package-registry-{{version.stack}}.tar + ``` + +5. Restart the {{package-registry}} container with the updated image: + + ```sh + docker stop + docker rm + docker run -d -p 8080:8080 --name docker.elastic.co/package-registry/distribution: + ``` + + Replace `` with your container's name and `` with the appropriate version tag. +:::: + +::::{step} Install rule updates in {{elastic-sec}} +:anchor: install-rule-updates-airgapped + +After updating your registry, install the updated rules in your air-gapped {{elastic-sec}} instance: + +1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. + +2. If updates are available, the **Rule Updates** tab appears. Click it to view available updates. + +3. 
Review the updates and install them: + + * To update all rules, click **Update all**. + * To update specific rules, select them and click **Update *x* selected rule(s)**. + * To review changes before updating, click a rule name to open the rule details flyout and compare versions. + +For more details about updating prebuilt rules, refer to [Update Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#update-prebuilt-rules). +:::: + +::::: + +## Manually transfer prebuilt rules to an air-gapped environment [import-export-airgapped] + +If you cannot set up a self-hosted {{package-registry}}, you can manually export prebuilt rules from an internet-connected {{elastic-sec}} instance and import them into your air-gapped environment. + +This method can be useful if: + +* You don't have container infrastructure to host a {{package-registry}}. +* You need to transfer a specific subset of rules instead of the entire rule set. +* You want a simpler, one-time rule transfer without ongoing registry maintenance. + +:::::{stepper} + +::::{step} Export rules from an internet-connected instance +:anchor: export-rules-airgapped + +1. On an internet-connected {{elastic-sec}} instance, [install the prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules) you need. + +2. Export the rules: + + 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. + 2. Select the rules you want to export (use **Select all** to select all rules). + 3. Click **Bulk actions** → **Export**. + +3. Transfer the exported `.ndjson` file to your air-gapped environment using your organization's approved file transfer method. +:::: + +::::{step} Import rules into your air-gapped instance +:anchor: import-rules-airgapped + +1. 
In your air-gapped {{elastic-sec}} instance, find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. + +2. Click **Import rules** above the Rules table. + +3. Drag and drop the `.ndjson` file containing the exported rules. + +4. (Optional) Select overwrite options if you're updating existing rules. + +5. Click **Import** to add the rules. +:::: + +::::: + +::::{note} +When using the export import method: + +* Rule actions and connectors are imported, but you must re-add sensitive connector credentials. +* Value lists that are used for rule exceptions are not included. You must export and import them separately. Refer to [Manage value lists](/solutions/security/detect-and-alert/create-manage-value-lists.md#edit-value-lists) for more details. +* You must repeat the export import process from an updated internet-connected instance to get rule updates. + +For more details on exporting and importing rules, refer to [Export and import rules](/solutions/security/detect-and-alert/manage-detection-rules.md#import-export-rules-ui). +:::: + +## Related documentation [prebuilt-rules-airgapped-related] + +* [Run {{agents}} in an air-gapped environment](/reference/fleet/air-gapped.md): Guidance for setting up {{fleet}} and integrations in air-gapped environments. +* [Air gapped install](/deploy-manage/deploy/self-managed/air-gapped-install.md): An overview of air-gapped setup for the entire {{stack}}. +* [Configure offline endpoints and air-gapped environments](/solutions/security/configure-elastic-defend/configure-offline-endpoints-air-gapped-environments.md): How to set up {{elastic-endpoint}} artifact updates in air-gapped environments. + diff --git a/solutions/toc.yml b/solutions/toc.yml index 3c2a9d12f9..00d668d3c3 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml 
@@ -576,6 +576,7 @@ toc: - file: security/detect-and-alert/install-manage-elastic-prebuilt-rules.md children: - file: security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md + - file: security/detect-and-alert/prebuilt-rules-airgapped.md - file: security/detect-and-alert/manage-detection-rules.md - file: security/detect-and-alert/monitor-rule-executions.md - file: security/detect-and-alert/rule-exceptions.md From 0a22eb7a8aea99a3225302e77bc1a93368e55500 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 3 Feb 2026 23:41:25 -0500 Subject: [PATCH 2/6] More changes --- .../prebuilt-rules-airgapped.md | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md index e12b3872c3..fc50ce0abe 100644 --- a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md +++ b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md @@ -108,10 +108,10 @@ The following examples use Docker commands. You can adapt them for other contain Replace `` with your container's name and `` with the appropriate version tag. :::: -::::{step} Install rule updates in {{elastic-sec}} +::::{step} Update rules :anchor: install-rule-updates-airgapped -After updating your registry, install the updated rules in your air-gapped {{elastic-sec}} instance: +After updating your registry, update the rules in your air-gapped {{elastic-sec}} instance: 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. 
@@ -132,11 +132,16 @@ For more details about updating prebuilt rules, refer to [Update Elastic prebuil If you cannot set up a self-hosted {{package-registry}}, you can manually export prebuilt rules from an internet-connected {{elastic-sec}} instance and import them into your air-gapped environment. -This method can be useful if: +This method is useful when you don't have container infrastructure to host a {{package-registry}}, need to transfer a specific subset of rules, or want a simpler one-time transfer without ongoing registry maintenance. -* You don't have container infrastructure to host a {{package-registry}}. -* You need to transfer a specific subset of rules instead of the entire rule set. -* You want a simpler, one-time rule transfer without ongoing registry maintenance. +::::{note} +When using the export import method: + +* Rule actions and connectors are imported, but you must re-add sensitive connector credentials. +* Value lists that are used for rule exceptions are not included. You must export and import them separately. Refer to [Manage value lists](/solutions/security/detect-and-alert/create-manage-value-lists.md#edit-value-lists) for more details. + +For more details on exporting and importing rules, refer to [Export and import rules](/solutions/security/detect-and-alert/manage-detection-rules.md#import-export-rules-ui). +:::: :::::{stepper} 
@@ -168,18 +173,15 @@ This method can be useful if: 5. Click **Import** to add the rules. :::: -::::: - -::::{note} -When using the export import method: +::::{step} Update rules +:anchor: update-rules-export-import -* Rule actions and connectors are imported, but you must re-add sensitive connector credentials. -* Value lists that are used for rule exceptions are not included. You must export and import them separately. Refer to [Manage value lists](/solutions/security/detect-and-alert/create-manage-value-lists.md#edit-value-lists) for more details. -* You must repeat the export import process from an updated internet-connected instance to get rule updates. - -For more details on exporting and importing rules, refer to [Export and import rules](/solutions/security/detect-and-alert/manage-detection-rules.md#import-export-rules-ui). +1. To get rule updates, repeat this export import process after [updating your prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#update-prebuilt-rules) on the internet-connected instance. +2. When importing rules, select **Overwrite existing detection rules with conflicting "rule_id"** to update existing rules. :::: +::::: + ## Related documentation [prebuilt-rules-airgapped-related] * [Run {{agents}} in an air-gapped environment](/reference/fleet/air-gapped.md): Guidance for setting up {{fleet}} and integrations in air-gapped environments. From b16ddf536b1ecbebb240472e957a9fce0f4b934b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 3 Feb 2026 23:46:05 -0500 Subject: [PATCH 3/6] Added description to front matter --- solutions/security/detect-and-alert/prebuilt-rules-airgapped.md | 1 + 1 file changed, 1 insertion(+) diff --git a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md index fc50ce0abe..0d6ecb5008 100644 --- a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md 
+++ b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md @@ -7,6 +7,7 @@ applies_to: eck: ga products: - id: security +description: Learn how to install and update Elastic prebuilt detection rules in air-gapped environments using a self-hosted Package Registry or manual export and import. --- # Install and update prebuilt rules in air-gapped environments [prebuilt-rules-airgapped] From 3e9131e507dcfb7ddaf8df08c4c6baf9c3d381c7 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 5 Feb 2026 09:49:29 -0500 Subject: [PATCH 4/6] Improvements to first half of page --- .../prebuilt-rules-airgapped.md | 127 +++++++++++------- 1 file changed, 82 insertions(+), 45 deletions(-) diff --git a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md index 0d6ecb5008..ea88911583 100644 --- a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md +++ b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md 
@@ -19,66 +19,42 @@ description: Learn how to install and update Elastic prebuilt detection rules in ## Install prebuilt rules from your self-hosted registry [install-prebuilt-rules-airgapped] -This method requires hosting your own {{package-registry}} to provide prebuilt rules to your air-gapped {{kib}} instance. After setting up your registry, you can install prebuilt rules the same way as in a connected environment. +This method requires hosting your own {{package-registry}} to provide prebuilt rules to your air-gapped {{kib}} instance. After setting up your registry, you can install and update prebuilt rules the same way as in a connected environment. -::::{note} -The versioned {{package-registry}} distribution images (such as `docker.elastic.co/package-registry/distribution:{{version.stack}}`) include prebuilt rules. However, rule updates are released continuously, so you might need to update your registry to get the latest rules. -:::: - -### Prerequisites - -Before you can install or update prebuilt rules using a self-hosted registry, you must: - -* Set up a self-hosted {{package-registry}}. Refer to [Host your own {{package-registry}}](/reference/fleet/air-gapped.md#air-gapped-diy-epr) for setup instructions. -* Configure {{kib}} to use your self-hosted {{package-registry}} and enable air-gapped mode. Add the following to your [`kibana.yml`](/deploy-manage/deploy/self-managed/configure-kibana.md) configuration file, then restart {{kib}}: +### Set up your self-hosted {{package-registry}} [setup-self-hosted-epr] - ```yaml - xpack.fleet.registryUrl: "http://:8080" - xpack.fleet.isAirGapped: true - ``` - - * [`xpack.fleet.registryUrl`](https://www.elastic.co/docs/reference/kibana/configuration-reference/fleet-settings): Points {{kib}} to your self-hosted registry. Replace `` with the hostname or IP address of your registry. 
- * [`xpack.fleet.isAirGapped`](https://www.elastic.co/docs/reference/kibana/configuration-reference/fleet-settings#general-fleet-settings-kb): Enables air-gapped mode, which allows {{fleet}} to skip requests or operations that require internet access. - -### Install the rules - -1. In your air-gapped {{elastic-sec}} instance, find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. +Before you can install prebuilt rules, you need to set up and run a self-hosted {{package-registry}} in your air-gapped environment. -2. Click **Add Elastic rules**. The available prebuilt rules from your self-hosted registry are displayed. - -3. Install the rules you need: - - * To install all available rules, click **Install all**. - * To install specific rules, select them and click **Install *x* selected rule(s)**. - * To install and immediately enable rules, click the options menu (![Vertical boxes button](/solutions/images/security-boxesVertical.svg "")) and select **Install and enable**. - -For more details about enabling installed rules, refer to [Install and enable Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules). +::::{note} +The following examples use Docker commands. You can adapt them for other container runtimes. +:::: -## Update prebuilt rules in an air-gapped environment [update-prebuilt-rules-airgapped] +#### Choose your registry image -To update your prebuilt rules, first update your self-hosted {{package-registry}} with a newer distribution image, then install the rule updates in {{elastic-sec}}. +The {{package-registry}} is available as a Docker image with different tags. Choose the appropriate image based on your update strategy. ::::{important} -Elastic releases prebuilt rule updates continuously. 
To receive the latest updates in an air-gapped environment, we recommend updating your self-hosted {{package-registry}} at least monthly. +When choosing a {{package-registry}} image for production air-gapped environments, we recommend using one of the following options: + +* **Versioned images** (such as `docker.elastic.co/package-registry/distribution:{{version.stack}}`): Use images that match your {{stack}} version, as described in the [{{fleet}} documentation](/reference/fleet/air-gapped.md#air-gapped-diy-epr). This is the safest option for environments where you cannot immediately upgrade your {{stack}} when new versions are released. +* **Production images** (`docker.elastic.co/package-registry/distribution:production`): Use this image **only** if you keep your air-gapped {{stack}} up-to-date. If you want to rely on the `production` image for the most recent {{fleet}} packages and prebuilt detection rules, upgrade your {{stack}} as soon as new versions are released. This minimizes the risk of encountering breaking changes between the {{package-registry}} and your {{stack}} version. :::: ::::{note} The following examples use Docker commands. You can adapt them for other container runtimes. :::: - :::::{stepper} -::::{step} Update your self-hosted {{package-registry}} -:anchor: update-air-gapped-epr +::::{step} Pull and transfer the image -1. On a system with internet access, pull the latest {{package-registry}} distribution image: +1. On a system with internet access, pull your chosen {{package-registry}} distribution image: ```sh subs=true docker pull docker.elastic.co/package-registry/distribution:{{version.stack}} ``` - Alternatively, use the `production` or `lite` image tags to get the most recent package updates: + Or, if using the production image: ```sh docker pull docker.elastic.co/package-registry/distribution:production 
@@ -87,18 +63,79 @@ The following examples use Docker commands. You can adapt them for other contain 2. Save the Docker image to a file: ```sh subs=true - docker save -o package-registry-{{version.stack}}.tar docker.elastic.co/package-registry/distribution:{{version.stack}} + docker save -o package-registry.tar docker.elastic.co/package-registry/distribution: ``` + Replace `` with your chosen tag (for example, `{{version.stack}}` or `production`). + 3. Transfer the image file to your air-gapped environment using your organization's approved file transfer method. 4. Load the image into your container runtime: - ```sh subs=true - docker load -i package-registry-{{version.stack}}.tar + ```sh + docker load -i package-registry.tar ``` +:::: + +::::{step} Start the {{package-registry}} container -5. Restart the {{package-registry}} container with the updated image: +Run the {{package-registry}} container: + +```sh +docker run -d -p 8080:8080 --name package-registry docker.elastic.co/package-registry/distribution: +``` + +Replace `` with your chosen tag. + +For more setup options and details, refer to [Host your own {{package-registry}}](/reference/fleet/air-gapped.md#air-gapped-diy-epr). +:::: + +::::{step} Configure {{kib}} + +Configure {{kib}} to use your self-hosted {{package-registry}} and enable air-gapped mode. Add the following to your [`kibana.yml`](/deploy-manage/deploy/self-managed/configure-kibana.md) configuration file, then restart {{kib}}: + +```yaml +xpack.fleet.registryUrl: "http://:8080" +xpack.fleet.isAirGapped: true +``` + +* [`xpack.fleet.registryUrl`](https://www.elastic.co/docs/reference/kibana/configuration-reference/fleet-settings): Points {{kib}} to your self-hosted registry. Replace `` with the hostname or IP address of your registry. 
+* [`xpack.fleet.isAirGapped`](https://www.elastic.co/docs/reference/kibana/configuration-reference/fleet-settings#general-fleet-settings-kb): Enables air-gapped mode, which allows {{fleet}} to skip requests or operations that require internet access. +:::: + +::::{step} Install the rules + +1. In your air-gapped {{elastic-sec}} instance, find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. + +2. Click **Add Elastic rules**. The available prebuilt rules from your self-hosted registry are displayed. + +3. Install the rules you need: + + * To install all available rules, click **Install all**. + * To install specific rules, select them and click **Install *x* selected rule(s)**. + * To install and immediately enable rules, click the options menu (![Vertical boxes button](/solutions/images/security-boxesVertical.svg "")) and select **Install and enable**. + +For more details about enabling installed rules, refer to [Install and enable Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules). +:::: + +::::: + +## Update prebuilt rules in an air-gapped environment [update-prebuilt-rules-airgapped] + +To update your prebuilt rules, first update your self-hosted {{package-registry}} with a newer distribution image, then install the rule updates in {{elastic-sec}}. + +::::{important} +Elastic releases prebuilt rule updates continuously. To receive the latest updates in an air-gapped environment, we recommend updating your self-hosted {{package-registry}} at least monthly. +:::: + +:::::{stepper} + +::::{step} Update your self-hosted {{package-registry}} +:anchor: update-air-gapped-epr + +1. Follow the same process described in [Pull and transfer the image](#setup-self-hosted-epr) to pull a newer image version, save it, transfer it to your air-gapped environment, and load it. + +2. 
Restart the {{package-registry}} container with the updated image: ```sh docker stop @@ -109,10 +146,10 @@ The following examples use Docker commands. You can adapt them for other contain Replace `` with your container's name and `` with the appropriate version tag. :::: -::::{step} Update rules +::::{step} Install rule updates :anchor: install-rule-updates-airgapped -After updating your registry, update the rules in your air-gapped {{elastic-sec}} instance: +After updating your registry, install the rule updates in your air-gapped {{elastic-sec}} instance: 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. From dc80b0a0fe9e83d86485c8da5c1cd3976f6b50e9 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 5 Feb 2026 10:00:37 -0500 Subject: [PATCH 5/6] minor editorial tweaks --- .../detect-and-alert/prebuilt-rules-airgapped.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md index ea88911583..8fe2619c49 100644 --- a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md +++ b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md @@ -26,7 +26,7 @@ This method requires hosting your own {{package-registry}} to provide prebuilt r Before you can install prebuilt rules, you need to set up and run a self-hosted {{package-registry}} in your air-gapped environment. ::::{note} -The following examples use Docker commands. You can adapt them for other container runtimes. +The examples in this section use Docker commands. You can adapt them for other container runtimes. :::: #### Choose your registry image 
@@ -36,12 +36,8 @@ The {{package-registry}} is available as a Docker image with different tags. Cho ::::{important} When choosing a {{package-registry}} image for production air-gapped environments, we recommend using one of the following options: -* **Versioned images** (such as `docker.elastic.co/package-registry/distribution:{{version.stack}}`): Use images that match your {{stack}} version, as described in the [{{fleet}} documentation](/reference/fleet/air-gapped.md#air-gapped-diy-epr). This is the safest option for environments where you cannot immediately upgrade your {{stack}} when new versions are released. -* **Production images** (`docker.elastic.co/package-registry/distribution:production`): Use this image **only** if you keep your air-gapped {{stack}} up-to-date. If you want to rely on the `production` image for the most recent {{fleet}} packages and prebuilt detection rules, upgrade your {{stack}} as soon as new versions are released. This minimizes the risk of encountering breaking changes between the {{package-registry}} and your {{stack}} version. -:::: - -::::{note} -The following examples use Docker commands. You can adapt them for other container runtimes. +* **Versioned images**: Use images that match your {{stack}} version (for example, `docker.elastic.co/package-registry/distribution:{{version.stack}}`), as described in the [{{fleet}} documentation](/reference/fleet/air-gapped.md#air-gapped-diy-epr). This is the safest option for environments where you cannot immediately upgrade your {{stack}} when new versions are released. +* **Production images**: Use an image like `docker.elastic.co/package-registry/distribution:production` _only_ if you keep your air-gapped {{stack}} up-to-date. If you want to rely on the `production` image for the most recent {{fleet}} packages and prebuilt detection rules, upgrade your {{stack}} as soon as new versions are released. 
This minimizes the risk of encountering breaking changes between the {{package-registry}} and your {{stack}} version. :::: :::::{stepper} @@ -191,7 +187,7 @@ For more details on exporting and importing rules, refer to [Export and import r 2. Export the rules: 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. - 2. Select the rules you want to export (use **Select all** to select all rules). + 2. Select the rules you want to export, or click **Select all** to select all rules. 3. Click **Bulk actions** → **Export**. 3. Transfer the exported `.ndjson` file to your air-gapped environment using your organization's approved file transfer method. From 3985c66aa88bed540b82e7c83f1e8f00a12f6dda Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 5 Feb 2026 10:14:22 -0500 Subject: [PATCH 6/6] terminology --- .../prebuilt-rules-airgapped.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md index 8fe2619c49..7c1f10fd86 100644 --- a/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md +++ b/solutions/security/detect-and-alert/prebuilt-rules-airgapped.md @@ -29,7 +29,9 @@ Before you can install prebuilt rules, you need to set up and run a self-hosted The examples in this section use Docker commands. You can adapt them for other container runtimes. :::: -#### Choose your registry image +:::::{stepper} + +::::{step} Choose your registry image The {{package-registry}} is available as a Docker image with different tags. Choose the appropriate image based on your update strategy. 
@@ -39,8 +41,7 @@ When choosing a {{package-registry}} image for production air-gapped environment * **Versioned images**: Use images that match your {{stack}} version (for example, `docker.elastic.co/package-registry/distribution:{{version.stack}}`), as described in the [{{fleet}} documentation](/reference/fleet/air-gapped.md#air-gapped-diy-epr). This is the safest option for environments where you cannot immediately upgrade your {{stack}} when new versions are released. * **Production images**: Use an image like `docker.elastic.co/package-registry/distribution:production` _only_ if you keep your air-gapped {{stack}} up-to-date. If you want to rely on the `production` image for the most recent {{fleet}} packages and prebuilt detection rules, upgrade your {{stack}} as soon as new versions are released. This minimizes the risk of encountering breaking changes between the {{package-registry}} and your {{stack}} version. :::: - -:::::{stepper} +:::: ::::{step} Pull and transfer the image 
@@ -99,22 +100,23 @@ xpack.fleet.isAirGapped: true * [`xpack.fleet.isAirGapped`](https://www.elastic.co/docs/reference/kibana/configuration-reference/fleet-settings#general-fleet-settings-kb): Enables air-gapped mode, which allows {{fleet}} to skip requests or operations that require internet access. :::: -::::{step} Install the rules +::::: + +### Install the prebuilt rules + +After your self-hosted {{package-registry}} is running and {{kib}} is configured to use it, you can install prebuilt rules: 1. In your air-gapped {{elastic-sec}} instance, find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. 2. Click **Add Elastic rules**. The available prebuilt rules from your self-hosted registry are displayed. -3. Install the rules you need: +3. Install the prebuilt rules you need: * To install all available rules, click **Install all**. * To install specific rules, select them and click **Install *x* selected rule(s)**. * To install and immediately enable rules, click the options menu (![Vertical boxes button](/solutions/images/security-boxesVertical.svg "")) and select **Install and enable**. For more details about enabling installed rules, refer to [Install and enable Elastic prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules). -:::: - -::::: ## Update prebuilt rules in an air-gapped environment [update-prebuilt-rules-airgapped] 
@@ -184,7 +186,7 @@ For more details on exporting and importing rules, refer to [Export and import r 1. On an internet-connected {{elastic-sec}} instance, [install the prebuilt rules](/solutions/security/detect-and-alert/install-manage-elastic-prebuilt-rules.md#load-prebuilt-rules) you need. -2. Export the rules: +2. Export the prebuilt rules: 1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to the Rules table. 2. Select the rules you want to export, or click **Select all** to select all rules.
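Review bot: In the `@@ -0,0 +1,188 @@` hunk of patch 1 (`prebuilt-rules-airgapped.md`), every angle-bracket placeholder renders empty, which leaves `xpack.fleet.registryUrl: "http://:8080"`, `docker stop`, `docker rm`, `docker run -d -p 8080:8080 --name docker.elastic.co/package-registry/distribution:` and the sentence `Replace `` with your container's name and `` with the appropriate version tag.` with nothing for the reader to substitute (the same empty placeholders persist through the patch 4 rewrite). Confirm that the placeholders survive the docs build, or write them as plain uppercase words such as `REGISTRY_HOST`, `CONTAINER_NAME` and `VERSION_TAG`; as rendered, the `docker run` line reads as if the container should be named after the image path.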
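Review bot: The moved note in the `@@ -132,11 +132,16 @@` hunk of patch 2 opens with `When using the export import method:`, and the same phrasing appears in the `Update rules` step of patch 2; the front-matter description added in patch 3 says `manual export and import`, so use one form consistently (for example `export and import method`, or hyphenated `export/import`) in both places.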
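Review bot: Step 2 of the new `Update rules` step in the `@@ -168,18 +173,15 @@` hunk of patch 2 (`When importing rules, select **Overwrite existing detection rules with conflicting "rule_id"** to update existing rules.`) does not say what the overwrite discards: any edits made to those rules in the air-gapped instance (tuned queries, exceptions references, enabled state) are replaced by the exported copy. Add a sentence stating that local modifications to a prebuilt rule are lost on overwrite, and point readers to `security/detect-and-alert/prebuilt-rules-update-modified-unmodified.md` (already in `toc.yml`) for how modified rules are handled.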
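Review bot: The important block in the `@@ -19,66 +19,42 @@` hunk of patch 4 presents `distribution:{{version.stack}}` and `distribution:production` as the two choices, but both are moving tags (the page itself says rule updates are released continuously and that a newer image is pulled under the same tag when updating), so the tag alone does not identify which rule set is running in the air gap. Add a sentence recommending that the operator record the image digest or ID at pull time (for example, with `docker images --digests` or `docker inspect --format '{{.Id}}'` on the connected host) so a given air-gapped rule set can be traced back to a specific registry build when investigating a detection gap or a regression.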
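Review bot: In the `@@ -87,18 +63,79 @@` hunk of patch 4, step 3 (`Transfer the image file to your air-gapped environment using your organization's approved file transfer method.`) is followed directly by `docker load -i package-registry.tar` with no integrity check, although this tar is the artifact that decides which detection rules the air-gapped SOC installs; add a step to compute a checksum on the connected side (for example `sha256sum package-registry.tar`) and compare it on the air-gapped side before loading. In the same hunk, the `Start the {{package-registry}} container` step publishes the registry with `-p 8080:8080` and the `Configure {{kib}}` step points {{kib}} at `http://:8080`; since {{kib}} installs whatever this endpoint serves, a sentence recommending that port 8080 be reachable only from the {{kib}} hosts (and an `https://` URL when the registry sits behind a TLS-terminating proxy) would close the obvious substitution path.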
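Review bot: The context lines of the `@@ -109,10 +146,10 @@` hunk of patch 4 still say `Replace `` with your container's name and `` with the appropriate version tag.`, but the new `Start the {{package-registry}} container` step earlier in the same patch fixes the name with `--name package-registry`; use that name literally in the restart commands (`docker stop package-registry`, `docker rm package-registry`, `docker run -d -p 8080:8080 --name package-registry ...`) and drop the container-name placeholder so the update step matches the setup step.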
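Review bot: The `@@ -29,7 +29,9 @@` hunk of patch 6 turns `Choose your registry image` into the first step of the stepper, so the `#setup-self-hosted-epr` anchor used by the update section's link `[Pull and transfer the image](#setup-self-hosted-epr)` (added in patch 4) now lands on the section heading above the stepper rather than on the step the link text names; give the `Pull and transfer the image` step its own `:anchor:` (the other steps already use this, for example `:anchor: update-air-gapped-epr`) and link to it.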