[Serverless] Manual rule run docs

docs/detections/api/rules/rules-api-bulk-actions.asciidoc

@@ -283,17 +283,25 @@ to apply.
 * `duplicate`
 * `export`
 * `edit`
+* `run`
 
 | Yes
+
+| `run` | <<bulk-manual-rule-run, BulkManualRuleRun[]>>
+| Object that describes applying a manual rule run action.
+|No.
+
+Yes, if action is `run`.
+
 | `edit` | <<bulk-edit-object-schema, BulkEditAction[]>>
 | Edit object that describes applying an update action.
-
 |No.
 
 Yes, if action is `edit`.
+
+
 | `duplicate` | <<bulk-duplicate-object-schema, BulkDuplicateAction[]>>
 | Duplicate object that describes applying an update action.
-
 |No.
 
 |==============================================
@@ -308,6 +316,13 @@ To enable dry run mode on a request, add the query parameter `dry_run=true` to t
 
 IMPORTANT: Dry run mode is not supported for the `export` bulk action. A `400` error will be returned in the request response.
 
+[[bulk-manual-rule-run]]
+[discrete]
+==== BulkManualRuleRun object
+
+* `start_date` field: (String, Required) Defines the start date of the manual rule run.
+* `end_date` field: (String, Optional) Defines the end date of the manual rule run.
+
 [[bulk-duplicate-object-schema]]
 [discrete]
 ==== BulkDuplicateAction object
@@ -364,7 +379,6 @@ Both `interval` and `lookback` have a format of `"{integer}{time_unit}"`, where
 
 <<bulk-edit-object-schema, Actions>> are shown in order of oldest to newest in the `edit` array payload's property.
 
-
 [discrete]
 [[actions-object-schema-bulk]]
 ===== `actions` schema
@@ -519,14 +533,14 @@ POST api/detection_engine/rules/_bulk_action
 [discrete]
 ===== Response payload
 
-For `enable`, `disable`, `delete`, `edit`, and `duplicate` actions, a JSON object containing the action's outcome:
+For `enable`, `disable`, `delete`, `edit`, `duplicate`, and `run` actions, a JSON object containing the action's outcome:
 
 - `attributes.summary.total`: Total number of rules matching the bulk action
 - `attributes.summary.succeeded`: Number of successful outcomes (number of rules that were enabled, deleted, or updated)
 - `attributes.summary.failed`: Number of failed outcomes
 - `attributes.summary.skipped`: Number of rules that were skipped due to various reasons (explained below)
 - `attributes.results.created`: Rule objects that were created during the action's execution
-- `attributes.results.updated`: Rule objects that were updated during the action's execution
+- `attributes.results.updated`: Rule objects that were updated during the action's execution. If the action execution is `run`, it returns rule objects that were scheduled for manual rule runs.
 - `attributes.results.deleted`: Rule objects that were deleted during the action's execution
 - `attributes.results.skipped`: Rules that were skipped during the action's execution
 

docs/detections/rules-ui-manage.asciidoc

@@ -17,6 +17,7 @@ On the Rules page, you can:
 * <<rule-status>>
 * <<edit-rules-settings>>
 * <<manage-rules-ui>>
+* <<manually-run-rules>>
 * <<snooze-rule-actions>>
 * <<import-export-rules-ui>>
 * <<rule-prerequisites>>
@@ -104,6 +105,21 @@ NOTE: When duplicating a rule with exceptions, you can choose to duplicate the r
 * To enable or disable a single rule, switch on the rule's *Enabled* toggle.
 * To <<snooze-rule-actions,snooze>> actions for rules, click the bell icon.
 
+[float]
+[[manually-run-rules]]
+=== Run rules manually
+
+Manually run enabled rules during a specfied time range. 
+
+. Go to **Rules** -> **Detection rules (SIEM)**.
+. Do one of the following:
+* Select the **All actions** menu on a rule (**...** → **All actions** in the rules list), then select **Manual run**.
+* Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**.
+. Specify when the manual run starts and ends. The default selection is the current day starting three hours in the past. The rule will search for events during the selected time range.
+. Click **Run** to manually run the rule.
+
+The manual run's details are recorded in the <<manual-runs-table,Manual runs>> table on the the *Execution results* tab. 
+
 [float]
 [[snooze-rule-actions]]
 === Snooze rule actions

docs/detections/rules-ui-monitor.asciidoc

@@ -37,28 +37,62 @@ For detailed information on a rule, the alerts it generated, and associated erro
 [[rule-execution-logs]]
 === Execution results
 
-Each detection rule execution is logged, including its success or failure, any warning or error messages, and how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn't behaving as expected (for example, if it isn't creating alerts or takes a long time to run).
+Each detection rule execution is logged, including the execution type, the execution's success or failure, any warning or error messages, how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn't behaving as expected (for example, if it isn't creating alerts or takes a long time to run).
 
-To access a rule's execution log, go to *Rules* -> *Detection rules (SIEM)*, click the rule's name to open its details, then scroll down and select the *Execution results* tab. You can expand a long warning or error message by clicking the arrow at the end of a row.
+To access a rule's execution log, go to **Rules** → **Detection rules (SIEM)**, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Within the Execution log table, you can click the arrow at the end of a row to expand a long warning or error message.
 
 [role="screenshot"]
-image::images/rule-execution-logs.png[Rule execution results tab]
+image::images/rule-execution-logs.png[Execution log table on the rule execution results tab]
 
 You can hover over each column heading to display a tooltip about that column's data. Click a column heading to sort the table by that column.
 
 Use these controls to filter what's included in the logs table:
 
+* The **Run type** drop-down filters the table by rule execution type: 
+** **Scheduled**: Rule executions that the detection engine automatically ran according to the rule's schedule.
+** **Manual**: Rule executions that were <<manually-run-rules,started manually>>.
+
 * The *Status* drop-down filters the table by rule execution status: 
 ** *Succeeded*: The rule completed its defined search. This doesn't necessarily mean it generated an alert, just that it ran without error.
 ** *Failed*: The rule encountered an error that prevented it from running. For example, a {ml} rule whose corresponding {ml} job wasn't running.
 ** *Warning*: Nothing prevented the rule from running, but it might have returned unexpected results. For example, a custom query rule tried to search an index pattern that couldn't be found in {es}.
 
 * The date and time picker sets the time range of rule executions included in the table. This is separate from the global date and time picker at the top of the rule details page.
 
+* The **Source event time range** toggle includes more or less data in the table, pertaining to the time range of a manual run.
+
 * The *Show metrics columns* toggle includes more or less data in the table, pertaining to the timing of each rule execution.
 
 * The *Actions* column allows you to show alerts generated from a given rule execution. Click the filter icon (image:images/filter-icon.png[Filter icon,18,17]) to create a global search filter based on the rule execution's ID value. This replaces any previously applied filters, changes the global date and time range to 24 hours before and after the rule execution, and displays a confirmation notification. You can revert this action by clicking *Restore previous filters* in the notification.
 
+[float]
+[[manual-runs-table]]
+==== Manual runs table
+
+preview::[]
+
+Execution details of active manual runs are logged in the Manual runs table. To access the table, go to **Rules** -> **Detection rules (SIEM)**, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Scroll down again to find the Manual runs table. 
+
+To stop an active run, go to the appropriate row and click **Stop run** in the **Actions** column.
+
+NOTE: When a manual run is stopped or completed, it's logged in the Execution log table and no longer displayed in the Manual runs table.
+
+[role="screenshot"]
+image::images/manual-rule-run-table.png[Manual rule runs table on the rule execution results tab]
+
+The Manual runs table displays important details such as:
+
+* The status of each manual run:
+** **Pending**: The rule is not yet running. 
+** **Running**: The rule is executing during the time range you specified. Some rules, such as indicator match rules, can take longer to run.
+** **Error**: The rule has encountered an error during its execution. 
+
+* When a manual run started and the time in which it will run
+
+* The number of rule executions that are failing, pending, running, and completed for a manual run
+
+* The total number of rule executions that are occurring for a manual run
+
 [float]
 [[troubleshoot-signals]]
 === Troubleshoot missing alerts

docs/serverless/rules/alerts-ui-monitor.mdx

@@ -41,27 +41,62 @@ For detailed information on a rule, the alerts it generated, and associated erro
 
 ## Execution results
 
-Each detection rule execution is logged, including its success or failure, any warning or error messages, and how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn't behaving as expected (for example, if it isn't creating alerts or takes a long time to run).
+Each detection rule execution is logged, including the execution type, the execution's success or failure, any warning or error messages, how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn't behaving as expected (for example, if it isn't creating alerts or takes a long time to run).
 
-To access a rule's execution log, go to **Rules** → **Detection rules (SIEM)**, click the rule's name to open its details, then scroll down and select the **Execution results** tab. You can expand a long warning or error message by clicking the arrow at the end of a row.
+To access a rule's execution log, go to **Rules** → **Detection rules (SIEM)**, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Within the Execution log table, you can click the arrow at the end of a row to expand a long warning or error message.
 
-![Rule execution results tab](../images/alerts-ui-monitor/-detections-rule-execution-logs.png)
+![Rule execution log on the rule execution results tab](../images/alerts-ui-monitor/-detections-rule-execution-logs.png)
 
 You can hover over each column heading to display a tooltip about that column's data. Click a column heading to sort the table by that column.
 
 Use these controls to filter what's included in the logs table:
 
+* The **Run type** drop-down filters the table by rule execution type: 
+    * **Scheduled**: Rule executions that the detection engine automatically ran according to the rule's schedule.
+    * **Manual**: Rule executions that were <DocLink slug="/serverless/security/rules-ui-management" section="manually-run-rules">started manually</DocLink>.
+
 * The **Status** drop-down filters the table by rule execution status: 
     * **Succeeded**: The rule completed its defined search. This doesn't necessarily mean it generated an alert, just that it ran without error.
     * **Failed**: The rule encountered an error that prevented it from running. For example, a ((ml)) rule whose corresponding ((ml)) job wasn't running.
     * **Warning**: Nothing prevented the rule from running, but it might have returned unexpected results. For example, a custom query rule tried to search an index pattern that couldn't be found in ((es)).
 
 * The date and time picker sets the time range of rule executions included in the table. This is separate from the global date and time picker at the top of the rule details page.
 
+* The **Source event time range** toggle includes more or less data in the table, pertaining to the time range of a manual run.
+
 * The **Show metrics columns** toggle includes more or less data in the table, pertaining to the timing of each rule execution.
 
 * The **Actions** column allows you to show alerts generated from a given rule execution. Click the filter icon (<DocIcon type="filterInCircle" title="Filter" size="s"/>) to create a global search filter based on the rule execution's ID value. This replaces any previously applied filters, changes the global date and time range to 24 hours before and after the rule execution, and displays a confirmation notification. You can revert this action by clicking **Restore previous filters** in the notification.
 
+<div id="manual-runs-table"></div>
+
+### Manual runs table
+
+<DocBadge template="technical preview" />
+
+Execution details of active manual runs are logged in the Manual runs table. To access the table, go to **Rules** -> **Detection rules (SIEM)**, click the rule's name to open its details, then scroll down and select the **Execution results** tab. Scroll down again to find the Manual runs table. 
+
+To stop an active run, go to the appropriate row and click **Stop run** in the **Actions** column.
+
+<DocCallOut title="Note">
+When a manual run is stopped or completed, it's logged in the Execution log table and no longer displayed in the Manual runs table.
+</DocCallOut>
+
+![Manual rule runs table on the rule execution results tab](../images/alerts-ui-monitor/-detections-manual-rule-run-table.png)
+
+The Manual runs table displays important details such as:
+
+* The status of each manual run:
+   * **Pending**: The rule is not yet running. 
+   *  **Running**: The rule is executing during the time range you specified. Some rules, such as indicator match rules, can take longer to run.
+   * **Error**: The rule has encountered an error during its execution. 
+
+* When a manual run started and the time in which it will run
+
+* The number of rule executions that are failing, pending, running, and completed for a manual run
+
+* The total number of rule executions that are occurring for a manual run
+
 <div id="troubleshoot-signals"></div>
 
 ## Troubleshoot missing alerts

docs/serverless/rules/rules-ui-management.mdx

@@ -19,6 +19,7 @@ On the Rules page, you can:
 * <DocLink slug="/serverless/security/rules-ui-management" section="check-the-current-status-of-rules">Check the current status of rules</DocLink>
 * <DocLink slug="/serverless/security/rules-ui-management" section="modify-existing-rules-settings">Modify existing rules settings</DocLink>
 * <DocLink slug="/serverless/security/rules-ui-management" section="manage-rules">Manage rules</DocLink>
+* <DocLink slug="/serverless/security/rules-ui-management" section="manually-run-rules">Manually run rules</DocLink>
 * <DocLink slug="/serverless/security/rules-ui-management" section="snooze-rule-actions">Snooze rule actions</DocLink>
 * <DocLink slug="/serverless/security/rules-ui-management" section="export-and-import-rules">Export and import rules</DocLink>
 * <DocLink slug="/serverless/security/rules-ui-management" section="confirm-rule-prerequisites">Confirm rule prerequisites</DocLink>
@@ -111,6 +112,23 @@ When duplicating a rule with exceptions, you can choose to duplicate the rule an
     * To enable or disable a single rule, switch on the rule's **Enabled** toggle.
     * To <DocLink slug="/serverless/security/rules-ui-management" section="snooze-rule-actions">snooze</DocLink> actions for rules, click the bell icon.
 
+<div id="manually-run-rules"></div>
+
+## Run rules manually
+
+<DocBadge template="technical preview" />
+
+Manually run enabled rules during a specfied time range. 
+
+1. Go to **Rules** -> **Detection rules (SIEM)**.
+1. Do one of the following:
+    * Select the **All actions** menu on a rule (**...** → **All actions** in the rules list), then select **Manual run**.
+    * Select all the rules you want to manually run, select the **Bulk actions** menu, then select **Manual run**.
+1. Specify when the manual run starts and ends. The default selection is the current day starting three hours in the past. The rule will search for events during the selected time range.
+1. Click **Run** to manually run the rule.
+
+The manual run's details are recorded in the <DocLink slug="/serverless/security/alerts-ui-monitor" section="manual-runs-table">Manual runs</DocLink> table on the the **Execution results** tab.  
+
 <div id="snooze-rule-actions"></div>
 
 ## Snooze rule actions