DOCS: Clarification for using filters array (#426) (#444)

jmikell821 · web-flow · commit 14ee1a8efed4 · 2021-01-11T16:41:54.000-05:00
diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
@@ -468,3 +468,12 @@ used as an identifier across systems
 NOTE: The `{{context.rule.severity}}` and `{{context.rule.risk_score}}`
 placeholders contain the rule's default values even when the *Severity override*
 and *Risk score override* options are used.
+
+To understand which fields to parse, see the <<rule-api-overview>> to view the JSON representation of rules. The following is an example of http://mustache.github.io/[mustache syntax] to display the list of enabled filters:
+
+[source,json]
+--------------------------------------------------
+{{#context.rule.filters}}
+{{^meta.disabled}}{{meta.key}} {{#meta.negate}}NOT {{/meta.negate}}{{meta.type}} {{^exists}}{{meta.value}}{{meta.params.query}}{{/exists}}{{/meta.disabled}}
+{{/context.rule.filters}}
+--------------------------------------------------
