You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -193,12 +193,13 @@ IMPORTANT: Data in indicator indices must be <<ecs-compliant-reqs, ECS compatibl
+
.. *Indicator index query*: The query and filters used to filter the fields from
the indicator index patterns. The default query `@timestamp > "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the start time down to the nearest day (resolves to UTC `00:00:00`).
.. *Indicator mapping*: Compares the values of the specified event and indicator field
values. When the field values are identical, an alert is generated. To define
which field values are compared from the indices add the following:
.. *Indicator mapping*: Compares the values of the specified event and indicator fields, and generates an alert if the values are identical.
+
NOTE: Only single-value fields are supported.
+
To define
which field values are compared from the indices add the following:
** *Field*: The field used for comparing values in the {elastic-sec} event
indices.
** *Indicator index field*: The field used for comparing values in the indicator
