Expand on ES|QL rule docs (#4235)
Co-authored-by: Joe Peeples <[email protected]>
(cherry picked from commit e463c8d)
nastasha-solomon authored and mergify[bot] committed Nov 28, 2023
1 parent 59edf53 commit 11f79f8
Showing 1 changed file with 27 additions and 1 deletion.
28 changes: 27 additions & 1 deletion docs/detections/rules-ui-create.asciidoc
@@ -270,7 +270,9 @@ Use {ref}/esql.html[{esql}] to query your source events and aggregate event data
To create an {esql} rule:

. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page appears.
. Select **{esql}**, then write a <<esql-rule-query-types,query>>.
. Select **{esql}**, then write a query.
+
NOTE: Refer to the sections below to learn more about <<esql-rule-query-types,{esql} query types>>, <<esql-query-design,query design considerations>>, and <<esql-rule-limitations,rule limitations>>.
+
TIP: Click the help icon (image:images/esql-ref-button.png[Click the ES|QL help icon,20,20]) to open the in-product reference documentation for all {esql} commands and functions.
+
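Review bot: Step 2 marks up the rule type as `**{esql}**` while step 1 uses single-asterisk bold (`*Rules*`, `*Create new rule*`); use the same form in both steps so the rendered list is consistent. Moving the query-type cross-reference out of the step and into the attached `NOTE` is fine, but that `NOTE` now also references `<<esql-query-design,...>>` and `<<esql-rule-limitations,...>>`, so make sure both anchors land in the file in this same change (they are added in the second hunk below) rather than in a follow-up, or the build will report dangling xrefs.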
@@ -358,6 +360,30 @@ FROM logs-* [metadata _id, _index, _version]
| LIMIT 10
-----

[float]
[[esql-query-design]]
==== Query design considerations

When writing your query, consider the following:

- The {ref}/esql-commands.html#esql-limit[`LIMIT`] command specifies the number of rows an {esql} query returns and the number of alerts created per rule execution. Similarly, a detection rule's <<opt-fields-all,`max_signals`>> setting specifies the maximum number of alerts it can create every time it runs.
+
If the `LIMIT` value is lower than the `max_signals` value, the rule uses the `LIMIT` value to determine the maximum number of alerts the rule generates. If the `LIMIT` value is higher than the `max_signals` value, the rule uses the `max_signals` value.
+
NOTE: The `max_signals` default value is 100. You can modify it using the <<rules-api-create,Create rule API>>.
+

- When writing an aggregating query, use the {ref}/esql-commands.html#esql-stats-by[`STATS...BY`] command with fields that you want to search and filter for after alerts are created. For example, using the `host.name`, `user.name`, `process.name` fields with the `BY` operator of the `STATS...BY` command returns these fields in alert documents, and allows you to search and filter for them from the Alerts table.

[float]
[[esql-rule-limitations]]
==== {esql} rule limitations

The {esql} rule has the following limitations:

- If your {esql} query creates new fields that aren’t part of the ECS schema, they won’t be mapped to the alerts index and you can't search or filter for them from the Alerts table. As a workaround, create <<runtime-fields,runtime fields>>.
- If your {esql} query creates new fields that aren’t in the query’s source index, they can’t be added to the rule’s <<rule-ui-advanced-params,custom highlighted fields>>.

[float]
[[rule-ui-basic-params]]
=== Configure basic rule settings
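Review bot: The lone `+` after the `max_signals` `NOTE` in the `LIMIT` bullet is followed by a blank line rather than by a block, so it is a dangling list continuation; drop it and let the blank line end the item. In the same bullet, "specifies the number of rows an {esql} query returns and the number of alerts created" reads as an exact count, while the following paragraph treats `LIMIT` as a cap; "specifies the maximum number of rows ... and the maximum number of alerts" matches the later text. In the `STATS...BY` bullet the field list (`host.name`, `user.name`, `process.name`) is missing a closing "and", and the example stays in prose even though this section already shows query snippets; one line such as `FROM logs-* | STATS count = COUNT(*) BY host.name, user.name, process.name` would show readers exactly which fields end up in the alert document.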
