From 172d3a73b79d0e279f6bbc1d5fc717bab9778508 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Thu, 15 Feb 2024 20:53:27 -0500 Subject: [PATCH] [Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (backport #4813) (#4818) * [Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813) (cherry picked from commit 01ec37b913d729a49985a6d7d518ce0e3057fb8e) # Conflicts: # docs/detections/api/rules/rules-api-create.asciidoc # docs/detections/rules-ui-create.asciidoc * Fixed conflict * Fixed conflict --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha.solomon --- docs/detections/api/rules/rules-api-create.asciidoc | 4 +++- docs/detections/rules-ui-create.asciidoc | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 8ea28aebd4..c605a8e66d 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -380,11 +380,13 @@ documents from the {es} index containing the threat values. context] array used to define the conditions for when alerts are created from events. Defaults to an empty array. -|index |String[] |Indices on which the rule functions. Defaults to the +|index |String[] a|Indices on which the rule functions. Defaults to the Security Solution indices defined on the {kib} Advanced Settings page (*Kibana* → *Stack Management* → *Advanced Settings* → `securitySolution:defaultIndex`). +NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. + |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with a value from the source event: diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 78ba429088..17f7a2f6d3 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -172,7 +172,10 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re [[create-eql-rule]] ==== Create an event correlation rule . To create an event correlation rule using EQL, select *Event Correlation*, then: + .. Define which {es} indices the rule searches for alerts. ++ +NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. .. Add an {ref}/eql-syntax.html[EQL statement] used to detect alerts. + For example, the following rule detects when `msxsl.exe` makes an outbound
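Review bot: in the rules-api-create.asciidoc hunk, the cross-reference in the added NOTE (`configured to use <>`) has no target and will render as an empty link; supply the anchor of the section on index patterns / cross-cluster search it is meant to point at. The same paragraph also undersells the security consequence of the workaround: it should say plainly that after a `superuser` saves the rule, the rule runs with `superuser` privileges on every execution, not merely that cross-cluster search now works, and, by the same mechanism the hunk describes (saving the rule rebinds its API key to the saving user's privileges), a later edit by a non-`superuser` regenerates the key and silently breaks the cross-cluster query. "To enable this" directly follows a sentence about a limitation, so "this" reads as enabling the limitation; prefer "To enable cross-cluster search for an EQL rule" and spell out what "modify" means (any save regenerates the API key). The switch from `|` to `a|` on the `index` cell is needed for the NOTE admonition to render inside the table cell, so that part is correct.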
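Review bot: in the rules-ui-create.asciidoc hunk, the NOTE duplicates the one added to rules-api-create.asciidoc word for word, including the empty cross-reference `<>`, so whatever target is chosen there has to be fixed here as well; consider moving the text into a shared include or attribute so the two copies (and any later wording about the rule running as `superuser`) cannot drift apart. The added `+` continuation line before the NOTE is required for the admonition to attach to the `..` sub-step rather than terminate the list, so the list structure is right.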