initial commit

elastic · Oct 17, 2023 · 3dc8d32 · 3dc8d32
1 parent ed89c0e
commit 3dc8d32
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -34,6 +34,7 @@ mappings should be {ecs-ref}[ECS-compliant].
 * *{ml-cap} rules*: Creates an alert when a {ml} job discovers an anomaly above
 the defined threshold (see <<machine-learning>>).
 * *New terms*: Generates an alert for each new term detected in source documents within a specified time range.
+* *ES|QL*: Uses the Elasticsearch Query Language (ES|QL) rule to find events and aggregate search results.
 
 IMPORTANT: To create {ml} rules, you must have the
 https://www.elastic.co/subscriptions[appropriate license] or use a
@@ -140,6 +141,7 @@ occurred
 |type |String a|Data type on which the rule is based:
 
 * `eql`: EQL query (see {ref}/eql.html[Event Query Language]).
+* `esql`: ES|QL query (see {ref}/esql.html[Elasticsearch Query Language]).
 * `query`: query with or without additional filters.
 * `saved_query`: saved search, identified in the `saved_id` field.
 * `machine_learning`: rule based on a {ml} job's anomaly scores.
@@ -152,7 +154,7 @@ specified field.
 |==============================================
 
 [[req-fields-query-threshold]]
-===== Required field for query, indicator match, threshold, and new terms rules
+===== Required field for query, indicator match, threshold, new terms, event correlation and, ES|QL rules
 
 [width="100%",options="header"]
 |==============================================
@@ -209,6 +211,17 @@ generated.
 
 |==============================================
 
+[[req-fields-esql]]
+===== Required field for ES|QL rules
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|language |String |Must be `esql`.
+
+|==============================================
+
 [[req-fields-ml]]
 ===== Required fields for machine learning rules