[Known Issue] Add docs to describe a known issue/limitation of EQL ru…

…le cross-cluster search (#4813) # Conflicts: # docs/detections/api/rules/rules-api-create.asciidoc # docs/detections/rules-ui-create.asciidoc
elastic · Mar 16, 2024 · 4d8ae57 · 4d8ae57
1 parent abfab39
commit 4d8ae57
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -418,7 +418,15 @@ Security Solution indices defined on the {kib} Advanced Settings page
 (*Kibana* → *Stack Management* → *Advanced Settings* →
 `securitySolution:defaultIndex`).
 
+<<<<<<< HEAD
 NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <<rules-cross-cluster-search,cross-cluster search>>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search.
+=======
+[NOTE]
+======
+- This field is not supported for ES\|QL rules.
+- Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <<rules-cross-cluster-search,cross-cluster search>>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search.
+======
+>>>>>>> 01ec37b9 ([Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813))
 
 |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with
 a value from the source event:

diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
@@ -130,6 +130,10 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re
 .. Define which {es} indices or data view the rule searches when querying for events.
 +
 NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <<rules-cross-cluster-search,cross-cluster search>>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search.
+<<<<<<< HEAD
+=======
+
+>>>>>>> 01ec37b9 ([Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813))
 .. Write an {ref}/eql-syntax.html[EQL query] that searches for matching events or a series of matching events.
 +
 TIP: To find events that are missing in a sequence, use the {ref}/eql-syntax.html#eql-missing-events[missing events] syntax.