From 50a3e513dc32afc378b57dd59ed1194b8d487627 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 4 Oct 2023 22:41:28 -0400 Subject: [PATCH] First draft --- docs/detections/rules-ui-create.asciidoc | 36 ++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index da5e6f0f4f..ef81e989db 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -259,6 +259,42 @@ IMPORTANT: When checking multiple fields, each unique combination of values from For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you <>. . Click *Continue* to <>. +[discrete] +[[create-esql-rule]] +=== Create an ES|QL rule + +IMPORTANT: This is a placeholder for future documentation. The following content is incomplete. + +The Elasticsearch Query Language (ES|QL) is a query language that enables the iterative exploration of data. Here are two types of common ES|QL Security queries: + +**Aggregating query** + +This is a query that uses the STATS...BY grouping commands. Query results cannot be matched with a particular document in Elasticsearch. + +Example: + +[esql] +----- +FROM logs* +| STATS count = COUNT(host.name) BY host.name +| SORT host.name +----- + +**Non-aggregating query** + +This is a query that _does not_ use the STATS...BY grouping commands. Each row in the query results can be tracked to a source document in Elasticsearch. + +For this type of query, use the operator `[metadata _id, _index, _version]` after defining the index source. This will allow for alerts to be deduplicated and linked to the source documents. + +Example: + +[esql] +----- +FROM logs* [metadata _id, _index, _version] +| WHERE event.id == "test" +| LIMIT 10 +----- + [float] [[rule-ui-basic-params]]
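Review bot: the `IMPORTANT: This is a placeholder for future documentation. The following content is incomplete.` admonition in this hunk will ship to readers if the patch merges as-is; either mark the PR as a draft or drop that line and the "incomplete" wording before merge. Two smaller points in the same hunk: the new section opens with `[discrete]` while the surrounding file uses `[float]` (the next block shows `[float]` / `[[rule-ui-basic-params]]`), so keep one form for consistency, and the two listings are tagged `[esql]` rather than `[source,esql]`, which is what a source block with a language attribute normally needs to render and highlight as code. Finally, the sentence "use the operator `[metadata _id, _index, _version]` after defining the index source" describes a `FROM` clause option rather than an operator; wording it as the `METADATA` option of `FROM` and stating why `_id` and `_index` matter (they let the alert be linked back to, and deduplicated against, the source document, as the paragraph already implies) would make the non-aggregating example clearer.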