From 5edea4fc125113fb595947e9845b1cdde5ce8b76 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 13:44:24 -0400 Subject: [PATCH] [8.15] (Doc+) SIEM + frozen tier compatibility (backport #5564) (#5696) * (Doc+) Frozen tier compatibility * feedback Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * feedback p2 * Update docs/detections/detection-engine-intro.asciidoc * feedback --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit 9d063548de012f5044f1e5eea681a080cf9966ca) Co-authored-by: Stef Nestor <26751266+stefnestor@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/detection-engine-intro.asciidoc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index aef2fdf46d..fb2cae91a0 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -63,19 +63,20 @@ To make sure you can access Detections and manage rules, see [float] [[cold-tier-detections]] -== Compatibility with cold tier nodes +== Compatibility with cold and frozen tier nodes -Cold tier is a {ref}/data-tiers.html[data tier] that holds time series data that is accessed only occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: +Cold and frozen {ref}/data-tiers.html[data tiers] hold time series data that is only accessed occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold but not frozen tier data for the following {es} indices: * Index patterns specified in `securitySolution:defaultIndex` -* Index patterns specified in the definitions of detection rules +* Index patterns specified in the definitions of detection rules, except for indicator match rules * Index patterns specified in the data sources selector on various {security-app} pages -{elastic-sec} does *NOT* support cold tier data for the following {es} indices: +{elastic-sec} does *NOT* support either cold or frozen tier data for the following {es} indices: * Index patterns controlled by {elastic-sec}, including alerts and list indices +* Index patterns specified in the definition of indicator match rules -Using cold tier data for unsupported indices may result in detection rule timeouts and overall performance degradation. +Using either cold or frozen tier data for unsupported indices may result in detection rule timeouts and overall performance degradation. [float] [[support-indicator-rules]] @@ -85,7 +86,7 @@ Indicator match rules provide a powerful capability to search your security data In addition, the following support restrictions are in place: -* {elastic-sec} does not support the use of frozen tier data with indicator match rules. +* {elastic-sec} does not support the use of either cold or frozen {ref}/data-tiers.html[tier data] with indicator match rules. * Indicator match rules with an additional look-back time value greater than 24 hours are not supported. [float]