diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
index 572aed55fb..c42d753089 100644
--- a/docs/detections/api/rules/rules-api-create.asciidoc
+++ b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -255,7 +255,7 @@ uses both `and` and `or` logic.
 |==============================================
 |Name |Type |Description
-|new_terms_fields |String[] |Fields to monitor for new values. Must contain 1–3 field names.
+|new_terms_fields |String[] |Fields to monitor for new values. Must contain 1 field name.
 |history_window_start |String |Start date to use when checking if a term has been seen before. Supports relative dates – for example, `now-30d` will search the last 30 days of data when checking if a term
@@ -833,7 +833,7 @@ POST api/detection_engine/rules
 "type": "new_terms",
 "language": "kuery",
 "query": "*",
-"new_terms_fields": ["user.id", "source.ip"],
+"new_terms_fields": ["user.id"],
 "history_window_start": "now-30d",
 "index": ["auditbeat*"]
 }
@@ -1196,7 +1196,7 @@ Example response for a new terms rule:
 ],
 "query": "*",
 "language": "kuery",
-"new_terms_fields": ["user.id", "source.ip"],
+"new_terms_fields": ["user.id"],
 "history_window_start": "now-30d",
 "related_integrations": [], <1>
 "required_fields": [], <1>
diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc
index 0b2b47d266..128ed67279 100644
--- a/docs/detections/api/rules/rules-api-update.asciidoc
+++ b/docs/detections/api/rules/rules-api-update.asciidoc
@@ -173,7 +173,7 @@ uses both `and` and `or` logic.
 |==============================================
 |Name |Type |Description
-|new_terms_fields |String[] |Fields to monitor for new values. Must contain 1–3 field names.
+|new_terms_fields |String[] |Fields to monitor for new values. Must contain 1 field name.
 |history_window_start |String |Start date to use when checking if a term has been seen before. Supports relative dates – for example, `now-30d` will search the last 30 days of data when checking if a term