[8.3] Document the behavior of IM rules and multi-value indicator doc…

…uments (backport #4326) (#4404) Co-authored-by: Nastasha Solomon <[email protected]> Co-authored-by: nastasha.solomon <[email protected]>
elastic · Dec 7, 2023 · c76a83d · c76a83d
1 parent a8cf44a
commit c76a83d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc
@@ -221,4 +221,4 @@ To learn how to connect {elastic-sec} to {jira}, check out the following tutoria
 />
 </br>
 ++++
-=======
+=======
diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
@@ -231,10 +231,14 @@ IMPORTANT: Data in indicator indices must be <<ecs-compliant-reqs, ECS compatibl
 +
 .. *Indicator index query*: The query and filters used to filter the fields from
 the indicator index patterns. The default query `@timestamp > "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the start time down to the nearest day (resolves to UTC `00:00:00`).
-.. *Indicator mapping*: Compares the values of the specified event and indicator field
-values. When the field values are identical, an alert is generated. To define
+.. *Indicator mapping*: Compares the values of the specified event and indicator fields, and generates an alert if the values are identical.
++
+NOTE: Only single-value fields are supported.
++
+To define
 which field values are compared from the indices add the following:
-** *Field*: The field used for comparing values in the {es-sec} event
+
+** *Field*: The field used for comparing values in the {elastic-sec} event
 indices.
 ** *Indicator index field*: The field used for comparing values in the indicator
 indices.
-Original file line number
+Diff line change
@@ Expand Up @@
     />
     </br>
     ++++
-    =======
+    =======