Merge branch 'main' into 5474-byo-llm-guide
benironside authored Jul 5, 2024
2 parents a34282f + ff8d574 commit ca12785
Showing 11 changed files with 160 additions and 35 deletions.
2 changes: 1 addition & 1 deletion .backportrc.json
@@ -1,5 +1,5 @@
{
"upstream": "elastic/security-docs",
"branches": [{ "name": "7.x", "checked": true }, "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
"branches": [{ "name": "7.x", "checked": true }, "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
"labels": ["backport"]
}
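Review bot: the new `"8.15"` entry is inserted ahead of `"8.14"` consistently with the existing descending order, but the `7.x` entry remains the only one preselected (`"checked": true`); if 8.15 is now the active release line, decide whether that default should move. Also make sure the `8.15` branch exists in `elastic/security-docs` before this lands, because the backport tooling will fail on the first PR labeled for a branch that is not there.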
14 changes: 14 additions & 0 deletions .mergify.yml
@@ -13,6 +13,20 @@ pull_request_rules:
git merge upstream/{{base}}
git push upstream {{head}}
```
- name: backport patches to 8.15 branch
conditions:
- merged
- base=main
- label=v8.15.0
actions:
backport:
assignees:
- "{{ author }}"
branches:
- "8.15"
title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
labels:
- backport
- name: backport patches to 8.14 branch
conditions:
- merged
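Review bot: the `backport patches to 8.15 branch` rule is a verbatim copy of the 8.14 rule with only `label=v8.15.0` and `- "8.15"` changed, which is the right shape, but a Mergify condition on a label that does not yet exist simply never matches and reports nothing, so create the `v8.15.0` label in the repository together with this rule. Since every release adds one more of these near-identical blocks, consider generating them from a single template to avoid the two copies drifting apart.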
4 changes: 2 additions & 2 deletions docs/detections/alert-suppression.asciidoc
@@ -113,5 +113,5 @@ image::images/timeline-button.png[Investigate in timeline button, 200]

Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit):

* **Threshold and event correlation (non-sequence queries only)** - The maximum number of alerts is the value you choose for the <<opt-fields-all,`max_signals`>> setting, which is `100` by default.
* **Indicator match and new terms** - The maximum number is five times the value you choose for the <<opt-fields-all,`max_signals`>> setting. The default `max_signals` value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`.
* **Threshold and event correlation (non-sequence queries only)** - The maximum number of alerts is the value you choose for the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>>, which is `100` by default.
* **Indicator match and new terms** - The maximum number is five times the value you choose for the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>>. The default value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`.
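Review bot: both rewritten bullets now cross-reference `<<rule-ui-advanced-params,advanced setting>>`; that anchor has to exist in the rule-creation page or the Asciidoc build will emit an unresolved reference, so confirm the target. The API pages changed in this same commit add a NOTE that the {kib} setting `xpack.alerting.rules.run.alerts.max` caps how many alerts any rule can generate regardless of **Max alerts per run**; it would help readers of this page to state whether that cap also bounds the suppression limits described here (the "five times" figure in particular), so the two pages do not appear to disagree.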
4 changes: 2 additions & 2 deletions docs/detections/api/rules/rules-api-create.asciidoc
@@ -329,9 +329,9 @@ means the rule runs every hour. Defaults to `5m` (5 minutes).
|license |String |The rule's license.

|max_signals |Integer a|Maximum number of alerts the rule can create during a
single execution. Defaults to `100`.
single run (the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>> value). Defaults to `100`.

*NOTE*: To avoid rule failures, do not set the `max_signals` value higher than the value of {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`].
NOTE: This setting can be superseded by the {kibana-ref}/alert-action-settings-kb.html#alert-settings[{kib} configuration setting] `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by _any_ rule in the {kib} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.

|meta |Object a|Placeholder for metadata about the rule.

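Review bot: the replaced NOTE changes the described behaviour, not just the wording. The old text warned that setting `max_signals` above `xpack.alerting.rules.run.alerts.max` causes rule failures; the new text says the {kib} setting supersedes it and the rule "can generate no more than 1000 alerts even if `max_signals` is set higher", which describes silent capping. Truncation and a failed run are different outcomes for an operator sizing a high-volume rule, so confirm which one the current release exhibits and, if exceeding the cap still fails the rule, keep the "to avoid rule failures" wording. The `<<rule-ui-advanced-params,advanced setting>>` cross-reference added to the `max_signals` description also needs to resolve.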
6 changes: 4 additions & 2 deletions docs/detections/api/rules/rules-api-update.asciidoc
@@ -232,8 +232,10 @@ means the rule runs every hour. Defaults to `5m` (5 minutes).

|license |String |The rule's license.

|max_signals |Integer |Maximum number of alerts the rule can create during a
single execution. Defaults to `100`.
|max_signals |Integer a|Maximum number of alerts the rule can create during a
single run (the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>> value). Defaults to `100`.

NOTE: This setting can be superseded by the {kibana-ref}/alert-action-settings-kb.html#alert-settings[{kib} configuration setting] `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by _any_ rule in the {kib} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.

|meta |Object a|Placeholder for metadata about the rule.

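Review bot: changing the cell from `|Integer |` to `|Integer a|` is required for the NOTE paragraph to render as a block inside the table cell, so that part is correct. The NOTE itself is now a character-for-character copy of the one in `rules-api-create.asciidoc`; maintaining two hand-edited copies invites drift the next time the limit semantics change, so consider moving the text into a shared include and referencing it from both pages. Same check as on the create page: the `<<rule-ui-advanced-params,advanced setting>>` anchor must exist.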
18 changes: 0 additions & 18 deletions docs/detections/prebuilt-rules-management.asciidoc
@@ -116,21 +116,3 @@ image::images/prebuilt-rules-update-diff.png[Prebuilt rule comparison,75%]
* Update multiple rules: Select the rules and click *Update _x_ selected rule(s)*.
+
TIP: Use the search bar and *Tags* filter to find the rules you want to update. For example, filter by `OS: Windows` if your environment only includes Windows endpoints. For more on tag categories, refer to <<prebuilt-rule-tags>>.

[float]
[[rule-prerequisites]]
=== Confirm rule prerequisites

Many Elastic prebuilt rules are designed to work with specific Elastic integrations and data fields. These prerequisites are identified in the *Related integrations* and *Required fields* fields on a rule's details page (*Rules* -> *Detection rules (SIEM)*, then click a rule's name). *Related integrations* also displays each integration's installation status and includes links for installing and configuring the listed integrations.

Additionally, the *Setup guide* section provides guidance on setting up the rule's requirements.

[role="screenshot"]
image::images/rule-details-prerequisites.png[Rule details page with Related integrations, Required fields, and Setup guide highlighted]

You can also check rules' related integrations in the *Installed Rules* and *Rule Monitoring* tables. Click the *integrations* badge to display the related integrations in a popup.

[role="screenshot"]
image::images/rules-table-related-integrations.png[Rules table with related integrations popup,75%]

TIP: You can hide the *integrations* badge in the rules tables. Go to *{kib}* -> *Stack Management* -> *Advanced Settings*, then turn off `securitySolution:showRelatedIntegrations`.
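Review bot: the deleted block removes the `[[rule-prerequisites]]` anchor along with the whole "Confirm rule prerequisites" section; any `<<rule-prerequisites>>` cross-reference elsewhere in the docs will break the build unless the section was moved to another file in this same commit. This view shows only 6 of the 11 changed files, so that cannot be verified here; please confirm the new location in the PR description. The two images `rule-details-prerequisites.png` and `rules-table-related-integrations.png` also become orphaned unless the relocated section still references them.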