Document the behavior of IM rules and multi-value indicator documents (#4326)

(cherry picked from commit ed4d816)

# Conflicts:
#	docs/detections/rules-ui-create.asciidoc
nastasha-solomon authored and mergify[bot] committed Dec 6, 2023
1 parent 8d6b083 commit d4e6e8b
Showing 1 changed file with 17 additions and 2 deletions.
19 changes: 17 additions & 2 deletions docs/detections/rules-ui-create.asciidoc
@@ -213,8 +213,15 @@ NOTE: For sequence events, the {security-app} generates a single alert when all

NOTE: {es-sec} provides limited support for indicator match rules. See <<support-indicator-rules>> for more information.

<<<<<<< HEAD
. To create an indicator match rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields:
.. *Index patterns*: The {es-sec} event indices on which the rule runs.
=======
. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays.
. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields:
.. *Source*: The individual index patterns or data view that specifies what data to search.
>>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326))
.. *Custom query*: The query and filters used to retrieve the required results from
the {es-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`.
+
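Review bot: this hunk commits unresolved merge-conflict markers into docs/detections/rules-ui-create.asciidoc: `<<<<<<< HEAD`, `=======` and `>>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326))` are now part of the file, so asciidoc will render the markers as literal text together with both versions of the step. Resolve the conflict by keeping one side: either the HEAD wording (`. To create an indicator match rule ...` with `.. *Index patterns*: ...`) or the cherry-picked wording, which adds the `. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*.` step and renames the field to `.. *Source*: The individual index patterns or data view ...`. Because this is a mergify backport, confirm that the target branch actually has the *Source* / data view option before adopting the newer text; the conflict shows the two branches describe this step differently.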
@@ -226,10 +233,18 @@ IMPORTANT: Data in indicator indices must be <<ecs-compliant-reqs, ECS compatibl
+
.. *Indicator index query*: The query and filters used to filter the fields from
the indicator index patterns. The default query `@timestamp > "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the start time down to the nearest day (resolves to UTC `00:00:00`).
.. *Indicator mapping*: Compares the values of the specified event and indicator field
values. When the field values are identical, an alert is generated. To define
.. *Indicator mapping*: Compares the values of the specified event and indicator fields, and generates an alert if the values are identical.
+
NOTE: Only single-value fields are supported.
+
To define
which field values are compared from the indices add the following:
<<<<<<< HEAD
** *Field*: The field used for comparing values in the {es-sec} event
=======

** *Field*: The field used for comparing values in the {elastic-sec} event
>>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326))
indices.
** *Indicator index field*: The field used for comparing values in the indicator
indices.
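Review bot: the same unresolved conflict markers are committed again around the *Field* bullet (`<<<<<<< HEAD` ... `>>>>>>> ed4d816 (...)`), and here the two sides differ only in the attribute name, `{es-sec}` versus `{elastic-sec}`, plus a stray blank line. Keep the attribute the target branch defines (the surrounding text in this hunk, for example the *Custom query* bullet, uses `{es-sec}`) and drop the markers and the blank line, otherwise the rendered page shows two *Field* bullets with raw markers between them. Replacing the old two-line *Indicator mapping* bullet with the single-line version is fine. The new `NOTE: Only single-value fields are supported.` states the restriction but not the behavior the commit title promises to document; consider adding one sentence on what a reader should expect when an indicator document carries an array value in the mapped field (whether it is skipped or simply never matches), so "not supported" is actionable.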