Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DOCS] Add DSL Filters to Event Correlation (EQL) rule creation #2208

Closed
Tracked by #2258
joepeeples opened this issue Jul 19, 2022 · 1 comment · Fixed by #2339
Closed
Tracked by #2258

[DOCS] Add DSL Filters to Event Correlation (EQL) rule creation #2208

joepeeples opened this issue Jul 19, 2022 · 1 comment · Fixed by #2339
Assignees
@jmikell821
Labels
Feature: Rules Team: Detections/Response Detections and Response Team: Docs v8.4.0

Comments

@joepeeples
Copy link
Contributor

joepeeples commented Jul 19, 2022
edited
Loading

Description

PR elastic/kibana#132507 adds filters to event correlations within the Security Detection rules.

Screenshot 2022-05-19 at 13 43 23

From issue elastic/kibana#101047:

Describe the feature: Add filters to event correlations within the Security Detection rules, this is possible inside EQL but does not seem to be supported inside Detections.

Describe a specific use case for the feature: If I need to search for the same values across multiple documents, with only a couple of those fields changing each time but more than one field across the documents staying the same, the EQL is less efficient than the DSL is.

Notes

  • Filters are applied to both rule preview (while creating rule) and during actual rule execution.
@joepeeples joepeeples self-assigned this Jul 19, 2022
This was referenced Aug 4, 2022
Closed
Closed
@joepeeples joepeeples assigned jmikell821 and unassigned joepeeples Aug 5, 2022
@joepeeples
Copy link
Contributor Author

Reassigning to @jmikell821 since she's documenting rule creation for 8.4 in #2258.

@jmikell821 jmikell821 mentioned this issue Aug 23, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jmikell821 jmikell821

Labels
Feature: Rules Team: Detections/Response Detections and Response Team: Docs v8.4.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[DOCS] Create rule updates 8.4 elastic/security-docs
2 participants
@jmikell821 @joepeeples