elastic · vitaliidm · Oct 26, 2023 · Oct 17, 2023 · Oct 17, 2023 · Oct 17, 2023
@@ -34,6 +34,9 @@ mappings should be {ecs-ref}[ECS-compliant].
 * *{ml-cap} rules*: Creates an alert when a {ml} job discovers an anomaly above
 the defined threshold (see <<machine-learning>>).
 * *New terms*: Generates an alert for each new term detected in source documents within a specified time range.
+* *ES|QL*: Uses the Elasticsearch Query Language (ES|QL) rule to find events and aggregate search results.
+
+NOTE: ES|QL rule is in technical preview stage
 
 IMPORTANT: To create {ml} rules, you must have the
 https://www.elastic.co/subscriptions[appropriate license] or use a
@@ -102,11 +105,13 @@ A JSON object that defines the rule's values:
 * <<req-fields-ml>>
 * <<req-fields-threat-match>>
 * <<req-fields-new-terms>>
+* <<req-fields-esql>>
 * <<opt-fields-all>>
 * <<opt-fields-query-eql>>
 * <<opt-fields-threat-match>>
 * <<opt-fields-query-threshold>>
 * <<opt-fields-eql-query-threshold>>
+* <<opt-fields-eql-query-threshold-new_terms-esql>>
 
 [[ref-fields-all]]
 ===== Required fields for all rule types
@@ -140,6 +145,7 @@ occurred
 |type |String a|Data type on which the rule is based:
 
 * `eql`: EQL query (see {ref}/eql.html[Event Query Language]).
+* `esql`: ES\|QL query (see {ref}/esql.html[Elasticsearch Query Language]).
 * `query`: query with or without additional filters.
 * `saved_query`: saved search, identified in the `saved_id` field.
 * `machine_learning`: rule based on a {ml} job's anomaly scores.
@@ -152,7 +158,7 @@ specified field.
 |==============================================
 
 [[req-fields-query-threshold]]
-===== Required field for query, indicator match, threshold, and new terms rules
+===== Required field for query, indicator match, threshold, new terms, event correlation, and ES|QL rules
 
 [width="100%",options="header"]
 |==============================================
@@ -209,6 +215,17 @@ generated.
 
 |==============================================
 
+[[req-fields-esql]]
+===== Required field for ES|QL rules
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|language |String |Must be `esql`.
+
+|==============================================
+
 [[req-fields-ml]]
 ===== Required fields for machine learning rules
 
@@ -417,6 +434,15 @@ Security Solution indices defined on the {kib} Advanced Settings page
 (*Kibana* → *Stack Management* → *Advanced Settings* →
 `securitySolution:defaultIndex`).
 
+|==============================================
+
+[[opt-fields-eql-query-threshold-new_terms-esql]]
+===== Optional fields for event correlation, query, threshold, new terms, and ES|QL rules
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
 |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with
 a value from the source event:
 
@@ -969,6 +995,29 @@ POST api/detection_engine/rules
 `200`::
     Indicates a successful call.
 
+*Example 7*
+
+ES|QL rule that creates alerts from events that match an Excel parent process:
+
+[source,json]
+--------------------------------------------------
+POST api/detection_engine/rules
+{
+   "type":"esql",
+   "language":"esql",
+   "query":"from auditbeat-8.10.2 [metadata _id] | where process.parent.name == \"EXCEL.EXE\"",
+   "name":"Find Excel events",
+   "description":"Find Excel events",
+   "tags":[],
+   "interval":"5m",
+   "from":"now-360s",
+   "to":"now",
+   "enabled":false,
+   "risk_score": 21,
+   "severity": "low"
+}
+--------------------------------------------------
+
 ==== Response payload
 
 A JSON object that includes a unique ID, the time the rule was created, and its
@@ -1327,3 +1376,46 @@ Example response for a new terms rule:
 }
 --------------------------------------------------
 <1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
+
+Example response for an ES|QL rule:
+
+[source,json]
+--------------------------------------------------
+{
+    "name": "Find Excel events",
+    "description": "Find Excel events",
+    "risk_score": 21,
+    "severity": "low",
+    "output_index": "",
+    "tags": [],
+    "interval": "5m",
+    "enabled": false,
+    "author": [],
+    "false_positives": [],
+    "from": "now-360s",
+    "max_signals": 100,
+    "risk_score_mapping": [],
+    "severity_mapping": [],
+    "threat": [],
+    "to": "now",
+    "references": [],
+    "version": 1,
+    "exceptions_list": [],
+    "actions": [],
+    "id": "d0f20490-6da4-11ee-b85e-09e9b661f2e2",
+    "updated_at": "2023-10-18T10:55:14.269Z",
+    "updated_by": "elastic",
+    "created_at": "2023-10-18T10:55:14.269Z",
+    "created_by": "elastic",
+    "revision": 0,
+    "rule_id": "e4b53a89-debd-4a0d-a3e3-20606952e589",
+    "immutable": false,
+    "related_integrations": [],     <1>
+    "required_fields": [],          <1>
+    "setup": "",                    <1>
+    "type": "esql",
+    "language": "esql",
+    "query": "from auditbeat-8.10.2 [metadata _id] | where process.parent.name == \"EXCEL.EXE\""
+}
+--------------------------------------------------
+<1> dev:[] These fields are under development and their usage may change: `related_integrations`, `required_fields`, and `setup`.
@@ -60,6 +60,7 @@ occurred
 |type |String a|Data type on which the rule is based:
 
 * `eql`: EQL query (see {ref}/eql.html[Event Query Language]).
+* `esql`: ES\|QL query (see {ref}/esql.html[Elasticsearch Query Language]).
 * `query`: query with or without additional filters.
 * `saved_query`: saved search, identified in the `saved_id` field.
 * `machine_learning`: rule based on a {ml} job's anomaly scores.
@@ -125,6 +126,16 @@ generated.
 
 |==============================================
 
+===== Field required for ES|QL rules `PUT` calls
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|language |String |Must be `esql`.
+
+|==============================================
+
 ===== Fields required for machine-learning rules `PUT` calls
 
 [width="100%",options="header"]
@@ -319,6 +330,14 @@ Security Solution indices defined on the {kib} Advanced Settings page
 (*Kibana* → *Stack Management* → *Advanced Settings* →
 `securitySolution:defaultIndex`).
 
+|==============================================
+
+===== Optional fields for EQL, query, threshold, new terms, and ES|QL rules
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
 |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with
 a value from the source event: