diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 14caac287b..fefc1ce9e5 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -413,11 +413,16 @@ documents from the {es} index containing the threat values. context] array used to define the conditions for when alerts are created from events. Defaults to an empty array. -|index |String[] |Indices on which the rule functions. Defaults to the +|index |String[] a|Indices on which the rule functions. Defaults to the Security Solution indices defined on the {kib} Advanced Settings page (*Kibana* → *Stack Management* → *Advanced Settings* → `securitySolution:defaultIndex`). +[NOTE] +====== +Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. +====== + |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with a value from the source event: diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index f0f948a100..d9268ba45d 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -209,6 +209,9 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re ==== Create an event correlation rule . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches when querying for events. ++ +NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. + .. Write an {ref}/eql-syntax.html[EQL query] that searches for matching events or a series of matching events. + TIP: To find events that are missing in a sequence, use the {ref}/eql-syntax.html#eql-missing-events[missing events] syntax.