From 144a2b0edc0c6226d5f04bbf72d00d62c5a57478 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 15 Feb 2024 16:04:19 -0500 Subject: [PATCH 1/4] [Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813) # Conflicts: # docs/detections/api/rules/rules-api-create.asciidoc # docs/detections/rules-ui-create.asciidoc --- docs/detections/api/rules/rules-api-create.asciidoc | 9 +++++++++ docs/detections/rules-ui-create.asciidoc | 10 ++++++++++ 2 files changed, 19 insertions(+) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 360161ecd4..7b601d8245 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -404,6 +404,15 @@ Security Solution indices defined on the {kib} Advanced Settings page (*Kibana* → *Stack Management* → *Advanced Settings* → `securitySolution:defaultIndex`). +<<<<<<< HEAD +======= +[NOTE] +====== +- This field is not supported for ES\|QL rules. +- Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. +====== + +>>>>>>> 01ec37b9 ([Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813)) |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with a value from the source event: diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index f6a4bc29f4..7152ad3eda 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -189,8 +189,18 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re [[create-eql-rule]] ==== Create an event correlation rule . To create an event correlation rule using EQL, select *Event Correlation*, then: +<<<<<<< HEAD .. Define which {es} indices or data view the rule searches for alerts. .. Add an {ref}/eql-syntax.html[EQL statement] used to detect alerts. +======= +.. Define which {es} indices or data view the rule searches when querying for events. ++ +NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. + +.. Write an {ref}/eql-syntax.html[EQL query] that searches for matching events or a series of matching events. ++ +TIP: To find events that are missing in a sequence, use the {ref}/eql-syntax.html#eql-missing-events[missing events] syntax. +>>>>>>> 01ec37b9 ([Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813)) + For example, the following rule detects when `msxsl.exe` makes an outbound network connection: From b2499bcdb514e1e05b469eb2023bd3d8eeef8586 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sat, 16 Mar 2024 16:48:57 -0400 Subject: [PATCH 2/4] Removed merge markers --- docs/detections/api/rules/rules-api-create.asciidoc | 8 ++------ docs/detections/rules-ui-create.asciidoc | 10 +--------- 2 files changed, 3 insertions(+), 15 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 7b601d8245..d427ac6e2f 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -399,20 +399,16 @@ documents from the {es} index containing the threat values. context] array used to define the conditions for when alerts are created from events. Defaults to an empty array. -|index |String[] |Indices on which the rule functions. Defaults to the +|index |String[] a|Indices on which the rule functions. Defaults to the Security Solution indices defined on the {kib} Advanced Settings page (*Kibana* → *Stack Management* → *Advanced Settings* → `securitySolution:defaultIndex`). -<<<<<<< HEAD -======= [NOTE] ====== -- This field is not supported for ES\|QL rules. -- Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. +Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. ====== ->>>>>>> 01ec37b9 ([Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813)) |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with a value from the source event: diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 7152ad3eda..a9b6db2eb9 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -189,18 +189,10 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re [[create-eql-rule]] ==== Create an event correlation rule . To create an event correlation rule using EQL, select *Event Correlation*, then: -<<<<<<< HEAD .. Define which {es} indices or data view the rule searches for alerts. -.. Add an {ref}/eql-syntax.html[EQL statement] used to detect alerts. -======= -.. Define which {es} indices or data view the rule searches when querying for events. + NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. - -.. Write an {ref}/eql-syntax.html[EQL query] that searches for matching events or a series of matching events. -+ -TIP: To find events that are missing in a sequence, use the {ref}/eql-syntax.html#eql-missing-events[missing events] syntax. ->>>>>>> 01ec37b9 ([Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813)) +.. Add an {ref}/eql-syntax.html[EQL statement] used to detect alerts. + For example, the following rule detects when `msxsl.exe` makes an outbound network connection: From de7a90197b1a6efd5e287caf99e8428bdd9a1800 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 16 Mar 2024 17:03:20 -0400 Subject: [PATCH 3/4] Update docs/detections/api/rules/rules-api-create.asciidoc --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index d427ac6e2f..1562b28398 100644 
--- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -406,7 +406,7 @@ Security Solution indices defined on the {kib} Advanced Settings page [NOTE] ====== -Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. +Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. ====== |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with From 63c124e0ca3bdbe4493bea55af7913c851f5e71e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Sat, 16 Mar 2024 17:03:25 -0400 Subject: [PATCH 4/4] Update docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index a9b6db2eb9..cf4ab529b8 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -191,7 +191,7 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re . To create an event correlation rule using EQL, select *Event Correlation*, then: .. Define which {es} indices or data view the rule searches for alerts. + -NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. +NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search. .. Add an {ref}/eql-syntax.html[EQL statement] used to detect alerts. + For example, the following rule detects when `msxsl.exe` makes an outbound
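Review bot: Unresolved conflict markers are being committed in the patch 1/4 hunk for `docs/detections/api/rules/rules-api-create.asciidoc` (`@@ -404,6 +404,15 @@`): the added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 01ec37b9 (...)` are literal merge markers with an empty HEAD side, and AsciiDoc will render them as text inside the `index` table cell. Resolve the conflict in this commit instead of deferring it to patch 2/4, and check the cross-reference in the new NOTE, which appears here as a bare `<>` with no anchor or link text, so it should be confirmed to resolve to the cross-cluster search section.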
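Review bot: The patch 1/4 hunk for `docs/detections/rules-ui-create.asciidoc` (`@@ -189,8 +189,18 @@`) has the same committed conflict markers, and the NOTE it adds understates the privilege change it documents. The text says the workaround "updates the rule's API key to use `superuser` privileges", which means every query that rule runs from then on executes as superuser; suggest the NOTE say this plainly and advise applying the change only to the specific EQL rules that need cross-cluster search, so readers treat the re-keyed rule as a privileged object rather than a routine edit.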
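Review bot: The patch 2/4 hunk for `docs/detections/api/rules/rules-api-create.asciidoc` (`@@ -399,20 +399,16 @@`) drops content beyond what the commit message "Removed merge markers" describes: the bullet `- This field is not supported for ES\|QL rules.` is deleted along with the markers, and the cell specifier changes from `|index |String[] |Indices` to `|index |String[] a|Indices`. The `a|` change is needed for the `[NOTE]` admonition to render inside the table cell, and removing the ES|QL line is fine if this branch has no ES|QL rules, but both should be stated in the commit message so the resolution is auditable.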
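Review bot: The patch 2/4 hunk for `docs/detections/rules-ui-create.asciidoc` (`@@ -189,18 +189,10 @@`) resolves the conflict by keeping the HEAD wording and silently discarding the incoming step text and the TIP on `eql-missing-events` syntax; record that choice in the commit message. One wording nit on the kept side: "Define which {es} indices or data view the rule searches for alerts" describes the rule as searching for alerts, whereas the discarded line "searches when querying for events" is the accurate description, since the rule queries events and produces alerts.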
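Review bot: The patch 3/4 hunk (`@@ -406,7 +406,7 @@` in `rules-api-create.asciidoc`) shows a `-` line and a `+` line that are identical as displayed, so the actual change is not visible in the rendered diff, most likely the target of the `<>` cross-reference or trailing whitespace. The subject "Update docs/detections/api/rules/rules-api-create.asciidoc" gives no hint; please say in the commit message what was changed in that line.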
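Review bot: Same issue in the patch 4/4 hunk (`@@ -191,7 +191,7 @@` in `rules-ui-create.asciidoc`): the removed and added NOTE lines read identically here, and the commit subject only names the file. Since patches 3/4 and 4/4 appear to make the same one-line edit to the same NOTE in two files, consider squashing them into one commit whose message states the edit, so the two copies of the note are verifiably kept in sync.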