From e7328dc4a6a011062f37bf12184a5bbc0e7bc361 Mon Sep 17 00:00:00 2001 From: Stef Nestor <26751266+stefnestor@users.noreply.github.com> Date: Mon, 15 Jul 2024 14:45:49 -0600 Subject: [PATCH 1/5] (Doc+) Frozen tier compatibility --- docs/detections/detection-engine-intro.asciidoc | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index aef2fdf46d..b97547fdc0 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc 
@@ -62,20 +62,21 @@ To make sure you can access Detections and manage rules, see ============== [float] -[[cold-tier-detections]] -== Compatibility with cold tier nodes +[[data-tier-detections]] +== Compatibility with cold and frozen tier nodes -Cold tier is a {ref}/data-tiers.html[data tier] that holds time series data that is accessed only occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: +Cold and frozen tier are {ref}/data-tiers.html[data tier] that holds time series data that are accessed only occasionally and rarely, respectively. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: * Index patterns specified in `securitySolution:defaultIndex` -* Index patterns specified in the definitions of detection rules +* Index patterns specified in the definitions of detection rules, except for indicator match rules * Index patterns specified in the data sources selector on various {security-app} pages -{elastic-sec} does *NOT* support cold tier data for the following {es} indices: +{elastic-sec} does *NOT* support either cold or frozen tier data for the following {es} indices: * Index patterns controlled by {elastic-sec}, including alerts and list indices +* Index patterns specified in indicator match rules -Using cold tier data for unsupported indices may result in detection rule timeouts and overall performance degradation. +Using either cold or frozen tier data for unsupported indices may result in detection rule timeouts and overall performance degradation. [float] [[support-indicator-rules]] 
@@ -85,7 +86,7 @@ Indicator match rules provide a powerful capability to search your security data In addition, the following support restrictions are in place: -* {elastic-sec} does not support the use of frozen tier data with indicator match rules. +* {elastic-sec} does not support the use of either cold or frozen {ref}/data-tiers.html[tier data] with indicator match rules. * Indicator match rules with an additional look-back time value greater than 24 hours are not supported. [float] From 773a8d264a450e8bb815e3c9b7826a183f9f92d7 Mon Sep 17 00:00:00 2001 From: Stef Nestor <26751266+stefnestor@users.noreply.github.com> Date: Mon, 5 Aug 2024 14:31:23 -0600 Subject: [PATCH 2/5] feedback Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/detection-engine-intro.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index b97547fdc0..c923591dd9 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -65,7 +65,7 @@ To make sure you can access Detections and manage rules, see [[data-tier-detections]] == Compatibility with cold and frozen tier nodes -Cold and frozen tier are {ref}/data-tiers.html[data tier] that holds time series data that are accessed only occasionally and rarely, respectively. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: +Cold and frozen {ref}/data-tiers.html[data tiers] hold time series data that are only accessed occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: * Index patterns specified in `securitySolution:defaultIndex` * Index patterns specified in the definitions of detection rules, except for indicator match rules 
@@ -74,7 +74,7 @@ Cold and frozen tier are {ref}/data-tiers.html[data tier] that holds time series {elastic-sec} does *NOT* support either cold or frozen tier data for the following {es} indices: * Index patterns controlled by {elastic-sec}, including alerts and list indices -* Index patterns specified in indicator match rules +* Index patterns specified in the definition of indicator match rules Using either cold or frozen tier data for unsupported indices may result in detection rule timeouts and overall performance degradation. From 590a5828640fbeb04d332c30e9bbbceddeb6af26 Mon Sep 17 00:00:00 2001 From: Stef Nestor <26751266+stefnestor@users.noreply.github.com> Date: Mon, 5 Aug 2024 14:31:59 -0600 Subject: [PATCH 3/5] feedback p2 --- docs/detections/detection-engine-intro.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index c923591dd9..d3dfbae217 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -62,7 +62,7 @@ To make sure you can access Detections and manage rules, see ============== [float] -[[data-tier-detections]] +[[cold-tier-detections]] == Compatibility with cold and frozen tier nodes Cold and frozen {ref}/data-tiers.html[data tiers] hold time series data that are only accessed occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: From d5bc9dc00087ddef4027add9e65781733edede35 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 5 Aug 2024 17:29:12 -0400 Subject: [PATCH 4/5] Update docs/detections/detection-engine-intro.asciidoc --- docs/detections/detection-engine-intro.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index d3dfbae217..97bc611bdf 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -65,7 +65,7 @@ To make sure you can access Detections and manage rules, see [[cold-tier-detections]] == Compatibility with cold and frozen tier nodes -Cold and frozen {ref}/data-tiers.html[data tiers] hold time series data that are only accessed occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: +Cold and frozen {ref}/data-tiers.html[data tiers] hold time series data that is only accessed occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: * Index patterns specified in `securitySolution:defaultIndex` * Index patterns specified in the definitions of detection rules, except for indicator match rules From f0ecd9a8831ef351c5536b378f64a509e0441205 Mon Sep 17 00:00:00 2001 From: Stef Nestor <26751266+stefnestor@users.noreply.github.com> Date: Fri, 9 Aug 2024 07:54:46 -0600 Subject: [PATCH 5/5] feedback --- docs/detections/detection-engine-intro.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index 97bc611bdf..fb2cae91a0 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc 
@@ -65,7 +65,7 @@ To make sure you can access Detections and manage rules, see [[cold-tier-detections]] == Compatibility with cold and frozen tier nodes -Cold and frozen {ref}/data-tiers.html[data tiers] hold time series data that is only accessed occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold tier data for the following {es} indices: +Cold and frozen {ref}/data-tiers.html[data tiers] hold time series data that is only accessed occasionally. In {stack} version >=7.11.0, {elastic-sec} supports cold but not frozen tier data for the following {es} indices: * Index patterns specified in `securitySolution:defaultIndex` * Index patterns specified in the definitions of detection rules, except for indicator match rules
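Review bot: in patch 1/5, hunk @@ -62,20 +62,21 @@, the rewritten intro sentence has subject-verb agreement errors ("Cold and frozen tier are {ref}/data-tiers.html[data tier] that holds time series data that are accessed only occasionally and rarely, respectively"); suggest "Cold and frozen {ref}/data-tiers.html[data tiers] hold time series data that is accessed only occasionally." The same sentence then still says "{elastic-sec} supports cold tier data for the following {es} indices" under a heading that now covers both tiers, so frozen tier support for the listed indices is left unstated; say explicitly whether it is supported. Also, renaming the anchor `[[cold-tier-detections]]` to `[[data-tier-detections]]` breaks any existing xref to the old id unless those references are updated in the same change.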
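Review bot: in patch 1/5, hunk @@ -85,7 +86,7 @@, the new restriction bullet restates the "except for indicator match rules" exclusion already added to the compatibility section, so the two lists can drift apart; suggest keeping the rule here short and cross-referencing the compatibility section by its anchor instead of repeating the tier list. Minor: the link text in `{ref}/data-tiers.html[tier data]` reads oddly mid-sentence; "data tier" (matching the link text used in the other hunk) is clearer.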
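Review bot: in patch 2/5, hunk @@ -65,7 +65,7 @@, "time series data that are only accessed occasionally" treats "data" as plural, whereas the original sentence removed in patch 1 used "data that is accessed only occasionally"; keep the singular ("data that is") for consistency.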
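Review bot: in patch 2/5, hunk @@ -74,7 +74,7 @@, the new bullet says "the definition of indicator match rules" while the parallel bullet in the supported list says "the definitions of detection rules"; use the same plural form in both so the two lists read as a pair.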
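Review bot: in patch 3/5, hunk @@ -62,7 +62,7 @@, reverting the anchor to `[[cold-tier-detections]]` keeps inbound links working, but the id no longer matches the heading "Compatibility with cold and frozen tier nodes"; add an AsciiDoc comment next to the anchor noting that the id is kept for link stability, otherwise the mismatch invites a later rename that would break the same links again.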
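Review bot: in patch 4/5, hunk @@ -65,7 +65,7 @@, the "data that are" to "data that is" correction is fine; the sentence still only claims support for cold tier data under a heading covering both tiers, so the frozen tier statement for the listed indices remains missing at this point in the series.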
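Review bot: in patch 5/5, hunk @@ -65,7 +65,7 @@, "supports cold but not frozen tier data for the following {es} indices" finally states the frozen tier position, but it makes the first list's bullet "except for indicator match rules" a cold-only exception while the second list already says "does *NOT* support either cold or frozen tier data" for indicator match rules; consider dropping the "except" clause from the supported list and letting the unsupported list carry the indicator match exclusion, so each index pattern appears in exactly one list. The closing sentence about timeouts and performance degradation is consistent with this wording and needs no change.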