[8.1] [BUG] The output_index field is not supported in 8.x (backport #…

…3178) (#3234)

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

docs/detections/api/rules/rules-api-bulk-actions.asciidoc

@@ -339,7 +339,6 @@ For `enable`, `disable`, `delete`, `edit`, and `duplicate` actions, a JSON objec
                "risk_score":21,
                "severity":"low",
                "license":"Elastic License v2",
-               "output_index":".siem-signals-default",
                "author":[
                   "Elastic"
                ],
@@ -484,7 +483,6 @@ If processing of any rule fails, a partial error outputs the ID and/or name of t
                     "risk_score": 47,
                     "severity": "medium",
                     "license": "Elastic License v2",
-                    "output_index": ".siem-signals-default",
                     "rule_name_override": "message",
                     "timestamp_override": "event.ingested",
                     "author": [

docs/detections/api/rules/rules-api-create.asciidoc

@@ -291,10 +291,6 @@ single execution. Defaults to `100`.
 
 |note |String |Notes to help investigate alerts produced by the rule.
 
-|output_index |String |Index to which alerts created by the rule are saved.
-If unspecified alerts are saved to `.siem-signals-<space_name>` index,
-where `<space_name>` is the name of the {kib} space in which the rule exists.
-
 |references |String[] |Array containing notes about or references to
 relevant information about the rule. Defaults to an empty array.
 
@@ -486,7 +482,6 @@ rules only)
 * `{{context.rule.max_signals}}`: Maximum allowed number of alerts per rule
 execution
 * `{{context.rule.name}}`: Rule name
-* `{{context.rule.output_index}}`: Index to which alerts are written
 * `{{context.rule.query}}`: Rule query (query rules only)
 * `{{context.rule.references}}`: Rule references
 * `{{context.rule.risk_score}}`: Rule risk score
@@ -816,7 +811,6 @@ Example response for a query rule:
   "immutable": false,
   "interval": "1h",
   "rule_id": "process_started_by_ms_office_program",
-  "output_index": ".siem-signals-default",
   "max_signals": 100,
   "risk_score": 50,
   "name": "MS Office child process",
@@ -866,7 +860,6 @@ Example response for a {ml} job rule:
   "immutable": false,
   "interval": "5m",
   "rule_id": "ml_linux_network_high_threshold",
-  "output_index": ".siem-signals-default",
   "max_signals": 100,
   "risk_score": 70,
   "name": "Anomalous Linux network activity",
@@ -917,7 +910,6 @@ Example response for a threshold rule:
   "immutable": false,
   "interval": "2m",
   "rule_id": "liv-win-ser-logins",
-  "output_index": ".siem-signals-default",
   "max_signals": 100,
   "risk_score": 30,
   "risk_score_mapping": [],
@@ -996,7 +988,6 @@ Example response for an EQL rule:
   "immutable": false,
   "interval": "5m",
   "rule_id": "eql-outbound-rundll32-connections",
-  "output_index": ".siem-signals-default",
   "max_signals": 100,
   "risk_score": 21,
   "risk_score_mapping": [],
@@ -1039,7 +1030,6 @@ Example response for an indicator match rule:
   "immutable": false,
   "interval": "5m",
   "rule_id": "608501e4-c768-4f64-9326-cec55b5d439b",
-  "output_index": ".siem-signals-default",
   "max_signals": 100,
   "risk_score": 50,
   "risk_score_mapping": [],

docs/detections/api/rules/rules-api-find.asciidoc

@@ -86,7 +86,6 @@ Example response:
       "interval": "5m",
       "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
       "language": "kuery",
-      "output_index": ".siem-signals-siem-test",
       "max_signals": 33,
       "risk_score": 21,
       "name": "Windows Script Executing PowerShell",

docs/detections/api/rules/rules-api-get.asciidoc

@@ -64,7 +64,6 @@ Example response:
   "interval": "1h",
   "rule_id": "process_started_by_ms_office_user_folder",
   "language": "kuery",
-  "output_index": ".siem-signals-siem-test",
   "max_signals": 100,
   "risk_score": 21,
   "name": "MS Office child process",

docs/detections/api/rules/rules-api-update.asciidoc

@@ -211,10 +211,6 @@ single execution. Defaults to `100`.
 
 |note |String |Notes to help investigate alerts produced by the rule.
 
-|output_index |String |Index to which alerts created by the rule are saved.
-If unspecified alerts are saved to `.siem-signals-<space_name>` index,
-where `<space_name>` is the name of the {kib} space in which the rule exists.
-
 |references |String[] |Array containing notes about or references to
 relevant information about the rule. Defaults to an empty array.
 
@@ -482,7 +478,6 @@ Example response:
   "interval": "5m",
   "rule_id": "process_started_by_ms_office_program_possible_payload",
   "language": "kuery",
-  "output_index": ".siem-signals-default",
   "max_signals": 100,
   "risk_score": 50,
   "name": "MS Office child process",

docs/detections/rules-ui-create.asciidoc

@@ -475,7 +475,6 @@ rules only)
 * `{{context.rule.max_signals}}`: Maximum allowed number of alerts per rule
 execution
 * `{{context.rule.name}}`: Rule name
-* `{{context.rule.output_index}}`: Index to which alerts are written
 * `{{context.rule.query}}`: Rule query (query rules only)
 * `{{context.rule.references}}`: Rule references
 * `{{context.rule.risk_score}}`: Default rule risk score

docs/post-upgrade/template-script.asciidoc

@@ -1523,9 +1523,6 @@ PUT _template/temp-signals
               "language": {
                 "type": "keyword"
               },
-              "output_index": {
-                "type": "keyword"
-              },
               "type": {
                 "type": "keyword"
               },

docs/release-notes/8.0.asciidoc

@@ -113,6 +113,11 @@ A new Lucene 9 validation change may cause event correlation (EQL) rule errors w
 . Refresh the page to verify the deprecation was resolved, then return to the guided steps on the Upgrade Assistant page.
 // end::breaking-changes[]
 
+[discrete]
+[[deprecations-8.0.0]]
+==== Deprecations
+* The `output_index` parameter is no longer supported for the APIs that create and update rules. 
+
 [discrete]
 [[new-features-8.0.0]]
 ==== Features