[Request] improved ES|QL investigation(highlighted) fields #5054
Labels
Docset: ESS
Issues that apply to docs in the Stack release
Effort: Small
Issues that can be resolved quickly
Feature: ES|QL
Feature: Rules
Priority: High
Issues that are time-sensitive and/or are of high customer importance
Team: Detection Engine
v8.14.0
Description
Allows selecting custom-created fields in an ES|QL query as investigation (highlighted) fields
Shows only ES|QL fields for aggregating queries
Shows ES|QL fields + index fields for non-aggregating queries, since results are enriched with source documents in that case
Background & resources
PRs:
[Security Solution][Detection Engine] improves ES|QL investigation fields for detection rules kibana#177746
Issues/metas:
[Meta] https://github.com/elastic/security-team/issues/7944
https://github.com/elastic/security-team/issues/8771
Point of contact:
@vitaliidm
Test environments:
Which documentation set does this change impact?
ESS only
ESS release
8.14
Serverless release
N/A
Feature differences
Available only on ESS
API docs impact
No impact on API
Prerequisites, privileges, feature flags
N/A