From d4e6e8b436454d55d31bd681ab18fcef8d3be5eb Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 6 Dec 2023 09:29:43 -0500 Subject: [PATCH 1/3] Document the behavior of IM rules and multi-value indicator documents (#4326) (cherry picked from commit ed4d8160ed133c768b7ac5523563cb24cbaa5f98) # Conflicts: # docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 90f252b59a..68aac96259 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -213,8 +213,15 @@ NOTE: For sequence events, the {security-app} generates a single alert when all NOTE: {es-sec} provides limited support for indicator match rules. See <> for more information. +<<<<<<< HEAD . To create an indicator match rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: .. *Index patterns*: The {es-sec} event indices on which the rule runs. +======= +. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. +. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: + +.. *Source*: The individual index patterns or data view that specifies what data to search. +>>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326)) .. *Custom query*: The query and filters used to retrieve the required results from the {es-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`. + 
@@ -226,10 +233,18 @@ IMPORTANT: Data in indicator indices must be < "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the start time down to the nearest day (resolves to UTC `00:00:00`). -.. *Indicator mapping*: Compares the values of the specified event and indicator field -values. When the field values are identical, an alert is generated. To define +.. *Indicator mapping*: Compares the values of the specified event and indicator fields, and generates an alert if the values are identical. ++ +NOTE: Only single-value fields are supported. ++ +To define which field values are compared from the indices add the following: +<<<<<<< HEAD ** *Field*: The field used for comparing values in the {es-sec} event +======= + +** *Field*: The field used for comparing values in the {elastic-sec} event +>>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326)) indices. ** *Indicator index field*: The field used for comparing values in the indicator indices. From b23b1cb8a3f31dff0e2f0ddde0fe63a52050c14a Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 6 Dec 2023 10:36:07 -0500 Subject: [PATCH 2/3] Fixed conflict --- docs/detections/rules-ui-create.asciidoc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 68aac96259..8084c6666b 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -239,12 +239,8 @@ NOTE: Only single-value fields are supported. + To define which field values are compared from the indices add the following: -<<<<<<< HEAD -** *Field*: The field used for comparing values in the {es-sec} event -======= ** *Field*: The field used for comparing values in the {elastic-sec} event ->>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326)) indices. ** *Indicator index field*: The field used for comparing values in the indicator indices. From 86edd15639274671571c75bf9dc1a8b5a51306f7 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 7 Dec 2023 17:14:02 -0500 Subject: [PATCH 3/3] Fixed conflict --- docs/detections/rules-ui-create.asciidoc | 7 ------- 1 file changed, 7 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 8084c6666b..b97fb158e1 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -213,15 +213,8 @@ NOTE: For sequence events, the {security-app} generates a single alert when all NOTE: {es-sec} provides limited support for indicator match rules. See <> for more information. -<<<<<<< HEAD . To create an indicator match rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: .. *Index patterns*: The {es-sec} event indices on which the rule runs. -======= -. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: - -.. *Source*: The individual index patterns or data view that specifies what data to search. ->>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326)) .. *Custom query*: The query and filters used to retrieve the required results from the {es-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`. +
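Review bot: In PATCH 1/3, hunk `@@ -213,8 +213,15 @@`, the added lines include unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> ed4d816 (...)`), which AsciiDoc renders literally, so this cherry-pick should not be pushed in this state. When resolving, keep the HEAD side (`.. *Index patterns*: The {es-sec} event indices on which the rule runs.`) unless this branch's rule editor actually has the *Source* field with data views, and keep the `{es-sec}` attribute that the surrounding NOTE context line already uses rather than the cherry-picked `{elastic-sec}`.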
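Review bot: In PATCH 1/3, hunk `@@ -226,10 +233,18 @@`, the new `NOTE: Only single-value fields are supported.` under *Indicator mapping* does not say which side the restriction applies to, although the commit subject is about multi-value indicator documents; state whether an indicator document whose mapped field holds an array is silently skipped, whether the same applies to the event field, and what the rule does with such documents (no match, or an error), because that is what a rule author needs to tune the *Indicator index field* mapping. The same hunk carries a second set of conflict markers around `** *Field*: The field used for comparing values in the ... event`, with `{es-sec}` on the HEAD side and `{elastic-sec}` on the cherry-picked side; resolve to the attribute defined on this branch. Minor: `To define which field values are compared from the indices add the following:` needs a comma after `indices`.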
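Review bot: In PATCH 2/3, hunk `@@ -239,12 +239,8 @@`, the resolution keeps the cherry-picked `{elastic-sec}` in `** *Field*: The field used for comparing values in the {elastic-sec} event`, while the unchanged context on this branch (the `NOTE: {es-sec} provides limited support ...` line and the *Index patterns* item) uses `{es-sec}`, and PATCH 3/3 resolves the other conflict in favour of `{es-sec}`. Unless `{elastic-sec}` is defined in this branch's attribute set, the build will emit the attribute reference literally; use `{es-sec}` here for consistency with the rest of the file.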
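Review bot: In PATCH 3/3, hunk `@@ -213,15 +213,8 @@`, taking the HEAD side drops the cherry-picked navigation step (`. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*.`) and the `.. *Source*: ... data view` item; that is the right resolution only if this branch's rule editor still shows *Index patterns* rather than *Source*, so confirm against the target version before merging. Separately, the two "Fixed conflict" commits leave intermediate revisions of `docs/detections/rules-ui-create.asciidoc` with conflict markers in history; squash PATCH 2/3 and PATCH 3/3 into PATCH 1/3 so the backport lands as a single clean commit.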