
[DOCS] Document to set limitations on what we support for Indicator Match rules in 7.12 #551

Closed
dontcallmesherryli opened this issue Mar 15, 2021 · 4 comments

Comments

@dontcallmesherryli

Description

Don't use cold storage, make sure your indicator index doesn't have X, don't use cross cluster search
mostly elastic search; item search 9000
SDH troubleshooting guide

Acceptance Test Criteria

List all the ATC of each action and its intended result.
As a user, when [action (e.g., viewing, clicking, selecting, etc.)] the [insert the expected result].
If the doc issue includes a procedure, number the steps in sequential order.

Notes

  • Add the "Team:Docs" label to new issues.
  • Be sure to add the version number label.
  • Be sure to add any necessary screenshots for clarity.
  • Include any conditions or caveats that may affect customers.
@jmikell821
Contributor

@dontcallmesherryli can I have some more context around what needs to be documented? Here is what we say about cold tier storage. Here is our topic on indicator match rules.

@dontcallmesherryli
Author

Hi @jmikell821 I'm working on this ticket still adding details. That's why I didn't tag this ticket with any labels or assignees yet. Will tag you when it's ready! Thank you

@MikePaquette
Contributor

Note: Cold Tier Storage documentation change requests are listed in this Issue #562

This ticket includes changes to four sections related to Indicator Match rules:

1. On the Detections and Alerts page - Add a new section (probably after the compatibility with cold tier data section and before the Terminology section) called "Limited Support for Indicator Match Rules". The section would have the following points:

   Indicator Match rules provide a powerful capability to search your security data, however, their queries can consume significant deployment resources. Therefore the following support restrictions are in place:

   • Elastic Security does not support the use of Cold Tier Data with Indicator Match rules.
   • The use of Cross Cluster Search (CCS) with Indicator Match rules is not supported.
   • Indicator Match rules with an Additional Look-back time value of greater than 24 hours are not supported.
   • Indicator indices with more than 90,000 items are not supported.

2. On the Create an indicator match rule section - Make the following changes:

   • Add a Note up front that says "Elastic Security provides limited support for Indicator Match rules. Please see <link to "Limited Support for Indicator Match Rules" section>." (Item 1. above)

   • Change: b. Custom query: The query and filters used to retrieve the required results from the Elastic Security event indices. For example, if you ~~only need to check destination.ip event values~~ want to match only documents that contain a destination ip address field, add destination.ip : *.

   • Change: tip: If you want the rule to ~~check every field in the indices~~ attempt to match every document in the indices, use this wildcard expression: *:*.

   • Change: Indicator index query: The query and filters used to filter the ~~fields~~ results from the indicator index patterns. Since the number of query results affects the performance of indicator match rules, avoid using the wildcard expression *.* in this field.

   • Remove: tip: When an indicator match rule’s conditions are met, the resulting detection alert does not contain explicit information about which event field(s) match which indicator field(s). As such, when you configure basic rule settings, it is recommended that you include a reference to the field(s) to be matched in the rule Name and rule Description, and ensure that the Timeline template associated with the rule includes pre-defined column(s) for these fields. For example, if you create an indicator match rule that looks for matches between the file.extension field in file events and the threat.file.extension field in an indicator index, you might name your rule "file.extension matches ransomware file extension", so that when an analyst investigates the detection alerts, they will see the rule name and know to further investigate the file.extension field value.

3. In the Tuning prebuilt detection rules section - Add a sub section containing: "Take the following steps to tune indicator match rules:

   • Specify a detailed query as part of the indicator index query. Every result returned from the indicator index query will be used by the detection engine to subsequently query the index patterns defined in your rule definition. Using no query or the wildcard *.* query will result in your rule causing the execution of potentially very large queries.

   • Limit your rule additional look-back time to as short a duration as practical, and not more than 24 hours.

   • Add the following sentence/link - "Note: Elastic Security provides limited support for Indicator Match rules. Please see <link to "Limited Support for Indicator Match Rules" section>." (Item 1. above)

4. In the Monitoring and troubleshooting rule executions section -

   • Add the following sentence/link in the Troubleshoot missing alerts section: Note: If the rule that experiences gaps is an indicator match rule, please see the section on Tuning prebuilt detection rules. (Item 3. above)

   • Add the following sentence/link - "Note: Elastic Security provides limited support for Indicator Match rules. Please see <link to "Limited Support for Indicator Match Rules" section>." (Item 1. above)

cc: @dontcallmesherryli @jmikell821
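The support limits and tuning steps listed in the comment above lend themselves to a pre-deployment lint on exported rule definitions. The following is an added example, not code from this issue or from Elastic; it assumes the field names of the Kibana detection rules API (`type: "threat_match"`, `from`, `interval`, `threat_query`, `threat_index`), treats a `cluster:index` pattern as cross-cluster search, and takes indicator document counts from the caller because cold tier placement and index size are not visible in the rule JSON itself.

```python
import re

MAX_LOOKBACK_HOURS = 24       # "Additional look-back time" limit from the issue
MAX_INDICATOR_DOCS = 90_000   # indicator index size limit from the issue
WILDCARD_QUERIES = {"", "*", "*:*", "*.*"}  # "no query or the wildcard" case
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration_seconds(value: str) -> int:
    """Parse Kibana-style durations such as '5m', '1h' or date-math 'now-6m'."""
    m = re.fullmatch(r"(?:now-)?(\d+)([smhd])", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def additional_lookback_seconds(rule: dict) -> int:
    """The UI's 'Additional look-back time' is the part of `from` beyond the
    rule interval: from=now-6m with interval=5m is a 1m additional look-back."""
    return max(0, parse_duration_seconds(rule["from"]) - parse_duration_seconds(rule["interval"]))

def check_indicator_match_rule(rule: dict, indicator_doc_counts: dict) -> list:
    """Return human-readable findings; an empty list means the rule stays within
    the documented limits. Cold tier placement is not visible in the rule JSON
    and must be checked against the indices' ILM phase separately (assumption)."""
    findings = []
    if rule.get("type") != "threat_match":   # limits apply to indicator match rules only
        return findings
    lookback_h = additional_lookback_seconds(rule) / 3600
    if lookback_h > MAX_LOOKBACK_HOURS:
        findings.append(f"additional look-back {lookback_h:g}h exceeds {MAX_LOOKBACK_HOURS}h")
    if rule.get("threat_query", "").replace(" ", "") in WILDCARD_QUERIES:
        findings.append("indicator index query is empty or wildcard-only; every indicator drives a query")
    for index in rule.get("threat_index", []):
        if ":" in index:  # cluster:index is the cross-cluster search pattern syntax
            findings.append(f"indicator index {index!r} uses cross-cluster search")
        if indicator_doc_counts.get(index, 0) > MAX_INDICATOR_DOCS:
            findings.append(f"indicator index {index!r} exceeds {MAX_INDICATOR_DOCS} items")
    return findings

# Constructed sample rule and constructed indicator doc counts (not real data):
# it breaks the look-back, indicator query, CCS and index-size limits.
SAMPLE_RULE = {
    "type": "threat_match",
    "name": "file.extension matches ransomware file extension",
    "index": ["logs-*"], "query": "file.extension : *",
    "from": "now-30h", "interval": "5m",
    "threat_query": "*:*",
    "threat_index": ["remote_cluster:threat-intel-*", "ti-indicators"],
}
SAMPLE_COUNTS = {"ti-indicators": 120_000}
```

Running `check_indicator_match_rule(SAMPLE_RULE, SAMPLE_COUNTS)` yields one finding per violated limit; a rule that passes returns an empty list.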

@jmikell821
Contributor

Merged #582.
