From 61ce251d585f3caa8a96e23db84b910765e29f4a Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 6 Dec 2023 09:29:43 -0500 Subject: [PATCH 1/9] Document the behavior of IM rules and multi-value indicator documents (#4326) (cherry picked from commit ed4d8160ed133c768b7ac5523563cb24cbaa5f98) # Conflicts: # docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index b6b1e8b11d..7622682440 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -218,8 +218,15 @@ NOTE: For sequence events, the {security-app} generates a single alert when all NOTE: {es-sec} provides limited support for indicator match rules. See <> for more information. +<<<<<<< HEAD . To create an indicator match rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: .. *Index patterns*: The {es-sec} event indices on which the rule runs. +======= +. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. +. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: + +.. *Source*: The individual index patterns or data view that specifies what data to search. +>>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326)) .. *Custom query*: The query and filters used to retrieve the required results from the {es-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`. + 
@@ -231,10 +238,18 @@ IMPORTANT: Data in indicator indices must be < "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the start time down to the nearest day (resolves to UTC `00:00:00`). -.. *Indicator mapping*: Compares the values of the specified event and indicator field -values. When the field values are identical, an alert is generated. To define +.. *Indicator mapping*: Compares the values of the specified event and indicator fields, and generates an alert if the values are identical. ++ +NOTE: Only single-value fields are supported. ++ +To define which field values are compared from the indices add the following: +<<<<<<< HEAD ** *Field*: The field used for comparing values in the {es-sec} event +======= + +** *Field*: The field used for comparing values in the {elastic-sec} event +>>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326)) indices. ** *Indicator index field*: The field used for comparing values in the indicator indices. From 281f58e3129294d184fe9f533b58fb0c4cb45975 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 6 Dec 2023 10:35:42 -0500 Subject: [PATCH 2/9] Fixed conflict --- docs/detections/rules-ui-create.asciidoc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 7622682440..09f25a797e 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -244,12 +244,8 @@ NOTE: Only single-value fields are supported. + To define which field values are compared from the indices add the following: -<<<<<<< HEAD -** *Field*: The field used for comparing values in the {es-sec} event -======= ** *Field*: The field used for comparing values in the {elastic-sec} event ->>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326)) indices. ** *Indicator index field*: The field used for comparing values in the indicator indices. From 195a74e60fb8a8addf72914ed40a3c371d38e28e Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 6 Dec 2023 11:21:10 -0500 Subject: [PATCH 3/9] Trying to fix issue --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 05c65c4e8b..5da6b075df 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -219,6 +219,6 @@ To learn how to connect {elastic-sec} to {jira}, check out the following tutoria data-v="4" data-type="inline" /> -
+ ++++ ======= From c35b9f46dab780ff3d2d7e428c95f703526d8709 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 6 Dec 2023 12:30:22 -0500 Subject: [PATCH 4/9] Re-adding break tag --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 5da6b075df..05c65c4e8b 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -219,6 +219,6 @@ To learn how to connect {elastic-sec} to {jira}, check out the following tutoria data-v="4" data-type="inline" /> - +
++++ ======= From 11a23cfb701e027ffec528b127f9398543eb25b6 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 6 Dec 2023 12:30:51 -0500 Subject: [PATCH 5/9] Removing extra line --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 05c65c4e8b..11c84e845a 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -221,4 +221,4 @@ To learn how to connect {elastic-sec} to {jira}, check out the following tutoria />
++++ -======= +======= \ No newline at end of file From c780726b17c8afcb324c399a42794e3b76b001b0 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 7 Dec 2023 16:45:16 -0500 Subject: [PATCH 6/9] Update docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 09f25a797e..afb06dc719 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -218,7 +218,6 @@ NOTE: For sequence events, the {security-app} generates a single alert when all NOTE: {es-sec} provides limited support for indicator match rules. See <> for more information. -<<<<<<< HEAD . To create an indicator match rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: .. *Index patterns*: The {es-sec} event indices on which the rule runs. ======= From df885517ad43b1a2a18f9eb16dc243c0f2607933 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 7 Dec 2023 16:45:34 -0500 Subject: [PATCH 7/9] Update docs/detections/rules-ui-create.asciidoc --- docs/detections/rules-ui-create.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index afb06dc719..c7322898c0 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -225,7 +225,6 @@ NOTE: {es-sec} provides limited support for indicator match rules. See <>>>>>> ed4d816 (Document the behavior of IM rules and multi-value indicator documents (#4326)) .. *Custom query*: The query and filters used to retrieve the required results from the {es-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`. + From 50fd2a5ddb8393ae18f85f224a58557588f00e84 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 7 Dec 2023 16:50:05 -0500 Subject: [PATCH 8/9] Removed extra chars --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index c7322898c0..7808c57dd1 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -220,7 +220,7 @@ NOTE: {es-sec} provides limited support for indicator match rules. See < *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: From 4b1d79f7b188d2ff70779bafe03e990abba85a83 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 7 Dec 2023 17:16:01 -0500 Subject: [PATCH 9/9] Got rid of extra content --- docs/detections/rules-ui-create.asciidoc | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 7808c57dd1..fb10e22137 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -220,11 +220,6 @@ NOTE: {es-sec} provides limited support for indicator match rules. See < *Detection rules (SIEM)* -> *Create new rule*. The *Create new rule* page displays. -. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: - -.. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from the {es-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`. +
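Review bot: The first hunk of PATCH 1/9 (`@@ -218,8 +218,15 @@` in docs/detections/rules-ui-create.asciidoc) commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> ed4d816 ...`) into the AsciiDoc source, so both the HEAD step (`.. *Index patterns*: The {es-sec} event indices on which the rule runs.`) and the cherry-picked step (`.. *Source*: The individual index patterns or data view that specifies what data to search.`) end up in the file, and the `=======` line would render as an example-block delimiter. Resolve the conflict locally and commit one version of the step; the same applies to the mixed `{es-sec}` / `{elastic-sec}` attribute names that the two sides introduce side by side.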
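Review bot: In the second hunk of PATCH 1/9 (`@@ -231,10 +238,18 @@`), the added `NOTE: Only single-value fields are supported.` is the substantive change this PR exists for, yet it does not say which side the restriction applies to. Since the commit subject is about multi-value indicator documents, the note should state whether it is the *Indicator index field*, the event *Field*, or both that must hold a single value, and what the rule does when an indicator document carries an array in that field (skip the document or not produce a match), so readers can tell why a known indicator did not alert. The hunk also repeats the `<<<<<<< HEAD` / `=======` / `>>>>>>> ed4d816` markers around the two `** *Field*` lines; keep only one.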
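Review bot: PATCH 3/9 and PATCH 4/9 cancel each other out on docs/cases/cases-ui-integrations.asciidoc: the blob index goes `05c65c4e8b..5da6b075df` and then straight back `5da6b075df..05c65c4e8b`, so the pair is a no-op and can be dropped when the series is squashed. PATCH 5/9 (`@@ -221,4 +221,4 @@`) then replaces the closing `=======` line with an identical one marked `\ No newline at end of file`; removing the trailing newline is the only effect of that commit and is a regression for a text file, so the newline should be kept.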
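Review bot: PATCH 6/9 and PATCH 7/9 each delete a single conflict marker (`-<<<<<<< HEAD` and `->>>>>>> ed4d816 ...` respectively) but leave the HEAD-side step, the `=======` line and the cherry-picked step in place, so every intermediate commit from 1/9 through 8/9 leaves rules-ui-create.asciidoc with stray conflict text; the series should be squashed so that no commit on the branch contains conflict markers. The `@@ -220,7 +220,7 @@` hunk of PATCH 8/9 ("Removed extra chars") does not show which characters changed; the commit message should name the line being fixed.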
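Review bot: The `@@ -220,11 +220,6 @@` hunk of PATCH 9/9 drops the cherry-picked `. To create a rule that searches ...` step and the `.. *Source*: The individual index patterns or data view ...` line, which means the backport keeps the older `*Index patterns*` wording from HEAD while still adding the new `. Go to *Rules* -> *Detection rules (SIEM)* -> *Create new rule*.` step from the cherry-pick. Please confirm in the PR description that this is intended for the target branch (for example because data views are not selectable for this rule type there), since the original commit `ed4d8160` replaced *Index patterns* with *Source* and the difference is otherwise easy to miss in the final file.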