elastic · nastasha-solomon · Nov 14, 2024 · Oct 19, 2024 · Oct 19, 2024 · Oct 27, 2024
@@ -86,7 +86,9 @@ Indicator match rules provide a powerful capability to search your security data
 
 In addition, the following support restrictions are in place:
 
-* {elastic-sec} does not support the use of either cold or frozen {ref}/data-tiers.html[tier data] with indicator match rules.
+* Indicator match rules don't support cold or frozen data, but will query cold and frozen {ref}/data-tiers.html[data tiers] if they exist. To exclude query results from cold and frozen tiers, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>> (which applies to all rules in a space), or add a <<exclude-cold-frozen-data-individual-rules,Query DSL filter>> to individual rules. 
++
+IMPORTANT: When the `excludedDataTiersForRuleExecution` advanced setting is enabled, some rule types (specifically the indicator match, event correlation, and {esql} rule types) might fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. The best path forward continues to be modifying the index patterns to only use hot tier data.
 * Indicator match rules with an additional look-back time value greater than 24 hours are not supported.
 
 [float]

@@ -1,18 +1,24 @@
 [[exclude-cold-frozen-data-individual-rules]]
-== Exclude cold and frozen data from a rule
+== Exclude cold and frozen data from rule executions
 
 :frontmatter-description: Configure a rule to ignore cold and frozen data during execution. 
 :frontmatter-tags-products: [security]
 :frontmatter-tags-content-type: [how-to]
 :frontmatter-tags-user-goals: [manage]
 
-Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen data, add a Query DSL filter that ignores cold and frozen {ref}/data-tiers.html[data tiers] when executing. You can add the filter when creating a new rule or updating an existing one. 
+Rules that query cold and frozen {ref}/data-tiers.html[data tiers] might perform more slowly. To exclude query results from cold and frozen tiers, add a Query DSL filter that ignores cold and frozen documents when executing. This can help Elasticsearch exclude cold and frozen data more efficiently. You can add the filter when creating a new rule or updating an existing one.
 
-NOTE: This method is not supported for {esql} and {ml} rules.
+TIP: To ensure that _all_ rules in a {kib} space exclude cold and frozen documents when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>.
 
-TIP: To ensure that _all_ rules in a {kib} space exclude cold and frozen data when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>.
+[IMPORTANT]
+====
 
-Here is a sample Query DSL filter that excludes frozen tier data from a rule's execution:
+* This method is not supported for {esql} and {ml} rules.
+* Some rule types (specifically the indicator match, event correlation, and {esql} rule types) might fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. The best path forward continues to be modifying the index patterns to only use hot tier data.
+
+====
+
+Here is a sample Query DSL filter that excludes documents from a frozen tier during a rule's execution:
 
 [source,console]
 ----
@@ -29,7 +35,7 @@ Here is a sample Query DSL filter that excludes frozen tier data from a rule's e
 }
 ----
 
-Here is another sample Query DSL filter that excludes cold and frozen tier data from a rule's execution:
+Here is another sample Query DSL filter that excludes documents from cold and frozen tiers during a rule’s execution:
 
 [source,console]
 ----

diff --git a/...etections/notes-page-timeline-details.png → ...ns/images/notes-page-timeline-details.png b/...etections/notes-page-timeline-details.png → ...ns/images/notes-page-timeline-details.png
@@ -189,7 +189,7 @@ The `securitySolution:maxUnassociatedNotes` field determines the maximum number
 [[exclude-cold-frozen-data-rule-executions]]
 == Exclude cold and frozen data from rule executions 
 
-To ensure rules don't search cold and frozen data when executing, specify cold and frozen {ref}/data-tiers.html[data tiers] in the `excludedDataTiersForRuleExecution` field. Multiple data tiers must be separated by commas, for example: `data_frozen`, `data_cold`. This setting is turned off by default; turning it on can improve rule performance and reduce execution time. 
+To ensure rules exclude query results from cold and frozen tiers when executing, specify cold and frozen {ref}/data-tiers.html[data tiers] in the `excludedDataTiersForRuleExecution` field. Multiple data tiers must be separated by commas, for example: `data_frozen`, `data_cold`. This setting is turned off by default; turning it on can improve rule performance and reduce execution time. 
 
 This setting does not apply to {ml} rules. 
 
@@ -198,4 +198,6 @@ This setting does not apply to {ml} rules.
 
 This setting applies to all rules in a {kib} space. To only exclude cold and frozen data from specific rules, add a <<exclude-cold-frozen-data-individual-rules,Query DSL filter>> to the rules you want affected. 
 
-====
+====
+
+IMPORTANT: When the `excludedDataTiersForRuleExecution` advanced setting is enabled, some rule types (specifically the indicator match, event correlation, and {esql} rule types) might fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. The best path forward continues to be modifying the index patterns to only use hot tier data.
@@ -83,6 +83,8 @@ On November 12, 2024, it was discovered that manually running a custom query rul
 * Allows you to create and update a rule even when some data-related validation errors are present in the query field ({kibana-pull}191487[#191487]).
 * Introduces a new advanced setting, `securitySolution:enableVisualizationsInFlyout`. When enabled, you can examine alerts and events in the **Visualize** tab, which provides a more detailed view of the event analyzer and Session View ({kibana-pull}194012[#194012], {kibana-pull}192531[#192531], {kibana-pull}192643[#192643]).
 * Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule execution. This setting does not apply to {ml} rules ({kibana-pull}186908[#186908]). 
++
+IMPORTANT: When the `excludedDataTiersForRuleExecution` advanced setting is enabled, some rule types (specifically the indicator match, event correlation, and {esql} rule types) might fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. The best path forward continues to be modifying the index patterns to only use hot tier data.
 * Enhances the Insights section of the alert and event details flyouts by providing available misconfiguration and vulnerabilities findings ({kibana-pull}195509[#195509]).
 * Turns off the host field size reduction setting on {elastic-defend}'s integration policy by default. To turn it on, configure the `[os].advanced.set_extended_host_information` <<adv-policy-settings,advanced policy setting>>.
 * Allows you to reduce CPU usage, I/O, and event sizes by turning on process event aggregation when configuring your {elastic-defend} integration policy. Related process events that occur in rapid succession are combined into fewer aggregate events. To turn on process event aggregation, configure the `advanced.events.aggregate_process` <<adv-policy-settings,advanced policy setting>>.