Skip to content

[DOCS] Add DSL Filters to Event Correlation (EQL) rule creation #2208

New issue
New issue
Closed
#2339
Closed
[DOCS] Add DSL Filters to Event Correlation (EQL) rule creation#2208
#2339
Assignees
jmikell821
Labels
Feature: RulesTeam: Detections/ResponseDetections and ResponseTeam: Docsv8.4.0
@joepeeples

Description

@joepeeples
joepeeples
opened on Jul 19, 2022

Description

PR elastic/kibana#132507 adds filters to event correlations within the Security Detection rules.

Screenshot 2022-05-19 at 13 43 23

From issue elastic/kibana#101047:

Describe the feature: Add filters to event correlations within the Security Detection rules, this is possible inside EQL but does not seem to be supported inside Detections.

Describe a specific use case for the feature: If I need to search for the same values across multiple documents, with only a couple of those fields changing each time but more than one field across the documents staying the same, the EQL is less efficient than the DSL is.

Notes

  • Filters are applied to both rule preview (while creating rule) and during actual rule execution.

Metadata

Metadata

Assignees

Labels

Feature: RulesTeam: Detections/ResponseDetections and ResponseTeam: Docsv8.4.0

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions