
[DOCS] "New terms" rule type #2257

@jmikell821

PRs: elastic/kibana#134526, elastic/kibana#131010

Description

The "New Terms" rule type generates an alert for each new term it detects in source documents.

The rule accepts two new parameters that are unique to the new_terms rule type, in addition to the common Security rule parameters such as query, index, filters, from and to. The new parameters are:

  • new_terms_fields: an array of field names, currently limited to an array of size 1. In the future we will likely allow multiple field names to be specified here.
    • Example: ['host.ip']
  • history_window_start: defines the additional time range to search over when determining whether a term is "new". If a term is found between the times history_window_start and from, then it will not be classified as a new term.
    • Example: now-30d

Notes

New terms alerts have one special field at the moment: kibana.alert.new_terms. This field contains the detected term that caused the alert. A single source document may have multiple new terms if the source document contains an array of values in the specified field. In that case, multiple alerts will be generated from the single source document, one for each new value.
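As an added illustration of the two parameters and the array behaviour described above (this is not Kibana's implementation and not code from the linked PRs), the following Python simulates a rule run over constructed sample documents: terms seen between history_window_start and from are treated as known, each document inside the rule's from/to window is checked, and a document whose field holds an array yields one alert per new value, with the term carried in kibana.alert.new_terms. The date-math parser covers only the now-Nd style used on this page, and emitting a single alert per new term per run (attached to the first document that contains it) is an assumption of this example, not something the issue states.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not real data).
NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed source documents. host.ip is sometimes a scalar and sometimes an
# array, to exercise the "multiple alerts from one document" case in the Notes.
DOCS = [
    {"@timestamp": NOW - timedelta(days=45), "host.ip": "10.0.0.3"},  # outside a 30d history window
    {"@timestamp": NOW - timedelta(days=20), "host.ip": "10.0.0.1"},
    {"@timestamp": NOW - timedelta(days=3), "host.ip": ["10.0.0.1", "10.0.0.2"]},
    {"@timestamp": NOW - timedelta(hours=2), "host.ip": ["10.0.0.2", "10.0.0.3", "10.0.0.5"]},
    {"@timestamp": NOW - timedelta(hours=1), "host.ip": "10.0.0.4"},
    {"@timestamp": NOW - timedelta(minutes=30), "host.ip": "10.0.0.4"},
]

# A rule body using the two new_terms parameters plus the common from/to/query fields.
RULE = {
    "type": "new_terms",
    "query": "*",
    "new_terms_fields": ["host.ip"],
    "history_window_start": "now-30d",
    "from": "now-6h",
    "to": "now",
}

_UNITS = {"m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def parse_date_math(expr, now):
    """Resolve the small subset of date math used here: 'now' or 'now-<n><unit>'."""
    if expr == "now":
        return now
    m = re.fullmatch(r"now-(\d+)([mhdw])", expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr}")
    return now - timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def field_values(doc, field):
    """Return the field's values as a list; a scalar becomes a one-element list."""
    value = doc.get(field)
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def run_new_terms_rule(docs, rule, now=NOW):
    """Return one alert dict per new term found in the rule's from/to window."""
    field = rule["new_terms_fields"][0]  # the issue limits the array to one field
    window_from = parse_date_math(rule["from"], now)
    window_to = parse_date_math(rule["to"], now)
    history_start = parse_date_math(rule["history_window_start"], now)
    if history_start >= window_from:
        raise ValueError("history_window_start must be earlier than from")

    # Terms seen between history_window_start and from are not new.
    known = set()
    for doc in docs:
        if history_start <= doc["@timestamp"] < window_from:
            known.update(field_values(doc, field))

    alerts = []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        if not window_from <= doc["@timestamp"] <= window_to:
            continue
        for term in field_values(doc, field):
            if term in known:
                continue
            alerts.append({"kibana.alert.new_terms": term, "source": doc})
            known.add(term)  # assumption: one alert per new term per rule run
    return alerts


def new_terms(docs, rule, now=NOW):
    """Convenience: just the detected terms, in alert order."""
    return [a["kibana.alert.new_terms"] for a in run_new_terms_rule(docs, rule, now)]


if __name__ == "__main__":
    for alert in run_new_terms_rule(DOCS, RULE):
        print(alert["kibana.alert.new_terms"], "from", alert["source"]["@timestamp"].isoformat())
```

Running the block with the 30-day history window reports 10.0.0.3, 10.0.0.5 and 10.0.0.4 as new; the first two come from the same array-valued document, which is the multi-alert case from the Notes. Widening history_window_start to now-60d pulls the 45-day-old sighting of 10.0.0.3 into the known set, so that term no longer alerts, which is exactly the trade-off to weigh when choosing the window: a short window produces more "new" terms (and more noise), a long one costs a larger historical search.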
