Closed
Description
PR elastic/kibana#133254 adds support for value list exceptions to all rule types (previously not supported for event correlation and threshold rule types).
The dev PR mentions several caveats and details, which I'll just paste here:
Adds value list exception support to every rule type with a few caveats. Structurally, this PR adds the definition of a "small" list that is able to be included directly in the rule executor's elasticsearch query instead of filtering out large lists in the post-execution process. This allows us to add value list exceptions for every rule type given some constraints, but still keep the post-execution logic and not degrade any current expected functionality.
Definitions
- "Small" value lists are defined as Keyword, IP value, or IP range* type lists that are under 65,536 items
- Small value lists are able to be used for every rule type
- Large value lists are defined as Keyword, IP value, or IP range* type lists that are over 65,536 items OR any sized text type list
- Large value lists are only able to be used for Query, Saved Query, ML, and Threat match rule types
- IP range value lists have two value types: slash notation (127.0.0.1/32) and dash notation (127.0.0.1-127.0.0.4)
Caveats
- IP range value lists are considered small only if the slash notation values are under 65,536; dash notation values require us to build the exception clauses differently and thus are limited to 200 for a small list size
- Text type value lists are currently not supported by small value lists
Additional notes
- Large lists will still display in the drop-down for selecting a value list, but will be grayed out. Might want to explain in docs what that means (UI may also provide info)
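The size rules above, as an added pre-upload check that is not part of the Kibana PR or its code: given a value list's type and its items, it decides whether the list counts as "small" and which rule types can therefore use it. The type names `keyword`, `ip`, `ip_range` and `text` are Kibana list types; the rule-type labels are taken from the description above, and treating "limited to 200" as "at most 200" dash-notation entries is an assumption.

```python
import ipaddress

# Thresholds from the PR description (constructed constants, not Kibana code).
SMALL_LIMIT = 65_536        # keyword / ip / slash-notation ip_range items must be under this
DASH_RANGE_LIMIT = 200      # assumption: at most 200 dash-notation ranges in a small list
SMALL_TYPES = {"keyword", "ip", "ip_range"}   # text lists are never small

# Rule-type labels as named in the description; large lists only work with the first four.
LARGE_LIST_RULE_TYPES = frozenset({"query", "saved query", "ml", "threat match"})
ALL_RULE_TYPES = LARGE_LIST_RULE_TYPES | {"event correlation", "threshold"}


def classify_ip_range_values(values):
    """Count slash-notation (10.0.0.0/8) vs dash-notation (10.0.0.1-10.0.0.4) entries.

    Every entry is parsed so a malformed range fails here rather than at rule execution.
    """
    slash = dash = 0
    for value in values:
        if "-" in value:
            low, high = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            if low.version != high.version or low > high:
                raise ValueError(f"invalid dash range: {value!r}")
            dash += 1
        else:
            ipaddress.ip_network(value.strip(), strict=False)  # bare IPs parse as /32 or /128
            slash += 1
    return slash, dash


def is_small_list(list_type, values):
    """Apply the 'small' definition: type must be keyword/ip/ip_range and sizes under the caps."""
    if list_type not in SMALL_TYPES:
        return False
    if list_type == "ip_range":
        slash, dash = classify_ip_range_values(values)
        return slash < SMALL_LIMIT and dash <= DASH_RANGE_LIMIT
    return len(values) < SMALL_LIMIT


def usable_rule_types(list_type, values):
    """Rule types that can reference this list as a value list exception."""
    return ALL_RULE_TYPES if is_small_list(list_type, values) else LARGE_LIST_RULE_TYPES


if __name__ == "__main__":
    # Constructed sample: two ranges in each notation, which qualifies as a small list.
    sample = ["127.0.0.1/32", "10.0.0.0/8", "127.0.0.1-127.0.0.4", "10.1.0.1-10.1.0.9"]
    print(classify_ip_range_values(sample), sorted(usable_rule_types("ip_range", sample)))
```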