[Suggestion][Detection Engine] Cold/frozen filter

[yctercero]

What can we change to make the docs better?

During team sync we discussed updating the language of the docs to try to clarify that addition of a tier filter would help ES better optimize not returning docs from those tiers, but it does not exclude the tiers in the way you might expect. That is, cold and frozen are still part of the search process. Some suggestions that were floated around during sync:

• Updating Here is a sample Query DSL filter that excludes frozen tier data from a rule’s execution: to something like Here is a sample Query DSL filter that excludes documents from frozen tier being returned during a rule’s execution:
• Updating Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen data, add a Query DSL filter that ignores cold and frozen [data tiers](https://www.elastic.co/guide/en/elasticsearch/reference/master/data-tiers.html) when executing. You can add the filter when creating a new rule or updating an existing one. to Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen documents from being returned, add a Query DSL filter that ignores cold and frozen [data tiers](https://www.elastic.co/guide/en/elasticsearch/reference/master/data-tiers.html) when executing. You can add the filter when creating a new rule or updating an existing one.
• Updating Here is another sample Query DSL filter that excludes cold and frozen tier data from a rule’s execution: to Here is another sample Query DSL filter that excludes documents from cold and frozen tier from being returned during rule’s execution:

Doc URL

https://www.elastic.co/guide/en/security/master/exclude-cold-frozen-data-individual-rules.html

Which documentation set needs improvement?

ESS only

Software version

8.15+

[yctercero]

cc @marshallmain could you take a look at the suggestions and 👍🏽 or 👎🏽

[marshallmain]

I would suggest instead of

Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen documents from being returned, add a Query DSL filter that ignores cold and frozen data tiers when executing. You can add the filter when creating a new rule or updating an existing one.

to say (changes in bold)

Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen documents from being returned, add a Query DSL filter that ignores cold and frozen data tiers when executing. This can help Elasticsearch exclude cold and frozen data more efficiently. You can add the filter when creating a new rule or updating an existing one.

The wording

... excludes documents from cold and frozen tier from being returned during ...

seems awkward to me. Maybe just

... excludes documents from cold and frozen tier during...

[nastasha-solomon]

@yctercero @marshallmain does the description for the excludedDataTiersForRuleExecution advanced setting need to be revised as well?
https://www.elastic.co/guide/en/security/8.16/advanced-settings.html#exclude-cold-frozen-data-rule-executions

cc: @vitaliidm

[marshallmain]

We'll definitely want to update the part This setting does not apply to ES|QL or machine learning rules. once we add support for that setting in the ES|QL rule implementation.

As far as language around To ensure rules don’t search cold and frozen data when executing, I think we should also center it on the results of the query instead of the "search" process - something like To exclude results from cold and frozen data when executing. The last phrase we have there turning it on can improve rule performance and reduce execution time. is good.