diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index e943664b74..55ba07b896 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -413,6 +413,24 @@ must be an {es} date data type. |============================================== +[[opt-fields-eql-create]] +===== Optional fields for event correlation rules + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|event_category_field |String +|Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field. + +|tiebreaker_field |String +|Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp. + +|timestamp_field |String +|Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field. + +|============================================== + [[actions-object-schema]] ===== `actions` schema diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index 93efe77b60..ee05e91a18 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc 
@@ -329,6 +329,24 @@ must be an {es} date data type. |============================================== +[[opt-fields-eql-update]] +===== Optional fields for EQL rules + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|event_category_field |String +|Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field. + +|tiebreaker_field |String +|Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp. + +|timestamp_field |String +|Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field. + +|============================================== + [[actions-object-schema-update]] ===== `actions` schema diff --git a/docs/detections/images/eql-rule-query-example.png b/docs/detections/images/eql-rule-query-example.png index 7c71f2610d..91600ff923 100644 Binary files a/docs/detections/images/eql-rule-query-example.png and b/docs/detections/images/eql-rule-query-example.png differ diff --git a/docs/detections/images/eql-settings-icon.png b/docs/detections/images/eql-settings-icon.png new file mode 100644 index 0000000000..caa4b8e913 Binary files /dev/null and b/docs/detections/images/eql-settings-icon.png differ diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 91fc51bbf5..73f37bb615 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -180,7 +180,7 @@ network connection: + ** *Index patterns*: `winlogbeat-*` + -> Winlogbeat ships Windows events to {elastic-sec}. +Winlogbeat ships Windows events to {elastic-sec}. ** *EQL query*: + 
@@ -205,6 +205,11 @@ image::images/eql-rule-query-example.png[] + NOTE: For sequence events, the {security-app} generates a single alert when all events listed in the sequence are detected. To see the matched sequence events in more detail, you can view the alert in the Timeline, and, if all events came from the same process, open the alert in Analyze Event view. + +. (Optional) Click the EQL settings icon (image:images/eql-settings-icon.png[EQL settings icon,16,16]) to configure additional fields used by {ref}/eql.html#specify-a-timestamp-or-event-category-field[EQL search]: + * *Event category field*: Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field. + * *Tiebreaker field*: Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp. + * *Timestamp field*: Contains the event timestamp used for sorting a sequence of events. This is different from the *Timestamp override* advanced setting, which is used for querying events within a range. Defaults to the `@timestamp` ECS field. ++ . Continue with <> (optional) or click *Continue* to <>. [discrete]
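Review bot: In the `rules-api-create.asciidoc` hunk (`@@ -413,6 +413,24 @@`), the new section title "Optional fields for event correlation rules" does not match the title used for the identical table in the update-API hunk ("Optional fields for EQL rules"); pick one wording for both pages so readers searching the docs find the same heading. The `tiebreaker_field` row is also the only one of the three without a stated default; say explicitly whether it has none (i.e., no secondary sort is applied unless set), since `event_category_field` and `timestamp_field` both document their ECS defaults. Minor wording: "typically mapped as a field type in the keyword family" reads more naturally as "typically mapped as a field type from the keyword family".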
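Review bot: The `rules-api-update.asciidoc` hunk (`@@ -329,6 +329,24 @@`) duplicates the three-row table from the create-API page word for word, with only the anchor (`opt-fields-eql-update`) and heading differing; consider moving the table body into a shared include so the two copies cannot drift, as they already have in the section title ("EQL rules" here versus "event correlation rules" in the create page). If the tables stay separate, at least align the headings now.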
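Review bot: In the `rules-ui-create.asciidoc` hunk (`@@ -205,6 +205,11 @@`), the three bullets under the new "(Optional) Click the EQL settings icon" step use single-asterisk `*` items after a `+` continuation, whereas the earlier hunk in the same file (`@@ -180,7 +180,7 @@`) nests bullets under a step with `**` (e.g. `** *Index patterns*: winlogbeat-*`); check that the `*` list renders as part of the numbered step rather than starting a new top-level list, and match the `**` convention if it does not. The three field descriptions also repeat the API table text verbatim (including the "typically mapped as a field type in the keyword family" phrasing), so any wording fix applied to the API pages should be mirrored here.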