Conversation

@joepeeples (Contributor) commented Jun 15, 2022

@madirey commented Jun 16, 2022

Thanks for this! Upon reading, I'm thinking we may want to leave some of this information... we could still point out that the generated signals/alerts are synthetic and don't contain all the fields (only those that appear in the Threshold field configuration of the rule). Something like: NOTE: Alerts created by *threshold* rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the `Group by` fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field.
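To make the behaviour described in the comment above concrete, here is an added illustration that is not part of this pull request or of Elastic's own code. It models a threshold rule's aggregation in plain Python: documents are bucketed by the `Group by` fields, a bucket that reaches the threshold produces one synthetic alert holding only those fields plus `kibana.alert.threshold_result.count`, and a helper shows which non-grouped fields actually vary inside a bucket, which is why they cannot be copied into the alert. The sample documents and the field names `user.name`, `source.ip`, `event.action` and `process.pid` are constructed for the example; the real rule performs this aggregation inside Elasticsearch rather than in Python.

```python
from collections import defaultdict

# Constructed sample source documents (not real data). Fields other than the
# group-by fields deliberately differ between documents of the same bucket.
SOURCE_DOCS = [
    {"user.name": "alice", "source.ip": "10.0.0.5", "event.action": "logon-failed", "process.pid": 101},
    {"user.name": "alice", "source.ip": "10.0.0.5", "event.action": "logon-failed", "process.pid": 102},
    {"user.name": "alice", "source.ip": "10.0.0.5", "event.action": "logon-failed", "process.pid": 103},
    {"user.name": "bob",   "source.ip": "10.0.0.9", "event.action": "logon-failed", "process.pid": 104},
    {"user.name": "alice", "source.ip": "10.0.0.7", "event.action": "logon-failed", "process.pid": 105},
]


def threshold_alerts(docs, group_by, threshold):
    """Bucket docs by the group-by fields and emit one synthetic alert per
    bucket whose document count reaches the threshold.

    The alert carries only the aggregated fields plus the bucket count under
    kibana.alert.threshold_result.count; every other source field is dropped,
    because its value may differ across the documents that were counted.
    """
    buckets = defaultdict(list)
    for doc in docs:
        buckets[tuple(doc.get(f) for f in group_by)].append(doc)

    alerts = []
    for key, members in buckets.items():
        if len(members) >= threshold:
            alert = dict(zip(group_by, key))
            alert["kibana.alert.threshold_result.count"] = len(members)
            alerts.append(alert)
    return alerts


def varying_fields(docs, group_by):
    """Return the non-grouped fields whose value is not constant within at
    least one bucket, i.e. the fields a threshold alert could not report
    without picking one document's value arbitrarily."""
    per_bucket = defaultdict(lambda: defaultdict(set))
    for doc in docs:
        key = tuple(doc.get(f) for f in group_by)
        for field, value in doc.items():
            if field not in group_by:
                per_bucket[key][field].add(value)
    return {
        field
        for fields in per_bucket.values()
        for field, values in fields.items()
        if len(values) > 1
    }


if __name__ == "__main__":
    group_by = ["user.name", "source.ip"]
    for alert in threshold_alerts(SOURCE_DOCS, group_by, 3):
        print(alert)
    print("fields that vary inside a bucket:", varying_fields(SOURCE_DOCS, group_by))
```

With the constructed input, only the `alice`/`10.0.0.5` bucket reaches a threshold of 3, so one alert is produced; it exposes the two group-by fields and a count of 3, and `process.pid` is absent because it differs between the three counted documents. A rule action that needs the number of matching events should therefore read `kibana.alert.threshold_result.count` rather than expecting one alert per source document.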

@joepeeples (Contributor, Author) commented

Thanks for the suggestion, @madirey! I added the note back in with your revisions; just let me know if anything else needs to be adjusted.

@joepeeples joepeeples requested a review from a team June 20, 2022 18:05
@joepeeples joepeeples added the readyforQA PRs that are ready for QA review. label Jun 20, 2022
@joepeeples (Contributor, Author) commented

Adding @elastic/security-docs for a quick review, whoever gets to it first. Full team review prob not necessary.

@joepeeples joepeeples changed the title [DOCS] Remove workaround for aggregated fields in threshold rules [DOCS] Revise workaround for aggregated fields in threshold rules Jun 21, 2022
@madirey left a comment

Thank you!!

ghost commented Jun 22, 2022

Hi @joepeeples ,

We tested the linked doc and found that the doc is correctly updated as per the latest UI. So we are good to go ahead and merge the changes.

Marking this ticket as 'QA validated'.

Thanks!

@ghost ghost added QA:Validated Issue has been Validated by QA Team and removed readyforQA PRs that are ready for QA review. labels Jun 22, 2022
@jmikell821 (Contributor) left a comment

LGTM!

@joepeeples joepeeples merged commit 6f0d069 into main Jun 22, 2022
mergify bot pushed a commit that referenced this pull request Jun 22, 2022

* Remove workaround from create rule docs

* Restore admonition, with revisions from Madison

(cherry picked from commit 6f0d069)
joepeeples added a commit that referenced this pull request Jun 22, 2022 (#2106)

* Remove workaround from create rule docs

* Restore admonition, with revisions from Madison

(cherry picked from commit 6f0d069)

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
joepeeples added a commit that referenced this pull request Jun 22, 2022 (#2107)
joepeeples added a commit that referenced this pull request Jun 22, 2022 (#2108)
joepeeples added a commit that referenced this pull request Jun 22, 2022 (#2109)
@joepeeples joepeeples deleted the issue-2016-threshold-rule-agg-actions branch June 22, 2022 20:45
benironside pushed a commit that referenced this pull request Jun 24, 2022

* Remove workaround from create rule docs

* Restore admonition, with revisions from Madison
benironside added a commit that referenced this pull request Jun 28, 2022
* First draft

* Add placeholder for instructions for self-hosted

* updates formatting

* updates format and image size

* Updates formatting and annotates screenshots

* updates to the main intro and some terms here and there

* [DOCS] Revise workaround for aggregated fields in threshold rules (#2074)

* Remove workaround from create rule docs

* Restore admonition, with revisions from Madison

* [DOCS][8.3] Updates "Endpoint Security" to "Endpoint and Cloud Security" screenshots (#2075)

* Updates screenshots and replaces the old name with the new name.

* Updates text, fixes image names

* Update docs/getting-started/install-endpoint.asciidoc

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update docs/getting-started/install-endpoint.asciidoc

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Fix bugs found by QA

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Add example response section (#2084)

* [DOCS] Add new EQL search configuration options (#2061)

* Update eql-rule-query-example.png

* Update procedure for creating EQL rule

* Update API docs: create rule, update rule

* Align minor phrasing

* Explain timestamp_field & timestamp_override

* Updates based on review feedback

* [DOCS] Adds warning about exceptions requiring mappings (#2110)

* Move callout about endpoint exceptions to more appropriate section

This note was previously at the top-level exceptions section, when it
really only applies when adding to the Endpoint rule.

* Add note about mappings being required for exceptions

Wording is subject to change; just throwing something at the wall for
now.

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* [DOCS] Removed ref to Stack GS (#2128)

* Minor edits to Tin's work

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Matches order of sections to order they're mentioned in the intro

* Changes bullets to numbers

* Update docs/experimental-features/experimental-features-intro.asciidoc

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>

* Update docs/experimental-features/security-posture-management.asciidoc

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>

* Update docs/experimental-features/experimental-features-intro.asciidoc

* Incorporate Joe's and Janeen's feedback

* fixes build error

* troubleshoots build error

* troubleshoots build error

* troubleshoots build errors

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: debadair <debadair@elastic.co>
Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
mergify bot pushed a commit that referenced this pull request Jun 28, 2022
(cherry picked from commit edeecb9)
benironside added a commit that referenced this pull request Jun 28, 2022
(cherry picked from commit edeecb9)

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
acorretti pushed a commit that referenced this pull request Nov 19, 2024

* Remove workaround from create rule docs

* Restore admonition, with revisions from Madison

Successfully merging this pull request may close these issues.

[DOCS] Threshold Rule actions can target aggregated fields directly

4 participants