From c9c6b858db7a09cc64ff443eb65883caa3a393d8 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 15 Jun 2022 16:30:14 -0400 Subject: [PATCH 1/2] Remove workaround from create rule docs --- docs/detections/rules-ui-create.asciidoc | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index e5b496dae1..222ec7fd40 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -163,19 +163,7 @@ alerts. For example, if `Group by` is `source.ip`, `destination.ip` and its `Threshold` is `10`, an alert is generated for every pair of source and destination IP addresses that appear in at least 10 of the rule's search results. + You can also leave the `Group by` field undefined. The rule then creates an alert when the number of search results is equal to or greater than the threshold value. If you set `Count` to limit the results by `process.name` >= 2, an alert will only be generated for source/destination IP pairs that appear with at least 2 unique process names across all events. -+ -[IMPORTANT] -============== -Signals created by *threshold* rules are synthetic signals that do not resemble the source documents. The signal itself only contains data about the fields that were aggregated over (the `Group by` fields). Additionally, the signal contains "lookup" data for retrieving a *Timeline* of all of the source events that caused the threshold to be exceeded. -If you wish to create an <> based on a threshold rule, you can obtain values of the fields that were aggregated over by entering the following: -``` -{{#context.alerts}} - {{#signal.threshold_result.terms}} - {{value}} - {{/signal.threshold_result.terms}} -{{/context.alerts}} -``` -============== + . Continue with <> (optional) or click *Continue* to <>. [discrete] From ceb1afa1bf165723ebcf296cc8e25e7ba8c0af54 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 20 Jun 2022 13:59:33 -0400 Subject: [PATCH 2/2] Restore admonition, with revisions from Madison --- docs/detections/rules-ui-create.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 222ec7fd40..91fc51bbf5 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -163,6 +163,8 @@ alerts. For example, if `Group by` is `source.ip`, `destination.ip` and its `Threshold` is `10`, an alert is generated for every pair of source and destination IP addresses that appear in at least 10 of the rule's search results. + You can also leave the `Group by` field undefined. The rule then creates an alert when the number of search results is equal to or greater than the threshold value. If you set `Count` to limit the results by `process.name` >= 2, an alert will only be generated for source/destination IP pairs that appear with at least 2 unique process names across all events. ++ +IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the `Group by` fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. . Continue with <> (optional) or click *Continue* to <>.