From 9630c4385901f5c7007340f3502a6398668d8c3b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 7 May 2024 17:05:55 -0400 Subject: [PATCH 1/8] First draft --- docs/detections/api/rules/rules-api-create.asciidoc | 3 +++ docs/detections/rules-ui-create.asciidoc | 2 ++ docs/events/timeline-ui-overview.asciidoc | 2 ++ 3 files changed, 7 insertions(+) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 621d3fe102..54d2893c96 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -38,6 +38,9 @@ an event's `destination.ip` equals a value in the index. The index's field mappings should be {ecs-ref}[ECS-compliant]. * *New terms*: Generates an alert for each new term detected in source documents within a specified time range. * *{esql}*: Uses {ref}/esql.html[Elasticsearch Query Language ({esql})] to find events and aggregate search results. ++ +NOTE: The {esql} rule type is available by default. Turn this option off by toggling the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. + * *{ml-cap} rules*: Creates an alert when a {ml} job discovers an anomaly above the defined threshold (see <>). diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index bf8e964672..7a269dbcf6 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -266,6 +266,8 @@ For example, if a rule has an interval of 5 minutes, no additional look-back tim [[create-esql-rule]] === Create an {esql} rule +NOTE: The {esql} rule type option is available by default. To hide and turn the option off, toggle the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. + Use {ref}/esql.html[{esql}] to query your source events and aggregate event data. Query results are returned in a table with rows and columns. Each row becomes an alert. To create an {esql} rule: diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 27ccc06304..c4c5e1adac 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -196,6 +196,8 @@ From the *Correlation* tab, you can also do the following: [[esql-in-timeline]] == Use {esql} to investigate events +NOTE: The **{esql}** Timeline tab is available by default. To hide the tab and turn it off, toggle the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. + preview::["Do not use {esql} on production environments. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] NOTE: The {esql} tab is available by default. Since it's in technical preview, you can remove it by editing your {cloud}/ec-manage-kibana-settings.html#ec-manage-kibana-settings[{kib} user settings] and adding the `xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"]` feature flag. From cbb63e4bd102c823c89db7c2c9f447b850aa5647 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Tue, 7 May 2024 17:13:47 -0400 Subject: [PATCH 2/8] Minor edits --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- docs/detections/rules-ui-create.asciidoc | 2 +- docs/events/timeline-ui-overview.asciidoc | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 54d2893c96..e8b0241740 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -39,7 +39,7 @@ mappings should be {ecs-ref}[ECS-compliant]. * *New terms*: Generates an alert for each new term detected in source documents within a specified time range. * *{esql}*: Uses {ref}/esql.html[Elasticsearch Query Language ({esql})] to find events and aggregate search results. + -NOTE: The {esql} rule type is available by default. Turn this option off by toggling the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. +NOTE: The {esql} rule type is available by default. Turn it off by toggling the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. * *{ml-cap} rules*: Creates an alert when a {ml} job discovers an anomaly above the defined threshold (see <>). diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 7a269dbcf6..bfa094aad0 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -266,7 +266,7 @@ For example, if a rule has an interval of 5 minutes, no additional look-back tim [[create-esql-rule]] === Create an {esql} rule -NOTE: The {esql} rule type option is available by default. To hide and turn the option off, toggle the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. +NOTE: The {esql} rule type is available by default. Turn it off by toggling the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. Use {ref}/esql.html[{esql}] to query your source events and aggregate event data. Query results are returned in a table with rows and columns. Each row becomes an alert. diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index c4c5e1adac..23ef12610f 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -196,7 +196,7 @@ From the *Correlation* tab, you can also do the following: [[esql-in-timeline]] == Use {esql} to investigate events -NOTE: The **{esql}** Timeline tab is available by default. To hide the tab and turn it off, toggle the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. +NOTE: The **{esql}** Timeline tab is available by default. Turn it off by toggling the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. preview::["Do not use {esql} on production environments. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] From 96e39a485181aa56a318a7ba4bfadd0fee3b43d5 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Fri, 10 May 2024 16:12:27 -0400 Subject: [PATCH 3/8] Updated note --- docs/assistant/security-assistant.asciidoc | 2 ++ docs/detections/about-rules.asciidoc | 2 ++ docs/detections/api/rules/rules-api-create.asciidoc | 3 --- docs/detections/rules-ui-create.asciidoc | 2 -- docs/events/timeline-ui-overview.asciidoc | 2 +- 5 files changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/assistant/security-assistant.asciidoc b/docs/assistant/security-assistant.asciidoc index bd0b9ae059..8f52284f71 100644 --- a/docs/assistant/security-assistant.asciidoc +++ b/docs/assistant/security-assistant.asciidoc @@ -185,6 +185,8 @@ The **Knowledge base** tab of the AI Assistant settings menu allows you to enabl [[rag-for-esql]] ==== Knowledge base for {esql} +NOTE: {esql} features are turned on by default and are controlled by the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting. + IMPORTANT: {esql} queries generated by AI Assistant might require additional validation. To ensure they're correct, refer to the {ref}/esql-language.html[{esql} documentation]. When this feature is enabled, AI Assistant can help you write an {esql} query for a particular use case, or answer general questions about {esql} syntax and usage. To enable AI Assistant to answer questions about {esql}: diff --git a/docs/detections/about-rules.asciidoc b/docs/detections/about-rules.asciidoc index f27d0c6f6a..2332db32d4 100644 --- a/docs/detections/about-rules.asciidoc +++ b/docs/detections/about-rules.asciidoc 
@@ -43,6 +43,8 @@ TIP: You can also use value lists as the indicator match index. See <>: Generates an alert for each new term detected in source documents within a specified time range. You can also detect a combination of up to three new terms (for example, a `host.ip` and `host.id` that have never been observed together before). * <>: Searches the defined indices and creates an alert when results match an {ref}/esql.html[Elasticsearch Query Language (ES|QL)] query. ++ +NOTE: {esql} features are turned on by default and are controlled by the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting. [role="screenshot"] image::images/all-rules.png[Shows the Rules page] diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index e8b0241740..621d3fe102 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -38,9 +38,6 @@ an event's `destination.ip` equals a value in the index. The index's field mappings should be {ecs-ref}[ECS-compliant]. * *New terms*: Generates an alert for each new term detected in source documents within a specified time range. * *{esql}*: Uses {ref}/esql.html[Elasticsearch Query Language ({esql})] to find events and aggregate search results. -+ -NOTE: The {esql} rule type is available by default. Turn it off by toggling the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. - * *{ml-cap} rules*: Creates an alert when a {ml} job discovers an anomaly above the defined threshold (see <>). diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index bfa094aad0..bf8e964672 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -266,8 +266,6 @@ For example, if a rule has an interval of 5 minutes, no additional look-back tim [[create-esql-rule]] === Create an {esql} rule -NOTE: The {esql} rule type is available by default. Turn it off by toggling the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. - Use {ref}/esql.html[{esql}] to query your source events and aggregate event data. Query results are returned in a table with rows and columns. Each row becomes an alert. To create an {esql} rule: diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 23ef12610f..089db2a30a 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc @@ -196,7 +196,7 @@ From the *Correlation* tab, you can also do the following: [[esql-in-timeline]] == Use {esql} to investigate events -NOTE: The **{esql}** Timeline tab is available by default. Turn it off by toggling the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting off. +NOTE: {esql} features are turned on by default and are controlled by the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting. preview::["Do not use {esql} on production environments. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] From c3b8aa60054b83ec84045891a0ebf5d0689dd1ac Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 13 May 2024 15:36:06 -0400 Subject: [PATCH 4/8] Removing outdated content --- docs/events/timeline-ui-overview.asciidoc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 089db2a30a..772ffc550b 100644 --- a/docs/events/timeline-ui-overview.asciidoc 
+++ b/docs/events/timeline-ui-overview.asciidoc @@ -198,10 +198,6 @@ From the *Correlation* tab, you can also do the following: NOTE: {esql} features are turned on by default and are controlled by the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting. -preview::["Do not use {esql} on production environments. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] - -NOTE: The {esql} tab is available by default. Since it's in technical preview, you can remove it by editing your {cloud}/ec-manage-kibana-settings.html#ec-manage-kibana-settings[{kib} user settings] and adding the `xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"]` feature flag. - The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful way to filter, transform, and analyze event data stored in {es}. {esql} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. You can use {esql} in Timeline by opening the **{esql}** tab. From there, you can: From 6148ded99fe3391061f90224cd3d66b69e77b4c6 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 17 May 2024 16:03:47 -0400 Subject: [PATCH 5/8] Update docs/assistant/security-assistant.asciidoc --- docs/assistant/security-assistant.asciidoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/assistant/security-assistant.asciidoc b/docs/assistant/security-assistant.asciidoc index 0d410fb5be..3191aa702b 100644 --- a/docs/assistant/security-assistant.asciidoc +++ b/docs/assistant/security-assistant.asciidoc 
@@ -185,7 +185,12 @@ The **Knowledge base** tab of the AI Assistant settings menu allows you to enabl [[rag-for-esql]] ==== Knowledge base for {esql} -NOTE: {esql} features are turned on by default and are controlled by the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting. +NOTE: {esql} is enabled by default in {kib}. It can be +disabled using the `enableESQL` setting from the +{kibana-ref}/advanced-options.html[Advanced Settings]. ++ +This will hide the {esql} user interface from various applications. +However, users will be able to access existing {esql} artifacts like saved searches and visualizations. IMPORTANT: {esql} queries generated by AI Assistant might require additional validation. To ensure they're correct, refer to the {ref}/esql-language.html[{esql} documentation]. From 4257abbaa297d5eec599ceca940ac52df3ceeb22 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 17 May 2024 16:03:54 -0400 Subject: [PATCH 6/8] Update docs/detections/about-rules.asciidoc --- docs/detections/about-rules.asciidoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/detections/about-rules.asciidoc b/docs/detections/about-rules.asciidoc index 2332db32d4..723fb04926 100644 --- a/docs/detections/about-rules.asciidoc +++ b/docs/detections/about-rules.asciidoc 
@@ -44,7 +44,12 @@ TIP: You can also use value lists as the indicator match index. See <>: Searches the defined indices and creates an alert when results match an {ref}/esql.html[Elasticsearch Query Language (ES|QL)] query. + -NOTE: {esql} features are turned on by default and are controlled by the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting. +NOTE: {esql} is enabled by default in {kib}. It can be +disabled using the `enableESQL` setting from the +{kibana-ref}/advanced-options.html[Advanced Settings]. ++ +This will hide the {esql} user interface from various applications. +However, users will be able to access existing {esql} artifacts like saved searches and visualizations. [role="screenshot"] image::images/all-rules.png[Shows the Rules page] From 7956bc3cb7d418b6bac0aa98dd26df9d1b87b140 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 17 May 2024 16:04:00 -0400 Subject: [PATCH 7/8] Update docs/events/timeline-ui-overview.asciidoc --- docs/events/timeline-ui-overview.asciidoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/events/timeline-ui-overview.asciidoc b/docs/events/timeline-ui-overview.asciidoc index 772ffc550b..c951bf6e9a 100644 --- a/docs/events/timeline-ui-overview.asciidoc +++ b/docs/events/timeline-ui-overview.asciidoc 
@@ -196,7 +196,12 @@ From the *Correlation* tab, you can also do the following: [[esql-in-timeline]] == Use {esql} to investigate events -NOTE: {esql} features are turned on by default and are controlled by the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting. +NOTE: {esql} is enabled by default in {kib}. It can be +disabled using the `enableESQL` setting from the +{kibana-ref}/advanced-options.html[Advanced Settings]. ++ +This will hide the {esql} user interface from various applications. +However, users will be able to access existing {esql} artifacts like saved searches and visualizations. The {ref}/esql.html[Elasticsearch Query Language ({esql})] provides a powerful way to filter, transform, and analyze event data stored in {es}. {esql} queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis. From bdcdb964f9d14bde5f1e55ab81b2e23a2c6d9b00 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Sun, 19 May 2024 16:33:08 -0400 Subject: [PATCH 8/8] Fixed formatting --- docs/assistant/security-assistant.asciidoc | 5 +---- docs/detections/about-rules.asciidoc | 5 +---- docs/events/timeline-ui-overview.asciidoc | 5 +---- 3 files changed, 3 insertions(+), 12 deletions(-) diff --git a/docs/assistant/security-assistant.asciidoc b/docs/assistant/security-assistant.asciidoc index 3191aa702b..85cc31fe8d 100644 --- a/docs/assistant/security-assistant.asciidoc +++ b/docs/assistant/security-assistant.asciidoc 
@@ -187,10 +187,7 @@ The **Knowledge base** tab of the AI Assistant settings menu allows you to enabl NOTE: {esql} is enabled by default in {kib}. It can be disabled using the `enableESQL` setting from the -{kibana-ref}/advanced-options.html[Advanced Settings]. -+ -This will hide the {esql} user interface from various applications. -However, users will be able to access existing {esql} artifacts like saved searches and visualizations. +{kibana-ref}/advanced-options.html[Advanced Settings]. This will hide the {esql} user interface from various applications. However, users will be able to access existing {esql} artifacts like saved searches and visualizations. IMPORTANT: {esql} queries generated by AI Assistant might require additional validation. To ensure they're correct, refer to the {ref}/esql-language.html[{esql} documentation]. diff --git a/docs/detections/about-rules.asciidoc b/docs/detections/about-rules.asciidoc index 723fb04926..b241b82013 100644 --- a/docs/detections/about-rules.asciidoc +++ b/docs/detections/about-rules.asciidoc @@ -46,10 +46,7 @@ TIP: You can also use value lists as the indicator match index. See <
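Review bot: In PATCH 1/8, timeline-ui-overview.asciidoc hunk at `@@ -196,6 +196,8 @@`, the new NOTE contradicts the admonitions that remain two lines below it: the added text says the tab is turned off via the `enableESQL` advanced setting, while the existing `preview::[...]` block and the existing NOTE say it is removed with the `xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"]` feature flag. A reader of this revision gets two different disable mechanisms back to back. The stale admonitions are only dropped in PATCH 4/8; they should be removed in the same change that introduces the replacement so no intermediate revision ships the conflict.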
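Review bot: In PATCH 2/8, rules-api-create.asciidoc hunk at `@@ -39,7 +39,7 @@`, the reworded sentence "Turn it off by toggling the ... advanced setting off." still ends with the doubled "off ... off" that the edit set out to fix; the same sentence is repeated in the rules-ui-create.asciidoc and timeline-ui-overview.asciidoc hunks of this patch. Suggest "To disable it, turn off the {kibana-ref}/advanced-options.html#kibana-general-settings[`enableESQL`] advanced setting." in all three places.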
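Review bot: In PATCH 3/8, rules-api-create.asciidoc hunk at `@@ -38,9 +38,6 @@`, the blob index returns to `621d3fe102`, i.e. the file ends up byte-identical to its state before PATCH 1/8; the rules-ui-create.asciidoc hunk in the same patch likewise returns to `bf8e964672`. Across the series these two files see only churn (note added in 1/8, reworded in 2/8, deleted in 3/8). Please squash 1/8 through 3/8 so the history records the final decision rather than the drafting, and so bisecting never lands on a revision that documents a note the author decided against.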
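Review bot: In PATCH 3/8, security-assistant.asciidoc hunk at `@@ -185,6 +185,8 @@`, the new NOTE makes the following context line ambiguous: "When this feature is enabled, AI Assistant can help you write an {esql} query" now reads as though "this feature" is the `enableESQL` advanced setting just mentioned, when the section is about enabling the {esql} knowledge base. Suggest naming the feature explicitly in that sentence ("When the {esql} knowledge base is enabled, ...") or moving the NOTE below the enable steps.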
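Review bot: In PATCH 3/8, about-rules.asciidoc hunk at `@@ -43,6 +43,8 @@`, the added NOTE uses the `{esql}` attribute while the list item it is attached to spells the name out literally as "Elasticsearch Query Language (ES|QL)"; rules-api-create.asciidoc in this same series writes "Elasticsearch Query Language ({esql})". Since you are touching this bullet, switch the literal "(ES|QL)" to "({esql})" so the rendering stays consistent if the attribute value ever changes.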
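Review bot: In PATCH 4/8, timeline-ui-overview.asciidoc hunk at `@@ -198,10 +198,6 @@`, deleting the `preview::["Do not use {esql} on production environments. ..."]` admonition changes the documented support status of {esql} in Timeline from technical preview to (implicitly) GA, and the commit subject "Removing outdated content" does not say which release made it GA. Please cite the release in the commit message, and if the `xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"]` flag removed in the same hunk is still honoured, keep a one-line migration note so readers who set it know the `enableESQL` advanced setting is now the supported control.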
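Review bot: In PATCH 5/8, security-assistant.asciidoc hunk at `@@ -185,7 +185,12 @@`, the lone `+` line does not do what the layout suggests. `+` is a list continuation and this NOTE is a standalone paragraph under a section title, not a list item, so the marker is either dropped or rendered literally; and a `NOTE:` paragraph admonition only spans its own paragraph, so "This will hide the {esql} user interface ..." ends up as plain body text outside the note in any case. To keep both paragraphs inside the admonition use the block form (`[NOTE]` followed by a `====` delimited block), or merge them into one paragraph as PATCH 8/8 later does; better to land the final form directly and squash 5/8 into 8/8.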
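Review bot: In PATCH 6/8, about-rules.asciidoc hunk at `@@ -44,7 +44,12 @@`, the same six-line note is now copied verbatim into three files (security-assistant.asciidoc in 5/8 and timeline-ui-overview.asciidoc in 7/8 carry identical text); move it into a shared snippet and `include::` it so the three copies cannot drift the way the wording already has across 1/8, 2/8 and 3/8. On the content: the note correctly says the setting only hides the user interface and that existing {esql} artifacts stay reachable; in a security product's docs it is worth stating plainly that `enableESQL` is a UI toggle, not an access control, so nobody treats turning it off as a way to restrict who can run {esql}.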
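Review bot: In PATCH 7/8, timeline-ui-overview.asciidoc hunk at `@@ -196,7 +196,12 @@`, the generic "hide the {esql} user interface from various applications" loses the one concrete fact a reader of this section needs, which the text removed in 2/8 stated directly: that turning the setting off hides the **{esql}** Timeline tab. Keep the generic note if it must be shared, but add the Timeline-specific sentence here (for example "In Timeline, this hides the **{esql}** tab.").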
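Review bot: In PATCH 8/8, security-assistant.asciidoc hunk at `@@ -187,10 +187,7 @@`, merging the paragraphs fixes the admonition scope, but the result is a hard-wrapped first two lines ("NOTE: {esql} is enabled by default in {kib}. It can be" / "disabled using the `enableESQL` setting from the") followed by one very long third line. Wrap the whole note to one convention (either all on one line, as the surrounding `IMPORTANT:` admonition is, or consistently wrapped) so diffs of this block stay readable.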