elastic · nastasha-solomon · Sep 25, 2024 · Sep 19, 2024 · Sep 22, 2024 · Sep 22, 2024
@@ -0,0 +1,48 @@
+[[exclude-cold-frozen-data-individual-rules]]
+== Exclude cold and frozen data from a rule
+
+:frontmatter-description: Configure a rule to ignore cold and frozen data during execution. 
+:frontmatter-tags-products: [security]
+:frontmatter-tags-content-type: [how-to]
+:frontmatter-tags-user-goals: [manage]
+
+Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen data, add a Query DSL filter that ignores cold and frozen {ref}/data-tiers.html[data tiers] when executing. You can add the filter when creating a new rule or updating an existing one. 
+
+NOTE: This method is not supported for {esql} and {ml} rules.
+
+TIP: To ensure that _all_ rules in a {kib} space exclude cold and frozen data when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>.
+
+Here is a sample Query DSL filter that excludes frozen tier data from a rule's execution:
+
+[source,console]
+----
+{
+   "bool":{
+      "must_not":{
+         "terms":{
+            "_tier":[
+               "data_frozen"
+            ]
+         }
+      }
+   }
+}
+----
+
+Here is another sample Query DSL filter that excludes cold and frozen tier data from a rule's execution:
+
+[source,console]
+----
+{
+   "bool":{
+      "must_not":{
+         "terms":{
+            "_tier":[
+               "data_frozen", "data_cold"
+            ]
+         }
+      }
+   }
+}
+----
+
@@ -11,6 +11,8 @@ include::rules-cross-cluster-search.asciidoc[leveloffset=+1]
 
 include::investigation-guide-actions.asciidoc[leveloffset=+1]
 
+include::detections-exclude-cold-frozen-data-tiers.asciidoc[leveloffset=+1]
+
 include::prebuilt-rules-management.asciidoc[]
 
 include::rules-ui-manage.asciidoc[]

@@ -24,7 +24,11 @@ To create a new detection rule, follow these steps:
 * You'll also need permissions to enable and view detections, manage rules, manage alerts, and preview rules. These permissions depend on the user role. Refer to <<detections-permissions-section>> for more information.
 --
 
-TIP: At any step, you can <<preview-rules,preview the rule>> before saving it to see what kind of results you can expect.
+[TIP]
+==============
+* At any step, you can <<preview-rules,preview the rule>> before saving it to see what kind of results you can expect.
+* To ensure rules don't search cold and frozen data when executing, either configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>> (which applies to all rules in a space), or add a <<exclude-cold-frozen-data-individual-rules,Query DSL filter>> to individual rules. 
+==============
 
 NOTE: Additional configuration is required for detection rules using cross-cluster search. Refer to <<rules-cross-cluster-search>>.
 

@@ -175,3 +175,18 @@ By default, Elastic prebuilt rules in the *Rules* and *Rule Monitoring* tables i
 == Manage alert tag options
 
 The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to <<apply-alert-tags>>.
+
+[discrete]
+[[exclude-cold-frozen-data-rule-executions]]
+== Exclude cold and frozen data from rule executions 
+
+To ensure rules don't search cold and frozen data when executing, specify cold and frozen {ref}/data-tiers.html[data tiers] in the `excludedDataTiersForRuleExecution` field. Multiple data tiers must be separated by commas, for example: `data_frozen`, `data_cold`. This setting is turned off by default; turning it on can improve rule performance and reduce execution time. 
+
+This setting does not apply to {esql} or {ml} rules. 
+
+[TIP]
+====
+
+This setting applies to all rules in a {kib} space. To only exclude cold and frozen data from specific rules, add a <<exclude-cold-frozen-data-individual-rules,Query DSL filter>> to the rules you want affected. 
+
+====