From fceb5ecd334f3ae8dec22505dd023c428942c25c Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 29 Mar 2023 10:07:09 -0400 Subject: [PATCH] Update docs to show that CCS Supported for IM rules in 8.7 (#3054) (cherry picked from commit 4e83fb06dcb8fe99ba8597d498bbde9e499197b3) --- docs/detections/detection-engine-intro.asciidoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index 5a5b9b7eb7..149d338c66 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -68,13 +68,12 @@ To make sure you can access Detections and manage rules, see Cold tier is a {ref}/data-tiers.html[data tier] that holds time series data that is accessed only occasionally. In {stack} version >=7.11.0, {es-sec} supports cold tier data for the following {es} indices: * Index patterns specified in `securitySolution:defaultIndex` -* Index patterns specified in the definitions of detection rules, except for indicator match rules +* Index patterns specified in the definitions of detection rules * Index patterns specified in the data sources selector on various {es-sec-app} pages {es-sec} does *NOT* support cold tier data for the following {es} indices: * Index patterns controlled by {elastic-sec}, including alerts and list indices -* Index patterns specified in indicator match rules Using cold tier data for unsupported indices may result in detection rule timeouts and overall performance degradation. 
@@ -87,7 +86,6 @@ Indicator match rules provide a powerful capability to search your security data In addition, the following support restrictions are in place: * {es-sec} does not support the use of frozen tier data with indicator match rules. -* The use of cross-cluster search with indicator match rules is not supported. * Indicator match rules with an additional look-back time value greater than 24 hours are not supported. [float]
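
Review bot: In the cold tier hunk (@@ -68,13 +68,12 @@), removing "except for indicator match rules" leaves that bullet under the sentence "In {stack} version >=7.11.0, {es-sec} supports cold tier data". The page therefore reads as if indicator match rules have supported cold tier data since 7.11.0, while the subject line only announces cross-cluster search support in 8.7. If cold tier support for indicator match rules begins at a later version, put that version on the bullet. Either way, the commit message should mention the cold tier change, since both the exception and the matching "does *NOT* support" bullet are dropped here.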
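
Review bot: In the support-restrictions hunk (@@ -87,7 +86,6 @@), the bullet "The use of cross-cluster search with indicator match rules is not supported." is deleted with no replacement, so the page never states that cross-cluster search now works with indicator match rules or from which version. The subject ties the support to 8.7 and this is a cherry-pick, so consider replacing the bullet with a positive statement that names the version instead of removing it silently, and confirm that the target branch documents 8.7 or later.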