Merged
19 changes: 18 additions & 1 deletion docs/detections/detection-engine-intro.asciidoc
Expand Up @@ -63,6 +63,23 @@ To make sure you can access Detections and manage rules, see
<<detections-permissions-section>>.
==============

[float]
[[cold-tier-detections]]
== Compatibility with cold tier nodes

Cold tier is a {ref}/data-tiers.html[data tier] that holds time series data that is accessed only occasionally. In {stack} version >=7.11.0, {es-sec} supports cold tier data for the following {es} indices:

* Index patterns specified in `securitySolution:defaultIndex`
* Index patterns specified in the definitions of detection rules
* Index patterns specified in the data sources selector on various {security-app} pages

{es-sec} does NOT support cold tier data for the following {es} indices:

* Index patterns controlled by {es-sec}, including signals and list indices
* Index patterns specified in indicator match rules as indicator index patterns

Using cold tier data for unsupported indices may result in detection rule timeouts and overall performance degradation.

[float]
[[det-engine-terminology]]
== Terminology
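Review bot: The impact sentence at the end of the new section ("may result in detection rule timeouts and overall performance degradation") frames the problem as performance only; from a detection-coverage standpoint a rule execution that times out produces no alerts for that execution window, so consider stating explicitly that placing signals, list or indicator indices on cold tier can create alerting gaps, not just slowness. Two smaller points in the same hunk: the unsupported-indices bullet says "signals and list indices" while the surrounding Terminology section (context lines "alerts." and "External alerts::") uses "alerts", so either align the wording or clarify that signals indices are where alerts are stored; and "version >=7.11.0" reads better in docs prose as "7.11.0 and later". Finally, this block is reproduced verbatim in docs/es-overview.asciidoc in the same PR; a single shared snippet pulled in with `include::` would keep the two copies from drifting.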
Expand Down Expand Up @@ -108,7 +125,7 @@ alerts.
External alerts::
Alerts {es-sec} receives from external systems, such as Suricata.

Threat indices::
Indicator indices::
Indices containing suspect field values. <<create-indicator-rule, Indicator match rules>> use these
indices to compare their field values with source event values contained in
<<term-sec-indices, {es-sec} indices>>.
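Review bot: Renaming the glossary entry from "Threat indices::" to "Indicator indices::" is consistent with "indicator index patterns" introduced in the first hunk and with the existing `<<create-indicator-rule, Indicator match rules>>` link, but only the definition is changed here; confirm that other pages which still say "threat indices" (and any anchor or cross-reference that points at this entry) are updated in the same PR so the term does not appear under two names. It may also be worth adding an `[[...]]` anchor on this entry, as `<<term-sec-indices, ...>>` does for the indices entry, so the new cold tier section can link to the definition instead of restating it.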
16 changes: 16 additions & 0 deletions docs/es-overview.asciidoc
Expand Up @@ -82,6 +82,22 @@ view, and interact with data stored in {es} indices. You can easily perform
advanced data analysis and visualize your data in a variety of charts, tables,
and maps.

[discrete]
=== Compatibility with cold tier nodes

Cold tier is a {ref}/data-tiers.html[data tier] that holds time series data that is accessed only occasionally. In {stack} version >=7.11.0, {es-sec} supports cold tier data for the following {es} indices:

* Index patterns specified in `securitySolution:defaultIndex`
* Index patterns specified in the definitions of detection rules
* Index patterns specified in the data sources selector on various {security-app} pages

{es-sec} does NOT support cold tier data for the following {es} indices:

* Index patterns controlled by {es-sec}, including signals and list indices
* Index patterns specified in indicator match rules as indicator index patterns

Using cold tier data for unsupported indices may result in detection rule timeouts and overall performance degradation.

[discrete]
=== Additional Elastic Endpoint Security information

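Review bot: This section is a word-for-word copy of the block added to docs/detections/detection-engine-intro.asciidoc, differing only in the `[discrete]`/`===` heading markup; keeping two hand-maintained copies of a support matrix invites divergence when the version or the index list changes, so consider making one the source and pulling it into the other with `include::`, or keep the overview to a one-sentence summary linking to `<<cold-tier-detections>>`. The same wording nits apply as in the other file: "version >=7.11.0" is better written as "7.11.0 and later", and the closing sentence should say that timeouts on unsupported indices mean missed alerts for those rule runs, since that is the consequence a security reader needs from this paragraph.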