[8.16] Updates docs for and related to the excludedDataTiersForRuleExecution advanced setting#5962
Merged
nastasha-solomon merged 38 commits intomainfrom Nov 14, 2024
Merged
Conversation
nastasha-solomon
added
Feature: Rules
Team: Detection Engine
Priority: High
|
A documentation preview will be available soon. Request a new doc build by commenting
If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here. |
This was referenced Nov 7, 2024
Closed
nastasha-solomon
changed the title
excludedDataTiersForRuleExecution advanced setting
yctercero
reviewed
Nov 12, 2024
yctercero
reviewed
Nov 12, 2024
yctercero
reviewed
Nov 12, 2024
yctercero
reviewed
Nov 12, 2024
Contributor
marshallmain
left a comment
marshallmain
left a comment
There was a problem hiding this comment.
With the phrase The best path forward continues to be modifying the index patterns to only use hot tier data., are we specifically intending to reference guidance that we've provided before? An alternative might be The best path forward is to modify the index patterns to only use hot tier data..
Also @yctercero do we have a specific modification we can provide that works across the board, e.g. -partial* to exclude frozen indices? Do we know if that would work everywhere? Users might read "just modify your index patterns" and think that's a monumental task unless we have an easy specific change they can make.
peluja1012
reviewed
Nov 12, 2024
peluja1012
reviewed
Nov 12, 2024
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
benironside
reviewed
Nov 14, 2024
Contributor
benironside
left a comment
benironside
left a comment
There was a problem hiding this comment.
Left a few minor comments which may or may not be helpful! Lmk when you're ready for an approval
…idoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
…idoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
…idoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
benironside
approved these changes
Nov 14, 2024
nastasha-solomon
added
Effort: Large
mergify Bot
pushed a commit
that referenced
this pull request
Nov 14, 2024
…xecution` advanced setting (#5962) * First draft * Updating IM rules * disclaimer about certain rule types and shards * Minor tweak to dsl query docs * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Marshall's suggestion * Update docs/detections/detection-engine-intro.asciidoc * Removes note that's no longer needed * Moves file back to remove this change from the PR * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Updates what's new * Fixed title * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/whats-new.asciidoc * Update docs/whats-new.asciidoc * Update docs/release-notes/8.16.asciidoc * Fixes a typo * Minor wording adjustments * Update docs/whats-new.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> --------- Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> (cherry picked from commit cd4f12b)
mergify Bot
pushed a commit
that referenced
this pull request
Nov 14, 2024
…xecution` advanced setting (#5962) * First draft * Updating IM rules * disclaimer about certain rule types and shards * Minor tweak to dsl query docs * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Marshall's suggestion * Update docs/detections/detection-engine-intro.asciidoc * Removes note that's no longer needed * Moves file back to remove this change from the PR * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Updates what's new * Fixed title * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/whats-new.asciidoc * Update docs/whats-new.asciidoc * Update docs/release-notes/8.16.asciidoc * Fixes a typo * Minor wording adjustments * Update docs/whats-new.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> --------- Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> (cherry picked from commit cd4f12b)
nastasha-solomon
added a commit
that referenced
this pull request
Nov 14, 2024
…orRuleExecution` advanced setting (backport #5962) (#6174) * First draft * Updating IM rules * disclaimer about certain rule types and shards * Minor tweak to dsl query docs * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Marshall's suggestion * Update docs/detections/detection-engine-intro.asciidoc * Removes note that's no longer needed * Moves file back to remove this change from the PR * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Updates what's new * Fixed title * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/whats-new.asciidoc * Update docs/whats-new.asciidoc * Update docs/release-notes/8.16.asciidoc * Fixes a typo * Minor wording adjustments * Update docs/whats-new.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> --------- Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> (cherry picked from commit cd4f12b) Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
nastasha-solomon
added a commit
that referenced
this pull request
Nov 14, 2024
…rRuleExecution` advanced setting (backport #5962) (#6173) * First draft * Updating IM rules * disclaimer about certain rule types and shards * Minor tweak to dsl query docs * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Marshall's suggestion * Update docs/detections/detection-engine-intro.asciidoc * Removes note that's no longer needed * Moves file back to remove this change from the PR * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Updates what's new * Fixed title * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/whats-new.asciidoc * Update docs/whats-new.asciidoc * Update docs/release-notes/8.16.asciidoc * Fixes a typo * Minor wording adjustments * Update docs/whats-new.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> --------- Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> (cherry picked from commit cd4f12b) Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
acorretti
pushed a commit
that referenced
this pull request
Nov 19, 2024
…orRuleExecution` advanced setting (backport #5962) (#6174) * First draft * Updating IM rules * disclaimer about certain rule types and shards * Minor tweak to dsl query docs * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Marshall's suggestion * Update docs/detections/detection-engine-intro.asciidoc * Removes note that's no longer needed * Moves file back to remove this change from the PR * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Updates what's new * Fixed title * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/getting-started/advanced-setting.asciidoc * Update docs/whats-new.asciidoc * Update docs/whats-new.asciidoc * Update docs/release-notes/8.16.asciidoc * Fixes a typo * Minor wording adjustments * Update docs/whats-new.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> * Update docs/getting-started/advanced-setting.asciidoc * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update docs/detections/detection-engine-intro.asciidoc Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> --------- Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com> (cherry picked from commit e6d6ec9) Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #5925 and https://github.com/elastic/security-docs-internal/issues/47 by updating the explanation for filtering out cold and frozen documents during rule executions and adding the disclaimer about certain rule types and cold/frozen shards.
Previews:
excludedDataTiersForRuleExecutionadvanced setting