solutions/security/detect-and-alert/create-detection-rule.md
Lines changed: 3 additions & 3 deletions
@@ -256,14 +256,14 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a
256
256
3. **Indicator index patterns**: The index patterns that stores your threat indicator documents. This field is automatically populated with indices specified in the [`securitySolution:defaultThreatIndex`](/solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) advanced setting.
257
257
258
258
::::{important}
259
-
Data in threat intelligence indicator indices must be [ECS compatible](/reference/security/fields-and-object-schemas/siem-field-reference.md), and must contain a `@timestamp` field.
259
+
Data in threat indicator indices must be [ECS compatible](/reference/security/fields-and-object-schemas/siem-field-reference.md), and must contain a `@timestamp` field.
260
260
::::
261
261
262
262
4. **Indicator index query**: The query used to retrieve documents from your threat indicator indicies. Field values in these documents are compared against indicator values, according to the threat mapping conditions that you set.
263
263
264
264
The default KQL query `@timestamp > "now-30d/d"` searches the threat indicator indicies for threat intelligence indicators that were ingested during the past 30 days. The start time is rounded down to the nearest day (resolves to UTC `00:00:00`).
265
265
266
-
5. **Indicator mapping**: Set threat mapping conditions that compare values in source event fields with values in threat indicator fields. Alerts are generated if the conditions are met.
266
+
5. **Indicator mapping**: Set threat mapping conditions that compare values in source event fields with values in threat indicator fields. Alerts are generated if the conditions are met.
267
267
268
268
::::{note}
269
269
Only single-value fields are supported.
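Review bot: the wording fix at line 259 (`threat intelligence indicator indices` to `threat indicator indices`) leaves the misspelling `indicies` in the unchanged context at lines 262 and 264 (`from your threat indicator indicies`, `searches the threat indicator indicies`); since this change is already normalising that phrase, fold in `indices` so the term is spelled consistently across the section. Line 256 in the same hunk also has a number-agreement error, `The index patterns that stores your threat indicator documents`, which should read `store`. Lastly, the old and new line 266 (`5. **Indicator mapping**: ...`) show no visible text difference, so this is presumably a whitespace-only change; confirm in the source diff that it is intentional rather than an accidental trailing-space edit.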
@@ -272,7 +272,7 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a
272
272
To specify fields to compare from your specified source event and threat indicator indices, create a threat mapping entry and configure the following:
273
273
274
274
* **Field**: Select a field from your source event indices for comparison.
275
-
* **MATCHES/DOES NOT MATCH**: Choose whether the source event field value should match or not match the threat indicator field value that it's being compared to.
275
+
* {applies_to}`stack: ga 9.2` **MATCHES/DOES NOT MATCH**: Choose whether the source event field value should match or not match the threat indicator field value that it's being compared to.
276
276
277
277
::::{note}
278
278
Define matching (MATCHES) conditions first, narrow down your results even more by adding `DOES NOT MATCH` conditions to exclude field values that you want to ignore. Mapping entries that _only_ use the `DOES NOT MATCH` condition are not supported. When configuring your threat mappings, at least one entry must have a `MATCHES` condition.
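Review bot: the `{applies_to}`stack: ga 9.2`` badge added at line 275 marks only the **MATCHES/DOES NOT MATCH** bullet, but the note at line 278 also describes `DOES NOT MATCH` behaviour (ordering, the "only DOES NOT MATCH is not supported" restriction, the at-least-one-`MATCHES` requirement), so a reader on an earlier version would see the version badge on the bullet and then an unbadged note that describes a feature they do not have; apply the same badge to the note, or wrap both in one `{applies_to}` block. Two smaller points in the same note: `Define matching (MATCHES) conditions first, narrow down your results even more by adding` is a run-on and reads better as `Define matching (MATCHES) conditions first, then narrow down your results by adding`, and the operator names are formatted three ways across the hunk (bold in the bullet, bare `(MATCHES)` and backticked `DOES NOT MATCH` in the note); pick one style for both.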