solutions/security/get-started/automatic-migration.md: 13 additions & 13 deletions
@@ -85,11 +85,11 @@ The table's fields are as follows:
85
85
*`Partially translated`: Part of the query could not be translated. You may need to specify an index pattern for the rule query, upload missing macros or lookups, or fix broken rule syntax.
86
86
*`Not translated`: None of the original query could be translated.
87
87
*`Error`: Rule translation failed. Refer to the the error details.
88
-
***Risk Score:** For Elasticauthored rules, risk scores are predefined. For custom translated rules, risk scores are defined as follows:
89
-
* If the source rule has a field comparable to Elastic's risk score, we use that value.
90
-
* Otherwise, if the source rule has a field comparable to Elastic's rule severity field, we base the risk score on that value according to these [guidelines](/solutions/security/detect-and-alert/create-detection-rule.md#custom-highlighted-esql-fields).
91
-
*Otherwise, a default value is assigned.
92
-
***Rule severity:** For Elasticauthored rules, severity scores are predefined. For custom translated rules, risk scores are based on the source rule's severity field. Splunk severity scores are translated to Elastic rule severity scores as follows:
88
+
***Risk Score:** For Elastic-authored rules, risk scores are predefined. For custom translated rules, risk scores are defined as follows:
89
+
* If the source rule has a field comparable to Elastic's `risk score`, we use that value.
90
+
* Otherwise, if the source rule has a field comparable to Elastic's `rule severity` field, we base the risk score on that value according to [these guidelines](/solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-basic-params).
91
+
*If neither of the above apply, we assign a default value.
92
+
***Rule severity:** For Elastic-authored rules, severity scores are predefined. For custom translated rules, risk scores are based on the source rule's severity field. Splunk severity scores are translated to Elastic rule severity scores as follows:
93
93
94
94
| Splunk severity | Elastic rule severity |
95
95
| ------- | ----------- |
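Review bot: new line 92 still says "risk scores" where it should say "severity scores": `For custom translated rules, risk scores are based on the source rule's severity field.` This bullet is the **Rule severity** entry and the preceding **Risk Score** bullet already covers risk scores, so suggest `For custom translated rules, severity scores are based on the source rule's severity field.` Two smaller items in the same hunk: the link target changed from `#custom-highlighted-esql-fields` to `#rule-ui-basic-params`, so please confirm that anchor exists in create-detection-rule.md, and the unchanged context line 87 has a doubled word (`Refer to the the error details`) that could be fixed in the same pass.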
@@ -99,7 +99,7 @@ The table's fields are as follows:
99
99
| 4 (High) | High |
100
100
| 5 (Critical) | Critical |
101
101
102
-
***Author:** Shows one of two possible values: `Elastic`, or `Custom`. Elasticauthored rules are created by Elastic and update automatically. Custom rules are translated by the Automatic Migration tool or your team, and do not update automatically.
102
+
***Author:** Shows one of two possible values: `Elastic`, or `Custom`. Elastic-authored rules are created by Elastic and update automatically. Custom rules are translated by the Automatic Migration tool or your team, and do not update automatically.
103
103
***Integrations:** Shows the number of Elastic integrations that must be installed to provide data for the rule to run successfully.
104
104
***Actions:** Allows you to click **Install** to add a rule to Elastic. Installed rules must also be enabled before they will run. To install rules in bulk, select the check box at the top of the table before clicking **Install**.
105
105
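Review bot: the hyphenation fix on line 102 is fine, but the same line keeps a stray comma in a two-item list: `Shows one of two possible values: `Elastic`, or `Custom`.` Suggest `Elastic` or `Custom` without the comma. In the context line 104, `Installed rules must also be enabled before they will run` reads more cleanly as `before they run`, and `check box` is usually written `checkbox` in this doc set; worth checking which form the rest of the page uses.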
@@ -108,7 +108,7 @@ The table's fields are as follows:
108
108
Once you're on the **Translated rules** page, to install any rules that were partially translated or not translated, you will need to edit them. Optionally, you can also edit custom rules that were successfully translated to finetune them.
109
109
110
110
:::{note}
111
-
You cannot edit Elasticauthored rules using this interface, but after they are installed you can [edit them](/solutions/security/detect-and-alert/manage-detection-rules.md) from the **Rules** page.
111
+
You cannot edit Elastic-authored rules using this interface, but after they are installed you can [edit them](/solutions/security/detect-and-alert/manage-detection-rules.md) from the **Rules** page.
112
112
:::
113
113
114
114
### Edit a custom rule
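Review bot: context line 108 has `finetune`, which should be `fine-tune`; since this commit is already a hyphenation pass (`Elastic-authored` on line 111), it would be consistent to fix it here rather than in a follow-up.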
@@ -127,7 +127,7 @@ If you haven't yet ingested your data, you will likely encounter `Unknown index`
127
127
128
128
### View rule details
129
129
130
-
The rule details flyout (which appears when you click on a rule's name in the **Translate rules** table) has two other tabs, **Overview** and **Summary**. The **Overview** tab displays information such as the rule's severity, risk score, rule type, and how frequently it runs. The **Summary** tab explains the logic behind how the rule was translated, such as why specific {{esql}} commands were used, or why a source rule was mapped to a particular Elasticauthored rule.
130
+
The rule details flyout (which appears when you click on a rule's name in the **Translate rules** table) has two other tabs, **Overview** and **Summary**. The **Overview** tab displays information such as the rule's severity, risk score, rule type, and how frequently it runs. The **Summary** tab explains the logic behind how the rule was translated, such as why specific {{esql}} commands were used, or why a source rule was mapped to a particular Elastic-authored rule.
131
131
132
132
::::{important}
133
133
All the details about your migrations is stored in the `.kibana-siem-rule-migrations-rules-default` index. You can use [Discover](/explore-analyze/discover.md) to review a variety of metrics, analyze metrics, and more.
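Review bot: line 130 refers to the **Translate rules** table while line 108 in the previous hunk refers to the **Translated rules** page; please confirm the actual UI label and use a single name for it. The `:::{important}` context on line 133 also needs a grammar fix and a trim: `All the details about your migrations is stored` should be `are stored`, and `review a variety of metrics, analyze metrics, and more` repeats itself (suggest `review and analyze migration metrics`).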
@@ -139,10 +139,6 @@ All the details about your migrations is stored in the `.kibana-siem-rule-migrat
139
139
140
140
After translation, rules that can't be translated appear with a status of either partially translated (yellow) or not translated (red). From there, you can address them individually.
141
141
142
-
**How does Automatic Migration handle Splunk rules which lookup other indices?**
143
-
144
-
Rules that fall into this category will typically appear with a status of partially translated. `LOOKUP JOIN`s are currently a tech preview {{esql}} which can help in this situation.
145
-
146
142
**Are nested macros supported?**
147
143
148
144
Yes, Automatic Migration can handle nested macros.
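Review bot: the removed answer on line 144 stated that `LOOKUP JOIN` is a tech preview {{esql}} feature; the replacement answer added at the end of this diff drops that caveat and only links to the reference page. If the command is still tech preview, the moved FAQ should keep that status so readers know not to rely on it in production; if it has gone GA, a note in the commit message would let reviewers confirm the removal is intentional rather than lost in the move.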
@@ -153,4 +149,8 @@ Automatic Migration maps your rules to Elastic-authored rules whenever possible,
153
149
154
150
**What index does information about each migration appear in?**
155
151
156
-
No matter how many times you use Automatic Migration, migration data will continue to appear in `.kibana-siem-rule-migrations-rules-default`.
152
+
No matter how many times you use Automatic Migration, migration data will continue to appear in `.kibana-siem-rule-migrations-rules-default`.
153
+
154
+
**How does Automatic Migration handle Splunk rules which lookup other indices?**
155
+
156
+
Rules that fall into this category will typically appear with a status of partially translated. You can use the [`LOOKUP JOIN](elasticsearch://reference/query-languages/esql/esql-lookup-join.md) capability to help in this situation.
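Review bot: the link on new line 156 is malformed: the code span opened by the backtick before `LOOKUP JOIN` is never closed, so `[`LOOKUP JOIN](elasticsearch://reference/query-languages/esql/esql-lookup-join.md)` will not render as a linked code span. It should read [`LOOKUP JOIN`](elasticsearch://reference/query-languages/esql/esql-lookup-join.md) with the closing backtick before `]`. Also, on new line 154 `Splunk rules which lookup other indices` uses the noun form; as a verb it should be `rules that look up other indices`.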