
[Internal]: improvements to threshold rule documentation #2110

@denar50

Description

Following the epic that proposes removing the limit of the group by fields for threshold rules, we have decided to instead increase the limit from 3 to 5. Therefore, the documentation should be updated accordingly.
Here is an image showcasing the new limit during rule creation:

[image: the new limit during rule creation]

Since the performance of the rule execution depends greatly on the cardinality (number of unique values) of the selected group by fields, as well as the number of documents that the query matches (see https://github.com/elastic/security-team/issues/8240#issuecomment-3036285731), we would like to add a tip/note in the docs pointing this out, in case users have performance issues during the execution of a rule (e.g. timeouts).

Resources

Existing threshold rule documentation

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

No differences.

What release is this request related to?

9.2

Serverless release

N/A

Collaboration model

The documentation team

Point of contact

Main contact: @denar50 (author)

Stakeholders: @yctercero @approksiu
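An added illustration of the point the requested note makes, written for this page and not code from the issue, the docs or Elastic Security. It models a threshold rule at the bucket level: documents that match the rule query are grouped by the tuple of group by field values, and each group whose document count reaches the threshold is a hit. Both quantities the note calls out are visible in the output: the number of matched documents is the number of documents grouped, and the number of buckets the aggregation must hold is bounded by the product of the per-field cardinalities, so each extra group by field multiplies the bound. All sample documents, field names and the threshold value are constructed for the example; nothing here calls Elasticsearch.

```python
"""Toy model of how a threshold rule's work grows with its group-by fields.

Added example, not code from the issue or from Elastic Security. The sample
documents below are constructed; "host.name", "user.name" and "source.ip"
are just plausible ECS-style field names used for illustration.
"""
from collections import Counter
from itertools import product
from math import prod


def make_events(n_hosts: int, n_users: int, n_ips: int) -> list:
    """Constructed sample documents: every host/user/ip combination occurs,
    repeated 1 to 4 times so that bucket counts differ between groups."""
    events = []
    for h, u, i in product(range(n_hosts), range(n_users), range(n_ips)):
        repeats = (h + u + i) % 4 + 1
        doc = {"host.name": f"host-{h}", "user.name": f"user-{u}",
               "source.ip": f"10.0.0.{i}"}
        events.extend(dict(doc) for _ in range(repeats))
    return events


def cardinality(events, fields):
    """Distinct values per field (the 'cardinality' the note refers to)."""
    return {f: len({e[f] for e in events}) for f in fields}


def max_buckets(events, fields):
    """Upper bound on the number of buckets: the product of the per-field
    cardinalities. Adding a group-by field multiplies this bound."""
    return prod(cardinality(events, fields).values())


def bucket_counts(events, fields):
    """Group the matched documents by the tuple of group-by field values."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def threshold_hits(events, fields, threshold):
    """Buckets that reach the threshold (count >= threshold): {key: count}."""
    return {k: c for k, c in bucket_counts(events, fields).items()
            if c >= threshold}


def workload(events, fields, threshold):
    """The numbers to look at when a threshold rule times out."""
    counts = bucket_counts(events, fields)
    return {
        "matched_docs": len(events),
        "cardinality": cardinality(events, fields),
        "max_buckets": max_buckets(events, fields),
        "observed_buckets": len(counts),
        "hits": len(threshold_hits(events, fields, threshold)),
    }


if __name__ == "__main__":
    evts = make_events(2, 3, 4)   # 60 constructed documents
    for fields in (["host.name"],
                   ["host.name", "user.name"],
                   ["host.name", "user.name", "source.ip"]):
        print(fields, workload(evts, fields, 3))
```

Running the script shows the bucket count growing from 2 to 6 to 24 as fields are added to the same 60 documents, which is the multiplicative effect the proposed note warns about; on real data with a high-cardinality field such as a source IP, the same growth is what turns a cheap rule into one that times out.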

Metadata

Labels

Team:Experience (Issues owned by the Experience Docs Team), documentation (Improvements or additions to documentation)