
[Internal]: Clarify the docs on detection rules' related integrations #3994

@banderror

Description


This documentation, which explains the Related integrations field of a detection rule, is a bit misleading:

https://www.elastic.co/docs/solutions/security/detect-and-alert/manage-detection-rules#rule-prerequisites

Many detection rules are designed to work with specific Elastic integrations and data fields. These prerequisites are identified in Related integrations and Required fields on a rule’s details page. Related integrations also displays each integration’s installation status and includes links for installing and configuring the listed integrations.

Please keep in mind that, for a given rule, users don't have to install all of the rule's related integrations to make it work. It could be enough to install just one of them. Also, some rules can point to the legacy indices created by beats, in which case there won't be a corresponding Fleet integration to install. A rule that points to both beats' indices and integrations' data streams can work just fine as long as there is a beat running and ingesting data into the cluster.

This is why Related integrations are called "related" and not "required". And it could be misleading to call them "prerequisites" without elaborating on that.

Another thing worth mentioning is that the source of truth for what a given rule will be querying when enabled is its index patterns or data view fields. This is what's used by the rule execution logic at run time. The Related integrations and Required fields, on the other hand, are both purely informational properties that don't affect the rule's execution.

Let's clarify these nuances in the docs to avoid causing any user confusion.

You can find a linked SDH where the user and the support engineer were confused about the role of Related integrations vs Data Source: tags vs index patterns of prebuilt rules and which integrations they should install based on the values of these properties.

Resources

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

N/A

What release is this request related to?

N/A

Serverless release

N/A

Collaboration model

The documentation team

Point of contact

Main contact: @banderror

Stakeholders: @approksiu, @Mikaayenson
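The distinction the issue draws, shown as an added example (not code from the issue, Kibana or the docs): the rule's index patterns are resolved against concrete index/data stream names to decide whether the rule has data to query, while related integrations are only reported as installed or missing. The sample rule, cluster source names and installed package set are constructed; the rule's field names follow the detection rule schema, but the cluster and Fleet lookups are stand-ins for what you would fetch from the APIs.

```python
import re

# Constructed sample rule. Field names follow the Kibana detection rule schema
# (index, related_integrations, required_fields); the values are made up.
SAMPLE_RULE = {
    "name": "constructed example rule",
    "index": ["logs-aws.cloudtrail-*", "filebeat-*"],
    "related_integrations": [
        {"package": "aws", "version": "^2.0.0", "integration": "cloudtrail"},
    ],
    # Informational only: not evaluated by the rule executor.
    "required_fields": [{"name": "event.action", "type": "keyword", "ecs": True}],
}

# Constructed stand-ins for data you would pull from the cluster (index and
# data stream names) and from Fleet (installed package names).
CLUSTER_SOURCES = ["filebeat-8.12.0-2024.05.01", "logs-system.syslog-default"]
INSTALLED_PACKAGES = {"system"}


def pattern_to_regex(pattern):
    """Index patterns only support '*' as a wildcard; everything else is literal."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def resolve_sources(patterns, sources):
    """Map each index pattern to the concrete index/data stream names it matches.
    This is the rule's real data scope at execution time."""
    return {p: [s for s in sources if pattern_to_regex(p).fullmatch(s)] for p in patterns}


def assess_rule(rule, sources, installed_packages):
    """Separate what decides execution (index patterns hitting data) from what is
    advisory (related integrations installed or not)."""
    matched = resolve_sources(rule["index"], sources)
    related = {ri["package"] for ri in rule.get("related_integrations", [])}
    return {
        "matched": matched,
        # True if at least one pattern resolves to existing data, e.g. a legacy
        # beats index, even when no related integration is installed.
        "has_data": any(matched.values()),
        "installed_related": sorted(related & installed_packages),
        "missing_related": sorted(related - installed_packages),
    }


if __name__ == "__main__":
    print(assess_rule(SAMPLE_RULE, CLUSTER_SOURCES, INSTALLED_PACKAGES))
```

With the constructed inputs the rule has data (the filebeat index matches) even though its only related integration, aws, is not installed.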


Labels: Team:Experience (Issues owned by the Experience Docs Team)
