Description
The documentation that explains the Related integrations field of a detection rule is a bit misleading:
Many detection rules are designed to work with specific Elastic integrations and data fields. These prerequisites are identified in Related integrations and Required fields on a rule’s details page. Related integrations also displays each integration’s installation status and includes links for installing and configuring the listed integrations.
Please keep in mind that, for a given rule, users don't have to install all of the rule's related integrations to make it work. Installing just one of them can be enough. Also, some rules point to the legacy indices created by Beats, in which case there is no corresponding Fleet integration to install at all. A rule that points to both Beats indices and integration data streams works just fine when only a Beat is running and ingesting data into the cluster.
This is why Related integrations are called "related" and not "required", and calling them "prerequisites" without elaborating on that could be misleading.
Another thing worth mentioning is that the source of truth for what a given rule will be querying when enabled is its index patterns or data view fields. This is what's used by the rule execution logic at run time. The Related integrations and Required fields, on the other hand, are both purely informational properties that don't affect the rule's execution.
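To make the distinction concrete, here is an added example (not Elastic's code) that checks a rule against a constructed cluster state: the rule object mirrors the `index`, `related_integrations` and `required_fields` fields of a prebuilt rule, and the index names, package names and cluster contents are all assumed for illustration.

```python
"""Added example: a rule's index patterns, not its Related integrations,
decide what it will query at run time."""
from fnmatch import fnmatchcase

# Constructed rule object mirroring the fields of an Elastic prebuilt rule:
# `index` is what the query runs against; the other two are informational.
RULE = {
    "name": "Example process rule (constructed)",
    "index": ["logs-endpoint.events.process-*", "winlogbeat-*"],
    "related_integrations": [{"package": "endpoint"}, {"package": "windows"}],
    "required_fields": [{"name": "process.name", "type": "keyword"}],
}

# Constructed cluster state: only a legacy Winlogbeat index exists, and no
# Fleet integration package has been installed.
EXISTING_INDICES = ["winlogbeat-8.12.0-2024.01.01", "logs-system.syslog-default"]
INSTALLED_PACKAGES: set[str] = set()


def matched_patterns(rule, existing_indices):
    """Return the rule's index patterns that match at least one real index."""
    return [p for p in rule["index"]
            if any(fnmatchcase(idx, p) for idx in existing_indices)]


def can_execute_against_data(rule, existing_indices):
    """A rule has something to query as soon as ONE of its patterns matches."""
    return bool(matched_patterns(rule, existing_indices))


def missing_related_integrations(rule, installed_packages):
    """Informational only: which Related integrations are not installed.
    A non-empty result does not stop the rule from querying matched data."""
    return [ri["package"] for ri in rule["related_integrations"]
            if ri["package"] not in installed_packages]


if __name__ == "__main__":
    print("patterns with data:", matched_patterns(RULE, EXISTING_INDICES))
    print("rule has data to query:", can_execute_against_data(RULE, EXISTING_INDICES))
    print("related integrations not installed:",
          missing_related_integrations(RULE, INSTALLED_PACKAGES))
```

With nothing installed, both related integrations are reported as missing, yet the rule still has data to query because the Winlogbeat index satisfies one of its patterns.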
Let's clarify these nuances in the docs to avoid causing any user confusion.
You can find a linked SDH where the user and the support engineer were confused about the role of Related integrations vs Data Source: tags vs index patterns of prebuilt rules and which integrations they should install based on the values of these properties.
Resources
- https://www.elastic.co/docs/solutions/security/detect-and-alert/manage-detection-rules#rule-prerequisites
- You can find a link to the linked SDH (internal issue) in this ticket's timeline
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
N/A
Serverless release
N/A
Collaboration model
The documentation team
Point of contact
Main contact: @banderror
Stakeholders: @approksiu, @Mikaayenson