From 1a332ec439350a9baa24b7ae7865c865999a3a7d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 27 Jun 2025 15:04:45 -0400 Subject: [PATCH 1/3] Adds ref to runtime fields --- reference/security/fields-and-object-schemas/alert-schema.md | 2 +- solutions/security/detect-and-alert/about-detection-rules.md | 2 +- solutions/security/detect-and-alert/query-alert-indices.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/reference/security/fields-and-object-schemas/alert-schema.md b/reference/security/fields-and-object-schemas/alert-schema.md index aaa752fa0b..a7258089c5 100644 --- a/reference/security/fields-and-object-schemas/alert-schema.md +++ b/reference/security/fields-and-object-schemas/alert-schema.md @@ -17,7 +17,7 @@ products: ::::{important} -* System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. +* System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use runtime fields instead, which allow you to add fields to existing alert and event documents. Refer to [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) to learn more. * Users are advised NOT to use the `_source` field in alert documents, but rather to use the `fields` option in the search API to programmatically obtain the list of fields used in these documents. Learn more about [retrieving selected fields from a search](elasticsearch://reference/elasticsearch/rest-apis/retrieve-selected-fields.md). :::: diff --git a/solutions/security/detect-and-alert/about-detection-rules.md b/solutions/security/detect-and-alert/about-detection-rules.md index 9ab7079b28..4301d30c50 100644 --- a/solutions/security/detect-and-alert/about-detection-rules.md 
+++ b/solutions/security/detect-and-alert/about-detection-rules.md @@ -63,7 +63,7 @@ To access data views in {{stack}}, you must have the [required permissions](/exp ::::{important} -System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. +System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use runtime fields instead, which allow you to add fields to existing alert and event documents. Refer to [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) to learn more. :::: diff --git a/solutions/security/detect-and-alert/query-alert-indices.md b/solutions/security/detect-and-alert/query-alert-indices.md index 6efd0ea1bf..91411201d8 100644 --- a/solutions/security/detect-and-alert/query-alert-indices.md +++ b/solutions/security/detect-and-alert/query-alert-indices.md @@ -17,7 +17,7 @@ This page explains how you should query alert indices, for example, when buildin ::::{important} -System indices, such as the alerts indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. +System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use runtime fields instead, which allow you to add fields to existing alert and event documents. Refer to [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) to learn more. :::: From f5ed6cf9d489e9a98e77aca43329a56e4c701157 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Fri, 27 Jun 2025 15:16:51 -0400 Subject: [PATCH 2/3] cleanup --- reference/security/fields-and-object-schemas/alert-schema.md | 2 +- solutions/security/detect-and-alert/about-detection-rules.md | 2 +- solutions/security/detect-and-alert/query-alert-indices.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/reference/security/fields-and-object-schemas/alert-schema.md b/reference/security/fields-and-object-schemas/alert-schema.md index a7258089c5..a57c09730a 100644 --- a/reference/security/fields-and-object-schemas/alert-schema.md +++ b/reference/security/fields-and-object-schemas/alert-schema.md @@ -17,7 +17,7 @@ products: ::::{important} -* System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use runtime fields instead, which allow you to add fields to existing alert and event documents. Refer to [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) to learn more. +* System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) instead, which allow you to add fields to existing alert and event documents. * Users are advised NOT to use the `_source` field in alert documents, but rather to use the `fields` option in the search API to programmatically obtain the list of fields used in these documents. Learn more about [retrieving selected fields from a search](elasticsearch://reference/elasticsearch/rest-apis/retrieve-selected-fields.md). :::: diff --git a/solutions/security/detect-and-alert/about-detection-rules.md b/solutions/security/detect-and-alert/about-detection-rules.md index 4301d30c50..8da5b67dec 100644 
--- a/solutions/security/detect-and-alert/about-detection-rules.md +++ b/solutions/security/detect-and-alert/about-detection-rules.md @@ -63,7 +63,7 @@ To access data views in {{stack}}, you must have the [required permissions](/exp ::::{important} -System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use runtime fields instead, which allow you to add fields to existing alert and event documents. Refer to [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) to learn more. +System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) instead, which allow you to add fields to existing alert and event documents. :::: diff --git a/solutions/security/detect-and-alert/query-alert-indices.md b/solutions/security/detect-and-alert/query-alert-indices.md index 91411201d8..8f9bd45ceb 100644 --- a/solutions/security/detect-and-alert/query-alert-indices.md +++ b/solutions/security/detect-and-alert/query-alert-indices.md 
@@ -17,7 +17,7 @@ This page explains how you should query alert indices, for example, when buildin ::::{important} -System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use runtime fields instead, which allow you to add fields to existing alert and event documents. Refer to [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) to learn more. +System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) instead, which allow you to add fields to existing alert and event documents. :::: From 3bf19ebb1130ca5c809a151ed33639a00f449e32 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 27 Jun 2025 15:44:27 -0400 Subject: [PATCH 3/3] Janeen's input --- reference/security/fields-and-object-schemas/alert-schema.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reference/security/fields-and-object-schemas/alert-schema.md b/reference/security/fields-and-object-schemas/alert-schema.md index a57c09730a..e40a2af433 100644 --- a/reference/security/fields-and-object-schemas/alert-schema.md +++ b/reference/security/fields-and-object-schemas/alert-schema.md 
@@ -18,7 +18,7 @@ products: ::::{important} * System indices, such as the alert indices, contain important configuration and internal data; do not change their mappings. Changes can lead to rule execution and alert indexing failures. Use [runtime fields](/solutions/security/get-started/create-runtime-fields-in-elastic-security.md) instead, which allow you to add fields to existing alert and event documents. -* Users are advised NOT to use the `_source` field in alert documents, but rather to use the `fields` option in the search API to programmatically obtain the list of fields used in these documents. Learn more about [retrieving selected fields from a search](elasticsearch://reference/elasticsearch/rest-apis/retrieve-selected-fields.md). +* We recommend to NOT to use the `_source` field in alert documents, but rather to use the `fields` option in the search API to programmatically obtain the list of fields used in these documents. Learn more about [retrieving selected fields from a search](elasticsearch://reference/elasticsearch/rest-apis/retrieve-selected-fields.md). ::::
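Review bot: In the three identical hunks of PATCH 1/3 (alert-schema.md @@ -17, about-detection-rules.md @@ -63, query-alert-indices.md @@ -17), the added sentence "Use runtime fields instead, which allow you to add fields to existing alert and event documents" can be read as saying that runtime fields write new fields into the stored documents, which is close to the mapping change the admonition is warning against. Runtime fields are evaluated at query time and do not alter the index mapping or the stored documents, and that is the reason they are the safe alternative here, so the sentence should say so, for example: "Instead of changing mappings, use runtime fields, which let you query additional fields on alert and event documents without modifying the index or the documents." Two smaller points: the hunks also rename "alerts indices" to "alert indices", which the subject line "Adds ref to runtime fields" does not mention; and the same admonition text is now maintained by hand in three files, which is why PATCH 2/3 has to touch all three again, so a shared snippet would keep them from drifting.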
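Review bot: In the PATCH 2/3 hunks, "Use [runtime fields](...) instead" leaves "instead" pointing back two sentences to "do not change their mappings", so the contrast is easy to miss; "Instead of changing mappings, use [runtime fields](...) to ..." keeps the alternative next to the thing it replaces. Please also confirm that `/solutions/security/get-started/create-runtime-fields-in-elastic-security.md` resolves in the docs build, since the same absolute path is now linked from three pages and a broken target would break all three.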
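Review bot: The PATCH 3/3 hunk in alert-schema.md (@@ -18,7 +18,7 @@) introduces a grammatical error: "We recommend to NOT to use the `_source` field" has a doubled "to". Suggested replacement for that line: "* We recommend that you do NOT use the `_source` field in alert documents; instead, use the `fields` option in the search API to programmatically obtain the list of fields used in these documents." The rest of the line, including the link to retrieving selected fields, can stay as is.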