Merged
Changes from 16 commits
Commits
23 commits
0683d9c
First draft
nastasha-solomon Aug 21, 2025
f488cf1
More updates
nastasha-solomon Aug 21, 2025
9aa775a
advanced setting
nastasha-solomon Aug 21, 2025
c3dc97b
More changes
nastasha-solomon Aug 21, 2025
f5e33d8
Revisions
nastasha-solomon Aug 22, 2025
3a9fd75
Merge branch 'main' into issue-2295-im-not-match-9.2-serv
nastasha-solomon Aug 22, 2025
14a22dc
cleanup
nastasha-solomon Aug 22, 2025
39f0c9d
Updates screenshot and example
nastasha-solomon Aug 22, 2025
72ba122
Update create-detection-rule.md
nastasha-solomon Aug 22, 2025
5667a71
small tweak to image
nastasha-solomon Aug 22, 2025
3ea767d
revised mapping docs
nastasha-solomon Aug 22, 2025
20ea890
Merge branch 'main' into issue-2295-im-not-match-9.2-serv
nastasha-solomon Aug 22, 2025
2005ca0
applies to tag
nastasha-solomon Aug 22, 2025
779ae31
Merge branch 'issue-2295-im-not-match-9.2-serv' of https://github.com…
nastasha-solomon Aug 22, 2025
5499799
Remove s
nastasha-solomon Aug 22, 2025
68e6d6e
style
nastasha-solomon Aug 22, 2025
670be52
missing word
nastasha-solomon Aug 22, 2025
1708800
Update solutions/security/detect-and-alert/create-detection-rule.md
nastasha-solomon Aug 22, 2025
ab9c19c
Update solutions/security/detect-and-alert/create-detection-rule.md
nastasha-solomon Aug 23, 2025
19cc68b
Merge branch 'main' into issue-2295-im-not-match-9.2-serv
nastasha-solomon Aug 25, 2025
8b3dca5
Merge branch 'main' into issue-2295-im-not-match-9.2-serv
nastasha-solomon Aug 26, 2025
278e21a
Merge branch 'main' into issue-2295-im-not-match-9.2-serv
nastasha-solomon Sep 1, 2025
fb53067
Merge branch 'main' into issue-2295-im-not-match-9.2-serv
nastasha-solomon Sep 2, 2025
Binary file modified solutions/images/security-indicator-rule-example.png
44 changes: 25 additions & 19 deletions solutions/security/detect-and-alert/create-detection-rule.md
Expand Up @@ -235,47 +235,53 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a
## Create an indicator match rule [create-indicator-rule]

::::{note}
{{elastic-sec}} provides limited support for indicator match rules. See [Limited support for indicator match rules](/solutions/security/detect-and-alert.md#support-indicator-rules) for more information.
{{elastic-sec}} provides [limited support](/solutions/security/detect-and-alert.md#support-indicator-rules) for indicator match rules.
::::


1. Find **Detection rules (SIEM)** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Create new rule**.
2. To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select **Indicator Match**, then fill in the following fields:

1. **Source**: The individual index patterns or data view that specifies what data to search.
2. **Custom query**: The query and filters used to retrieve the required results from the {{elastic-sec}} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`.
2. To create a rule that continually compares your security source events with threat indicators and generates alerts when they meet the rule criteria that you specify, select **Indicator Match**, then configure the following:

::::{tip}
If you want the rule to check every field in the indices, use this wildcard expression: `*:*`.
::::
1. **Source**: The index patterns or data view that store your source event documents. The **Index patterns** field is prepopulated with indices that are set in the [default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices). If you choose to use a **Data View**, you must specify one from the drop-down.

2. **Custom query**: The query and filters used to retrieve documents from your source event indices. Field values in these documents are compared against indicator values, according to the threat mapping conditions that you set.

The default KQL query `*:*` retrieves every document in the specified event indices. You can modify the query as needed. For example, if you only want to retrieve documents that contain a `destination.ip` address field, enter `destination.ip : *`.


::::{note}
::::{tip}
You can use saved queries and queries from saved Timelines (**Import query from saved Timeline**) as rule conditions.
::::

3. **Indicator index patterns**: The indicator index patterns containing field values for which you want to generate alerts. This field is automatically populated with indices specified in the `securitySolution:defaultThreatIndex` advanced setting. For more information, see [Update default Elastic Security threat intelligence indices](/solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices).
3. **Indicator index patterns**: The index patterns that store your threat indicator documents. This field is automatically populated with indices specified in the [`securitySolution:defaultThreatIndex`](/solutions/security/get-started/configure-advanced-settings.md#update-threat-intel-indices) advanced setting.

::::{important}
Data in indicator indices must be [ECS compatible](/reference/security/fields-and-object-schemas/siem-field-reference.md), and so it must contain a `@timestamp` field.
Data in threat indicator indices must be [ECS compatible](/reference/security/fields-and-object-schemas/siem-field-reference.md), and must contain a `@timestamp` field.
::::

4. **Indicator index query**: The query and filters used to filter the fields from the indicator index patterns. The default query `@timestamp > "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the start time down to the nearest day (resolves to UTC `00:00:00`).
5. **Indicator mapping**: Compares the values of the specified event and indicator fields, and generates an alert if the values are identical.
4. **Indicator index query**: The query used to retrieve documents from your threat indicator indicies. Field values in these documents are compared against indicator values, according to the threat mapping conditions that you set.

The default KQL query `@timestamp > "now-30d/d"` searches the threat indicator indicies for threat intelligence indicators that were ingested during the past 30 days. The start time is rounded down to the nearest day (resolves to UTC `00:00:00`).

5. **Indicator mapping**: Set threat mapping conditions that compare values in source event fields with values in threat indicator fields. Alerts are generated if the conditions are met.

::::{note}
Only single-value fields are supported.
::::

To specify fields to compare from your specified source event and threat indicator indices, create a threat mapping entry and configure the following:

* **Field**: Select a field from your source event indices for comparison.
* {applies_to}`stack: ga 9.2` **MATCHES/DOES NOT MATCH**: Choose whether the source event field value should match or not match the threat indicator field value that it's being compared to.

To define which field values are compared from the indices, add the following:
::::{note}
Define matching (`MATCHES`) conditions first, narrow down your results even more by adding `DOES NOT MATCH` conditions to exclude field values that you want to ignore. Mapping entries that _only_ use the `DOES NOT MATCH` condition are not supported. When configuring your threat mappings, at least one entry must have a `MATCHES` condition.
::::

* **Field**: The field used for comparing values in the {{elastic-sec}} event indices.
* **Indicator index field**: The field used for comparing values in the indicator indices.
* **Indicator index field**: Select a field from your threat indicator index for comparison.

6. You can add `AND` and `OR` clauses to define when alerts are generated.
6. (Optional) Add more threat mapping entries and combine them with `AND` and `OR` clauses.

For example, to create a rule that generates alerts when `host.name` **and** `destination.ip` field values in the `logs-*` or `packetbeat-*` {{elastic-sec}} indices are identical to the corresponding field values in the `mock-threat-list` indicator index, enter the rule parameters seen in the following image:
For example, to create a rule that generates alerts when `host.name` **and** `destination.ip` field values in the `logs-*` or `packetbeat-*` {{elastic-sec}} indices are identical to the corresponding field values in the `logs-ti_*` indicator index, enter the rule parameters seen in the following image:

:::{image} /solutions/images/security-indicator-rule-example.png
:alt: Indicator match rule settings
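Review bot: the new step 4 text misspells `indices` as `indicies` twice ("threat indicator indicies" in the field description and again in the default-query paragraph); fix both. The same field description also carries over the step 2 wording "Field values in these documents are compared against indicator values", but in step 4 the documents are the threat indicator documents themselves, so the sentence should say their field values are compared against the source event field values. In the note under **MATCHES/DOES NOT MATCH**, "Define matching (`MATCHES`) conditions first, narrow down your results even more by adding `DOES NOT MATCH` conditions" is missing a "then" after "first". Finally, since the example paragraph now refers to the `logs-ti_*` indicator index instead of `mock-threat-list`, confirm the replaced screenshot (security-indicator-rule-example.png, modified in this PR) shows that pattern.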
Expand Up @@ -89,7 +89,7 @@ The `securitySolution:defaultThreatIndex` advanced setting specifies threat inte



You can specify one or more threat intelligence indices; multiple indices must be separated by commas. By default, only the `logs-ti*` index pattern is specified. Do not remove or overwrite this index pattern, as it is used by {{agent}} integrations.
You can specify one or more threat intelligence indices; multiple indices must be separated by commas. By default, only the `logs-ti_*` index pattern is specified. Do not remove or overwrite this index pattern, as it is used by {{agent}} integrations.

::::{important}
Threat intelligence indices aren’t required to be ECS-compatible for use in indicator match rules. However, we strongly recommend compatibility if you want your alerts to be enriched with relevant threat indicator information. When searching for threat indicator data, indicator match rules use the threat indicator path specified in the **Indicator prefix override** advanced setting. Visit [Configure advanced rule settings](/solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-advanced-params) for more information.
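Review bot: the `logs-ti*` to `logs-ti_*` correction here matches the `logs-ti_*` pattern now used in the create-detection-rule.md example, but the important block directly below it still states that threat intelligence indices "aren't required to be ECS-compatible for use in indicator match rules", while the important block added in the other file says data in threat indicator indices "must be ECS compatible ... and must contain a `@timestamp` field". The two pages now contradict each other on a requirement readers will act on; settle on one statement (for example, `@timestamp` required, ECS compatibility recommended for alert enrichment) and use it in both places.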