
Comments (5)

nastasha-solomon avatar nastasha-solomon commented on August 16, 2024

Serverless and ESS docs updated.

from security-docs.

nastasha-solomon avatar nastasha-solomon commented on August 16, 2024

In the docs, we broadly explain how indicator match (IM) rules work but we don’t go into detail about the following:

  • The order in which the matching process happens: This can actually alternate and is based on the ratio of indicator documents to source event documents at any given time. Event-first search introduced this variability when it was added to IM rules in 8.2.
  • How multi-value source events and indicators are handled during the matching process: This is influenced by the matching order and in some cases, documents are entirely ignored (read: excluded from the matching process). Also, from what I understand, it’s pretty uncommon for users to have multi-value source events and possibly multi-value indicators (@rylnd might be able to speak to this more).

As long as users are following the 1:1 matching ratio when setting up indicator match rules – as in, they're only matching one indicator value to one event source value – it’s less important for them to understand these under-the-hood details. They’re configuring the rule in the way that it was designed and shouldn’t run into any unexpected hiccups with the matching process.

If users are doing something different, such as setting up matches using multi-value source events and indicators, it might be useful for them to understand how the IM rule’s matching order and process works.

At the moment, @rylnd and I are at a juncture where we’re trying to decide whether to share this information and how it should be conveyed. To make this decision, we’re considering the following:

(@paulewing and @approksiu, any insight and opinions you can share on the following would be much appreciated. Thanks in advance!)

  • Have a significant number of users/customers tried to set up IM rules with multi-value source events and indicators and then run into issues doing this?
    • What type of content would help them in this situation? Would a brief explanation about the IM rule’s matching order and process help? Would troubleshooting docs help?
  • Do we want to make a hard statement about how indicator matches should be configured? For example, do we want to encourage users to set up 1:1 matching for the best rule experience? Do we want to make the statement that multi-value indicators or source events may not be supported in certain cases?


nastasha-solomon avatar nastasha-solomon commented on August 16, 2024

Confirmed with @rylnd that these doc updates aren't super urgent and can be addressed at a later time.


nastasha-solomon avatar nastasha-solomon commented on August 16, 2024

Moving to backlog since 8.11 and Serverless are the priorities this sprint.


nastasha-solomon avatar nastasha-solomon commented on August 16, 2024

Revisited this issue with @rylnd this week, and we decided to insert a note after step 2e of the “Create an indicator match rule” docs that says: Only single-value fields are supported.

Ryland also added to the knowledge article on IM rule troubleshooting to provide more direct assistance to support, so we're covered on that front as well.

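The thread above makes two points worth seeing concretely: for 1:1 (single-value to single-value) matching, the direction in which the rule evaluates (event-first or indicator-first) does not change which event/indicator pairs come out, and multi-value fields are the case the final docs note rules out. The toy model below is an added example written for this page; it is not Elastic's indicator match rule code and does not claim to reproduce how the real rule treats array fields (the thread says only that some documents are excluded in some cases). It resolves a dotted field path in each document, refuses to guess about array-valued fields by reporting them as skipped, and runs the same match in both orders so the result sets can be compared. All document contents are constructed sample data using RFC 5737 test addresses.

```python
from typing import Any

# Constructed sample documents (RFC 5737 test addresses), not from a real index.
SOURCE_EVENTS = [
    {"_id": "evt-1", "destination": {"ip": "203.0.113.10"}},
    {"_id": "evt-2", "destination": {"ip": "198.51.100.7"}},
    {"_id": "evt-3", "destination": {"ip": ["203.0.113.10", "192.0.2.5"]}},  # multi-value
]
INDICATORS = [
    {"_id": "ioc-1", "threat": {"indicator": {"ip": "203.0.113.10"}}},
    {"_id": "ioc-2", "threat": {"indicator": {"ip": "192.0.2.5"}}},
]


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted field path such as 'destination.ip' against a nested dict."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def single_values(docs: list, path: str):
    """Return ([(doc_id, value)], [(doc_id, reason)]) for docs holding `path`.

    Documents without the field are dropped silently (nothing to match on).
    Documents where the field is an array are not matched at all; they are
    reported in the second list so the operator can see what was excluded,
    in the spirit of the docs note "Only single-value fields are supported".
    """
    kept, skipped = [], []
    for d in docs:
        v = get_field(d, path)
        if v is None:
            continue
        if isinstance(v, list):
            skipped.append((d["_id"], f"{path} has {len(v)} values"))
            continue
        kept.append((d["_id"], v))
    return kept, skipped


def match_event_first(events, indicators, event_field, indicator_field):
    """Walk the events and look each value up in an index built from indicators."""
    ev, ev_skipped = single_values(events, event_field)
    ioc, ioc_skipped = single_values(indicators, indicator_field)
    by_value: dict = {}
    for ioc_id, v in ioc:
        by_value.setdefault(v, set()).add(ioc_id)
    pairs = {(e_id, i_id) for e_id, v in ev for i_id in by_value.get(v, ())}
    return pairs, ev_skipped + ioc_skipped


def match_indicator_first(events, indicators, event_field, indicator_field):
    """Walk the indicators and look each value up in an index built from events."""
    ev, ev_skipped = single_values(events, event_field)
    ioc, ioc_skipped = single_values(indicators, indicator_field)
    by_value: dict = {}
    for e_id, v in ev:
        by_value.setdefault(v, set()).add(e_id)
    pairs = {(e_id, i_id) for i_id, v in ioc for e_id in by_value.get(v, ())}
    return pairs, ev_skipped + ioc_skipped


def orders_agree(events, indicators, event_field, indicator_field) -> bool:
    """True when both evaluation orders produce the same set of (event, indicator) pairs."""
    a, _ = match_event_first(events, indicators, event_field, indicator_field)
    b, _ = match_indicator_first(events, indicators, event_field, indicator_field)
    return a == b


if __name__ == "__main__":
    pairs, skipped = match_event_first(
        SOURCE_EVENTS, INDICATORS, "destination.ip", "threat.indicator.ip"
    )
    for e_id, i_id in sorted(pairs):
        print(f"alert: {e_id} matched {i_id}")
    for doc_id, why in skipped:
        print(f"skipped: {doc_id} ({why})")
    print("orders agree:", orders_agree(
        SOURCE_EVENTS, INDICATORS, "destination.ip", "threat.indicator.ip"))
```

With this data only evt-1 pairs with ioc-1 in either order, evt-2 matches nothing, and evt-3 is reported as skipped because its `destination.ip` is an array. Whether a real rule would alert on evt-3 against ioc-1, ioc-2, both, or neither is exactly the under-the-hood detail the thread decided not to document, which is why the model surfaces the field as unsupported instead of picking a behaviour.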
