Comments (5)
Serverless and ESS docs updated.
from security-docs.
In the docs, we broadly explain how indicator match (IM) rules work but we don’t go into detail about the following:
- The order in which the matching process happens: This can actually alternate and is based on the ratio of indicator documents to source event documents at any given time. Event-first search introduced this variability when it was added to IM rules in 8.2.
- How multi-value source events and indicators are handled during the matching process: This is influenced by the matching order and in some cases, documents are entirely ignored (read: excluded from the matching process). Also, from what I understand, it’s pretty uncommon for users to have multi-value source events and possibly multi-value indicators (@rylnd might be able to speak to this more).
As long as users are following the 1:1 matching ratio when setting up indicator match rules – as in, they're only matching one indicator value to one event source value – it’s less important for them to understand these under-the-hood details. They’re configuring the rule in the way that it was designed and shouldn’t run into any unexpected hiccups with the matching process.
If users are doing something different, such as setting up matches using multi-value source events and indicators, it might be useful for them to understand how the IM rule’s matching order and process works.
At the moment, @rylnd and I are at a juncture where we’re trying to decide whether to share this information and how it should be conveyed. To make this decision, we’re considering the following:
(@paulewing and @approksiu, any insight and opinions you can share on the following would be much appreciated. Thanks in advance!)
- Have a significant number of users/customers tried to set up IM rules with multi-value source events and indicators and then run into issues doing this?
- What type of content would help them in this situation? Would a brief explanation about the IM rule’s matching order and process help? Would troubleshooting docs help?
- Do we want to make a hard statement about how indicator matches should be configured? For example, do we want to encourage users to set up 1:1 matching for the best rule experience? Do we want to make the statement that multi-value indicators or source events may not be supported in certain cases?
from security-docs.
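The comment above describes two under-the-hood behaviours of indicator match rules: the search order flips depending on the ratio of indicator documents to source event documents, and multi-value fields can cause documents to be dropped from matching entirely. The following is an added toy model written for this page to make that concrete; it is not the Elastic Security implementation. It assumes (both are assumptions, not statements from the thread) that the smaller side supplies the lookup terms, and that any document whose matched field holds a list is excluded and reported rather than partially matched. The `source.ip` and `threat.indicator.ip` field names, the `indicator_match`/`demo` helpers and all sample documents are constructed for the example.

```python
"""Toy model of indicator match (IM) evaluation.

Added illustration only; NOT the Elastic Security implementation.
Assumptions (not from the thread):
  * the side with fewer documents drives the search, standing in for the
    ratio-based ordering described in the comment above;
  * a field holding a list is "multi-valued", and any document whose matched
    field is multi-valued is excluded and reported, mirroring the documented
    constraint that only single-value fields are supported.
All events and indicators below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class MatchResult:
    order: str        # "event_first" or "indicator_first"
    matches: list     # (event, indicator) pairs
    skipped: list     # (side, document, reason) for excluded documents


def _value(doc, path):
    """Return the value at a dotted path such as 'source.ip', or None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def indicator_match(events, indicators, event_field, indicator_field):
    # Ordering rule (assumption): the smaller side supplies the lookup terms.
    order = "event_first" if len(events) <= len(indicators) else "indicator_first"
    skipped = []

    def index_single_valued(side, docs, path):
        """Bucket docs by their (single) field value; drop missing/multi-valued."""
        index = {}
        for d in docs:
            v = _value(d, path)
            if v is None:
                skipped.append((side, d, f"{path} missing"))
            elif isinstance(v, (list, tuple, set)):
                skipped.append((side, d, f"{path} is multi-valued"))
            else:
                index.setdefault(v, []).append(d)
        return index

    ev_index = index_single_valued("event", events, event_field)
    ind_index = index_single_valued("indicator", indicators, indicator_field)

    # The driving side is iterated; the other side is probed by exact value.
    driver, probe = (ev_index, ind_index) if order == "event_first" else (ind_index, ev_index)
    matches = []
    for value, driver_docs in driver.items():
        for other in probe.get(value, []):
            for d in driver_docs:
                ev, ind = (d, other) if order == "event_first" else (other, d)
                matches.append((ev, ind))
    return MatchResult(order, matches, skipped)


# Constructed sample data (RFC 5737 documentation addresses).
EVENTS = [
    {"source": {"ip": "203.0.113.10"}},
    {"source": {"ip": ["203.0.113.10", "198.51.100.7"]}},  # multi-valued field
    {"source": {"ip": "192.0.2.5"}},
]
INDICATORS = [
    {"threat": {"indicator": {"ip": "203.0.113.10"}}},
    {"threat": {"indicator": {"ip": "192.0.2.5"}}},
    {"threat": {"indicator": {"ip": "198.51.100.7"}}},
    {"threat": {"indicator": {"ip": "10.0.0.99"}}},
]


def demo():
    """Run the toy matcher over the constructed data."""
    return indicator_match(EVENTS, INDICATORS, "source.ip", "threat.indicator.ip")


if __name__ == "__main__":
    result = demo()
    print("order:", result.order)
    for ev, ind in result.matches:
        print("match:", _value(ev, "source.ip"), "<->", _value(ind, "threat.indicator.ip"))
    for side, doc, reason in result.skipped:
        print("skipped", side, doc, "->", reason)
```

The point a practitioner should take from the run is the skipped line: the second event carries `198.51.100.7`, which is a known indicator, but because `source.ip` on that event is a list the whole document is excluded and that hit is never raised. That silent miss is why the 1:1, single-value configuration is the one to recommend, and why a pre-flight check for multi-valued fields on both the source index and the indicator index is worth doing before a rule goes live.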
Confirmed with @rylnd that these doc updates aren't super urgent and can be addressed at a later time.
from security-docs.
Moving to backlog since 8.11 and Serverless are the priorities this sprint.
from security-docs.
Revisited this issue with @rylnd this week, and we decided to insert a note after step 2e of the “Create an indicator match rule” docs that says: Only single-value fields are supported.
Ryland also added to the knowledge article on IM rule troubleshooting to provide more direct assistance to support, so we're covered on that front as well.
from security-docs.