

Indicator match: Creates an alert when Elastic Security index field values match field values defined in the specified indicator index patterns. For example, you can create an indicator index for IP addresses and use this index to create an alert whenever an event’s destination.ip equals a value in the index. Indicator index field mappings should be ECS-compliant. For information on creating Elasticsearch indices and field types, see Field data types. If you have indicators in a standard file format, such as CSV or JSON, you can also use the Machine Learning Data Visualizer to import your indicators into an indicator index. See Explore the data in Kibana and use the Import Data option to import your indicators.

Select this to use the saved query every time the rule runs. This links the rule to the saved query, and you won’t be able to modify the rule’s Custom query field or filters because the rule will only use settings from the saved query. To make changes, modify the saved query itself. Deselect this to load the saved query as a one-time way of populating the rule’s Custom query field and filters. This copies the settings from the saved query to the rule, so you can then further adjust the rule’s query and filters as needed. If the saved query is later changed, the rule will not inherit those changes. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
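The following is an added example (not Elastic's own code or documentation) of the indicator match setup described above: an ECS-shaped mapping for an IP indicator index, a Detections API body for a threat_match rule that compares destination.ip against threat.indicator.ip, and a local dry run of that match over constructed events. The index name "threat-intel-ip", the rule name, and all sample documents are assumptions.

```python
# Indicator index mapping (assumed index name "threat-intel-ip"): ECS threat.indicator
# fields typed as Elasticsearch "ip" and "keyword", so matches compare real IP values.
INDICATOR_INDEX_MAPPING = {"mappings": {"properties": {"threat": {"properties": {
    "indicator": {"properties": {"ip": {"type": "ip"}, "type": {"type": "keyword"}}}}}}}}

# Constructed indicator documents as stored in that index, and constructed ECS events
# from a Security index (network flows) that the rule would be run against.
INDICATORS = [
    {"threat": {"indicator": {"type": "ipv4-addr", "ip": "203.0.113.10"}}},
    {"threat": {"indicator": {"type": "ipv4-addr", "ip": "198.51.100.7"}}},
]
EVENTS = [
    {"event": {"id": "e1"}, "source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.10"}},
    {"event": {"id": "e2"}, "source": {"ip": "10.0.0.6"}, "destination": {"ip": "192.0.2.44"}},
    {"event": {"id": "e3"}, "source": {"ip": "198.51.100.7"}, "destination": {"ip": "10.0.0.9"}},
]

def get_path(doc, dotted):
    """Resolve an ECS dotted field name such as "destination.ip" in a nested document."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def indicator_match_rule(name, threat_index, groups):
    """Detections API body for a threat_match rule. Each group is a list of
    (event field, indicator field) pairs; entries in a group are ANDed, groups are ORed."""
    return {
        "name": name, "type": "threat_match", "severity": "medium", "risk_score": 47,
        "description": "Event field matches an indicator in " + ", ".join(threat_index),
        "index": ["logs-*"], "query": "*:*", "language": "kuery",
        "threat_index": threat_index, "threat_query": "*:*",
        "threat_indicator_path": "threat.indicator",
        "threat_mapping": [{"entries": [{"field": f, "type": "mapping", "value": v}
                                        for f, v in group]} for group in groups],
    }

def dry_run(rule, events, indicators):
    """Emulate the rule locally; returns (event id, matched value) per alert."""
    alerts = []
    for ev in events:
        for ind in indicators:
            for group in rule["threat_mapping"]:
                vals = [get_path(ev, e["field"]) for e in group["entries"]]
                if all(v is not None and v == get_path(ind, e["value"])
                       for v, e in zip(vals, group["entries"])):
                    alerts.append((ev["event"]["id"], vals[0]))
                    break  # one alert per event/indicator pair, as the rule would raise
    return alerts
```

Passing a second mapping group such as ("source.ip", "threat.indicator.ip") shows the OR semantics between groups: an event alerts when either side of the connection is a known indicator.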
