From 23a9ea9bace51f730c37505bd3689bdcb20a377d Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Tue, 21 Jan 2025 20:27:26 -0500
Subject: [PATCH] [8.x] Update rules-ui-create.asciidoc - fallback behavior in timestamp overrides (backport #6425) (#6463)

* Update rules-ui-create.asciidoc - fallback behavior in timestamp overrides (#6425)

* Update rules-ui-create.asciidoc - Note fallback behavior in timestamp overrides

Explicitly state the fallback behavior on timestamp overrides.

* Serverless updates

* Update docs/detections/rules-ui-create.asciidoc

* Update docs/detections/rules-ui-create.asciidoc

* formatting fix

* Update docs/detections/rules-ui-create.asciidoc

Co-authored-by: Yara Tercero

* Update docs/serverless/rules/rules-ui-create.asciidoc

Co-authored-by: Yara Tercero

---------

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: nastasha.solomon
Co-authored-by: Yara Tercero
(cherry picked from commit e9f0d81a638cd70ebb1922486366be079bd19214)

# Conflicts:
# docs/serverless/rules/rules-ui-create.asciidoc

* Delete docs/serverless directory and its contents

---------

Co-authored-by: Roberto Seldner
Co-authored-by: github-actions[bot]
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
---
 docs/detections/rules-ui-create.asciidoc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
index 2302d127d9..fc626627a7 100644
--- a/docs/detections/rules-ui-create.asciidoc
+++ b/docs/detections/rules-ui-create.asciidoc
@@ -587,8 +587,9 @@ Suricata, selecting `event.action` lets you see what action (Suricata category) caused the event directly in the Alerts table. + NOTE: For threshold rules, not all source event values can be used for overrides; only the fields that were aggregated over (the `Group by` fields) will contain data. -.. *Timestamp override* (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this avoids missing alerts due to ingestion delays. -However, if you know your data source has an inaccurate `@timestamp` value, it is recommended you select the *Do not use @timestamp as a fallback timestamp field* option to ignore the `@timestamp` field entirely. +.. *Timestamp override* (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this can prevent missing alerts from ingestion delays. ++ +If the selected field is unavailable, the rule query will use the `@timestamp` field instead. In the case that you don't want to use the `@timestamp` field because you know your data source has an inaccurate `@timestamp` value, we recommend selecting the **Do not use @timestamp as a fallback timestamp field** option instead. This will ensure that the rule query ignores the `@timestamp` field entirely. 
+ TIP: The {filebeat-ref}/filebeat-module-microsoft.html[Microsoft] and {filebeat-ref}/filebeat-module-google_workspace.html[Google Workspace] {filebeat} modules have an `event.ingested` timestamp field that can be used instead of the default `@timestamp` field.
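Review bot: The new fallback sentence ("If the selected field is unavailable, the rule query will use the `@timestamp` field instead.") leaves "unavailable" undefined, and that is the detail a rule author needs to size the risk: a timestamp override field that is absent from some events means those events are evaluated on `@timestamp`, which the same paragraph says may be inaccurate, so alerts can be missed or fire on stale data for exactly the subset of events the override was meant to protect. Suggest spelling out that the fallback applies per event when the selected field is missing from that event, and that it is silent, so the reader understands why the *Do not use @timestamp as a fallback timestamp field* option exists. Two smaller points on the same `+` lines: the continuation paragraph uses `**Do not use @timestamp as a fallback timestamp field**` (unconstrained bold) while the surrounding list item uses single-asterisk bold (`*Timestamp override*`, and the removed line used `*Do not use ... *`), so prefer single asterisks for consistency; and the added `+` continuation marker before the new paragraph is the right fix for the removed version, where the "However, ..." sentence sat outside the `..` list item and would have broken the list.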