« Launch Timeline from investigation guides Install and manage Elastic prebuilt rules »
Elastic Docs Elastic Security Solution [8.16] Detections and alerts Create a detection rule

Exclude cold and frozen data from a rule

edit

Exclude cold and frozen data from a rule

edit

Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen data, add a Query DSL filter that ignores cold and frozen data tiers when executing. You can add the filter when creating a new rule or updating an existing one.

This method is not supported for ES|QL and machine learning rules.

To ensure that all rules in a Kibana space exclude cold and frozen data when executing, configure the excludedDataTiersForRuleExecution advanced setting.

Here is a sample Query DSL filter that excludes frozen tier data from a rule’s execution:

{
   "bool":{
      "must_not":{
         "terms":{
            "_tier":[
               "data_frozen"
            ]
         }
      }
   }
}

Here is another sample Query DSL filter that excludes cold and frozen tier data from a rule’s execution:

{
   "bool":{
      "must_not":{
         "terms":{
            "_tier":[
               "data_frozen", "data_cold"
            ]
         }
      }
   }
}
« Launch Timeline from investigation guides Install and manage Elastic prebuilt rules »