This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« Launch Timeline from investigation guides Install and manage Elastic prebuilt rules »
Elastic Docs Elastic Security Solution [8.x] Detections and alerts Create a detection rule

Exclude cold and frozen data from a rule

edit

Exclude cold and frozen data from a rule

edit

Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen data, add a Query DSL filter that ignores cold and frozen data tiers when executing. You can add the filter when creating a new rule or updating an existing one.

This method is not supported for ES|QL and machine learning rules.

To ensure that all rules in a Kibana space exclude cold and frozen data when executing, configure the excludedDataTiersForRuleExecution advanced setting.

Here is a sample Query DSL filter that excludes frozen tier data from a rule’s execution:

{
   "bool":{
      "must_not":{
         "terms":{
            "_tier":[
               "data_frozen"
            ]
         }
      }
   }
}

Here is another sample Query DSL filter that excludes cold and frozen tier data from a rule’s execution:

{
   "bool":{
      "must_not":{
         "terms":{
            "_tier":[
               "data_frozen", "data_cold"
            ]
         }
      }
   }
}
« Launch Timeline from investigation guides Install and manage Elastic prebuilt rules »