[Security Solution][Detection Engine] ES|QL rule type generates less alerts than expected with MV_EXPAND #197130
Assignees
Labels
Feature:Detection Rules
Anything related to Security Solution's Detection Rules
Team:Detection Engine
Security Solution Detection Engine Area
Comments
marshallmain
added
Feature:Detection Rules
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
MV_EXPANDcommand is in preview and was added to ES|QL for 8.11 (https://www.elastic.co/guide/en/elasticsearch/reference/8.15/esql-commands.html#esql-mv_expand). This command takes a multi-valued column and produces a separate row in the results for each value. As a consequence, the results can have multiple rows with the same_idand_indexvalues but the DE rule logic will only create an alert for one of these rows due to deduplication. We should investigate what the correct handling is in this scenario.The text was updated successfully, but these errors were encountered: