[8.6] [Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813) (#4925)

nastasha-solomon · web-flow · commit 94144468a5f4 · 2024-03-18T10:28:04.000-04:00
* [Known Issue] Add docs to describe a known issue/limitation of EQL rule cross-cluster search (#4813) # Conflicts: # docs/detections/api/rules/rules-api-create.asciidoc # docs/detections/rules-ui-create.asciidoc * Removed merge markers
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -399,11 +399,16 @@ documents from the {es} index containing the threat values.
 context] array used to define the conditions for when alerts are created from
 events. Defaults to an empty array.
 
-|index |String[] |Indices on which the rule functions. Defaults to the
+|index |String[] a|Indices on which the rule functions. Defaults to the
 Security Solution indices defined on the {kib} Advanced Settings page
 (*Kibana* → *Stack Management* → *Advanced Settings* →
 `securitySolution:defaultIndex`).
 
+[NOTE]
+======
+Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <<rules-cross-cluster-search,cross-cluster search>>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search.
+======
+
 |risk_score_mapping |Object[] a|Overrides generated alerts' `risk_score` with
 a value from the source event:
 
diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc
@@ -193,6 +193,8 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re
 ==== Create an event correlation rule
 . To create an event correlation rule using EQL, select *Event Correlation*, then:
 .. Define which {es} indices or data view the rule searches for alerts.
++
+NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <<rules-cross-cluster-search,cross-cluster search>>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search.
 .. Add an {ref}/eql-syntax.html[EQL statement] used to detect alerts.
 +
 For example, the following rule detects when `msxsl.exe` makes an outbound

Original file line number	Diff line number	Diff line change
`@@ -193,6 +193,8 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re`
`193`	`193`	`==== Create an event correlation rule`
`194`	`194`	`. To create an event correlation rule using EQL, select Event Correlation, then:`
`195`	`195`	`.. Define which {es} indices or data view the rule searches for alerts.`
	`196`	`++`
	`197`	+NOTE: Event correlation rules have a limitation that prevents them from querying multiple indices from different clusters (local and remote). To enable this, a user with the {ref}/built-in-roles.html[`superuser`] role must modify the EQL rules that are configured to use <<rules-cross-cluster-search,cross-cluster search>>. This updates the rule's API key to use `superuser` privileges and allows the rule to use cross-cluster search.
`196`	`198`	`.. Add an {ref}/eql-syntax.html[EQL statement] used to detect alerts.`
`197`	`199`	`+`
`198`	`200`	For example, the following rule detects when `msxsl.exe` makes an outbound