Updates Update Rule docs for Threshold + Indicator Match rules

This ports the changes made in elastic#522 to analogous updates to the Rule Update API docs.
rylnd · Mar 10, 2021 · d4abebc · d4abebc
1 parent f2f027b
commit d4abebc
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc
@@ -89,8 +89,13 @@ whether an alert is generated.
 |threshold |Object a|Defines the field and threshold value for when alerts
 are generated, where:
 
-* `field` (string, required): The field on which the threshold is applied. If
-you specify an empty field (`""`), alerts are generated when the query returns
+* `cardinality` (Array of length 1): The field on which the cardinality is applied.
+* `cardinality.field` (string, required): The field on which to calculate and compare the
+cardinality.
+* `cardinality.value` (integer, required): The threshold value from which an alert is
+generated based on unique number of values of `cardinality.field`.
+* `field` (string or string[], required): The field on which the threshold is applied. If
+you specify an empty array (`[]`), alerts are generated when the query returns
 at least the number of results specified in the `value` field.
 * `value` (integer, required): The threshold value from which an alert is
 generated.
@@ -258,9 +263,12 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`).
 |==============================================
 |Name |Type |Description
 
-|threat_filter |Object[]
+|threat_filters |Object[]
 |{ref}/query-filter-context.html[Query and filter context] array used to filter
 documents from the {es} index containing the threat values.
+
+|threat_indicator_path |String
+|Much like an ingest processor, users can use this field to define where their threat indicator can be found on their indicator documents. Defaults to `threatintel.indicator`.
 |==============================================
 
 ===== Optional fields for query, threat-match and threshold rules
@@ -500,4 +508,4 @@ Example response:
   ],
   "version": 2
 }
---------------------------------------------------
+--------------------------------------------------