Index patterns global and per rule?


I know that I have to set in Stack Management/Kibana/Advanced which indices are considered when SIEM is doing its magic.

But I just recently realised there are other "index patterns" per rule. Are these mere recommendations where the events are to be expected, or are these rules that have to match?

I found some hints in other threads here that they are rules that can be changed, but that has to be done per rule, which is quite cumbersome (and not update safe).

I make heavy use of renamed indices for multi tenancy and the like - does this mean, if I want to use predefined rules, I have to either change the index pattern in every rule or rename my indices?


Hi Thomas!

The index patterns defined in a rule are the only places that a rule will query for possible alerts. The default indices in Stack Management/Kibana/Advanced Settings are used to initially populate the "Index patterns" field when you start the "Create new rule" process. However, once the rule is created it will not track any new changes to the default indices in Stack Management/Kibana/Advanced Settings.

For renamed indices, this does mean that each rule has to be updated to contain the correct index patterns or the indices need to be renamed.

Hope that helps!


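An added example, not part of the original thread and not Elastic's code: because a rule queries only its own index patterns, a rule whose patterns match none of the renamed indices never produces an alert. This sketch lists such rules from an NDJSON rule export. The field names `rule_id`, `name` and `index`, the sample rules and the index names are assumptions constructed for illustration, and only the `*` wildcard is handled.

```python
import json
import re

# Constructed sample: two lines in the assumed shape of a detection-rule
# NDJSON export, plus a trailing export-summary line (no "rule_id").
SAMPLE_EXPORT = "\n".join([
    json.dumps({"rule_id": "constructed-1", "name": "Suspicious process",
                "index": ["winlogbeat-*", "logs-endpoint.events.*"]}),
    json.dumps({"rule_id": "constructed-2", "name": "Unusual login",
                "index": ["auditbeat-*", "tenant-*-auditbeat-*"]}),
    json.dumps({"exported_count": 2}),
])

# Constructed index names following a renamed, per-tenant scheme.
SAMPLE_INDICES = ["tenant-a-winlogbeat-2024.05.01",
                  "tenant-a-auditbeat-2024.05.01"]


def pattern_matches(pattern, index_name):
    """Match one index pattern; '*' is the only wildcard handled here."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def rules_without_coverage(export_text, index_names):
    """Return (rule_id, name, patterns) for rules whose patterns match no index."""
    blind = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        patterns = obj.get("index")
        if "rule_id" not in obj or not patterns:
            continue  # summary line, or a rule without index patterns
        covered = any(pattern_matches(p, i)
                      for p in patterns for i in index_names)
        if not covered:
            blind.append((obj["rule_id"], obj.get("name", ""), patterns))
    return blind


if __name__ == "__main__":
    for rule_id, name, patterns in rules_without_coverage(SAMPLE_EXPORT,
                                                          SAMPLE_INDICES):
        print(f"{rule_id}\t{name}\tqueries only {patterns}")
```

Running the same check after each rule update shows which rules have gone back to patterns that no longer match the renamed indices.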

Thanks. That was exactly what I was looking for.
