I know that I have to set, in Stack Management/Kibana/Advanced, which indices are considered when SIEM is doing its magic.
But I just recently realised there are other "index patterns" per rule. Are these mere recommendations where the events are to be expected, or are these rules that have to match?
I found some hints in other threads here that they are rules that can be changed, but that has to be done per rule, which is quite cumbersome (and not update-safe).
I make heavy use of renamed indices for multi-tenancy and the like - does this mean that, if I want to use predefined rules, I have to either change the index pattern in every rule or rename my indices?