
[Internal]: improvements to threshold rule documentation #2110

Open
@denar50

Description


Following the epic that proposes removing the limit of the group by fields for threshold rules, we have decided to instead increase the limit from 3 to 5. Therefore the documentation should be updated accordingly.
Here is an image showcasing the new limit during rule creation:

[Image: rule creation form showing the new group by field limit]

Since the performance of the rule execution depends greatly on the cardinality (number of unique values) of the selected group by fields, as well as the amount of documents that the query matches (see https://github.com/elastic/security-team/issues/8240#issuecomment-3036285731), we would like to add a tip/note in the docs pointing this out, in case users have performance issues during the execution of a rule (e.g. timeouts).
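An added helper (not from this issue or from Elastic's code) that measures the two cost drivers the description names for a proposed group by field set: the number of matched documents and the number of distinct field-value combinations. The sample documents are constructed, and the assumption that a document missing a group by field is dropped from grouping is the example's own, not taken from the rule documentation.

```python
"""Profile a candidate threshold-rule group-by configuration over sample docs."""
from collections import Counter

MAX_GROUP_BY_FIELDS = 5  # new limit described in the issue (raised from 3)

# Constructed sample of documents a rule query might match (not real data).
SAMPLE_EVENTS = [
    {"host.name": "web-01", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"host.name": "web-01", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"host.name": "web-01", "user.name": "bob", "source.ip": "10.0.0.7"},
    {"host.name": "web-02", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"host.name": "web-02", "user.name": "carol", "source.ip": "10.0.0.9"},
    {"host.name": "db-01", "user.name": "alice"},  # no source.ip field
]


def group_by_profile(events, group_by_fields):
    """Return (matched_docs, distinct_groups, per_field_cardinality).

    matched_docs counts every document the query returned; distinct_groups is
    the number of unique value tuples across the group-by fields, which is the
    bucket count the rule has to aggregate. Documents missing any group-by
    field are skipped (assumption made for this example).
    """
    if not group_by_fields:
        raise ValueError("at least one group-by field is required")
    if len(group_by_fields) > MAX_GROUP_BY_FIELDS:
        raise ValueError(f"at most {MAX_GROUP_BY_FIELDS} group-by fields are allowed")
    combos = Counter()
    per_field = {f: set() for f in group_by_fields}
    matched = 0
    for doc in events:
        matched += 1
        if any(f not in doc for f in group_by_fields):
            continue
        combos[tuple(doc[f] for f in group_by_fields)] += 1
        for f in group_by_fields:
            per_field[f].add(doc[f])
    return matched, len(combos), {f: len(v) for f, v in per_field.items()}


def upper_bound_groups(per_field_cardinality, matched_docs):
    """Worst-case bucket count: product of field cardinalities, capped by doc count."""
    bound = 1
    for card in per_field_cardinality.values():
        bound *= card
    return min(bound, matched_docs)
```

Comparing `distinct_groups` with `upper_bound_groups` over a representative sample shows how close a field combination is to one bucket per document, which is the case where execution cost grows fastest.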

Resources

Existing threshold rule documentation

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

No differences.

What release is this request related to?

9.2

Serverless release

N/A

Collaboration model

The documentation team

Point of contact

Main contact: @denar50 (author)

Stakeholders: @yctercero @approksiu

Metadata



Labels

Team:Security (Issues owned by the Security Docs Team), documentation (Improvements or additions to documentation)
