[Detection Engine][ES|QL] - ES|QL support for partial results #211622

yctercero · 2025-02-18T17:18:11Z

Summary

ES|QL will support partial results by default in 8.19/9.1. We need to ensure that we are dealing with these changes appropriately.

Requirements

Rule shows as partial failure if there are partial results, rule error clearly communicates partial results and what shards were not searched.
Test for possible false positive scenarios with ES|QL. For EQL, it was clear that we cannot support partial results for sequence queries, it's not as clear with ES|QL.

elasticmachine · 2025-02-18T17:18:13Z

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine · 2025-02-18T17:18:13Z

Pinging @elastic/security-detections-response (Team:Detections and Resp)

yctercero added Feature: ES|QL Rule Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team v8.19.0 v9.1.0 labels Feb 18, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Detection Engine][ES|QL] - ES|QL support for partial results #211622

[Detection Engine][ES|QL] - ES|QL support for partial results #211622

yctercero commented Feb 18, 2025

elasticmachine commented Feb 18, 2025

elasticmachine commented Feb 18, 2025

[Detection Engine][ES|QL] - ES|QL support for partial results #211622

[Detection Engine][ES|QL] - ES|QL support for partial results #211622

Comments

yctercero commented Feb 18, 2025

Summary

Requirements

elasticmachine commented Feb 18, 2025

elasticmachine commented Feb 18, 2025