From d9170340af7e0cf629bbbbba9c53af4d387ec468 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 10:55:59 -0500 Subject: [PATCH] [8.4] Document the behavior of IM rules and multi-value indicator documents (backport #4326) (#4403) Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha.solomon --- docs/detections/rules-ui-create.asciidoc | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 92148e5f13..23cb4ff9a1 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -230,6 +230,7 @@ NOTE: For sequence events, the {security-app} generates a single alert when all NOTE: {elastic-sec} provides limited support for indicator match rules. See <> for more information. . To create a rule that searches for events whose specified field value matches the specified indicator field value in the indicator index patterns, select *Indicator Match*, then fill in the following fields: + .. *Source*: The individual index patterns or data view that specifies what data to search. .. *Custom query*: The query and filters used to retrieve the required results from the {elastic-sec} event indices. For example, if you want to match documents that only contain a `destination.ip` address field, add `destination.ip : *`. 
@@ -242,10 +243,14 @@ IMPORTANT: Data in indicator indices must be < "now-30d/d"` searches specified indicator indices for indicators ingested during the past 30 days and rounds the start time down to the nearest day (resolves to UTC `00:00:00`). -.. *Indicator mapping*: Compares the values of the specified event and indicator field -values. When the field values are identical, an alert is generated. To define +.. *Indicator mapping*: Compares the values of the specified event and indicator fields, and generates an alert if the values are identical. ++ +NOTE: Only single-value fields are supported. ++ +To define which field values are compared from the indices add the following: -** *Field*: The field used for comparing values in the {es-sec} event + +** *Field*: The field used for comparing values in the {elastic-sec} event indices. ** *Indicator index field*: The field used for comparing values in the indicator indices.
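Review bot: the added `NOTE: Only single-value fields are supported.` under the *Indicator mapping* bullet states the restriction but not the behavior that the commit subject ("Document the behavior of IM rules and multi-value indicator documents") sets out to document; a reader still cannot tell whether an event or indicator field holding multiple values is skipped, matched on only one of its values, or simply never produces an alert. Suggest extending the NOTE with one sentence that says what the rule actually does with a multi-value field, so the documented behavior matches what the rule does at run time. Two smaller points in the same hunk: the rewrapped sentence `To define which field values are compared from the indices add the following:` needs a comma after `indices`, and the change from `{es-sec}` to `{elastic-sec}` in the `** *Field*` line is a good consistency fix, since the surrounding context in this file already uses `{elastic-sec}`.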