Expand on ES|QL rule docs #4195

@nastasha-solomon

Description

It'd be useful to include the following best practices, limitations, and gotchas in the ES|QL rule docs:

From @vitaliidm:

  • If the LIMIT value is greater than max_signals, the number of generated alerts will be capped by max_signals. For example:
    • When LIMIT is less than max_signals, the number of alerts will be equal to LIMIT
    • When LIMIT is greater than max_signals, the number of alerts will be equal to max_signals

From @paulewing:

  • If you create a new field via ES|QL, you will not be able to filter/search for that field on the alerts page (or any security page) unless you create a runtime field for the new field name. This is possible via our field browser, but could be a nice note to the user.
  • Similar to above, currently it's not possible to add custom highlighted fields for a new field created by ES|QL. A runtime field does NOT solve this; it's just a limitation for now.
  • For aggregation ES|QL queries (e.g. STATS), it is beneficial for the user to keep fields that they want to search/filter on in the alerts page (e.g. host.name, user.name, process.name, etc.)

Notes

  • Thread with more info on the LIMIT vs max_signals case.
  • Might make sense to add a new section, or two, for this information (e.g., "Limitations" and "Best practices").
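An aggregating rule query that follows the practices listed above, added here as an illustration rather than taken from the issue or from Elastic's docs. The index pattern, the `starts > 50` threshold and the assumption that the rule's max_signals is left at its default of 100 are mine.

```esql
// Added example, not part of the issue. Index pattern and threshold are assumptions.

// Weaker form: grouping only by process.name drops host.name and user.name
// from the output, so the resulting alerts cannot be filtered by host or
// user on the alerts page.
//   FROM logs-endpoint.events.process-*
//   | WHERE event.category == "process" AND event.type == "start"
//   | STATS starts = COUNT(*) BY process.name
//   | WHERE starts > 50

// Preferred form: keep host.name and user.name as grouping keys so each
// alert carries them and they stay searchable/filterable on the alerts page.
FROM logs-endpoint.events.process-*
| WHERE event.category == "process" AND event.type == "start"
| STATS starts = COUNT(*) BY host.name, user.name, process.name
| WHERE starts > 50
// "starts" is a field created by this query: it will not be searchable on
// the alerts page unless a runtime field with that name is added, and it
// cannot be used as a custom highlighted field.
| LIMIT 100
// With max_signals at its default of 100, the rule emits at most 100 alerts
// per run; setting LIMIT above max_signals would not raise that ceiling.
```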
