[8.16] Updates docs about excluding cold and frozen data from rule executions #5962

2 changes: 1 addition & 1 deletion docs/detections/detection-engine-intro.asciidoc
@@ -86,7 +86,7 @@ Indicator match rules provide a powerful capability to search your security data

In addition, the following support restrictions are in place:

* {elastic-sec} does not support the use of either cold or frozen {ref}/data-tiers.html[tier data] with indicator match rules.
* Indicator match rules don't support cold or frozen data, but will query cold and frozen {ref}/data-tiers.html[data tiers] if they exist. To exclude query results from cold and frozen tiers, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>> (which applies to all rules in a space), or add a <<exclude-cold-frozen-data-individual-rules,Query DSL filter>> to individual rules.
* Indicator match rules with an additional look-back time value greater than 24 hours are not supported.

[float]
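Review bot: the replacement bullet on the `+` line reads as self-contradictory, stating that indicator match rules "don't support cold or frozen data" and in the same sentence that they "will query cold and frozen data tiers if they exist". State the behaviour once, for example `* Indicator match rules query cold and frozen {ref}/data-tiers.html[data tiers] if they exist, but results from those tiers are not supported. To exclude them, configure the ...`. The two cross-reference anchors (`exclude-cold-frozen-data-rule-executions` and `exclude-cold-frozen-data-individual-rules`) both match section IDs present in the other files of this PR, so the links resolve.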
@@ -1,18 +1,18 @@
[[exclude-cold-frozen-data-individual-rules]]
== Exclude cold and frozen data from a rule
== Exclude cold and frozen data from rule executions

:frontmatter-description: Configure a rule to ignore cold and frozen data during execution.
:frontmatter-tags-products: [security]
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [manage]

Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen data, add a Query DSL filter that ignores cold and frozen {ref}/data-tiers.html[data tiers] when executing. You can add the filter when creating a new rule or updating an existing one.
Rules that query cold and frozen {ref}/data-tiers.html[data tiers] might perform more slowly. To exclude query results from cold and frozen tiers, add a Query DSL filter that ignores cold and frozen documents when executing. This can help Elasticsearch exclude cold and frozen data more efficiently. You can add the filter when creating a new rule or updating an existing one.

NOTE: This method is not supported for {esql} and {ml} rules.

TIP: To ensure that _all_ rules in a {kib} space exclude cold and frozen data when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>.
TIP: To ensure that _all_ rules in a {kib} space exclude cold and frozen documents when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>.

Here is a sample Query DSL filter that excludes frozen tier data from a rule's execution:
Here is a sample Query DSL filter that excludes documents from a frozen tier during a rule's execution:

[source,console]
----
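Review bot: the new heading `== Exclude cold and frozen data from rule executions` is now identical to the heading under `[[exclude-cold-frozen-data-rule-executions]]` in docs/getting-started/advanced-setting.asciidoc, so the per-rule page and the space-wide advanced setting page become indistinguishable in navigation and search results; the previous `from a rule` wording made that distinction, and the unchanged `:frontmatter-description:` line still describes configuring a single rule. Separately, the added sentence `This can help Elasticsearch exclude cold and frozen data more efficiently.` does not say what "more efficiently" is relative to (the preceding sentence only says such rules "might perform more slowly") and uses the literal product name where the rest of this file uses attributes such as `{kib}` and `{esql}`; either state what the filter saves or drop the sentence, and use the `{es}` attribute.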
@@ -29,7 +29,7 @@ Here is a sample Query DSL filter that excludes frozen tier data from a rule's e
}
----

Here is another sample Query DSL filter that excludes cold and frozen tier data from a rule's execution:
Here is another sample Query DSL filter that excludes documents from cold and frozen tiers during a rules execution:

[source,console]
----
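Review bot: `during a rules execution` on the `+` line is missing the possessive apostrophe; it should read `during a rule's execution`, matching the lead-in of the first sample earlier in this file (`during a rule's execution`).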
2 changes: 1 addition & 1 deletion docs/getting-started/advanced-setting.asciidoc
@@ -180,7 +180,7 @@ The `securitySolution:alertTags` field determines which options display in the a
[[exclude-cold-frozen-data-rule-executions]]
== Exclude cold and frozen data from rule executions

To ensure rules don't search cold and frozen data when executing, specify cold and frozen {ref}/data-tiers.html[data tiers] in the `excludedDataTiersForRuleExecution` field. Multiple data tiers must be separated by commas, for example: `data_frozen`, `data_cold`. This setting is turned off by default; turning it on can improve rule performance and reduce execution time.
To ensure rules exclude query results from cold and frozen tiers when executing, specify cold and frozen {ref}/data-tiers.html[data tiers] in the `excludedDataTiersForRuleExecution` field. Multiple data tiers must be separated by commas, for example: `data_frozen`, `data_cold`. This setting is turned off by default; turning it on can improve rule performance and reduce execution time.

This setting does not apply to {esql} or {ml} rules.

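Review bot: `To ensure rules exclude query results from cold and frozen tiers when executing` is harder to read than the line it replaces, and the scope is still missing: the TIP in the per-rule page describes this setting as applying to `_all_ rules in a {kib} space` and the intro bullet says it `applies to all rules in a space`, yet this section never mentions the space. Suggest `To exclude results from cold and frozen {ref}/data-tiers.html[data tiers] for all rules in a {kib} space, specify the tiers in the `excludedDataTiersForRuleExecution` field.` and keep the rest of the paragraph as is.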