The tracking containment rule alerts when an entity is contained or no longer contained within a boundary.
To create a tracking containment rule, the following must be in place:
Entities index: An index containing a geo_point field (the entity's location), a date field (when the location was recorded), and an entity identifier. The entity identifier is a field, such as an ip field, that uniquely identifies the entity across documents. Entity data is expected to be continuously updated so that there are entity movements to alert upon.
Boundaries index: An index containing geo_shape data. Boundaries data is expected to be static (not updating). Boundaries are collected once when the rule is created and again whenever the boundary configuration is modified.
Entity locations are queried to determine if they are contained within any monitored boundaries.
Entity data should be close to real time: the date of each new document should not be older than the current time minus the rule's check interval. Documents whose date is earlier than now - <check interval> at the time of a check are not considered and cannot trigger the rule, even if they place the entity inside or outside a boundary.
A rule can be triggered either when a containment condition is met or when an entity is no longer contained.
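The decision logic described above, as an added example that is not Kibana's own implementation: it evaluates one batch of entity documents against a set of boundary polygons, drops documents older than now minus the check interval, keeps only the newest fresh document per entity, and compares the resulting containment against the previous check to produce "contained" and "no longer contained" alerts. The boundary names, entity ids, coordinates, timestamps and the ray-casting point-in-polygon test are all constructed for the example; a real rule delegates the containment query to Elasticsearch rather than testing polygons in Python.

```python
from datetime import datetime, timedelta, timezone

# Constructed boundaries (geo_shape polygons as [lon, lat] rings), not real data.
BOUNDARIES = {
    "warehouse": [[-122.42, 37.77], [-122.40, 37.77], [-122.40, 37.79], [-122.42, 37.79]],
    "port": [[-122.30, 37.80], [-122.28, 37.80], [-122.28, 37.82], [-122.30, 37.82]],
}


def point_in_polygon(lon, lat, ring):
    """Ray-casting test: count edges crossed by a ray going east from the point."""
    inside = False
    j = len(ring) - 1
    for i in range(len(ring)):
        xi, yi = ring[i]
        xj, yj = ring[j]
        if (yi > lat) != (yj > lat):
            x_cross = (xj - xi) * (lat - yi) / (yj - yi) + xi
            if lon < x_cross:
                inside = not inside
        j = i
    return inside


def containing_boundaries(lon, lat, boundaries):
    return {name for name, ring in boundaries.items() if point_in_polygon(lon, lat, ring)}


def evaluate(docs, boundaries, previous_state, now, interval):
    """One rule check.

    docs: entity documents with "entity", "@timestamp" (ISO 8601) and
          "location" ({"lat", "lon"}, i.e. a geo_point) fields.
    previous_state: {entity: set of boundaries it was in at the last check}.
    Returns (alerts, new_state); alerts are (entity, boundary, kind) tuples.
    """
    cutoff = now - interval
    latest = {}
    for doc in docs:
        ts = datetime.fromisoformat(doc["@timestamp"])
        if ts < cutoff:
            continue  # stale document: older than now - interval, never alerts
        entity = doc["entity"]
        if entity not in latest or ts > latest[entity][0]:
            latest[entity] = (ts, doc)

    alerts = []
    new_state = {k: set(v) for k, v in previous_state.items()}
    for entity, (_, doc) in latest.items():
        loc = doc["location"]
        now_in = containing_boundaries(loc["lon"], loc["lat"], boundaries)
        was_in = previous_state.get(entity, set())
        for b in sorted(now_in - was_in):
            alerts.append((entity, b, "contained"))
        for b in sorted(was_in - now_in):
            alerts.append((entity, b, "no longer contained"))
        new_state[entity] = now_in
    return sorted(alerts), new_state


def demo():
    """Two consecutive checks over constructed entity documents."""
    interval = timedelta(minutes=5)
    # Check 1 at 12:00: truck-1 is inside the warehouse; truck-2's document is 20 min old.
    now1 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    docs1 = [
        {"entity": "truck-1", "@timestamp": "2024-05-01T11:58:00+00:00",
         "location": {"lat": 37.78, "lon": -122.41}},
        {"entity": "truck-2", "@timestamp": "2024-05-01T11:40:00+00:00",
         "location": {"lat": 37.81, "lon": -122.29}},
    ]
    alerts1, state = evaluate(docs1, BOUNDARIES, {}, now1, interval)
    # Check 2 at 12:05: truck-1 has left the warehouse (its newest fresh document
    # wins over an earlier one still inside); truck-2 now reports fresh data at the port.
    now2 = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)
    docs2 = [
        {"entity": "truck-1", "@timestamp": "2024-05-01T12:03:00+00:00",
         "location": {"lat": 37.78, "lon": -122.35}},
        {"entity": "truck-2", "@timestamp": "2024-05-01T12:04:00+00:00",
         "location": {"lat": 37.81, "lon": -122.29}},
        {"entity": "truck-1", "@timestamp": "2024-05-01T12:01:00+00:00",
         "location": {"lat": 37.78, "lon": -122.41}},
    ]
    alerts2, state = evaluate(docs2, BOUNDARIES, state, now2, interval)
    return alerts1, alerts2, state


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The stale truck-2 document in the first check is silently dropped, so no "contained" alert fires for it until fresh data arrives; this is the behaviour to expect when an ingest pipeline lags behind the rule's check interval. Using the newest document per entity is what turns "no longer contained" into an alert only when the entity has actually moved out, rather than on every older document that happens to sit inside a boundary.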