[Internal]: add DOES NOT MATCH condition to Indicator Match rule

[vitaliidm]

Description

Users want to be able to refine indicator match rules statement with "DOES NOT MATCH" condition.

Example:
This match will occur when there is a list of users mapped to geographic regions in an indicator index. If the username matches in the logs but the geographic region does not match then a detection should fire. index1.username == indicator_index.username AND index1.geo.city != indicator_index.city

Resources

PR: elastic/kibana#227084
Issue: https://github.com/elastic/security-team/issues/13022

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

N/A

What release is this request related to?

9.2

Serverless release

When merged and docs ready

Collaboration model

The documentation team

Point of contact.

Main contact: @vitaliidm

Stakeholders: @yctercero @approksiu

[nastasha-solomon]

UI copy review: https://docs.google.com/document/d/15uCXDwsf2yZJI7iiE1NFLdBbvg_XYBafdAnyC3_2khA/edit?tab=t.0

cc: @approksiu @vitaliidm

[nastasha-solomon]

Couple of status updates:

• The copy review for this feature is tentatively complete. I'll need to sync with @approksiu about new terminology and the current copy when she's back from PTO . The potential terms to formalize and define are:
  • Entry/entries
  • Condition
  • Clause
  • Statement
• Moving this issue to the next sprint because I'll need meet with Kseniia about new terminology before starting docs.

cc: @vitaliidm