From b46829a929e0aff21a152d9ea18c4833f95f8af0 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 15 Oct 2024 12:13:41 -0400 Subject: [PATCH 1/3] Updates label --- docs/detections/alert-suppression.asciidoc | 2 +- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- docs/detections/api/rules/rules-api-update.asciidoc | 2 +- docs/serverless/alerts/alert-suppression.mdx | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 73f0537840..650491cb20 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -6,7 +6,7 @@ -- Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription]. -preview::["Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] +preview::["Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] -- Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types: diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 5131205069..78958696fb 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -511,7 +511,7 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). [[opt-fields-alert-suppression-create]] ===== Optional alert suppression fields for query, indicator match, threshold, event correlation (non-sequence queries only), new terms, {esql}, and {ml} rules -preview::["Alert suppression is in technical preview for threshold, indicator match, event correlation, new terms, {ml}, and {esql} rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] +preview::["Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] ====== Query, indicator match, event correlation (non-sequence queries only), new terms, {esql}, and {ml} rules diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index e640580db4..a1a87feefd 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc 
@@ -540,7 +540,7 @@ in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). [[opt-fields-alert-suppression-update]] ===== Optional alert suppression fields for query, indicator match, threshold, event correlation (non-sequence queries only), new terms, {esql}, and {ml} rules -preview::["Alert suppression is in technical preview for threshold, indicator match, event correlation, new terms, {ml}, and {esql} rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] +preview::["Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] ====== Query, indicator match, event correlation (non-sequence queries only), new terms, {esql}, and {ml} rules diff --git a/docs/serverless/alerts/alert-suppression.mdx b/docs/serverless/alerts/alert-suppression.mdx index 462c03402e..80850d262b 100644 --- a/docs/serverless/alerts/alert-suppression.mdx +++ b/docs/serverless/alerts/alert-suppression.mdx @@ -10,7 +10,7 @@ status: in review
-Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. +Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types: From ab582f1ad453bf38415fb5b5c6cdfb15f4811243 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 15 Oct 2024 14:08:08 -0400 Subject: [PATCH 2/3] Updates create rule docs --- docs/detections/rules-ui-create.asciidoc | 10 +++++----- docs/serverless/rules/rules-ui-create.mdx | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 1c1f404baf..b2b6da3b4c 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -50,7 +50,7 @@ then select: NOTE: If a required job isn't currently running, it will automatically start when you finish configuring and enable the rule. .. The anomaly score threshold above which alerts are created. + -. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. +. (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + NOTE: Because {ml} rules generate alerts from anomalies, which don't contain source event fields, you can only use anomaly fields when configuring alert suppression. + @@ -139,7 +139,7 @@ You can also leave the *Group by* field undefined. The rule then creates an aler + IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the *Group by* fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. -. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. +. (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + //// 
@@ -269,7 +269,7 @@ they can be selected here. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values. + -. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. +. (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + //// @@ -328,7 +328,7 @@ IMPORTANT: When checking multiple fields, each unique combination of values from + For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you <>. -. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. +. (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + //// @@ -361,7 +361,7 @@ NOTE: Refer to the sections below to learn more about <> for more information. +. (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + //// diff --git a/docs/serverless/rules/rules-ui-create.mdx b/docs/serverless/rules/rules-ui-create.mdx index 4189eb8bdf..9af43b3949 100644 
--- a/docs/serverless/rules/rules-ui-create.mdx +++ b/docs/serverless/rules/rules-ui-create.mdx @@ -49,7 +49,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, 1. The anomaly score threshold above which alerts are created. -1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. +1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. Because ((ml)) rules generate alerts from anomalies, which don't contain source event fields, you can only use anomaly fields when configuring alert suppression. @@ -141,7 +141,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the **Group by** fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. -1. (Optional) Select **Suppress alerts** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. +1. (Optional) Select **Suppress alerts** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */} 
@@ -285,7 +285,7 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally, they can be selected here. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values. -1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. +1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */} @@ -352,7 +352,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you set the rule's schedule. -1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. +1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */} 
@@ -389,7 +389,7 @@ To create an ((esql)) rule: Click the help icon () to open the in-product reference documentation for all ((esql)) commands and functions. -1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. +1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to Suppress detection alerts for more information. {/* The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too. */} From 8fb62990a6b0717aa36c4aef361334010c72c2fd Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 16 Oct 2024 14:35:04 -0400 Subject: [PATCH 3/3] Fixed note --- docs/serverless/alerts/alert-suppression.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/serverless/alerts/alert-suppression.mdx b/docs/serverless/alerts/alert-suppression.mdx index f6cc5b08ef..35ac2030db 100644 --- a/docs/serverless/alerts/alert-suppression.mdx +++ b/docs/serverless/alerts/alert-suppression.mdx 
@@ -12,7 +12,7 @@ status: in review - ((ml-cap)) rules have additional requirements for alert suppression. - - Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + - Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:
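Review bot: in PATCH 1/3 the same technical-preview sentence is now edited by hand in four files (docs/detections/alert-suppression.asciidoc, rules-api-create.asciidoc, rules-api-update.asciidoc and docs/serverless/alerts/alert-suppression.mdx), and PATCH 3/3 already shows one copy drifting; consider moving the sentence into a shared attribute or include so the next scope change is a single edit. In the two API hunks the new text reads "Alert suppression is in technical preview for event correlation rules." while the heading directly above limits support to "event correlation (non-sequence queries only)"; writing "event correlation (non-sequence) rules" in the callout would keep the callout and the heading consistent.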
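Review bot: in PATCH 2/3 the five rules-ui-create.asciidoc hunks (@@ -50, -139, -269, -328, -361) drop only the leading `preview:[]` badge and keep the "(Optional, Platinum or higher subscription required)" qualifier, and the event correlation step is left untouched, which is consistent with PATCH 1/3 keeping that rule type in technical preview; no logic problem here. The commit message "Updates create rule docs" does not say which rule types moved out of preview, so a reader of the history has to diff five hunks to find out; a one-line summary naming the rule types would help.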
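Review bot: in the PATCH 2/3 docs/serverless/rules/rules-ui-create.mdx hunks (@@ -49, -141, -285, -352, -389) every removed line is identical to the line added in its place, for example "-1. (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule." followed by the same text with "+", so at the text level these hunks are no-ops. If the real change is an inline technical-preview badge component or trailing whitespace that this rendering does not preserve, state that in the commit message; if the lines are genuinely identical, drop the hunks so the patch does not churn the file. Separately, these serverless steps say only "(Optional)" where the asciidoc steps in the same patch say "(Optional, Platinum or higher subscription required)"; confirm that omission is intentional for the serverless docs rather than an oversight, since the two trees otherwise mirror each other word for word.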
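Review bot: the PATCH 3/3 hunk's pre-image for docs/serverless/alerts/alert-suppression.mdx (index f6cc5b08ef) is not the post-image that PATCH 1/3 produced for the same file (index 80850d262b), and its removed line still carries the old wording "Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules.", now as a list item below "((ml-cap)) rules have additional requirements for alert suppression." rather than the standalone paragraph 1/3 edited at line 10. The file was rewritten between the two commits, so either the 1/3 change was lost in a rebase or the note now exists in two places; confirm the merged file carries exactly one copy of the updated sentence, in the bulleted form, and consider squashing 3/3 into 1/3 so the series does not record a change that is immediately redone.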