[Serverless][8.17][8.16]: Security – Alerts section bugs (#6240)

* First draft * Update docs/detections/alerts-reduce.asciidoc * Removes outdated content * more changes * Removes docs for the enableCcsWarning setting * Oops - readds sections (cherry picked from commit 0cec577) # Conflicts: # docs/serverless/alerts/alerts-ui-manage.asciidoc # docs/serverless/alerts/reduce-notifications-alerts.asciidoc # docs/serverless/alerts/view-alert-details.asciidoc # docs/serverless/images/view-alert-details/-detections-about-section-rp.png
elastic · Dec 19, 2024 · 1feaa05 · 1feaa05
1 parent 0f5548b
commit 1feaa05
Show file tree

Hide file tree

Showing 8 changed files with 669 additions and 7 deletions.
diff --git a/docs/detections/alerts-reduce.asciidoc b/docs/detections/alerts-reduce.asciidoc
@@ -9,7 +9,7 @@
 | <<snooze-rule-actions,Rule action snoozing>>
 a| *_Stops a specific rule's notification actions from running_*. 
 
-Use to avoid unnecessary notifications from a specific rule. The rule continues to run and generate alerts during the snooze period, but its <<rule-notifications,notification actions>> don't run.
+Use to avoid unnecessary notifications from a specific rule. The rule continues to run and generate alerts during the snooze period, but its <<rule-response-action,notification actions>> don't run.
 
 | {kibana-ref}/maintenance-windows.html[Maintenance window]
 a| *_Prevents all rules' notification actions from running_*. 

diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc
@@ -22,7 +22,7 @@ The Alerts page offers various ways for you to organize and triage detection ale
 [role="screenshot"]
 image::images/view-alert-details.png[View details button, 200]
 
-* View the rule that created an alert. Click a name in the *Rule* column to open the rule's details page.
+* View the rule that created an alert. Click a name in the *Rule* column to open the rule's details.
 
 * View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the <<host-details-flyout, host details flyout>>, or a user name to open the <<user-details-flyout, user details flyout>>.
 
@@ -115,7 +115,7 @@ image::images/group-alerts-expand.png[Expanded alert group with alerts table]
 Use the toolbar buttons in the upper-left of the Alerts table to customize the columns you want displayed:
 
 * **Columns**: Reorder the columns.
-* **_x_ fields sorted**: Sort the table by one or more columns.
+* **Sort fields _x_**: Sort the table by one or more columns.
 * **Fields**: Select the fields to display in the table. You can also add <<runtime-fields, runtime fields>> to detection alerts and display them in the Alerts table.
 
 Click the *Full screen* button in the upper-right to view the table in full-screen mode.

diff --git a/docs/detections/alerts-view-details.asciidoc b/docs/detections/alerts-view-details.asciidoc
@@ -94,10 +94,6 @@ The About section has the following information:
 +
 NOTE: The event renderer only displays if an event renderer exists for the alert type. Fields are interactive; hover over them to access the available actions.
 
-* **Last alert status change**: Shows the last time the alert's status was changed, along with the user who changed it.
-
-* **MITRE ATT&CK**: Provides relevant https://attack.mitre.org/[MITRE ATT&CK] framework tactics, techniques, and sub-techniques.
-
 [discrete]
 [[investigation-section]]
 == Investigation 

diff --git a/docs/detections/images/about-section-rp.png b/docs/detections/images/about-section-rp.png
diff --git a/docs/serverless/alerts/alerts-ui-manage.asciidoc b/docs/serverless/alerts/alerts-ui-manage.asciidoc
diff --git a/docs/serverless/alerts/reduce-notifications-alerts.asciidoc b/docs/serverless/alerts/reduce-notifications-alerts.asciidoc
@@ -0,0 +1,32 @@
+[[security-reduce-notifications-alerts]]
+= Reduce notifications and alerts
+
+// :description: A comparison of alert-reduction features.
+// :keywords: serverless, security, how-to
+
+
+{elastic-sec} offers several features to help reduce the number of notifications and alerts generated by your detection rules. This table provides a general comparison of these features, with links for more details:
+
+|===
+|  |
+
+| <<snooze-rule-actions,Rule action snoozing>>
+a| **_Stops a specific rule's notification actions from running_**.
+
+Use to avoid unnecessary notifications from a specific rule. The rule continues to run and generate alerts during the snooze period, but its <<rule-response-action,notification actions>> don't run.
+
+| <<maintenance-windows,Maintenance window>>
+a| **_Prevents all rules' notification actions from running_**.
+
+Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their <<security-rules-create,notification actions>> don't run.
+
+| <<security-alert-suppression,Alert suppression>>
+a| **_Reduces repeated or duplicate alerts_**.
+
+Use to reduce the number of alerts created when a rule meets its criteria repeatedly. Duplicate qualifying events are grouped, and only one alert is created for each group.
+
+| <<security-rule-exceptions,Rule exception>>
+a| **_Prevents a rule from creating alerts under specific conditions_**.
+
+Use to reduce false positive alerts by preventing trusted processes and network activity from generating unnecessary alerts. You can configure an exception to be used by a single rule or shared among multiple rules, but they typically don't affect _all_ rules.
+|===
diff --git a/docs/serverless/alerts/view-alert-details.asciidoc b/docs/serverless/alerts/view-alert-details.asciidoc
diff --git a/docs/serverless/images/view-alert-details/-detections-about-section-rp.png b/docs/serverless/images/view-alert-details/-detections-about-section-rp.png