From 3bb68526ba17d33c2f0da39dac27f291e3c20ef8 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 23 Apr 2024 09:27:21 -0400 Subject: [PATCH] First draft --- docs/detections/rules-ui-create.asciidoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index c854a77edf..43e8808cd5 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -476,6 +476,10 @@ also affect this rule. .. *Building block* (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <> for more information. +.. **Max alerts per run** (optional): Specify the maximum number of alerts the rule will create each time it runs. Default is 100. ++ +NOTE: Do not set this value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[{kib} configuration setting] `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by _any_ rule in the {kib} alerting framework. + .. *Indicator prefix override*: Define the location of indicator data within the structure of indicator documents. When the indicator match rule executes, it queries specified indicator indices and references this setting to locate fields with indicator data. This data is used to enrich indicator match alerts with metadata about matched threat indicators. The default value for this setting is `threat.indicator`. + IMPORTANT: If your threat indicator data is at a different location, update this setting accordingly to ensure alert enrichment can still be performed.
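Review bot: The new list item in this hunk uses double-asterisk bold (`**Max alerts per run**`) while the neighbouring items use single-asterisk bold (`*Building block*`, `*Indicator prefix override*`); switch to the single-asterisk form so the rendered list is consistent. The sentence "Default is 100." would read better as "The default is 100." The NOTE tells readers not to exceed `xpack.alerting.rules.run.alerts.max` but never says what happens when a rule run produces more matches than the per-rule value; stating what the rule does in that case (for example, whether further matches in that run are not turned into alerts) would let analysts tune the setting deliberately rather than discover the cap from missing alerts.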