Alert suppression clarification (#3879) (#3948)
* Alert suppression clarification

* Review updates

* Updates note phrasing

(cherry picked from commit 16b6c65)

Co-authored-by: natasha-moore-elastic <[email protected]>
mergify[bot] and natasha-moore-elastic authored Sep 14, 2023
1 parent d4ca6b1 commit 46c3387
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 3 additions & 1 deletion docs/detections/alert-suppression.asciidoc
@@ -21,7 +21,9 @@ NOTE: Alert suppression is not available for Elastic prebuilt rules. However, if

You can configure alert suppression when you create or edit a custom query rule. Refer to <<create-custom-rule>> for detailed instructions.

. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*.
. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*.
+
NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each matching value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`.
. Select how often to create alerts for duplicate events:
+
--
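Review bot: The step line at the top of the hunk is shown both removed and re-added with identical visible text, so this looks like a whitespace-only change and is worth confirming as intentional. On the new NOTE itself, "an alert grouping is created for each value" leaves open whether a single source event whose `destination.ip` holds `[127.0.0.1, 127.0.0.2, 127.0.0.3]` is counted in all three groups; stating that explicitly would help analysts predict how many alerts one multi-value event can produce while suppression is active.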
2 changes: 2 additions & 0 deletions docs/detections/rules-ui-create.asciidoc
@@ -167,6 +167,8 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on
. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule.

.. Enter a field name to group matching source events by the field's unique values; only one alert will be created for each group of events. You can also enter multiple fields to group events by unique combinations of values.
+
NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each matching value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`.

.. Select how often to create alerts for duplicate events:
+
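Review bot: The NOTE added here duplicates the one in docs/detections/alert-suppression.asciidoc word for word; consider moving it to a shared include or attribute so the two copies cannot drift apart when the suppression behaviour is next clarified. Also, the `+` continuation attaches the NOTE to the first `..` sub-step while the next `..` sub-step follows directly after it; confirm the rendered output keeps the nested list intact rather than restarting the numbering.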

0 comments on commit 46c3387