diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 07c399de92..1ffd70a53b 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -21,7 +21,9 @@ NOTE: Alert suppression is not available for Elastic prebuilt rules. However, if You can configure alert suppression when you create or edit a custom query rule. Refer to <> for detailed instructions. -. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*. +. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*. ++ +NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each matching value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. . Select how often to create alerts for duplicate events: + -- diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 29b22ecc89..1e33006dd7 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -167,6 +167,8 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. .. Enter a field name to group matching source events by the field's unique values; only one alert will be created for each group of events. You can also enter multiple fields to group events by unique combinations of values. ++ +NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each matching value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. .. Select how often to create alerts for duplicate events: +