From 46c33873a34a5059048af364f1d45abea965186d Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Thu, 14 Sep 2023 11:09:28 +0100 Subject: [PATCH] Alert suppression clarification (#3879) (#3948) * Alert suppression clarification * Review updates * Updates note phrasing (cherry picked from commit 16b6c65f8cfb9dd5ad78b1ba205428ec27c1cc57) Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/detections/alert-suppression.asciidoc | 4 +++- docs/detections/rules-ui-create.asciidoc | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 07c399de92..1ffd70a53b 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -21,7 +21,9 @@ NOTE: Alert suppression is not available for Elastic prebuilt rules. However, if You can configure alert suppression when you create or edit a custom query rule. Refer to <> for detailed instructions. -. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*. +. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*. ++ +NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each matching value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. . Select how often to create alerts for duplicate events: + -- diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 29b22ecc89..1e33006dd7 100644 --- a/docs/detections/rules-ui-create.asciidoc 
+++ b/docs/detections/rules-ui-create.asciidoc @@ -167,6 +167,8 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. .. Enter a field name to group matching source events by the field's unique values; only one alert will be created for each group of events. You can also enter multiple fields to group events by unique combinations of values. ++ +NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each matching value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. .. Select how often to create alerts for duplicate events: +
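Review bot: In the alert-suppression.asciidoc hunk, the `-`/`+` pair for the `. When configuring the rule type ...` line reads identically on both sides, which suggests a whitespace-only change; confirm it is intentional (for example trailing-whitespace cleanup), or drop it so the hunk only carries the added `+` and NOTE lines. The wording "a field with multiple values" in the new NOTE is also ambiguous: the suppression feature already groups by the field's distinct values across events, so the case being described is a field whose value is an array within a single source event (as the `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]` example shows). Consider phrasing it as "If the suppression field contains an array of values in a single event, a separate alert group is created for each array element" so a reader does not expect the array to be treated as one group.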
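Review bot: In the rules-ui-create.asciidoc hunk, the NOTE is inserted directly after "You can also enter multiple fields to group events by unique combinations of values", so "a field with multiple values" can be misread as referring to that multiple-fields case rather than to an array-valued field; adjust the wording to distinguish the two (for example "If a single suppression field contains an array of values ..."). The NOTE text is also a verbatim copy of the one added to alert-suppression.asciidoc; consider moving it into a shared include or attribute so the two copies cannot drift apart in later edits.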