From 91148ff59ffb4ae5cdc0a7f2fb80a8baeed39a8b Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 24 Apr 2024 00:21:20 -0400 Subject: [PATCH] [8.14] [BUG][ESS][8.13-8.14] Add that suppression is supported for indicator match rules and other cleanup (backport #5116) (#5117) (cherry picked from commit 5df4b8a28d0dd55432aafdafe1fa700bf1b4e904) Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/detections/rules-ui-create.asciidoc | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index c854a77edf..619b6081dc 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -83,17 +83,6 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. -.. Enter a field name to group qualifying source events by the field's unique values; only one alert will be created for each group of events. You can also enter up to 3 fields to group events by unique combinations of values. -+ -NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. - -.. Select how often to create alerts for duplicate events: - -* *Per rule execution*: Create an alert each time the rule runs and meets its criteria. -* *Per time period*: Create one alert for all qualifying events within a specified time window, beginning when the rule first meets its criteria and creates the alert. -+ -For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events. - . Click **Continue** to <>. [discrete] 
@@ -121,14 +110,6 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. -.. Enter field names in *Group by* to group qualifying source events by the fields' unique values; only one alert will be created for each group of events. You can enter up to 3 fields to group events by unique combinations of values. You can also leave *Group by* empty to group all qualifying events together. -+ -NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. - -.. In *Per time period*, specify how often to create alerts for duplicate events. This will create one alert for all qualifying events within the specified time window, beginning when the rule first meets its criteria and creates the alert. -+ -For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events. - . Click *Continue* to <>. [discrete] @@ -228,6 +209,8 @@ they can be selected here. When alerts generated by the rule are investigated in the Timeline, Timeline query values are replaced with their corresponding alert field values. + +. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + . Click *Continue* to <>. [float]
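Review bot: For the first hunk (@@ -83,17 +83,6), the multi-value caveat it deletes (an array value such as `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]` producing a separate suppression group per value) and the three-field limit for *Suppress alerts by* are now reachable only through the cross-reference on the surviving step, which reads as `<>` in this patch; please confirm the anchor resolves and that the target topic states both points, otherwise custom query rule readers lose the explanation of why an array-valued field yields several alerts instead of one. The removed *Per time period* paragraph also spelled out that qualifying events for the remainder of the window produce no further alert; anyone sizing a suppression window needs that statement, so make sure it survives in the central topic rather than only here.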
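Review bot: For the second hunk (@@ -121,14 +110,6), the threshold rule text being removed differs from the custom query version in two ways the shared topic must preserve: *Group by* may be left empty to group all qualifying events together, and only *Per time period* is offered (there is no *Per rule execution* option). If the centralized suppression topic describes only the generic two-option flow, threshold rule readers will look for a per-execution choice that the form does not present. Folding the duplicated multi-value NOTE into one place is fine; just verify the target anchor, which again appears as `<>` in this hunk.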
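Review bot: For the third hunk (@@ -228,6 +209,8), the new indicator match step defers entirely to the cross-reference (`<>` here) without saying which suppression mode applies, whereas the custom query and threshold sections previously distinguished *Per rule execution* from *Per time period*; the linked topic should list indicator match rules together with the mode they support, so that the subscription requirement is not the only concrete detail this step carries. Also check the rendered list: a `+` continuation line now sits directly before `. Click *Continue*`, and in AsciiDoc a lone `+` attaches the following block to the preceding list item, so it is either unnecessary or will glue the next item's text onto the suppression step.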