ML rule update
nastasha-solomon committed Jul 18, 2024
1 parent e2d5294 commit c0dcb1c
Showing 2 changed files with 7 additions and 1 deletion.
2 changes: 2 additions & 0 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -48,6 +48,8 @@ NOTE: If a required job isn't currently running, it will automatically start whe
+
. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<alert-suppression>> for more information.
+
NOTE: Because {ml} rules generate alerts from anomalies, alert documents don't contain source event fields and you can only use anomaly fields when configuring alert suppression.
+

////
The following step is repeated across all rule types. If you change anything
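Review bot: the new NOTE tells readers they can "only use anomaly fields" for suppression but gives no pointer to what those fields are; since this is the only place the restriction is stated, consider adding an example field or a cross-reference to the anomaly results documentation alongside the existing `<<alert-suppression>>` link so a reader configuring **Suppress alerts by** on an {ml} rule knows which field names are valid. The asciidoc structure itself looks right: the NOTE sits inside the step via the `+` list continuation, and the closing `+` keeps the following content attached to the same list item.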
6 changes: 5 additions & 1 deletion docs/serverless/rules/rules-ui-create.mdx
Expand Up @@ -51,6 +51,10 @@ To create or edit ((ml)) rules, you need an appropriate user role. Additionally,

1. <DocBadge template="technical preview" /> (Optional) Use **Suppress alerts by** to reduce the number of repeated or duplicate alerts created by the rule. Refer to <DocLink slug="/serverless/security/alert-suppression">Suppress detection alerts</DocLink> for more information.

<DocCallOut title="Note">
Because ((ml)) rules generate alerts from anomalies, alert documents don't contain source event fields and you can only use anomaly fields when configuring alert suppression.
</DocCallOut>

{/* The following steps are repeated across multiple rule types. If you change anything
in these steps or sub-steps, apply the change to the other rule types, too. */}
1. (Optional) Add **Related integrations** to associate the rule with one or more [Elastic integrations](((integrations-docs))). This indicates the rule's dependency on specific integrations and the data they generate, and allows users to confirm each integration's <DocLink slug="/serverless/security/rules-ui-management" section="confirm-rule-prerequisites">installation status</DocLink> when viewing the rule.
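Review bot: the `<DocCallOut>` block is inserted at column 0 between two `1.` list items, which in MDX terminates the ordered list, so the following "(Optional) Add **Related integrations**" step will render as a fresh list starting at 1 rather than continuing the step numbering; indent the callout (and its blank lines) under the preceding **Suppress alerts by** item so it is parsed as that step's continuation, mirroring the `+` continuation used in the asciidoc version of this same change. The wording is otherwise consistent with the asciidoc NOTE, and dropping the "Platinum or higher subscription" qualifier is correct for the serverless page.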
Expand Down Expand Up @@ -504,7 +508,7 @@ When writing your query, consider the following:

- When writing an aggregating query, use the [`STATS...BY`](((ref))/esql-commands.html#esql-stats-by) command with fields that you want to search and filter for after alerts are created. For example, using the `host.name`, `user.name`, `process.name` fields with the `BY` operator of the `STATS...BY` command returns these fields in alert documents, and allows you to search and filter for them from the Alerts table.

-- When configuring alert suppression on a non-aggregating query, we recommend sorting results by ascending `@timestamp` order. Doing so ensures that alerts are properly suppressed, especially if the number of alerts generated is higher than the **Max alerts per run** value.
- When configuring alert suppression on a non-aggregating query, we recommend sorting results by ascending `@timestamp` order. Doing so ensures that alerts are properly suppressed, especially if the number of alerts generated is higher than the **Max alerts per run** value.

<div id="esql-rule-limitations"></div>

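Review bot: the removed and added lines in this hunk read identically in the rendered diff ("When configuring alert suppression on a non-aggregating query, ... **Max alerts per run** value."), so the change is presumably whitespace or an invisible character; the commit message "ML rule update" does not mention touching the ES|QL query guidance at all, so either state the actual fix (for example, trailing whitespace or a stray character) in the commit message or drop this hunk from an ML-focused commit to keep the history reviewable.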

0 comments on commit c0dcb1c