adds missing alert suppression API references

elastic · Dec 18, 2023 · d99033c · d99033c
1 parent 5d9325f
commit d99033c
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc
@@ -484,6 +484,43 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`).
 |timestamp_field |String
 |Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
 
+|==============================================
+
+[[opt-fields-alert-suppression]]
+===== Optional alert suppression fields for query, threshold rules
+
+====== Query rule
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|alert_suppression |Object |Defines alert suppression configuration. Fields:
+
+* `group_by` (string[], required): Field names to use for suppressing alerts by, maximum array size is 3.
+
+* `duration` (<<alert-suppression-duration-schema, duration object>>, optional): Defines time period, alerts will be suppressed on. Object takes values: If absent, alerts will be suppressed on rule execution only.
+
+* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values:
+
+  - `doNotSuppress` - Create a separate alert for each matching event
+  - `suppress` - Create one alert for each group of events with missing fields
+
+
+|==============================================
+
+====== Threshold rule
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|alert_suppression |Object |Defines alert suppression configuration. Available fields:
+
+* `duration` (<<alert-suppression-duration-schema, duration object>>, required): Defines time period, alerts will be suppressed on
+cardinality.
+
+
 |==============================================
 
 [[actions-object-schema]]
@@ -712,6 +749,20 @@ All fields are required:
 NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed
 in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*).
 
+[[alert-suppression-duration-schema]]
+===== Alert suppression duration schema
+
+All fields are required:
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|unit |string | Time unit, takes value of `s`(seconds), `m`(minutes), `h`(hours).
+|value |number | Positive number
+
+|==============================================
+
 ===== Example requests
 
 *Example 1*