diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 3a58fcf0ee..d7441a1235 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -484,6 +484,43 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |timestamp_field |String |Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field. +|============================================== + +[[opt-fields-alert-suppression]] +===== Optional alert suppression fields for query, threshold rules + +====== Query rule + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|alert_suppression |Object |Defines alert suppression configuration. Fields: + +* `group_by` (string[], required): Field names to use for suppressing alerts by, maximum array size is 3. + +* `duration` (<>, optional): Defines time period, alerts will be suppressed on. Object takes values: If absent, alerts will be suppressed on rule execution only. + +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values: + + - `doNotSuppress` - Create a separate alert for each matching event + - `suppress` - Create one alert for each group of events with missing fields + + +|============================================== + +====== Threshold rule + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|alert_suppression |Object |Defines alert suppression configuration. Available fields: + +* `duration` (<>, required): Defines time period, alerts will be suppressed on +cardinality. + + |============================================== [[actions-object-schema]] 
@@ -712,6 +749,20 @@ All fields are required: NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). +[[alert-suppression-duration-schema]] +===== Alert suppression duration schema + +All fields are required: + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|unit |string | Time unit, takes value of `s`(seconds), `m`(minutes), `h`(hours). +|value |number | Positive number + +|============================================== + ===== Example requests *Example 1*
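Review bot: In the first hunk, the query-rule `duration` description is left with a dangling fragment ("Object takes values:" is followed by nothing), and the threshold-rule `duration` description ends with a stray "cardinality." on its own line that does not belong to the sentence. Suggest "Defines the time period during which alerts are suppressed. If absent, alerts are suppressed only within a single rule execution." for the query rule, and dropping the stray "cardinality." from the threshold rule (or, if suppression by cardinality is really what is meant, say so in a full sentence). The `missing_fields_strategy` text "events with missing suppression fields, fields don’t exist" also reads as two half-sentences; "events that lack one or more of the `group_by` fields" is clearer, and the entry should state which value is the default, since the field is optional. Minor: the heading "for query, threshold rules" should read "for query and threshold rules".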
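Review bot: In the second hunk, the duration schema gives `value` the type `number` and the description "Positive number", which leaves it unclear whether fractional values such as `1.5` are accepted; if only whole units are valid, say "Positive integer" and, if there is an upper bound, state it. Minor formatting in the same table: `s`(seconds) needs a space before the parenthesis, and the cells "|string | Time unit" and "|number | Positive number" have inconsistent spacing around the `|` separators compared with the tables above.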