From a51cda51338895dcbbb733be34c08805b1ee4bf2 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 14 Sep 2023 10:46:07 +0100 Subject: [PATCH] Alert suppression clarification (#3879) * Alert suppression clarification * Review updates * Updates note phrasing (cherry picked from commit 16b6c65f8cfb9dd5ad78b1ba205428ec27c1cc57) --- docs/detections/alert-suppression.asciidoc | 4 +++- docs/detections/rules-ui-create.asciidoc | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 69233e9429..f184618053 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -21,7 +21,9 @@ NOTE: Alert suppression is not available for Elastic prebuilt rules. However, if You can configure alert suppression when you create or edit a custom query rule. Refer to <> for detailed instructions. -. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*. +. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*. ++ +NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each matching value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. . Select how often to create alerts for duplicate events: + -- diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 4c6f3e0d50..3cbe1d06dd 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -162,6 +162,8 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. .. Enter a field name to group matching source events by the field's unique values; only one alert will be created for each group of events. You can also enter multiple fields to group events by unique combinations of values. ++ +NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each matching value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. .. Select how often to create alerts for duplicate events: +
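Review bot: In the alert-suppression.asciidoc hunk, the `-`/`+` pair for the line `. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), enter one or more field names in *Suppress alerts by*.` reads identically on both sides, so it looks like a whitespace-only change; if it is a trailing-whitespace fix that is fine, otherwise dropping it keeps the diff to the added NOTE. The NOTE covers a single multi-valued field only, while the step above it allows entering several fields, so it would help to state whether the per-value grouping also applies to each combination of values when more than one field is listed, rather than leaving readers to infer it.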
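Review bot: In the rules-ui-create.asciidoc hunk, the added NOTE is a verbatim copy of the one added to alert-suppression.asciidoc in the same patch; to keep the two from drifting when the behaviour description is next updated, consider moving the sentence into a shared include or attribute and referencing it from both files. The worked example is useful, but the bracketed `destination.ip` value `[127.0.0.1, 127.0.0.2, 127.0.0.3]` could be introduced explicitly as an array field value so readers do not mistake it for a range or for query syntax.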