From d99033cd00794f5da96351dcc223b0ab4c3cd19c Mon Sep 17 00:00:00 2001 From: vitaliidm Date: Mon, 18 Dec 2023 16:38:58 +0000 Subject: [PATCH 01/12] adds missing alert suppression API references --- .../api/rules/rules-api-create.asciidoc | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 3a58fcf0ee..d7441a1235 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -484,6 +484,43 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |timestamp_field |String |Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field. +|============================================== + +[[opt-fields-alert-suppression]] +===== Optional alert suppression fields for query, threshold rules + +====== Query rule + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|alert_suppression |Object |Defines alert suppression configuration. Fields: + +* `group_by` (string[], required): Field names to use for suppressing alerts by, maximum array size is 3. + +* `duration` (<>, optional): Defines time period, alerts will be suppressed on. Object takes values: If absent, alerts will be suppressed on rule execution only. + +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values: + + - `doNotSuppress` - Create a separate alert for each matching event + - `suppress` - Create one alert for each group of events with missing fields + + +|============================================== + +====== Threshold rule + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|alert_suppression |Object |Defines alert suppression configuration. Available fields: + +* `duration` (<>, required): Defines time period, alerts will be suppressed on +cardinality. + + |============================================== [[actions-object-schema]] 
@@ -712,6 +749,20 @@ All fields are required: NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). +[[alert-suppression-duration-schema]] +===== Alert suppression duration schema + +All fields are required: + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|unit |string | Time unit, takes value of `s`(seconds), `m`(minutes), `h`(hours). +|value |number | Positive number + +|============================================== + ===== Example requests *Example 1* From 02eda707e193e7cdca27708c09198dfafdb2506e Mon Sep 17 00:00:00 2001 From: vitaliidm Date: Tue, 19 Dec 2023 09:58:40 +0000 Subject: [PATCH 02/12] fixes --- docs/detections/api/rules/rules-api-create.asciidoc | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index d7441a1235..a0fe6e9bb6 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -497,9 +497,9 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |alert_suppression |Object |Defines alert suppression configuration. Fields: -* `group_by` (string[], required): Field names to use for suppressing alerts by, maximum array size is 3. +* `group_by` (string[], required): Field names to use for suppressing alerts by, array size of 1-3. -* `duration` (<>, optional): Defines time period, alerts will be suppressed on. Object takes values: If absent, alerts will be suppressed on rule execution only. +* `duration` (<>, optional): Defines time period, alerts will be suppressed on. If absent, alerts will be suppressed on rule execution only. * `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values: 
@@ -518,7 +518,6 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |alert_suppression |Object |Defines alert suppression configuration. Available fields: * `duration` (<>, required): Defines time period, alerts will be suppressed on -cardinality. |============================================== @@ -750,7 +749,7 @@ NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). [[alert-suppression-duration-schema]] -===== Alert suppression duration schema +===== `alert_suppression.duration` schema All fields are required: From e23b5ca7befafdf670f21be73a4c75231be829fd Mon Sep 17 00:00:00 2001 From: vitaliidm Date: Tue, 19 Dec 2023 10:00:21 +0000 Subject: [PATCH 03/12] add preview --- docs/detections/api/rules/rules-api-create.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index a0fe6e9bb6..c1579e750d 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -489,6 +489,8 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). [[opt-fields-alert-suppression]] ===== Optional alert suppression fields for query, threshold rules +preview::[] + ====== Query rule [width="100%",options="header"] From 671e0cca0f54fae7c70246f149ead3d13e960d81 Mon Sep 17 00:00:00 2001 From: vitaliidm Date: Tue, 19 Dec 2023 10:39:59 +0000 Subject: [PATCH 04/12] fixes --- docs/detections/api/rules/rules-api-create.asciidoc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index c1579e750d..de951159fc 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -503,10 +503,13 @@ preview::[] * `duration` (<>, optional): Defines time period, alerts will be suppressed on. If absent, alerts will be suppressed on rule execution only. -* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values: +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. - - `doNotSuppress` - Create a separate alert for each matching event - - `suppress` - Create one alert for each group of events with missing fields + Values: + + - `doNotSuppress` - Create a separate alert for each matching event + + - `suppress` - Create one alert for each group of events with missing fields |============================================== From fbb31da3decab2b2454653eab3d8afa2c3891cd2 Mon Sep 17 00:00:00 2001 From: vitaliidm Date: Tue, 19 Dec 2023 10:46:17 +0000 Subject: [PATCH 05/12] add example --- .../api/rules/rules-api-create.asciidoc | 56 +++++++++++++++++-- 1 file changed, 51 insertions(+), 5 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index de951159fc..60d85f0688 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -1041,11 +1041,6 @@ POST api/detection_engine/rules -------------------------------------------------- // KIBANA -==== Response code - -`200`:: - Indicates a successful call. - *Example 7* {esql} rule that creates alerts from events that match an Excel parent process: 
@@ -1069,6 +1064,57 @@ POST api/detection_engine/rules } -------------------------------------------------- + +*Example 8* + +Query rule that searches for processes started by MS Office and suppress alerts by `process.parent.name` field on 5 hours time period: + +[source,console] +-------------------------------------------------- +POST api/detection_engine/rules +{ + "rule_id": "process_started_by_ms_office_program", + "risk_score": 50, + "description": "Process started by MS Office program - possible payload", + "interval": "1h", <1> + "name": "MS Office child process", + "severity": "low", + "tags": [ + "child process", + "ms office" + ], + "type": "query", + "from": "now-70m", <2> + "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", + "language": "kuery", + "filters": [ + { + "query": { + "match": { + "event.action": { + "query": "Process Create (rule: ProcessCreate)", + "type": "phrase" + } + } + } + } + ], + "enabled": false, + "alert_suppression": { + "duration": { "unit": "h", "value": 5 }, + "group_by": [ + "process.parent.name" + ], + "missing_fields_strategy": "suppress" + } +} +-------------------------------------------------- + +==== Response code + +`200`:: + Indicates a successful call. + ==== Response payload A JSON object that includes a unique ID, the time the rule was created, and its From 6968576873356f5f8984509496455d3a78e291e5 Mon Sep 17 00:00:00 2001 From: vitaliidm Date: Tue, 19 Dec 2023 10:56:34 +0000 Subject: [PATCH 06/12] update --- .../api/rules/rules-api-update.asciidoc | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index eb0b156e9c..b6abb60584 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc 
+++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -497,6 +497,49 @@ technique: NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). + +[[opt-fields-alert-suppression]] +===== Optional alert suppression fields for query, threshold rules + +preview::[] + +====== Query rule + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|alert_suppression |Object |Defines alert suppression configuration. Fields: + +* `group_by` (string[], required): Field names to use for suppressing alerts by, array size of 1-3. + +* `duration` (<>, optional): Defines time period, alerts will be suppressed on. If absent, alerts will be suppressed on rule execution only. + +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. + + Values: + + - `doNotSuppress` - Create a separate alert for each matching event + + - `suppress` - Create one alert for each group of events with missing fields + + +|============================================== + +====== Threshold rule + +[width="100%",options="header"] +|============================================== +|Name |Type |Description + +|alert_suppression |Object |Defines alert suppression configuration. Available fields: + +* `duration` (<>, required): Defines time period, alerts will be suppressed on + + +|============================================== + + ===== Example request Updates the `threat` object: From 19e2aa19054ec84e8288f3ec02dee5617809bd8d Mon Sep 17 00:00:00 2001 From: vitaliidm Date: Tue, 19 Dec 2023 11:57:29 +0000 Subject: [PATCH 07/12] unique ids --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- docs/detections/api/rules/rules-api-update.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 60d85f0688..70f0f3de77 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -486,7 +486,7 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |============================================== -[[opt-fields-alert-suppression]] +[[opt-fields-alert-suppression-create]] ===== Optional alert suppression fields for query, threshold rules preview::[] diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index b6abb60584..e68aabcfd0 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -498,7 +498,7 @@ NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). -[[opt-fields-alert-suppression]] +[[opt-fields-alert-suppression-update]] ===== Optional alert suppression fields for query, threshold rules preview::[] From 699ecc214b54958fc98b0e45201c5a570191c83c Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 20 Dec 2023 10:38:35 -0500 Subject: [PATCH 08/12] Fix syntax, some edits --- .../api/rules/rules-api-create.asciidoc | 20 ++++++++----------- .../api/rules/rules-api-update.asciidoc | 20 ++++++++----------- 2 files changed, 16 insertions(+), 24 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 70f0f3de77..54a676db7b 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -497,20 +497,17 @@ preview::[] |============================================== |Name |Type |Description -|alert_suppression |Object |Defines alert suppression configuration. Fields: +|alert_suppression |Object a|Defines alert suppression configuration. Available fields: -* `group_by` (string[], required): Field names to use for suppressing alerts by, array size of 1-3. +* `group_by` (string[], required): An array of 1-3 field names to use for suppressing alerts. -* `duration` (<>, optional): Defines time period, alerts will be suppressed on. If absent, alerts will be suppressed on rule execution only. +* `duration` (<>, optional): Defines the time period in which alerts will be suppressed. If absent, alerts will be suppressed on rule execution only. -* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values: - Values: - - - `doNotSuppress` - Create a separate alert for each matching event - - - `suppress` - Create one alert for each group of events with missing fields + - `doNotSuppress`: Create a separate alert for each matching event. + - `suppress`: Create one alert for each group of events with missing fields. |============================================== @@ -520,10 +517,9 @@ preview::[] |============================================== |Name |Type |Description -|alert_suppression |Object |Defines alert suppression configuration. Available fields: - -* `duration` (<>, required): Defines time period, alerts will be suppressed on +|alert_suppression |Object a|Defines alert suppression configuration. Available fields: +* `duration` (<>, required): Defines the time period in which alerts will be suppressed. |============================================== 
diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index e68aabcfd0..0d643ea700 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -509,20 +509,17 @@ preview::[] |============================================== |Name |Type |Description -|alert_suppression |Object |Defines alert suppression configuration. Fields: +|alert_suppression |Object a|Defines alert suppression configuration. Available fields: -* `group_by` (string[], required): Field names to use for suppressing alerts by, array size of 1-3. +* `group_by` (string[], required): An array of 1-3 field names to use for suppressing alerts. -* `duration` (<>, optional): Defines time period, alerts will be suppressed on. If absent, alerts will be suppressed on rule execution only. +* `duration` (<>, optional): Defines the time period in which alerts will be suppressed. If absent, alerts will be suppressed on rule execution only. -* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values: - Values: - - - `doNotSuppress` - Create a separate alert for each matching event - - - `suppress` - Create one alert for each group of events with missing fields + - `doNotSuppress` - Create a separate alert for each matching event. + - `suppress` - Create one alert for each group of events with missing fields. |============================================== 
@@ -532,10 +529,9 @@ preview::[] |============================================== |Name |Type |Description -|alert_suppression |Object |Defines alert suppression configuration. Available fields: - -* `duration` (<>, required): Defines time period, alerts will be suppressed on +|alert_suppression a|Object |Defines alert suppression configuration. Available fields: +* `duration` (<>, required): Defines the time period in which alerts will be suppressed. |============================================== From 258813d56ed3d64ba11c94b161e4f0bb4e6e9bf0 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 20 Dec 2023 10:42:57 -0500 Subject: [PATCH 09/12] Another edit --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- docs/detections/api/rules/rules-api-update.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 54a676db7b..80d459b356 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -503,7 +503,7 @@ preview::[] * `duration` (<>, optional): Defines the time period in which alerts will be suppressed. If absent, alerts will be suppressed on rule execution only. -* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values: +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields. Values: - `doNotSuppress`: Create a separate alert for each matching event. diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index 0d643ea700..1b0464f030 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc 
@@ -515,7 +515,7 @@ preview::[] * `duration` (<>, optional): Defines the time period in which alerts will be suppressed. If absent, alerts will be suppressed on rule execution only. -* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields, fields don’t exist. Values: +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields. Values: - `doNotSuppress` - Create a separate alert for each matching event. From 0a8c2b2720cf936eb6cc865520384f550dae1195 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 20 Dec 2023 12:09:21 -0500 Subject: [PATCH 10/12] Remove callout syntax in Example --- docs/detections/api/rules/rules-api-create.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 80d459b356..9fb7c4bc1d 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -1072,7 +1072,7 @@ POST api/detection_engine/rules "rule_id": "process_started_by_ms_office_program", "risk_score": 50, "description": "Process started by MS Office program - possible payload", - "interval": "1h", <1> + "interval": "1h", "name": "MS Office child process", "severity": "low", "tags": [ @@ -1080,7 +1080,7 @@ POST api/detection_engine/rules "ms office" ], "type": "query", - "from": "now-70m", <2> + "from": "now-70m", "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", "language": "kuery", "filters": [ From d345e933e1cc7bf4e37ca824a56771654f3a1012 Mon Sep 17 00:00:00 2001 
From: Joe Peeples Date: Wed, 3 Jan 2024 16:12:33 -0500 Subject: [PATCH 11/12] Apply suggestions from Natasha's review Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/detections/api/rules/rules-api-create.asciidoc | 8 ++++---- docs/detections/api/rules/rules-api-update.asciidoc | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 9fb7c4bc1d..542e0a4971 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -503,7 +503,7 @@ preview::[] * `duration` (<>, optional): Defines the time period in which alerts will be suppressed. If absent, alerts will be suppressed on rule execution only. -* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields. Values: +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields. Possible values: - `doNotSuppress`: Create a separate alert for each matching event. @@ -758,8 +758,8 @@ All fields are required: |============================================== |Name |Type |Description -|unit |string | Time unit, takes value of `s`(seconds), `m`(minutes), `h`(hours). -|value |number | Positive number +|unit |string | Time unit. Possible values are: `s`(seconds), `m`(minutes), or `h`(hours). +|value |number | Positive number. |============================================== @@ -1063,7 +1063,7 @@ POST api/detection_engine/rules *Example 8* -Query rule that searches for processes started by MS Office and suppress alerts by `process.parent.name` field on 5 hours time period: +Query rule that searches for processes started by MS Office and suppresses alerts by the `process.parent.name` field within a 5-hour time period: [source,console] -------------------------------------------------- 
diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index 1b0464f030..4bca5f119e 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -515,11 +515,11 @@ preview::[] * `duration` (<>, optional): Defines the time period in which alerts will be suppressed. If absent, alerts will be suppressed on rule execution only. -* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields. Values: +* `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields. Possible values: - - `doNotSuppress` - Create a separate alert for each matching event. + - `doNotSuppress`: Create a separate alert for each matching event. - - `suppress` - Create one alert for each group of events with missing fields. + - `suppress`: Create one alert for each group of events with missing fields. |============================================== From 0a737b7ee163f6abbec6a858a9a9d7340ac9331a Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Jan 2024 16:23:24 -0500 Subject: [PATCH 12/12] Apply `duration` edits from Natasha's review Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/detections/api/rules/rules-api-create.asciidoc | 4 ++-- docs/detections/api/rules/rules-api-update.asciidoc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 542e0a4971..62bf16a9c4 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc 
@@ -501,7 +501,7 @@ preview::[] * `group_by` (string[], required): An array of 1-3 field names to use for suppressing alerts. -* `duration` (<>, optional): Defines the time period in which alerts will be suppressed. If absent, alerts will be suppressed on rule execution only. +* `duration` (<>, optional): The time period in which alerts will be suppressed, beginning when the rule first meets its criteria and creates the alert. If not specified, alerts will be suppressed on rule execution only. * `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields. Possible values: @@ -519,7 +519,7 @@ preview::[] |alert_suppression |Object a|Defines alert suppression configuration. Available fields: -* `duration` (<>, required): Defines the time period in which alerts will be suppressed. +* `duration` (<>, required): The time period in which alerts will be suppressed, beginning when the rule first meets its criteria and creates the alert. |============================================== diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index 4bca5f119e..a196fe5d60 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -513,7 +513,7 @@ preview::[] * `group_by` (string[], required): An array of 1-3 field names to use for suppressing alerts. -* `duration` (<>, optional): Defines the time period in which alerts will be suppressed. If absent, alerts will be suppressed on rule execution only. +* `duration` (<>, optional): The time period in which alerts will be suppressed, beginning when the rule first meets its criteria and creates the alert. If not specified, alerts will be suppressed on rule execution only. * `missing_fields_strategy` (string, optional): Defines how to handle events with missing suppression fields. Possible values: 
@@ -531,7 +531,7 @@ preview::[] |alert_suppression a|Object |Defines alert suppression configuration. Available fields: -* `duration` (<>, required): Defines the time period in which alerts will be suppressed. +* `duration` (<>, required): The time period in which alerts will be suppressed, beginning when the rule first meets its criteria and creates the alert. |==============================================
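Review bot: in the `@@ -484,6 +484,43 @@` hunk of PATCH 01, the Description cells that carry bullet lists are opened with a plain `|`; AsciiDoc renders block content such as lists inside a cell only when the cell is marked `a|`, so `|alert_suppression |Object |Defines alert suppression configuration. Fields:` should read `|alert_suppression |Object a|Defines ...` in both the Query rule and the Threshold rule tables. In the same hunk the threshold description ends with `alerts will be suppressed on` followed by a stray `cardinality.` line that looks like a leftover, `group_by` states a maximum (`maximum array size is 3`) but no minimum, and `Object takes values: If absent, ...` is a dangling fragment. The `(<>, optional)` type on `duration` appears as an empty cross-reference; confirm it targets the `[[alert-suppression-duration-schema]]` anchor added further down in this commit.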
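Review bot: in the `@@ -712,6 +749,20 @@` hunk of PATCH 01, the duration schema table uses lower-case type names (`|unit |string`, `|value |number`) while the neighbouring tables capitalize them (`|timestamp_field |String`); pick one convention. The `value` row says only `Positive number`, which leaves open whether fractional values are accepted and whether there is an upper bound; if the API only accepts positive integers, the row should say so, since a rejected request is the only other way a reader finds out.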
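Review bot: in the `@@ -503,10 +503,13 @@` hunk of PATCH 04, indenting `Values:` and the two `- ` items with a leading space turns them into an AsciiDoc literal paragraph (rendered monospace, verbatim) rather than a nested list; nested items should start at column 0, and the enclosing cell still needs the `a|` style before any list in it renders. The blank lines inserted between the items do not help either, because the cell is not an AsciiDoc-styled cell yet.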
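Review bot: in the `@@ -1069,6 +1064,57 @@` hunk of PATCH 05, the callout markers on `"interval": "1h", <1>` and `"from": "now-70m", <2>` have no matching callout list after the listing, so the rendered example shows dangling markers; either add the explanations (the ten-minute overlap between a 1h interval and a 70m look-back is worth one sentence) or drop the markers. Separately, the example sets `"missing_fields_strategy": "suppress"` while grouping by `process.parent.name`, but the KQL query only matches events whose `process.parent.name` has one of the listed values, so no matching event can be missing the suppression field and the setting never takes effect; either group by a field the query does not constrain, or say in the prose that the value is shown for completeness. The Response code section is moved below Example 8 in the same commit, which is fine, but the commit message does not mention the move.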
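Review bot: in the `@@ -497,6 +497,49 @@` hunk of PATCH 06, the block reuses the anchor `[[opt-fields-alert-suppression]]` that PATCH 01 already defined in rules-api-create.asciidoc; when both files build into one book the duplicate id makes `<<...>>` references ambiguous, so the anchor needs a file-specific suffix. The hunk also copies both tables verbatim from the create page, and duplicated blocks drift (the wording fixes later in this series had to be applied to both files); an `include::` of a shared snippet would be the safer pattern. The `|` versus `a|` cell-style problem from the create page is carried over as well.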
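Review bot: in the `@@ -509,20 +509,17 @@` hunk of PATCH 08 (rules-api-update.asciidoc), the value items use a dash separator, `- \`doNotSuppress\` - Create a separate alert for each matching event.`, while the create-page hunk in the same commit uses a colon, `- \`doNotSuppress\`: Create ...`; the two files should stay word-for-word identical so that readers of the create and update pages see the same description.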
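Review bot: in the `@@ -532,10 +529,9 @@` hunk of PATCH 08 (rules-api-update.asciidoc), the AsciiDoc cell style lands on the wrong cell: `|alert_suppression a|Object |Defines alert suppression configuration. Available fields:` puts `a|` on the Type cell, whereas the matching create-page hunk uses `|alert_suppression |Object a|Defines ...`. As written, the `* \`duration\` ...` bullet in the Description cell renders as literal text rather than a list. The same line is still present unchanged in the context of the final `@@ -531,7 +531,7 @@` hunk of PATCH 12, so it was not caught later in the series.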
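Review bot: in the `@@ -758,8 +758,8 @@` hunk of PATCH 11, the unit list is written without spaces, `\`s\`(seconds), \`m\`(minutes), or \`h\`(hours)`; `\`s\` (seconds), \`m\` (minutes), or \`h\` (hours)` reads better and matches how inline code is separated from prose elsewhere in these tables. The `value` row is still just `Positive number.`, so the open question from the original schema table (integer only or not) is not answered by this edit.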