diff --git a/docs/user/alerting/images/rule-types-index-threshold-example-action-summary.png b/docs/user/alerting/images/rule-types-index-threshold-example-action-summary.png new file mode 100644 index 0000000000000..337171d995676 Binary files /dev/null and b/docs/user/alerting/images/rule-types-index-threshold-example-action-summary.png differ diff --git a/docs/user/alerting/images/rule-types-index-threshold-example-action.png b/docs/user/alerting/images/rule-types-index-threshold-example-action.png index 278a722921757..da4fb66dc6400 100644 Binary files a/docs/user/alerting/images/rule-types-index-threshold-example-action.png and b/docs/user/alerting/images/rule-types-index-threshold-example-action.png differ diff --git a/docs/user/alerting/rule-types/es-query.asciidoc b/docs/user/alerting/rule-types/es-query.asciidoc index 029ec2e1eaa46..2f5e53b7b342d 100644 --- a/docs/user/alerting/rule-types/es-query.asciidoc +++ b/docs/user/alerting/rule-types/es-query.asciidoc @@ -1,18 +1,17 @@ [[rule-type-es-query]] -== {es} query - -:frontmatter-description: Create an {es} query rule, which generates alerts when your query meets a threshold. +== Create an {es} query rule +:frontmatter-description: Generate alerts when an {es} query meets a threshold. :frontmatter-tags-products: [kibana,alerting] -:frontmatter-tags-content-type: [overview] +:frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [analyze] +++++ +{es} query +++++ The {es} query rule type runs a user-configured query, compares the number of matches to a configured threshold, and schedules actions to run when the threshold condition is met. -[float] -=== Create the rule - In *{stack-manage-app}* > *{rules-ui}*, click *Create rule*, fill in the name and optional tags, then select *{es} query*. An {es} query rule can be defined using KQL/Lucene or Query DSL. 
@@ -66,14 +65,14 @@ image::images/es-query-rule-action-summary.png[UI for defining alert summary act Alternatively, you can set the action frequency such that actions run for each alert. Choose how often the action runs (at each check interval, only when the alert status changes, or at a custom action interval). You must also choose an action group, which indicates whether the action runs when the query is matched or when the alert is recovered. +Each connector supports a specific set of actions for each action group. For example: [role="screenshot"] image::images/es-query-rule-action-query-matched.png[UI for defining a recovery action] // NOTE: This is an autogenerated screenshot. Do not edit it directly. -Each connector supports a specific set of actions for each action group. -For more details, refer to <>. +You can further refine the conditions under which actions run by specifying that actions only run they match a KQL query or when an alert occurs within a specific time frame. [float] === Add action variables diff --git a/docs/user/alerting/rule-types/geo-rule-types.asciidoc b/docs/user/alerting/rule-types/geo-rule-types.asciidoc index f8c750acea62c..95fd9e0625881 100644 --- a/docs/user/alerting/rule-types/geo-rule-types.asciidoc +++ b/docs/user/alerting/rule-types/geo-rule-types.asciidoc @@ -1,6 +1,12 @@ -[role="xpack"] [[geo-alerting]] -== Tracking containment +== Create a tracking containment rule +:frontmatter-description: Generate alerts when a geographic entity is contained or no longer contained within a boundary. +:frontmatter-tags-products: [kibana,alerting] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [analyze] +++++ +Tracking containment +++++ The tracking containment rule alerts when an entity is contained or no longer contained within a boundary. diff --git a/docs/user/alerting/rule-types/index-threshold.asciidoc b/docs/user/alerting/rule-types/index-threshold.asciidoc index 69cdd2c3bbbcc..9945b58df8bb7 100644 
--- a/docs/user/alerting/rule-types/index-threshold.asciidoc +++ b/docs/user/alerting/rule-types/index-threshold.asciidoc @@ -1,13 +1,17 @@ [[rule-type-index-threshold]] -== Index threshold - -:frontmatter-description: An index threshold rule generates alerts when an aggregated query meets a threshold. +== Create an index threshold rule +:frontmatter-description: Generate alerts when an aggregated query meets a threshold. :frontmatter-tags-products: [kibana,alerting] -:frontmatter-tags-content-type: [overview] +:frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [analyze] +++++ +Index threshold +++++ The index threshold rule type runs an {es} query. It aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. +In *{stack-manage-app}* > *{rules-ui}*, click *Create rule*, fill in the name and optional tags, then select *Index threshold*. + [float] === Define the conditions 
@@ -31,13 +35,35 @@ If data is available and all clauses have been defined, a preview chart will ren [[actions-index-threshold]] === Add actions -You can <> to your rule to generate notifications. +You can optionally send notifications when the rule conditions are met and when they are no longer met. +In particular, this rule type supports: + +* alert summaries +* actions that run when the threshold is met +* recovery actions that run when the rule conditions are no longer met + +For each action, you must choose a connector, which provides connection information for a {kib} service or third party integration. +For more information about all the supported connectors, go to <>. + +After you select a connector, you must set the action frequency. +You can choose to create a summary of alerts on each check interval or on a custom interval. +For example, summarize the new, ongoing, and recovered alerts at a custom interval: + +[role="screenshot"] +image::user/alerting/images/rule-types-index-threshold-example-action-summary.png[UI for defining alert summary action in an index threshold rule] +// NOTE: This is an autogenerated screenshot. Do not edit it directly. + +Alternatively, you can set the action frequency such that actions run for each alert. +Choose how often the action runs (at each check interval, only when the alert status changes, or at a custom action interval). +You must also choose an action group, which indicates whether the action runs when the threshold is met or when the alert is recovered. +Each connector supports a specific set of actions for each action group. +For example: -Each action uses a connector, which provides connection information for a {kib} service or third party integration, depending on where you want to send the notifications. +[role="screenshot"] +image::user/alerting/images/rule-types-index-threshold-example-action.png[UI for defining an action for each alert] +// NOTE: This is an autogenerated screenshot. Do not edit it directly. 
-After you choose a connector, you must choose an action group, which affects when the action runs. -The valid action groups for an index threshold rule are: `Threshold met` and `Recovered`. -Each connector supports a specific set of actions for each action group. For more details, refer to <>. +You can further refine the conditions under which actions run by specifying that actions only run they match a KQL query or when an alert occurs within a specific time frame. [float] [[action-variables-index-threshold]] @@ -118,8 +144,6 @@ For example, add an action that uses a server log connector to write an entry to image::user/alerting/images/rule-types-index-threshold-example-action.png[Add an action to the rule] // NOTE: This is an autogenerated screenshot. Do not edit it directly. -NOTE: The index threshold rule does not support alert summaries; therefore they do not appear in the action frequency options. - The unique action variables that you can use in the notification are listed in <>. For more information, refer to <> and <>. -- diff --git a/x-pack/test/screenshot_creation/apps/response_ops_docs/stack_alerting/index_threshold_rule.ts b/x-pack/test/screenshot_creation/apps/response_ops_docs/stack_alerting/index_threshold_rule.ts index a09333154bc0e..9ca11a5a2dc45 100644 --- a/x-pack/test/screenshot_creation/apps/response_ops_docs/stack_alerting/index_threshold_rule.ts +++ b/x-pack/test/screenshot_creation/apps/response_ops_docs/stack_alerting/index_threshold_rule.ts 
@@ -79,7 +79,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 await testSubjects.click('overExpressionSelect');
 await testSubjects.setValue('overExpressionSelect', 'top');
 await testSubjects.setValue('fieldsNumberSelect', '4');
- await testSubjects.setValue('fieldsExpressionSelect', 'host.keyword');
+ await comboBox.set('fieldsExpressionSelect', 'host.keyword');
 await commonScreenshots.takeScreenshot(
 'rule-types-index-threshold-example-grouping',
 screenshotDirectories,
@@ -128,6 +128,23 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
 1024
 );
 
+ const actionFrequency = await testSubjects.find('summaryOrPerRuleSelect');
+ await actionFrequency.click();
+ const actionSummary = await testSubjects.find('actionNotifyWhen-option-summary');
+ await actionSummary.click();
+ const notifyWhen = await testSubjects.find('notifyWhenSelect');
+ await notifyWhen.click();
+ const customInterval = await testSubjects.find('onThrottleInterval');
+ await customInterval.click();
+ await testSubjects.setValue('throttleInput', '24');
+ await testSubjects.scrollIntoView('addAlertActionButton');
+ await commonScreenshots.takeScreenshot(
+ 'rule-types-index-threshold-example-action-summary',
+ screenshotDirectories,
+ 1400,
+ 1024
+ );
+
 const saveButton = await testSubjects.find('saveRuleButton');
 await saveButton.click();
 const flyOutCancelButton = await testSubjects.find('euiFlyoutCloseButton');
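Review bot: The new `await comboBox.set('fieldsExpressionSelect', 'host.keyword');` depends on a `comboBox` binding that this hunk does not declare, and the prologue of the enclosing test function, where the FTR services are resolved through `getService`, lies outside the hunk; confirm that `const comboBox = getService('comboBox');` is present there alongside the existing `testSubjects` service. The switch away from `testSubjects.setValue` is presumably because that helper types into a plain input and does not drive the combo-box selection, which is worth a one-line comment such as `// fieldsExpressionSelect is an EUI combo box; setValue does not select an option`.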
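Review bot: The eight added `find`/`click` lines before the summary screenshot (`actionFrequency`, `actionSummary`, `notifyWhen`, `customInterval`) each restate what `testSubjects.click(...)`, already used earlier in this file, does in a single call; none of the element handles is reused, so the intermediate constants only add noise and diverge from the surrounding style. Collapsing them halves the block and keeps the steps uniform. Separately, only the interval value `'24'` is typed into `throttleInput` and no unit is selected, so the captured screenshot shows whatever unit the form defaults to — presumably the intended one, but worth confirming against the documentation text that references it. The enclosing test function starts and ends outside the hunk.
```typescript
      // … unchanged: takeScreenshot('rule-types-index-threshold-example-action') …

      await testSubjects.click('summaryOrPerRuleSelect');
      await testSubjects.click('actionNotifyWhen-option-summary');
      await testSubjects.click('notifyWhenSelect');
      await testSubjects.click('onThrottleInterval');
      await testSubjects.setValue('throttleInput', '24');
      // … unchanged: scrollIntoView and the summary screenshot …
```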