diff --git a/docs/user/alerting/create-and-manage-rules.asciidoc b/docs/user/alerting/create-and-manage-rules.asciidoc index ed21a2bc8b228..31c43346ef308 100644 --- a/docs/user/alerting/create-and-manage-rules.asciidoc +++ b/docs/user/alerting/create-and-manage-rules.asciidoc 
@@ -71,22 +71,28 @@ conditions are met and when they are no longer met. Each action uses a connector, which provides connection information for a {kib} service or third party integration, depending on where you want to send the notifications. If no connectors exist, click **Add connector** to create one. -After you select a connector, set the action frequency. If the rule type supports alert summaries, you can choose to create a summary of alerts on each check interval or on a custom interval. For example, if you create a metrics threshold rule, you can send email notifications that summarize the new, ongoing, and recovered alerts each day: +After you select a connector, set the action frequency. If the rule type supports alert summaries, you can choose to create a summary of alerts on each check interval or on a custom interval. For example, if you create a metrics threshold rule, you can send email notifications that summarize the new, ongoing, and recovered alerts each hour: [role="screenshot"] -image::images/rule-flyout-action-summary.png[UI for defining rule conditions on a metric threshold rule,500] +image::images/action-alert-summary.png[UI for defining rule conditions on a metric threshold rule,500] +// NOTE: This is an autogenerated screenshot. Do not edit it directly. -TIP: If you choose a custom action interval, it cannot be shorter than the rule's check interval. +[NOTE] +==== +* The rules that support alert summaries, such as this metric threshold rule, enable you to further refine when actions run by adding time frame and query filters. +* If you choose a custom action interval, it cannot be shorter than the rule's check interval. +==== -Alternatively, you can set the action frequency such that the action runs for each alert. If the rule type does not support alert summaries, this is your only available option. 
You must choose when the action runs (for example, at each check interval, only when the alert status changes, or at a custom action interval). You must also choose an action group, which affects whether the action runs (for example, the action runs when the issue is detected or when it is recovered). Each rule type has a specific set of valid action groups. +Alternatively, you can set the action frequency such that the action runs for each alert. +If the rule type does not support alert summaries, this is your only available option. +You must choose when the action runs (for example, at each check interval, only when the alert status changes, or at a custom action interval). +You must also choose an action group, which affects whether the action runs. Each rule type has a specific set of valid action groups. +For example, you can set *Run when* to `Alert`, `Warning`, `No data`, or `Recovered` for the metric threshold rule: [role="screenshot"] image::images/rule-flyout-action-details.png[UI for defining an email action,500] // NOTE: This is an autogenerated screenshot. Do not edit it directly. -If you create rules in the {security-app}, you can further refine when actions run by adding time frame and query filters. -For more details, refer to {security-guide}/rules-ui-create.html[Create a detection rule]. - Each connector enables different action properties. For example, an email connector enables you to set the recipients, the subject, and a message body in markdown format. For more information about connectors, refer to <>. [[alerting-concepts-suppressing-duplicate-notifications]] diff --git a/docs/user/alerting/images/action-alert-summary.png b/docs/user/alerting/images/action-alert-summary.png new file mode 100644 index 0000000000000..038e346a72725 Binary files /dev/null and b/docs/user/alerting/images/action-alert-summary.png differ 
diff --git a/docs/user/alerting/images/rule-flyout-action-summary.png b/docs/user/alerting/images/rule-flyout-action-summary.png deleted file mode 100644 index f6fe3ba1ee9f5..0000000000000 Binary files a/docs/user/alerting/images/rule-flyout-action-summary.png and /dev/null differ
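Review bot: the first bullet of the added `[NOTE]` block says rules that support alert summaries let you add time frame and query filters, but the hunk also deletes the only pointer to further detail on those filters (`{security-guide}/rules-ui-create.html[Create a detection rule]`). The page now tells readers that the filters exist without saying where they are set or what they match. Suggest adding a sentence or a cross-reference that covers this for the rule types this page describes. Two smaller points in the same hunk: the rewritten sentence still says "metrics threshold rule" while the added lines say "metric threshold rule", so pick one spelling; and the replaced image keeps the alt text "UI for defining rule conditions on a metric threshold rule" although the file is now `action-alert-summary.png` and the surrounding text is about action frequency and summaries, so the alt text should describe the action summary settings instead.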