From bb0c4b67a7d71b5d651715fb3e7fa373803940be Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 10 Dec 2024 09:25:40 -0500 Subject: [PATCH 01/14] First draft --- docs/detections/alert-suppression.asciidoc | 8 ++++---- docs/serverless/alerts/alert-suppression.asciidoc | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 9cc392cd38..8242e7ca12 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -16,7 +16,7 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec * <> * <> * <> -* <> (non-sequence queries only) +* <> * <> * <> * <> @@ -34,7 +34,7 @@ You can configure alert suppression when you create or edit a supported rule typ . When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), specify how you want to group events for alert suppression: + -- -* **Custom query, indicator match, threshold, event correlation (non-sequence queries only), new terms, {ml}, and {esql} rules:** In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values. +* **Custom query, indicator match, threshold, event correlation, new terms, {ml}, and {esql} rules:** In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values. * **Threshold rule:** In *Group by*, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together. -- 
@@ -44,7 +44,7 @@ You can configure alert suppression when you create or edit a supported rule typ If you specify a field with multiple values, alerts with that field are handled as follows: * **Custom query or threshold rules:** A group of alerts is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. -* **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. +* **Indicator match, event correlation, new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. ====== 
@@ -114,5 +114,5 @@ image::images/timeline-button.png[Investigate in timeline button, 200] Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit): -* **Threshold, event correlation (non-sequence queries only), {esql}, and {ml}:** The maximum number of alerts is the value you choose for the rule's **Max alerts per run** <>, which is `100` by default. +* **Threshold, event correlation, {esql}, and {ml}:** The maximum number of alerts is the value you choose for the rule's **Max alerts per run** <>, which is `100` by default. * **Indicator match and new terms:** The maximum number is five times the value you choose for the rule's **Max alerts per run** <>. The default value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`. \ No newline at end of file diff --git a/docs/serverless/alerts/alert-suppression.asciidoc b/docs/serverless/alerts/alert-suppression.asciidoc index 9f54d69312..9187e92436 100644 --- a/docs/serverless/alerts/alert-suppression.asciidoc +++ b/docs/serverless/alerts/alert-suppression.asciidoc @@ -21,7 +21,7 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec * <> * <> * <> -* <> (non-sequence queries only) +* <> * <> * <> * <> 
@@ -43,7 +43,7 @@ You can configure alert suppression when you create or edit a supported rule typ . When configuring the rule type (the **Define rule** step for a new rule, or the **Definition** tab for an existing rule), specify how you want to group events for alert suppression: + -** **Custom query rule, indicator match, threshold, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** In **Suppress alerts by**, enter 1-3 field names to group events by the fields' values. +** **Custom query rule, indicator match, threshold, event correlation, new terms, {esql}, or {ml} rules:** In **Suppress alerts by**, enter 1-3 field names to group events by the fields' values. ** **Threshold rule:** In **Group by**, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together. + [NOTE] 
@@ -51,7 +51,7 @@ You can configure alert suppression when you create or edit a supported rule typ If you specify a field with multiple values, alerts with that field are handled as follows: * **Custom query or threshold rules:** Alerts are grouped by each unique value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. -* **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. +* **Indicator match, event correlation, new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. ==== . If available, select how often to create alerts for duplicate events: + 
@@ -129,5 +129,5 @@ image:images/alert-suppression/-detections-timeline-button.png[Investigate in ti Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit): -* **Threshold, event correlation (non-sequence queries only, {esql}, and {ml}:** The maximum number is the value you choose for the rule's **Max alerts per run** <>, which is `100` by default. +* **Threshold, event correlation, {esql}, and {ml}:** The maximum number is the value you choose for the rule's **Max alerts per run** <>, which is `100` by default. * **Indicator match and new terms:** The maximum number is five times the value you choose for the rule's **Max alerts per run** <>. The default value is `100`, which means the default maximum limit for indicator match rules and new terms rules is `500`. From 0d32122c88dd8914e1e57140f102f772124603dc Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 12 Dec 2024 18:25:17 -0500 Subject: [PATCH 02/14] draft 1 --- docs/detections/alert-suppression.asciidoc | 6 ++++-- docs/serverless/alerts/alert-suppression.asciidoc | 6 +++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 8242e7ca12..f468dedf7a 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -44,8 +44,10 @@ You can configure alert suppression when you create or edit a supported rule typ If you specify a field with multiple values, alerts with that field are handled as follows: * **Custom query or threshold rules:** A group of alerts is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. -* **Indicator match, event correlation, new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. - +* **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. +* **Event correlation (sequence queries only) rules:** Be aware of the following: +** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. +** Suppression is only supported for sequence alerts, not <>. ====== . If available, select how often to create alerts for duplicate events: diff --git a/docs/serverless/alerts/alert-suppression.asciidoc b/docs/serverless/alerts/alert-suppression.asciidoc index 9187e92436..64ff20a0f7 100644 --- a/docs/serverless/alerts/alert-suppression.asciidoc 
+++ b/docs/serverless/alerts/alert-suppression.asciidoc 
@@ -51,7 +51,11 @@ You can configure alert suppression when you create or edit a supported rule typ If you specify a field with multiple values, alerts with that field are handled as follows: * **Custom query or threshold rules:** Alerts are grouped by each unique value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. -* **Indicator match, event correlation, new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. +* **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. +* **Event correlation (sequence queries only) rules:** If the suppression field is an array of values, the suppressed alert will only suppress values that are an exact match. The values must be equivalent and be in the same position. For example, if you configure suppresson on the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. +* **Event correlation (sequence queries only) rules:** Be aware of the following: +** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. 
For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. +** Suppression is only supported for sequence alerts, not <>. ==== . If available, select how often to create alerts for duplicate events: + From 6cf59b33efb8bacbc36e5a45d03a22b54b6783ca Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:29:29 -0500 Subject: [PATCH 03/14] Update docs/detections/alert-suppression.asciidoc --- docs/detections/alert-suppression.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index f468dedf7a..a34eb857d2 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -47,7 +47,7 @@ If you specify a field with multiple values, alerts with that field are handled * **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. * **Event correlation (sequence queries only) rules:** Be aware of the following: ** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. -** Suppression is only supported for sequence alerts, not <>. +** Suppression is only supported for sequence alerts, not <>. ====== . If available, select how often to create alerts for duplicate events: From 7de8fb487d97e81d02dbd597fc03969b0da3b480 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 16 Dec 2024 17:12:14 -0500 Subject: [PATCH 04/14] fix it? --- docs/detections/alert-suppression.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index a34eb857d2..7dc6a6f91e 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -47,7 +47,7 @@ If you specify a field with multiple values, alerts with that field are handled * **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. * **Event correlation (sequence queries only) rules:** Be aware of the following: ** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. -** Suppression is only supported for sequence alerts, not <>. +** Suppression is only supported for sequence alerts, not <>. ====== . If available, select how often to create alerts for duplicate events: From 61ed833429ed20367a75514aa591308fab744dfe Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 16 Dec 2024 18:29:28 -0500 Subject: [PATCH 05/14] Moves info --- docs/detections/alert-suppression.asciidoc | 4 +--- docs/detections/building-block-rule.asciidoc | 2 ++ docs/detections/rules-ui-create.asciidoc | 1 - docs/serverless/alerts/alert-suppression.asciidoc | 3 --- docs/serverless/rules/building-block-rule.asciidoc | 2 ++ 5 files changed, 5 insertions(+), 7 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 7dc6a6f91e..df1f7af494 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -45,9 +45,7 @@ If you specify a field with multiple values, alerts with that field are handled * **Custom query or threshold rules:** A group of alerts is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. * **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. -* **Event correlation (sequence queries only) rules:** Be aware of the following: -** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. -** Suppression is only supported for sequence alerts, not <>. +* **Event correlation (sequence queries only) rules:** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. ====== . If available, select how often to create alerts for duplicate events: diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index acac04d7f4..b204a4d047 100644 --- a/docs/detections/building-block-rule.asciidoc 
+++ b/docs/detections/building-block-rule.asciidoc @@ -18,6 +18,8 @@ To create a rule that searches alert indices, select *Index Patterns* as the rul [role="screenshot"] image::images/alert-indices-ui.png[] +NOTE: Suppressing building block alerts is not supported, but you can suppress alerts generated by event correlation rules with sequence queries. Refer to <> to learn more. + [float] === View building block alerts in the UI diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 1638a6664c..051f8ab8b4 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -206,7 +206,6 @@ NOTE: For sequence events, the {security-app} generates a single alert when all + . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. -+ //// The following steps are repeated across multiple rule types. If you change anything diff --git a/docs/serverless/alerts/alert-suppression.asciidoc b/docs/serverless/alerts/alert-suppression.asciidoc index 64ff20a0f7..51650665d6 100644 --- a/docs/serverless/alerts/alert-suppression.asciidoc +++ b/docs/serverless/alerts/alert-suppression.asciidoc 
@@ -53,9 +53,6 @@ If you specify a field with multiple values, alerts with that field are handled * **Custom query or threshold rules:** Alerts are grouped by each unique value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. * **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. * **Event correlation (sequence queries only) rules:** If the suppression field is an array of values, the suppressed alert will only suppress values that are an exact match. The values must be equivalent and be in the same position. For example, if you configure suppresson on the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. -* **Event correlation (sequence queries only) rules:** Be aware of the following: -** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element. -** Suppression is only supported for sequence alerts, not <>. ==== . If available, select how often to create alerts for duplicate events: + diff --git a/docs/serverless/rules/building-block-rule.asciidoc b/docs/serverless/rules/building-block-rule.asciidoc index 9d3cac2452..c70b39ea40 100644 
--- a/docs/serverless/rules/building-block-rule.asciidoc +++ b/docs/serverless/rules/building-block-rule.asciidoc @@ -22,6 +22,8 @@ To create a rule that searches alert indices, select **Index Patterns** as the r [role="screenshot"] image::images/building-block-rule/-detections-alert-indices-ui.png[] +NOTE: Suppressing building block alerts is not supported, but you can suppress alerts generated by event correlation rules with sequence queries. Refer to <> to learn more. + [discrete] [[security-building-block-rules-view-building-block-alerts-in-the-ui]] == View building block alerts in the UI From 5cd6f7b19942fbdb72477704b89e957bc7d05ba7 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 16 Dec 2024 19:02:30 -0500 Subject: [PATCH 06/14] updating ref --- docs/serverless/rules/building-block-rule.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/serverless/rules/building-block-rule.asciidoc b/docs/serverless/rules/building-block-rule.asciidoc index c70b39ea40..4cf4a79f3f 100644 --- a/docs/serverless/rules/building-block-rule.asciidoc +++ b/docs/serverless/rules/building-block-rule.asciidoc @@ -22,7 +22,7 @@ To create a rule that searches alert indices, select **Index Patterns** as the r [role="screenshot"] image::images/building-block-rule/-detections-alert-indices-ui.png[] -NOTE: Suppressing building block alerts is not supported, but you can suppress alerts generated by event correlation rules with sequence queries. Refer to <> to learn more. +NOTE: Suppressing building block alerts is not supported, but you can suppress alerts generated by event correlation rules with sequence queries. Refer to <> to learn more. [discrete] [[security-building-block-rules-view-building-block-alerts-in-the-ui]] From c77eaca9bc6bf3cddfeef079812db3854065543b Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:41:26 -0500 Subject: [PATCH 07/14] Update docs/detections/building-block-rule.asciidoc --- docs/detections/building-block-rule.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index b204a4d047..04a869d583 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc @@ -18,7 +18,6 @@ To create a rule that searches alert indices, select *Index Patterns* as the rul [role="screenshot"] image::images/alert-indices-ui.png[] -NOTE: Suppressing building block alerts is not supported, but you can suppress alerts generated by event correlation rules with sequence queries. Refer to <> to learn more. [float] From b583165a516249ab999bf8c9ba26c386bae9728d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:41:51 -0500 Subject: [PATCH 08/14] Update docs/serverless/rules/building-block-rule.asciidoc --- docs/serverless/rules/building-block-rule.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/serverless/rules/building-block-rule.asciidoc b/docs/serverless/rules/building-block-rule.asciidoc index 4cf4a79f3f..c0e86a97a2 100644 --- a/docs/serverless/rules/building-block-rule.asciidoc +++ b/docs/serverless/rules/building-block-rule.asciidoc @@ -22,7 +22,6 @@ To create a rule that searches alert indices, select **Index Patterns** as the r [role="screenshot"] image::images/building-block-rule/-detections-alert-indices-ui.png[] -NOTE: Suppressing building block alerts is not supported, but you can suppress alerts generated by event correlation rules with sequence queries. Refer to <> to learn more. [discrete] [[security-building-block-rules-view-building-block-alerts-in-the-ui]] From 3cd6c666c23c17c04edacbe0b87561a051acb166 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Thu, 19 Dec 2024 14:43:16 -0500 Subject: [PATCH 09/14] Removing empty lines --- docs/detections/building-block-rule.asciidoc | 1 - docs/serverless/rules/building-block-rule.asciidoc | 1 - 2 files changed, 2 deletions(-) diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index 04a869d583..acac04d7f4 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc @@ -18,7 +18,6 @@ To create a rule that searches alert indices, select *Index Patterns* as the rul [role="screenshot"] image::images/alert-indices-ui.png[] - [float] === View building block alerts in the UI diff --git a/docs/serverless/rules/building-block-rule.asciidoc b/docs/serverless/rules/building-block-rule.asciidoc index c0e86a97a2..9d3cac2452 100644 --- a/docs/serverless/rules/building-block-rule.asciidoc +++ b/docs/serverless/rules/building-block-rule.asciidoc @@ -22,7 +22,6 @@ To create a rule that searches alert indices, select **Index Patterns** as the r [role="screenshot"] image::images/building-block-rule/-detections-alert-indices-ui.png[] - [discrete] [[security-building-block-rules-view-building-block-alerts-in-the-ui]] == View building block alerts in the UI From 2f21e1270b216f7e0f71d1a9e389338ec8688ad8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 19 Dec 2024 14:45:22 -0500 Subject: [PATCH 10/14] Removes tech preview label for 8.18 --- docs/detections/rules-ui-create.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 051f8ab8b4..a87c9327a6 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -100,7 +100,6 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on * Deselect this to load the saved query as a one-time way of populating the rule's *Custom query* field and filters. This copies the settings from the saved query to the rule, so you can then further adjust the rule's query and filters as needed. If the saved query is later changed, the rule will not inherit those changes. . (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. -+ //// The following steps are repeated across multiple rule types. If you change anything @@ -205,7 +204,7 @@ NOTE: For sequence events, the {security-app} generates a single alert when all * *Timestamp field*: Contains the event timestamp used for sorting a sequence of events. This is different from the *Timestamp override* advanced setting, which is used for querying events within a range. Defaults to the `@timestamp` ECS field. + -. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. +. Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. //// The following steps are repeated across multiple rule types. If you change anything From 26daaef218cc630636ccea59e2c0e072dbca01cf Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 19 Dec 2024 14:46:23 -0500 Subject: [PATCH 11/14] updates note about reqs --- docs/serverless/alerts/alert-suppression.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/docs/serverless/alerts/alert-suppression.asciidoc b/docs/serverless/alerts/alert-suppression.asciidoc index 51650665d6..b4ef6587ab 100644 --- a/docs/serverless/alerts/alert-suppression.asciidoc +++ b/docs/serverless/alerts/alert-suppression.asciidoc @@ -12,8 +12,7 @@ .Requirements and notice [IMPORTANT] ==== -* {ml-cap} rules have <> for alert suppression. -* Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. +{ml-cap} rules have <> for alert suppression. ==== Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types: From 2c5912df5b40c9b8556e9af55568559d6c0e0feb Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 19 Dec 2024 14:50:42 -0500 Subject: [PATCH 12/14] Re-adds + --- docs/detections/rules-ui-create.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index a87c9327a6..ecca156368 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -100,6 +100,7 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on * Deselect this to load the saved query as a one-time way of populating the rule's *Custom query* field and filters. This copies the settings from the saved query to the rule, so you can then further adjust the rule's query and filters as needed. If the saved query is later changed, the rule will not inherit those changes. . (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. ++ //// The following steps are repeated across multiple rule types. If you change anything From 4cd7a6b465936225c7c51346ff65e4a696628440 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 19 Dec 2024 15:23:47 -0500 Subject: [PATCH 13/14] Fixes Serverless note --- docs/detections/alert-suppression.asciidoc | 2 -- docs/serverless/alerts/alert-suppression.asciidoc | 3 ++- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index df1f7af494..320d74ef18 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -7,8 +7,6 @@ * Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription]. * {ml-cap} rules have <> for alert suppression. - -preview::["Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] -- Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types: 
diff --git a/docs/serverless/alerts/alert-suppression.asciidoc b/docs/serverless/alerts/alert-suppression.asciidoc index b4ef6587ab..51650665d6 100644 --- a/docs/serverless/alerts/alert-suppression.asciidoc +++ b/docs/serverless/alerts/alert-suppression.asciidoc @@ -12,7 +12,8 @@ .Requirements and notice [IMPORTANT] ==== -{ml-cap} rules have <> for alert suppression. +* {ml-cap} rules have <> for alert suppression. +* Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. ==== Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types: From 50f54a44024bf6aed0734f1bc0cd3efbbb9e1f84 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 19 Dec 2024 17:02:49 -0500 Subject: [PATCH 14/14] Fixes numbering --- docs/detections/rules-ui-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index ecca156368..9491f98c19 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -206,7 +206,7 @@ NOTE: For sequence events, the {security-app} generates a single alert when all + . Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. - ++ //// The following steps are repeated across multiple rule types. If you change anything in these steps or sub-steps, apply the change to the other rule types, too.
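Review bot: In PATCH 01, hunk `@@ -34,7 +34,7 @@` of docs/detections/alert-suppression.asciidoc (and its serverless twin `@@ -43,7 +43,7 @@`), the edited bullet still lists "threshold" among the rule types configured via *Suppress alerts by*, while the next bullet gives threshold rules their own *Group by* setting; the two bullets contradict each other. Since the line is being touched anyway, drop "threshold" from the first bullet (or the second bullet, whichever reflects the UI) so a threshold rule appears in exactly one place.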
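Review bot: In PATCH 01, hunk `@@ -114,5 +114,5 @@` of docs/detections/alert-suppression.asciidoc ends with `\ No newline at end of file`; the serverless counterpart at `@@ -129,5 +129,5 @@` does not carry that marker. Add the trailing newline to the detections file while this last line is being rewritten so the two files stay consistent and future diffs on this line stay clean.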
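Review bot: In PATCH 02, hunk `@@ -44,8 +44,10 @@` of docs/detections/alert-suppression.asciidoc, the example arrays `[1.1.1.1, 0.0.0.0]` and `[1.1.1.1, 192.168.0.1]` in the new sequence-query sub-bullet are plain text, whereas the preceding bullet's example uses backticks for `[127.0.0.1, 127.0.0.2, 127.0.0.3]`. Put the arrays and the field name in code formatting to match. Also note that this hunk restores the "(non-sequence queries only)" qualifier that PATCH 01 removed from the same bullet; squashing the two commits would avoid the back-and-forth in history.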
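Review bot: In PATCH 02, hunk `@@ -51,7 +51,11 @@` of docs/serverless/alerts/alert-suppression.asciidoc adds two consecutive bullets both titled **Event correlation (sequence queries only) rules:** that state the same exact-match-and-order rule; keep only one. The second (sub-bullet) form matches the wording committed to the detections file in the same patch, and the first contains the misspelling "suppresson" plus the awkward "the suppressed alert will only suppress values that are an exact match", so the first is the one to drop.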
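Review bot: In PATCH 05, hunk `@@ -53,9 +53,6 @@` of docs/serverless/alerts/alert-suppression.asciidoc removes the sub-bullet version of the sequence-query note and keeps the bullet that still reads "if you configure suppresson on the field `myips`". The detections file in the same patch (hunk `@@ -45,9 +45,7 @@`) keeps the cleaner "If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order" sentence. Align the serverless bullet with that wording and fix the typo so the two doc sets do not diverge.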
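Review bot: Taken together, PATCH 05 (which removes "Suppression is only supported for sequence alerts, not <>." from both alert-suppression files), PATCH 07 and PATCH 08 (which remove the `NOTE: Suppressing building block alerts is not supported ...` lines added to both building-block-rule files in PATCH 05) and PATCH 09 (which removes the blank lines left behind) leave no statement anywhere in the series that building block alerts cannot be suppressed. If that limitation still holds, restore a one-line mention in the sequence-query bullet of alert-suppression.asciidoc; if it was dropped deliberately, say so in the commit message.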
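Review bot: In PATCH 10, hunk `@@ -205,7 +204,7 @@` of docs/detections/rules-ui-create.asciidoc, the replacement line `. Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required)` drops the opening parenthesis when the `preview:[]` label is removed, leaving an unbalanced `)`. It should read `. (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required)` like the equivalent step at line 100 in the same hunk. The broken line is still present as context in PATCH 14, so it was not fixed later in the series.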
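Review bot: PATCH 05 (hunk `@@ -206,7 +206,6 @@`) and PATCH 10 (hunk `@@ -100,7 +100,6 @@`) delete the `+` list-continuation line after the *Suppress alerts by* step in docs/detections/rules-ui-create.asciidoc, and PATCH 12 and PATCH 14 add it back in the same two places. In AsciiDoc that `+` is what keeps the following block attached to the numbered step, so removing it changes rendering rather than just whitespace. The net change to those lines is nil; squash the four commits so the series does not record a rendering regression and its revert.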
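Review bot: PATCH 13's hunk for docs/serverless/alerts/alert-suppression.asciidoc (`index b4ef6587ab..51650665d6`) is the exact inverse of PATCH 11's hunk for the same file (`index 51650665d6..b4ef6587ab`): it restores both bullets of the `.Requirements and notice` block, including the technical-preview sentence for event correlation rules. Squash the pair, and note in the commit message that the preview notice is intentionally kept for serverless while PATCH 13 removes the `preview::[...]` line from docs/detections/alert-suppression.asciidoc for 8.18, so the asymmetry between the two doc sets reads as deliberate.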