From 7903770d1cf7850616c965359bb9ad26144e3015 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 5 Apr 2024 14:16:19 -0400 Subject: [PATCH 01/21] Update alert-suppression.asciidoc --- docs/detections/alert-suppression.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 21cac47320..c9aab1aab9 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -14,6 +14,7 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec * <> * <> * <> +* <> Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values. From d852971ffa20b7873beadb0c0c6163b065558cbb Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 5 Apr 2024 15:11:03 -0400 Subject: [PATCH 02/21] Update docs/detections/alert-suppression.asciidoc --- docs/detections/alert-suppression.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index c9aab1aab9..0507dded3f 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -14,7 +14,7 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec * <> * <> * <> -* <> +* <> Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values. From ac356b942d36f9dd38d5483bd0f0a66ea522dc08 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 10 Apr 2024 21:40:17 -0400 Subject: [PATCH 03/21] Adding more to draft --- docs/detections/alert-suppression.asciidoc | 11 +++++++---- docs/detections/api/rules/rules-api-create.asciidoc | 4 ++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 0507dded3f..59e63d5c92 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -14,7 +14,8 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec * <> * <> * <> -* <> +* <> (non-sequence queries only) +* <> Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values. 
@@ -32,6 +33,8 @@ You can configure alert suppression when you create or edit a supported rule typ * Custom query rule: In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values. * Threshold rule: In *Group by*, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together. * Indicator match rule: In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values. +* Event correlation rule (non-sequence queries only): In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values. +* New terms rule: -- + [NOTE] @@ -39,7 +42,7 @@ You can configure alert suppression when you create or edit a supported rule typ Fields with multiple values are handled as follows: * **Custom query or threshold rules** - If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. -* **Indicator match rule** - If you specify a field with multiple values, an alert grouping is created for alerts that contain the array you specified. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts that contain this array are grouped and suppressed. +* **Indicator match rule, event correlation (non-sequence queries only), or new terms rule** - If you specify a field with multiple values, an alert grouping is created for alerts that contain the array you specified. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts that contain this array are grouped and suppressed. ====== 
@@ -102,5 +105,5 @@ image::images/timeline-button.png[Investigate in timeline button, 200] Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit): -* **Threshold** - The maximum number of alerts is the value specified for the <> setting, which is `100` by default. -* **Indicator match** - The maximum number is five times the value specified for the <> setting. The default `max_signals` value is `100`, which means the default maximum limit for indicator match rules is `500`. \ No newline at end of file +* **Threshold and event correlation (non-sequenced queries only)** - The maximum number of alerts is the value specified for the <> setting, which is `100` by default. +* **Indicator match and new terms** - The maximum number is five times the value specified for the <> setting. The default `max_signals` value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`. \ No newline at end of file diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 7da03b3009..ca291ec398 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -487,11 +487,11 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |============================================== [[opt-fields-alert-suppression-create]] -===== Optional alert suppression fields for query, indicator match, and threshold rules +===== Optional alert suppression fields for query, indicator match, threshold rule, and new terms rules preview::[] -====== Query rule and indicator match rule +====== Query rule, indicator match, and new terms rule [width="100%",options="header"] |============================================== From 2a36188fb1d35a1c9fd615572aacca8077e13573 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Thu, 11 Apr 2024 00:41:46 -0400 Subject: [PATCH 04/21] Minor typo --- docs/detections/alert-suppression.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 59e63d5c92..aa39029990 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -105,5 +105,5 @@ image::images/timeline-button.png[Investigate in timeline button, 200] Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit): -* **Threshold and event correlation (non-sequenced queries only)** - The maximum number of alerts is the value specified for the <> setting, which is `100` by default. +* **Threshold and event correlation (non-sequence queries only)** - The maximum number of alerts is the value specified for the <> setting, which is `100` by default. * **Indicator match and new terms** - The maximum number is five times the value specified for the <> setting. The default `max_signals` value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`. \ No newline at end of file From 37aafe1a776e3dd0b8a1310f32cff9243ec3877b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 11 Apr 2024 13:33:42 -0400 Subject: [PATCH 05/21] Aligning with Serverless docs --- docs/detections/alert-suppression.asciidoc | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index aa39029990..df405ed975 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -25,7 +25,7 @@ NOTE: Alert suppression is not available for Elastic prebuilt rules. However, if === Configure alert suppression -You can configure alert suppression when you create or edit a supported rule type. Refer to <>, <>, or <> for detailed instructions. +You can configure alert suppression when you create or edit a supported rule type. Refer to documentation for creating <>, <>, <>, or <> for detailed instructions. . When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), specify how you want to group events for alert suppression: + @@ -34,7 +34,8 @@ You can configure alert suppression when you create or edit a supported rule typ * Threshold rule: In *Group by*, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together. * Indicator match rule: In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values. * Event correlation rule (non-sequence queries only): In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values. -* New terms rule: +* New terms rule: In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values. + -- + [NOTE] 
@@ -48,16 +49,20 @@ Fields with multiple values are handled as follows: . If available, select how often to create alerts for duplicate events: + +NOTE: Both options are available for custom query, indicator match, event correlation, and new terms rules. Threshold rules only have the *Per time period* option. ++ -- -* *Per rule execution*: (Only available for custom query rules and indicator match rules) Create an alert each time the rule runs and meets its criteria. -* *Per time period*: Create one alert for all qualifying events within a specified time window, beginning when the rule first meets its criteria and creates the alert. (This is the only option available for threshold rules.) +* *Per rule execution*: Create an alert each time the rule runs and meets its criteria. +* *Per time period*: Create one alert for all qualifying events within a specified time window, beginning when the rule first meets its criteria and creates the alert. + For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events. + image::images/alert-suppression-options.png[Alert suppression options,400] -- -. (Only available for custom query rules and indicator match rules) Under *If a suppression field is missing*, choose how to handle events with missing suppression fields (events in which one or more of the *Suppress alerts by* fields don't exist): +. Under *If a suppression field is missing*, choose how to handle events with missing suppression fields (events in which one or more of the *Suppress alerts by* fields don't exist): ++ +NOTE: These options are not available for threshold rules. * *Suppress and group alerts for events with missing fields*: Create one alert for each group of events with missing fields. 
Missing fields get a `null` value, which is used to group and suppress alerts. * *Do not suppress alerts for events with missing fields*: Create a separate alert for each matching event. This basically falls back to normal alert creation for events with missing suppression fields. From e91fc63b67b3c450be5659c342cc29f0c4710120 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 12 Apr 2024 12:28:17 -0400 Subject: [PATCH 06/21] Update docs/detections/alert-suppression.asciidoc Co-authored-by: Ryland Herrick --- docs/detections/alert-suppression.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index df405ed975..4a9582f6aa 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -25,7 +25,7 @@ NOTE: Alert suppression is not available for Elastic prebuilt rules. However, if === Configure alert suppression -You can configure alert suppression when you create or edit a supported rule type. Refer to documentation for creating <>, <>, <>, or <> for detailed instructions. +You can configure alert suppression when you create or edit a supported rule type. Refer to documentation for creating <>, <>, <>, or <> rules for detailed instructions. . When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), specify how you want to group events for alert suppression: + From 3daeab6eb5c0146318e289b2507c0e0d8b86a0c4 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 12 Apr 2024 15:54:43 -0400 Subject: [PATCH 07/21] Update docs/detections/api/rules/rules-api-create.asciidoc --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index ca291ec398..228d4042fe 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -487,7 +487,7 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |============================================== [[opt-fields-alert-suppression-create]] -===== Optional alert suppression fields for query, indicator match, threshold rule, and new terms rules +===== Optional alert suppression fields for query, indicator match, threshold rule, event correlation, and new terms rules preview::[] From 8e2024bdbdb2c20976821bd382f36750653da19d Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 12 Apr 2024 16:35:34 -0400 Subject: [PATCH 08/21] Updating update api --- docs/detections/api/rules/rules-api-update.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index 7e8242e201..3905293e7d 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -512,7 +512,7 @@ in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). [[opt-fields-alert-suppression-update]] -===== Optional alert suppression fields for query, indicator match, and threshold rules +===== Optional alert suppression fields for query, indicator match, threshold rule, event correlation, and new terms rules preview::[] From 3f6210c9ffd3199a0c30c5419088a965fe57554c Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 12 Apr 2024 16:47:09 -0400 Subject: [PATCH 09/21] Fixed formatting error --- docs/detections/alert-suppression.asciidoc | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 4a9582f6aa..8ef7e6726e 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -63,6 +63,7 @@ image::images/alert-suppression-options.png[Alert suppression options,400] . Under *If a suppression field is missing*, choose how to handle events with missing suppression fields (events in which one or more of the *Suppress alerts by* fields don't exist): + NOTE: These options are not available for threshold rules. + * *Suppress and group alerts for events with missing fields*: Create one alert for each group of events with missing fields. Missing fields get a `null` value, which is used to group and suppress alerts. * *Do not suppress alerts for events with missing fields*: Create a separate alert for each matching event. This basically falls back to normal alert creation for events with missing suppression fields. From 7b09c52a5b72386a04e639ef0754032a28825d1e Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 23 Apr 2024 16:11:53 -0400 Subject: [PATCH 10/21] Ben's input pt 1 --- docs/detections/alert-suppression.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 8ef7e6726e..1fc48ab927 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -111,5 +111,5 @@ image::images/timeline-button.png[Investigate in timeline button, 200] Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit): -* **Threshold and event correlation (non-sequence queries only)** - The maximum number of alerts is the value specified for the <> setting, which is `100` by default. -* **Indicator match and new terms** - The maximum number is five times the value specified for the <> setting. The default `max_signals` value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`. \ No newline at end of file +* **Threshold and event correlation (non-sequence queries only)** - The maximum number of alerts is the value you choose for the <> setting, which is `100` by default. +* **Indicator match and new terms** - The maximum number is five times the value you choose for the <> setting. The default `max_signals` value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`. \ No newline at end of file From 67e4450a5350ece4cd5945fca4de23fc3184c5bd Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 23 Apr 2024 17:09:33 -0400 Subject: [PATCH 11/21] Ref suppression docs Ref suppression docs in steps for creating new terms and eql rules --- docs/detections/rules-ui-create.asciidoc | 25 ++++++------------------ 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 17719cbfbc..f555543ccf 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -83,17 +83,6 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. -.. Enter a field name to group qualifying source events by the field's unique values; only one alert will be created for each group of events. You can also enter up to 3 fields to group events by unique combinations of values. -+ -NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. - -.. Select how often to create alerts for duplicate events: - -* *Per rule execution*: Create an alert each time the rule runs and meets its criteria. -* *Per time period*: Create one alert for all qualifying events within a specified time window, beginning when the rule first meets its criteria and creates the alert. -+ -For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events. - . Click **Continue** to <>. [discrete] 
@@ -121,14 +110,6 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. -.. Enter field names in *Group by* to group qualifying source events by the fields' unique values; only one alert will be created for each group of events. You can enter up to 3 fields to group events by unique combinations of values. You can also leave *Group by* empty to group all qualifying events together. -+ -NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. - -.. In *Per time period*, specify how often to create alerts for duplicate events. This will create one alert for all qualifying events within the specified time window, beginning when the rule first meets its criteria and creates the alert. -+ -For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events. - . Click *Continue* to <>. [discrete] 
@@ -176,6 +157,9 @@ NOTE: For sequence events, the {security-app} generates a single alert when all * *Tiebreaker field*: Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp. * *Timestamp field*: Contains the event timestamp used for sorting a sequence of events. This is different from the *Timestamp override* advanced setting, which is used for querying events within a range. Defaults to the `@timestamp` ECS field. + + +. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + . Click *Continue* to <>. [discrete] @@ -271,6 +255,9 @@ IMPORTANT: When checking multiple fields, each unique combination of values from .. Use the *History Window Size* menu to specify the time range to search in minutes, hours, or days to determine if a term is new. The history window size must be larger than the rule interval plus additional look-back time, because the rule will look for terms where the only time(s) the term appears within the history window is _also_ within the rule interval and additional look-back time. + For example, if a rule has an interval of 5 minutes, no additional look-back time, and a history window size of 7 days, a term will be considered new only if the time it appears within the last 7 days is also within the last 5 minutes. Configure the rule interval and additional look-back time when you <>. + +. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. + . Click *Continue* to <>. [discrete] From 482df043d13ec3c32df0ff41d012f145dfb1fb0f Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Tue, 23 Apr 2024 18:20:08 -0400 Subject: [PATCH 12/21] Re-adding content to avoid conflict --- docs/detections/rules-ui-create.asciidoc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index f555543ccf..c8bd0b15d4 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -83,6 +83,17 @@ When you use a saved query, the *Load saved query "_query name_" dynamically on . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. +.. Enter a field name to group qualifying source events by the field's unique values; only one alert will be created for each group of events. You can also enter up to 3 fields to group events by unique combinations of values. ++ +NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. + +.. Select how often to create alerts for duplicate events: + +* *Per rule execution*: Create an alert each time the rule runs and meets its criteria. +* *Per time period*: Create one alert for all qualifying events within a specified time window, beginning when the rule first meets its criteria and creates the alert. ++ +For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events. + . Click **Continue** to <>. [discrete] 
@@ -110,6 +121,14 @@ IMPORTANT: Alerts created by threshold rules are synthetic alerts that do not re . preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Select *Suppress alerts* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <> for more information. +.. Enter field names in *Group by* to group qualifying source events by the fields' unique values; only one alert will be created for each group of events. You can enter up to 3 fields to group events by unique combinations of values. You can also leave *Group by* empty to group all qualifying events together. ++ +NOTE: If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. + +.. In *Per time period*, specify how often to create alerts for duplicate events. This will create one alert for all qualifying events within the specified time window, beginning when the rule first meets its criteria and creates the alert. ++ +For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events. + . Click *Continue* to <>. [discrete] From b2b6040278eacdf2f35b12c1a615e868c89f99bc Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 24 Apr 2024 00:31:34 -0400 Subject: [PATCH 13/21] Update docs/detections/api/rules/rules-api-create.asciidoc --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index c1aa6b77f4..0cb078b99a 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -495,7 +495,7 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). preview::[] -====== Query rule, indicator match, and new terms rule +====== Query rule, indicator match, event correlation, and new terms rule [width="100%",options="header"] |============================================== From 21af9a3d74dea29422e18029ef241cd1e168a076 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 24 Apr 2024 00:34:32 -0400 Subject: [PATCH 14/21] Updating titles --- docs/detections/api/rules/rules-api-create.asciidoc | 4 ++-- docs/detections/api/rules/rules-api-update.asciidoc | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 0cb078b99a..2b10a224c7 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -491,11 +491,11 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |============================================== [[opt-fields-alert-suppression-create]] -===== Optional alert suppression fields for query, indicator match, threshold rule, event correlation, and new terms rules +===== Optional alert suppression fields for query, indicator match, threshold rule, event correlation (non-sequence queries only), and new terms rules preview::[] -====== Query rule, indicator match, event correlation, and new terms rule +====== Query rule, indicator match, event correlation (non-sequence queries only), and new terms rule [width="100%",options="header"] |============================================== 
diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index b5b89fa4ba..c14f4578e6 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -516,11 +516,11 @@ in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). [[opt-fields-alert-suppression-update]] -===== Optional alert suppression fields for query, indicator match, threshold rule, event correlation, and new terms rules +===== Optional alert suppression fields for query, indicator match, threshold rule, event correlation (non-sequence queries only), and new terms rules preview::[] -====== Query rule and indicator match rule +====== Query rule, indicator match rule, event correlation (non-sequence queries only), and new terms rules [width="100%",options="header"] |============================================== From 119b395a7b9d6d173853a46d5b6323c921c6024a Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 24 Apr 2024 10:23:03 -0400 Subject: [PATCH 15/21] Vitalii's input --- docs/detections/alert-suppression.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 1fc48ab927..b17424273b 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc 
@@ -40,10 +40,10 @@ You can configure alert suppression when you create or edit a supported rule typ + [NOTE] ====== -Fields with multiple values are handled as follows: +If you specify a field with multiple values, alerts with that field are handled in the following way: -* **Custom query or threshold rules** - If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. -* **Indicator match rule, event correlation (non-sequence queries only), or new terms rule** - If you specify a field with multiple values, an alert grouping is created for alerts that contain the array you specified. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts that contain this array are grouped and suppressed. +* **Custom query or threshold rules** - A group of alerts is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. +* **Indicator match rule, event correlation (non-sequence queries only), or new terms rule** - Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. ====== From 5624b31aeea220b5cc3eaabd3a630d2ffec27775 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 24 Apr 2024 13:02:13 -0400 Subject: [PATCH 16/21] ben's input --- docs/detections/alert-suppression.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index b17424273b..6ec5a20a30 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -53,7 +53,7 @@ NOTE: Both options are available for custom query, indicator match, event correl + -- * *Per rule execution*: Create an alert each time the rule runs and meets its criteria. -* *Per time period*: Create one alert for all qualifying events within a specified time window, beginning when the rule first meets its criteria and creates the alert. +* *Per time period*: Create one alert for all qualifying events that occur within a specified time window, beginning from when an event first meets the rule criteria and creates the alert. + For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events. + From c9099294215f5172f0f611f2ec622fa25d398069 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 24 Apr 2024 16:49:56 -0400 Subject: [PATCH 17/21] Update docs/detections/api/rules/rules-api-update.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/detections/api/rules/rules-api-update.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index c14f4578e6..6ede451a1c 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc 
@@ -520,7 +520,7 @@ in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). preview::[] -====== Query rule, indicator match rule, event correlation (non-sequence queries only), and new terms rules +====== Query, indicator match, event correlation (non-sequence queries only), and new terms rules [width="100%",options="header"] |============================================== From eb14faf52834ff1a39a1e6e87f70e8bca2698dce Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 24 Apr 2024 16:50:08 -0400 Subject: [PATCH 18/21] Update docs/detections/api/rules/rules-api-create.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 2b10a224c7..a5124b2d1c 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -491,7 +491,7 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). |============================================== [[opt-fields-alert-suppression-create]] -===== Optional alert suppression fields for query, indicator match, threshold rule, event correlation (non-sequence queries only), and new terms rules +===== Optional alert suppression fields for query, indicator match, threshold, event correlation (non-sequence queries only), and new terms rules preview::[] From 3e7006d729614995b25cc586769cd2eae4e28f38 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 24 Apr 2024 16:50:18 -0400 Subject: [PATCH 19/21] Update docs/detections/alert-suppression.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/detections/alert-suppression.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 6ec5a20a30..9a1da41d62 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -40,7 +40,7 @@ You can configure alert suppression when you create or edit a supported rule typ + [NOTE] ====== -If you specify a field with multiple values, alerts with that field are handled in the following way: +If you specify a field with multiple values, alerts with that field are handled as follows: * **Custom query or threshold rules** - A group of alerts is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`. * **Indicator match rule, event correlation (non-sequence queries only), or new terms rule** - Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group. From 2ab6914d679fff6ccd62884b75ed836a3df23279 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 24 Apr 2024 16:50:27 -0400 Subject: [PATCH 20/21] Update docs/detections/api/rules/rules-api-create.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/detections/api/rules/rules-api-create.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index a5124b2d1c..24d9d0637d 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -495,7 +495,7 @@ a detection rule exception (`detection`) or an endpoint exception (`endpoint`). preview::[] -====== Query rule, indicator match, event correlation (non-sequence queries only), and new terms rule +====== Query, indicator match, event correlation (non-sequence queries only), and new terms rules [width="100%",options="header"] |============================================== From 5cf130d18fcc50888bb3066417f9d5dbb09e4a5e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 24 Apr 2024 16:50:33 -0400 Subject: [PATCH 21/21] Update docs/detections/api/rules/rules-api-update.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/detections/api/rules/rules-api-update.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index 6ede451a1c..fc2fcfc369 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc 
@@ -516,7 +516,7 @@ in the UI (*Rules* -> *Detection rules (SIEM)* -> *_Rule name_*). [[opt-fields-alert-suppression-update]] -===== Optional alert suppression fields for query, indicator match, threshold rule, event correlation (non-sequence queries only), and new terms rules +===== Optional alert suppression fields for query, indicator match, threshold, event correlation (non-sequence queries only), and new terms rules preview::[]
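Review bot: in the PATCH 15 hunk of alert-suppression.asciidoc, both bullets use loopback addresses (`[127.0.0.1, 127.0.0.2, 127.0.0.3]`) as example `destination.ip` values; a loopback destination is an unrealistic value for a suppression example and readers may take it for a placeholder typo. Suggest switching to addresses from the RFC 5737 documentation ranges (for example `192.0.2.10`, `192.0.2.11`, `192.0.2.12`) in both bullets. The second bullet also says that alerts with "identical array values are grouped together" but does not say whether element order matters (is `[a, b]` grouped with `[b, a]`?); one sentence stating this would save users a test run.

Review bot: the PATCH 16 hunk rewrites the *Per time period* bullet so the window begins "from when an event first meets the rule criteria", but the unchanged example two lines below still reads "If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events." The two sentences now anchor the window on different moments (the event's time versus the rule execution that evaluates it), which for a rule that "runs every 5 minutes" are not the same instant. Align the example with the bullet, e.g. "it creates an alert for the first qualifying event, and for the next hour it'll suppress any subsequent qualifying events", and consider "beginning when" in place of "beginning from when".

Review bot: the heading hunks in rules-api-create.asciidoc and rules-api-update.asciidoc (PATCH 17, 18, 20, 21 and the earlier update hunk) add the qualifier "(non-sequence queries only)" for event correlation rules, but nothing in either file says what the API does when the alert suppression fields are supplied on an EQL sequence rule (request rejected, fields ignored, or accepted and unused). Since these tables are where an API user learns of the restriction, add one sentence under the heading stating the behavior; the parenthetical alone leaves it ambiguous.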