From 6915a36e2b9d141ac3749352faef3cd6681be9dd Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Thu, 12 Sep 2024 11:57:08 -0400 Subject: [PATCH 1/2] Update ESS docs: ML rule req for alert suppression --- docs/advanced-entity-analytics/ml-req.asciidoc | 4 ++++ docs/detections/alert-suppression.asciidoc | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/advanced-entity-analytics/ml-req.asciidoc b/docs/advanced-entity-analytics/ml-req.asciidoc index f42f61e513..6c8868ad65 100644 --- a/docs/advanced-entity-analytics/ml-req.asciidoc +++ b/docs/advanced-entity-analytics/ml-req.asciidoc @@ -7,6 +7,10 @@ To run and create {ml} jobs and rules, you need all of these: * There must be at least one {ml} node in your cluster * The `machine_learning_admin` user role +Additionally, to configure <> for {ml} rules, you need the following {kibana-ref}/kibana-role-management.html#adding_index_privileges[index privilege]: + +* `read` permission for the `.ml-anomalies-*` index + For more information, go to {ml-docs}/setup.html[Set up {ml-features}]. [IMPORTANT] diff --git a/docs/detections/alert-suppression.asciidoc b/docs/detections/alert-suppression.asciidoc index 73f0537840..1d9070bd03 100644 --- a/docs/detections/alert-suppression.asciidoc +++ b/docs/detections/alert-suppression.asciidoc @@ -4,7 +4,9 @@ .Requirements and notices [sidebar] -- -Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription]. +* Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription]. + +* {ml-cap} rules have <> for alert suppression. preview::["Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] -- 
@@ -17,7 +19,7 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec * <> (non-sequence queries only) * <> * <> -* <> +* <> Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values. From 417e4d8cb3086dcc024dcf6e0df780b13852a8b4 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Fri, 27 Sep 2024 16:33:26 -0400 Subject: [PATCH 2/2] Update serverless docs, and align with ESS --- docs/advanced-entity-analytics/ml-req.asciidoc | 2 +- .../advanced-entity-analytics/ml-requirements.mdx | 4 ++++ docs/serverless/alerts/alert-suppression.mdx | 6 ++++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/advanced-entity-analytics/ml-req.asciidoc b/docs/advanced-entity-analytics/ml-req.asciidoc index 6c8868ad65..edab94a672 100644 --- a/docs/advanced-entity-analytics/ml-req.asciidoc +++ b/docs/advanced-entity-analytics/ml-req.asciidoc @@ -7,7 +7,7 @@ To run and create {ml} jobs and rules, you need all of these: * There must be at least one {ml} node in your cluster * The `machine_learning_admin` user role -Additionally, to configure <> for {ml} rules, you need the following {kibana-ref}/kibana-role-management.html#adding_index_privileges[index privilege]: +Additionally, to configure <> for {ml} rules, your role needs the following {kibana-ref}/kibana-role-management.html#adding_index_privileges[index privilege]: * `read` permission for the `.ml-anomalies-*` index 
diff --git a/docs/serverless/advanced-entity-analytics/ml-requirements.mdx b/docs/serverless/advanced-entity-analytics/ml-requirements.mdx index 7be01a04a1..d3c22a4f21 100644 --- a/docs/serverless/advanced-entity-analytics/ml-requirements.mdx +++ b/docs/serverless/advanced-entity-analytics/ml-requirements.mdx @@ -10,6 +10,10 @@ tags: [ 'serverless', 'security', 'reference', 'manage' ] To run and create ((ml)) jobs and rules, you need the appropriate user role. +Additionally, for custom roles, to configure alert suppression for ((ml)) rules, your role needs the following index privilege: + +* `read` permission for the `.ml-anomalies-*` index + For more information, go to [Set up ((ml-features))](((ml-docs))/setup.html). diff --git a/docs/serverless/alerts/alert-suppression.mdx b/docs/serverless/alerts/alert-suppression.mdx index 462c03402e..f6cc5b08ef 100644 --- a/docs/serverless/alerts/alert-suppression.mdx +++ b/docs/serverless/alerts/alert-suppression.mdx @@ -9,8 +9,10 @@ status: in review
- -Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. + + - ((ml-cap)) rules have additional requirements for alert suppression. + + - Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:
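Review bot: terminology is mixed in the lines added to docs/advanced-entity-analytics/ml-req.asciidoc in the first patch: the lead-in promises an "index privilege", but the bullet reads "`read` permission for the `.ml-anomalies-*` index". Elasticsearch and the linked Kibana role-management page call these index privileges, so use the same word in both places, for example "* `read` privilege on the `.ml-anomalies-*` index". The same wording should then be carried into the serverless ml-requirements.mdx bullet in the second patch, which repeats "permission".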
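Review bot: the sidebar in docs/detections/alert-suppression.asciidoc now renders as a two-item bullet list followed by an unbulleted `preview::[...]` admonition, so the technical-preview notice no longer sits visually with the other two requirements. The serverless counterpart in the second patch lists all three notices as bullets, so the two pages end up with different layouts; decide on one arrangement (either keep both asciidoc notices as paragraphs above the preview block, as before, or state the preview notice as a bullet too) and apply it consistently across ESS and serverless.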
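Review bot: the second patch's hunk in docs/advanced-entity-analytics/ml-req.asciidoc only rewords "you need" to "your role needs" in text that the first patch of this same series introduced. Squash that change into PATCH 1 so the series does not carry a self-correction and the ESS and serverless wording is introduced in its final form together.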
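Review bot: the sentence added to docs/serverless/advanced-entity-analytics/ml-requirements.mdx, "Additionally, for custom roles, to configure alert suppression for ((ml)) rules, your role needs the following index privilege:", stacks three introductory clauses; "Additionally, if you use a custom role and want to configure alert suppression for ((ml)) rules, the role needs the following index privilege:" reads more clearly. This version also omits both the link to the index-privileges documentation and the cross-reference to the alert suppression page that the asciidoc counterpart has; add the equivalent serverless links if they exist, so readers can reach the privilege definition and the feature being gated.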
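Review bot: the new "((ml-cap)) rules have additional requirements for alert suppression" bullet in docs/serverless/alerts/alert-suppression.mdx points nowhere, while the asciidoc version of the same notice is a cross-reference. Link "additional requirements" to the serverless ml-requirements page so the `read` privilege on `.ml-anomalies-*` introduced in the same patch is discoverable from the alert suppression page. Also note the two added spacer lines consist of a single space; make them empty lines to avoid trailing whitespace in the MDX source.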