elastic · joepeeples · Oct 16, 2024 · Sep 12, 2024 · Sep 20, 2024 · Sep 23, 2024
@@ -7,6 +7,10 @@ To run and create {ml} jobs and rules, you need all of these:
 * There must be at least one {ml} node in your cluster
 * The `machine_learning_admin` user role
 
+Additionally, to configure <<alert-suppression,alert suppression>> for {ml} rules, your role needs the following {kibana-ref}/kibana-role-management.html#adding_index_privileges[index privilege]:
+
+* `read` permission for the `.ml-anomalies-*` index
+
 For more information, go to {ml-docs}/setup.html[Set up {ml-features}].
 
 [IMPORTANT]

@@ -4,7 +4,9 @@
 .Requirements and notices
 [sidebar]
 --
-Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription].
+* Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription].
+
+* {ml-cap} rules have <<ml-requirements,additional requirements>> for alert suppression.
 
 preview::["Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."]
 --
@@ -17,7 +19,7 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec
 * <<create-eql-rule,Event correlation>> (non-sequence queries only)
 * <<create-new-terms-rule,New terms>>  
 * <<create-esql-rule,{esql}>>
-* <<create-ml-rule,{ml-app}>>
+* <<create-ml-rule,{ml-cap}>>
 
 Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values.
 

@@ -10,6 +10,10 @@ tags: [ 'serverless', 'security', 'reference', 'manage' ]
 
 To run and create ((ml)) jobs and rules, you need the appropriate <DocLink slug="/serverless/general/assign-user-roles">user role</DocLink>.
 
+Additionally, for <DocLink slug="/serverless/custom-roles">custom roles</DocLink>, to configure <DocLink slug="/serverless/security/alert-suppression">alert suppression</DocLink> for ((ml)) rules, your role needs the following index privilege:
+
+* `read` permission for the `.ml-anomalies-*` index
+
 For more information, go to [Set up ((ml-features))](((ml-docs))/setup.html).
 
 <DocCallOut title="Important" color="warning">

@@ -9,8 +9,10 @@ status: in review
 <DocBadge template="technical preview" />
 <div id="alert-suppression"></div>
 
-<DocCallOut color="warning" title="Technical Preview">
-Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+<DocCallOut color="warning" title="Requirements and notice">
+    - ((ml-cap)) rules have <DocLink slug="/serverless/security/ml-requirements">additional requirements</DocLink> for alert suppression.
+
+    - Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
 </DocCallOut>
 
 Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types: