diff --git a/docs/serverless/rules/alerts-ui-monitor.asciidoc b/docs/serverless/rules/alerts-ui-monitor.asciidoc index 93f706aeb3..0519f652e5 100644 --- a/docs/serverless/rules/alerts-ui-monitor.asciidoc +++ b/docs/serverless/rules/alerts-ui-monitor.asciidoc @@ -97,7 +97,6 @@ missing. There are a number of ways to try to resolve this issue: * <> * <> -* <> You can also use Task Manager in {kib} to troubleshoot background tasks and processes that may be related to missing alerts: 
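Review bot: Removing the third `* <>` bullet from the "ways to try to resolve this issue" list is only consistent if it was the xref to the `[[ml-job-compatibility]]` anchor that the second hunk deletes; please confirm that is the link being dropped and grep the rest of `docs/serverless` for any remaining `<<ml-job-compatibility>>` references, since a dangling xref to a removed anchor will break the AsciiDoc build rather than render as a missing link. The two remaining bullets still read fine under "There are a number of ways", so no wording change is needed here.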
@@ -158,77 +157,4 @@ You can reduce the number of missed alerts due to ingestion pipeline delay by sp For example, say an event occurred at 10:00 but wasn't ingested into {es} until 10:10 due to an ingestion pipeline delay. If you created a rule to detect that event with an interval + additional look-back time of 6 minutes, and the rule executes at 10:12, it would still detect the event because the `event.ingested` timestamp was from 10:10, only 2 minutes before the rule executed and well within the rule's 6-minute interval + additional look-back time. [role="screenshot"] -image::images/alerts-ui-monitor/-detections-timestamp-override.png[] - -[discrete] -[[ml-job-compatibility]] -=== Troubleshoot missing alerts for {ml} jobs - -{ml-cap} detection rules use {ml} jobs that have dependencies on data fields populated by the {beats} and {agent} integrations. In {stack} version 8.3, new {ml} jobs (prefixed with `v3`) were released to operate on the ECS fields available at that time. - -If you're using 8.2 or earlier versions of {beats} or {agent} with {stack} version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs. Duplicating the relevant prebuilt rules before updating them ensures continued coverage by allowing you to keep using `v1` or `v2` jobs (in the duplicated rules) while also running the new `v3` jobs (in the updated prebuilt rules). - -[IMPORTANT] -==== -* Duplicated rules may result in duplicate anomaly detections and alerts. -* Ensure that the relevant `v3` {ml} jobs are running before you update the Elastic prebuilt rules. -==== - -* If you only have **8.3 or later versions of {beats} and {agent}**: You can download or update your prebuilt rules and use the latest `v3` {ml} jobs. No additional action is required. 
-* If you only have **8.2 or earlier versions of {beats} or {agent}**, or **a mix of old and new versions**: To continue using the `v1` and `v2` {ml} jobs specified by pre-8.3 prebuilt detection rules, you must duplicate affected prebuilt rules _before_ updating them to the latest rule versions. The duplicated rules can continue using the same `v1` and `v2` {ml} jobs, and the updated prebuilt {ml} rules will use the new `v3` {ml} jobs. -* If you have **a non-Elastic data shipper that gathers ECS-compatible events**: You can use the latest `v3` {ml} jobs with no additional action required, as long as your data shipper uses the latest ECS specifications. However, if you're migrating from {ml} rules using `v1`/`v2` jobs, ensure that you start the relevant `v3` jobs before updating the Elastic prebuilt rules. - -The following Elastic prebuilt rules use the new `v3` {ml} jobs to generate alerts. Duplicate their associated `v1`/`v2` prebuilt rules _before_ updating them if you need continued coverage from the `v1`/`v2` {ml} jobs: - -//// -/* {/* Links to prebuilt rule pages temporarily removed for initial serverless docs. 
We can renable links once -we add prebuilt rule pages to the serverless docs.*/ -//// - -//// -/* -* Unusual Linux Network Port Activity: `v3_linux_anomalous_network_port_activity` - -* Anomalous Process For a Linux Population: `v3_linux_anomalous_process_all_hosts` - -* Unusual Linux Username: `v3_linux_anomalous_user_name` - -* Unusual Linux Process Calling the Metadata Service: `v3_linux_rare_metadata_process` - -* Unusual Linux User Calling the Metadata Service: `v3_linux_rare_metadata_user` - -* Unusual Process For a Linux Host: `v3_rare_process_by_host_linux` - -* Unusual Process For a Windows Host: `v3_rare_process_by_host_windows` - -* Unusual Windows Network Activity: `v3_windows_anomalous_network_activity` - -* Unusual Windows Path Activity: `v3_windows_anomalous_path_activity` - -* Anomalous Windows Process Creation: `v3_windows_anomalous_process_creation` - -* Anomalous Process For a Windows Population: `v3_windows_anomalous_process_all_hosts` - -* Unusual Windows Username: `v3_windows_anomalous_user_name` - -* Unusual Windows Process Calling the Metadata Service: `v3_windows_rare_metadata_process` - -* Unusual Windows User Calling the Metadata Service: `v3_windows_rare_metadata_user` -*/ -//// - -* Unusual Linux Network Port Activity: `v3_linux_anomalous_network_port_activity` -* Unusual Linux Network Connection Discovery: `v3_linux_anomalous_network_connection_discovery` -* Anomalous Process For a Linux Population: `v3_linux_anomalous_process_all_hosts` -* Unusual Linux Username: `v3_linux_anomalous_user_name` -* Unusual Linux Process Calling the Metadata Service: `v3_linux_rare_metadata_process` -* Unusual Linux User Calling the Metadata Service: `v3_linux_rare_metadata_user` -* Unusual Process For a Linux Host: `v3_rare_process_by_host_linux` -* Unusual Process For a Windows Host: `v3_rare_process_by_host_windows` -* Unusual Windows Network Activity: `v3_windows_anomalous_network_activity` -* Unusual Windows Path Activity: 
`v3_windows_anomalous_path_activity` -* Anomalous Windows Process Creation: `v3_windows_anomalous_process_creation` -* Anomalous Process For a Windows Population: `v3_windows_anomalous_process_all_hosts` -* Unusual Windows Username: `v3_windows_anomalous_user_name` -* Unusual Windows Process Calling the Metadata Service: `v3_windows_rare_metadata_process` -* Unusual Windows User Calling the Metadata Service: `v3_windows_rare_metadata_user` +image::images/alerts-ui-monitor/-detections-timestamp-override.png[] \ No newline at end of file
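Review bot: This hunk drops the only guidance on this page for troubleshooting missing alerts from {ml} rules (the `v1`/`v2` vs `v3` job migration, the "duplicate prebuilt rules before updating" step, and the list of `v3` job IDs) without recording why; if the rationale is that the pre-8.3 {beats}/{agent} mix cannot occur on serverless so the section does not apply, state that in the PR description or commit message, otherwise a reader of the serverless troubleshooting list has no ML-specific path left. Two smaller points in the same hunk: the trailing `\ No newline at end of file` shows the re-added `image::images/alerts-ui-monitor/-detections-timestamp-override.png[]` line now closes the file without a newline, so append one to avoid diff noise on the next edit; and since the `////` commented-out block ("Links to prebuilt rule pages temporarily removed for initial serverless docs") is deleted along with the section, the TODO it carried should be moved to the tracking issue for adding prebuilt rule pages so it is not lost.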