[DOCS] Conditional actions in Kibana alerting summary #158045

Merged
merged 2 commits into from
May 23, 2023
Changes from 1 commit
3 changes: 3 additions & 0 deletions docs/user/alerting/alerting-getting-started.asciidoc
Expand Up @@ -77,6 +77,9 @@ Rather than repeatedly entering connection information and credentials for each

The _action frequency_ defines when the action runs (for example, only when the alert status changes or at specific time intervals). Each rule type also has a set of the _action groups_ that affects when the action runs (for example, when the threshold is met or when the alert is recovered). If you want to reduce the number of notifications you receive without affecting their timeliness, some rule types support alert summaries. You can set the action frequency such that you receive notifications that summarize the new, ongoing, and recovered alerts at your preferred time intervals.

Some types of rules enable you to further refine the conditions under which actions run.
For example, you can specify that actions run only when an alert occurs within a specific time frame or when it matches a KQL query.

Each action definition is therefore a template: all the parameters needed to invoke a service are supplied except for specific values that are only known at the time the rule condition is detected.

In the server monitoring example, the `email` connector type is used, and `server` is mapped to the body of the email, using the template string `CPU on {{server}} is high`.
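
Review bot: The new paragraph beginning "Some types of rules enable you to further refine the conditions under which actions run" is inserted directly before "Each action definition is therefore a template", so "therefore" now reads as if it follows from the time frame and KQL conditions rather than from the text it originally concluded. Consider placing the addition after the template paragraph, or rewording that sentence so it no longer depends on what precedes it. The addition also does not say which rule types support these conditions and links to nothing; the companion change in create-and-manage-rules.asciidoc names the {security-app} and links to the detection rule page, and the same pointer would help here.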
3 changes: 3 additions & 0 deletions docs/user/alerting/create-and-manage-rules.asciidoc
Expand Up @@ -77,6 +77,9 @@ Alternatively, you can set the action frequency such that the action runs for ea
image::images/rule-flyout-action-details.png[UI for defining an email action,500]
// NOTE: This is an autogenerated screenshot. Do not edit it directly.

If you create rules in the {security-app}, you can further refine when actions run by adding time frame and query filters.
For more details, refer to {security-guide}rules-ui-create.html[Create a detection rule].
lcawl marked this conversation as resolved.

Each connector enables different action properties. For example, an email connector enables you to set the recipients, the subject, and a message body in markdown format. For more information about connectors, refer to <<action-types>>.

[[alerting-concepts-suppressing-duplicate-notifications]]
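
Review bot: In the added sentence "you can further refine when actions run by adding time frame and query filters", the phrase "query filters" does not say which query language applies, while the getting-started change says the alert "matches a KQL query"; use the same term in both files so readers can connect the two descriptions. Also confirm that the {security-guide} attribute ends with a slash, because the link concatenates it directly with rules-ui-create.html and would otherwise resolve to a broken URL.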