diff --git a/docs/detections/images/rule-snoozing.png b/docs/detections/images/rule-snoozing.png new file mode 100644 index 0000000000..8edd67978f Binary files /dev/null and b/docs/detections/images/rule-snoozing.png differ diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 6574de964a..ff41c52f58 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -17,6 +17,7 @@ On the Rules page, you can: * <> * <> * <> +* <> * <> * <> @@ -141,7 +142,9 @@ NOTE: The action frequency you select applies to all actions (both new and exist ** *Update rule schedules*: Update the <> and look-back times on all selected rules. ** *Apply Timeline template*: Apply a specified <> to the selected rules. You can also choose *None* to remove Timeline templates from the selected rules. -. On the flyout that opens, update the settings. +. On the flyout that opens, update the rule settings and actions. ++ +TIP: To <> rule actions, go to the *Actions* tab and click the bell icon. . If available, select *Overwrite all selected _x_* to overwrite the settings on the rules. For example, if you're adding tags to multiple rules, selecting *Overwrite all selected rules tags* removes all the rules' original tags and replaces them with the tags you specify. . Click *Save*. 
@@ -149,7 +152,7 @@ NOTE: The action frequency you select applies to all actions (both new and exist [[manage-rules-ui]] === Manage rules -You can duplicate, enable, disable, and delete rules: +You can duplicate, enable, disable, delete, and snooze actions for rules: NOTE: When duplicating a rule with exceptions, you can choose to duplicate the rule and its exceptions (active and expired), the rule and active exceptions only, or only the rule. If you duplicate the rule and its exceptions, copies of the exceptions are created and added to the duplicated rule's <>. If the original rule used exceptions from a shared exception list, the duplicated rule will reference the same shared exception list. @@ -158,6 +161,20 @@ NOTE: When duplicating a rule with exceptions, you can choose to duplicate the r * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. * To enable or disable a single rule, switch on the rule's *Enabled* toggle. +* To <> actions for rules, click the bell icon. + +[float] +[[snooze-rule-actions]] +=== Snooze rule actions + +Instead of turning rules off to stop alert notifications, you can snooze rule actions for a specified time period. When you snooze rule actions, the rule continues to run on its defined schedule, but won't perform any actions or send alert notifications. + +You can snooze notifications temporarily or indefinitely. When actions are snoozed, you can cancel or change the duration of the snoozed state. You can also schedule and manage recurring downtime for actions. + +You can snooze rule notifications from the Rules table, the rule details page, or the *Actions* tab when editing a rule. + +[role="screenshot"] +image::images/rule-snoozing.png[Rules snooze options,65%] [float] [[import-export-rules-ui]]
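Review bot: in the bulk-edit hunk (@@ -141,7 +142,9), the added TIP points to "the *Actions* tab" from inside the bulk-edit flyout step, but the new section later in this patch places that tab "when editing a rule", so it is unclear which tab the reader should look for here. Please say whether the flyout itself has an *Actions* tab, and whether snoozing from it applies to every selected rule or only to one. The reworded step "update the rule settings and actions" would also read better if it named the bulk actions for which rule actions can actually be edited.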
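Review bot: in the "Manage rules" hunk (@@ -149,7 +152,7), the new intro sentence "You can duplicate, enable, disable, delete, and snooze actions for rules:" now parses as if every verb applied to "actions for rules", which changes the meaning of the first four. Suggest splitting the object, for example "You can duplicate, enable, disable, and delete rules, and snooze their actions:", so it stays clear that the rules are duplicated or deleted and only the actions are snoozed.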
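Review bot: in the new "Snooze rule actions" section (@@ -158,6 +161,20), the first paragraph says the rule "continues to run on its defined schedule" but never states whether alerts are still generated and visible while actions are snoozed. Because "indefinitely" is offered as an option, that is the first thing a detection engineer needs to know, so please state it explicitly. The section also alternates between "rule actions", "notifications" and "rule notifications" for what appears to be the same thing; pick one term, or define how they differ. The sentence on "recurring downtime" gives no pointer to where it is configured, and the added bullet "click the bell icon" does not say where the icon appears, even though the last paragraph lists three locations. A cross-reference or one extra clause in each place would close those gaps.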