Document comparison of Alert Suppression, Snoozing, Exceptions, Maint…

…enance Windows (#3314) (#3335) * First draft * Add link to custom query rule docs * Apply suggestions from code review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Apply suggestions from code review * Apply suggestions from Janeen's review Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --------- Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> (cherry picked from commit 12483be) Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
elastic · May 23, 2023 · 88df064 · 88df064
1 parent a6e2c47
commit 88df064
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/docs/detections/alerts-reduce.asciidoc b/docs/detections/alerts-reduce.asciidoc
@@ -0,0 +1,31 @@
+[[reduce-notifications-alerts]]
+== Reduce notifications and alerts
+
+{elastic-sec} offers several features to help reduce the number of notifications and alerts generated by your detection rules. This table provides a general comparison of these features, with links for more details:
+
+[cols="2"]
+|===
+
+| <<snooze-rule-actions,Rule action snoozing>>
+a| *_Stops a specific rule's notification actions from running_*. 
+
+Use to avoid unnecessary notifications from a specific rule. The rule continues to run and generate alerts during the snooze period, but its <<rule-notifications,notification actions>> don't run.
+
+| {kibana-ref}/maintenance-windows.html[Maintenance window]
+a| *_Prevents all rules' notification actions from running_*. 
+
+Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their <<rule-notifications,notification actions>> don't run.
+
+NOTE: Maintenance windows are a {kib} feature, configured outside of the {security-app} in *Stack Management*.
+
+| <<alert-suppression,Alert suppression>>
+a| *_Reduces repeated or duplicate alerts created by a custom query rule_*. 
+
+Use to reduce the number of alerts created by a <<create-custom-rule,custom query rule>> that matches multiple source events. Matching events are grouped by their values in a specified field, and only one alert is created for each group.
+
+| <<detections-ui-exceptions,Rule exception>>
+a| *_Prevents a rule from creating alerts under specific conditions_*.
+
+Use to reduce false positive alerts by preventing trusted processes and network activity from generating unnecessary alerts. You can configure an exception to be used by a single rule or shared among multiple rules, but they typically don't affect _all_ rules.
+
+|===
diff --git a/docs/detections/detections-index.asciidoc b/docs/detections/detections-index.asciidoc
@@ -32,6 +32,8 @@ include::alerts-add-to-cases.asciidoc[leveloffset=+1]
 
 include::alert-suppression.asciidoc[leveloffset=+1]
 
+include::alerts-reduce.asciidoc[]
+
 include::visual-event-analyzer.asciidoc[]
 
 include::query-alert-indices.asciidoc[]