Document comparison of Alert Suppression, Snoozing, Exceptions, Maintenance Windows #3314

Merged
merged 6 commits into from
May 23, 2023
31 changes: 31 additions & 0 deletions docs/detections/alerts-reduce.asciidoc
@@ -0,0 +1,31 @@
[[reduce-notifications-alerts]]
== Reduce notifications and alerts

{elastic-sec} offers several features to help reduce the amount of notifications and alerts produced by your detection rules. This table provides a general comparison of these features, with links for more details:

[cols="2"]
|===

| <<snooze-rule-actions,Rule action snoozing>>
a| *_Prevents a specific rule's notification actions from running_*.

Use to avoid unnecessary notifications from a noisy rule. The rule continues to run and generate alerts during the snooze period, but its <<rule-notifications,notification actions>> are suppressed.

| {kibana-ref}/maintenance-windows.html[Maintenance window]
a| *_Prevents all rules' notification actions from running_*.

Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their <<rule-notifications,notification actions>> are suppressed.

NOTE: Maintenance windows are a {kib} feature and are configured outside of the {security-app} in *Stack Management*.

| <<alert-suppression,Alert suppression>>
a| *_Reduces repeated or duplicate alerts created by a custom query rule_*.

Use to reduce the number of alerts created by a <<create-custom-rule,custom query rule>> that matches multiple source events. Matching events are grouped by their values in a specified field, and only one alert is created for each group.

| <<detections-ui-exceptions,Rule exception>>
a| *_Prevents a rule from creating alerts under specific conditions_*.

Use to reduce false positive alerts, by preventing trusted processes and network activity from generating unnecessary alerts. You can configure an exception to be used by a single rule or shared among multiple rules, but they typically don't affect _all_ rules.

|===
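Review bot: the table declared with `[cols="2"]` has no header row, so the two columns render unlabeled; consider `[cols="2",options="header"]` with a first row such as `| Feature | What it does` so readers can tell the link column from the description column at a glance. Two smaller wording points in the same hunk: in the "Rule exception" row, "an exception ... but they typically don't affect _all_ rules" mixes singular and plural (suggest "it typically doesn't affect _all_ rules"), and the intro sentence "reduce the amount of notifications and alerts" reads better as "reduce the number of notifications and alerts". Finally, since both the snoozing and maintenance window rows state that rules "continue to run and generate alerts" while only the notification actions are suppressed, it would help to add one sentence saying those alerts still need to be reviewed once the snooze or window ends, so readers do not conclude that nothing was recorded during that period.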
2 changes: 2 additions & 0 deletions docs/detections/detections-index.asciidoc
Expand Up @@ -32,6 +32,8 @@ include::alerts-add-to-cases.asciidoc[leveloffset=+1]

include::alert-suppression.asciidoc[leveloffset=+1]

include::alerts-reduce.asciidoc[]

include::visual-event-analyzer.asciidoc[]

include::query-alert-indices.asciidoc[]
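Review bot: `include::alerts-reduce.asciidoc[]` is added without `leveloffset=+1`, unlike the `include::alert-suppression.asciidoc[leveloffset=+1]` line directly above it; that is consistent only because the new file's title is already a level-2 `== Reduce notifications and alerts` heading (the same pattern as `include::visual-event-analyzer.asciidoc[]` below), so it is worth confirming in the rendered build that "Reduce notifications and alerts" appears at the same TOC level as "Alert suppression" rather than one level up.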