[REQUEST]: Add docs for a new advanced setting that allows the suppression window to continue when an alert is closed

[denar50]

Description

Today if a user closes an alert, and a new event is found during the same suppression window, a new alert is created. Some of our users would like to keep the suppression window going after an alert is closed and therefore prevent the creation of new alerts when events are found.

Therefore we are adding a new advanced setting called securitySolution:suppressionBehaviorOnAlertClosure with two possible values: restart-suppression (default) which represents the existing behaviour and continue-until-window-ends which keeps the suppression window open, meaning that any new alerts of the same type will continue to be suppressed until the window ends.

We will also display a modal on alert closure, informing users about what will happen with the suppression window given the value of the advanced setting. The modal comes with a "do not show this message again" checkbox which, if checked when the user confirms the modal, will prevent the modal from showing again on the same computer.

This is what it looks like when the setting value is restart-suppression (default):

current-behavior2.mov

This is what it looks like when the setting value is continue-until-window-ends:

current-behavior.mov

Resources

This feature is implemented in this PR.
Original GH issue.

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

No differences.

What release is this request related to?

9.2

Serverless release

PR has not been merged yet.

Collaboration model

The documentation team

Point of contact.

Main contact: @denar50

Stakeholders: @yctercero @approksiu

[nastasha-solomon]

@approksiu @denar50 the securitySolution:suppressionBehaviorOnAlertClosure advanced setting description has a two terms that I think would be worth defining in the suppression docs:

• Active suppression window (e.g., "if an alert is closed while suppression is active")
• Suppression window (e.g., "Continue suppression until window ends")

How would you define these terms? Also, what are your thoughts on adding a brief explanation about when suppression starts and ends for a rule? That might help users make better-informed decisions when configuring the advanced setting.

[denar50]

@nastasha-solomon let's say that we have a suppression window of 5 minutes configured on the rule:

Let's say that the rule executes for the very first time and one event occurs, so we create one alert. In the next execution, another event occurs, but since suppression is active, we look for any alert created within the last 5 minutes which is the suppression window (we exclude closed alerts if securitySolution:suppressionBehaviorOnAlertClosure is restart-suppression and include them when it's continue-until-window-ends).
If an alert is found, then we suppress the alert that would have been created with this event.

In a sense "Active suppression window" for an alert would be if there is an alert within the time range that we look back. Then we are suppressing any new alerts under that one.

[nastasha-solomon]

Moving the status of this issue to Waiting on dev/product because @denar50 still plans to review the docs. Atm, he's fixing an implementation bug, which may/may affect the docs once it's resolved. In the meantime, I'm leaving this issue and the 9.2/Serverless docs PR open until those feature docs are forsuredonedone.

[nastasha-solomon]

9.2 and Serverless docs are merged.