
[Request][8.15 & Serverless] Alert suppression for ML rules #5517

Closed
nastasha-solomon opened this issue Jul 5, 2024 · 1 comment
Labels
Docset: ESS Issues that apply to docs in the Stack release Docset: Serverless Issues for Serverless Security Effort: Small Issues that can be resolved quickly Feature: Rules Team: Detection Engine v8.15.0

Comments

@nastasha-solomon
Contributor

Description

Suppression for ML rules is being added in 8.15. Details to add to https://www.elastic.co/guide/en/security/current/alert-suppression.html:

  • What’s the maximum and minimum number of fields that users can specify when setting up fields to suppress by?
    1-3 fields
  • How are event fields with an array of values treated?
    TBD
  • What’s the max number of alerts that can be suppressed for ES|QL rules?
    It would be the same as threshold/eql rules: equal to the max_signals setting, which is 100 by default.
  • How do users set up alert suppression for ES|QL rules using the create/update/patch rule APIs?
    Works the same way as setting up alert suppression for query, indicator match, event correlation (non-sequence queries only), and new terms rules.
  • Any other gotchas?
    Unlike the “events” in other rule types, the source of alerts for ML rules is anomalies, which are an abstraction/aggregation on top of the user’s source events. What this means is that only fields on the anomalies themselves can be used for suppression.

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.12

Serverless release

July 22, 2024 (need to discuss this with @rylnd when I'm back from PTO on July 15)

Feature differences

None

API docs impact

See notes in description

Prerequisites, privileges, feature flags

None
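The points above (1-3 suppression fields, suppression capped at `max_signals` with a default of 100, suppression only on fields present on the anomaly record) can be made concrete with a small script. This is an added example, not code from the issue or from Elastic; the request-body shape (`type: machine_learning`, `machine_learning_job_id`, `anomaly_threshold`, `alert_suppression.group_by` / `duration` / `missing_fields_strategy`) is assumed to follow the Kibana detection-engine rule API and should be checked against the current API reference, and the anomaly records are constructed sample data rather than real ML job output.

```python
"""Added example (not from the issue or from Elastic's code): builds an ML-rule
request body with alert suppression and simulates how suppression groups
anomaly records.

Assumptions: the request-body field names follow the Kibana detection-engine
rule API as the author understands it and should be checked against the
current API reference; the anomaly records below are constructed sample data.
"""

MAX_SIGNALS_DEFAULT = 100  # issue: suppression cap equals max_signals, default 100


def build_ml_rule(name, job_id, anomaly_threshold, group_by,
                  duration_value=5, duration_unit="m",
                  missing_fields_strategy="suppress",
                  max_signals=MAX_SIGNALS_DEFAULT):
    """Return a rule body, enforcing the 1-3 suppression-field limit from the issue."""
    if not 1 <= len(group_by) <= 3:
        raise ValueError("alert suppression takes between 1 and 3 group_by fields")
    if duration_unit not in ("s", "m", "h"):
        raise ValueError("duration unit must be s, m or h")
    if missing_fields_strategy not in ("suppress", "doNotSuppress"):
        raise ValueError("unknown missing_fields_strategy")
    return {
        "name": name,
        "type": "machine_learning",
        "machine_learning_job_id": job_id,
        "anomaly_threshold": anomaly_threshold,
        "description": "ML rule with alert suppression (constructed example)",
        "risk_score": 50,
        "severity": "medium",
        "max_signals": max_signals,
        "alert_suppression": {
            # Only fields present on the anomaly record itself can be used here;
            # source-event fields the ML job did not carry through are not available.
            "group_by": list(group_by),
            "duration": {"value": duration_value, "unit": duration_unit},
            "missing_fields_strategy": missing_fields_strategy,
        },
    }


def suppress_anomalies(anomalies, rule):
    """Simulate one rule run: return (alerts, suppressed_count).

    Anomalies below anomaly_threshold are ignored.  Each distinct combination of
    the group_by values yields one alert; later anomalies with the same
    combination are folded into it.  Records missing a group_by field are either
    grouped under a null value ("suppress") or raised as individual alerts
    ("doNotSuppress").  No new alerts are created once max_signals is reached.
    """
    sup = rule["alert_suppression"]
    group_by, strategy = sup["group_by"], sup["missing_fields_strategy"]
    groups = {}  # tuple of group_by values -> alert dict
    alerts = []
    suppressed = 0
    for rec in anomalies:
        if rec.get("record_score", 0) < rule["anomaly_threshold"]:
            continue
        values = tuple(rec.get(field) for field in group_by)
        if None in values and strategy == "doNotSuppress":
            if len(alerts) < rule["max_signals"]:
                alerts.append({"group": None, "anomaly": rec, "suppressed_count": 0})
            continue
        if values in groups:
            groups[values]["suppressed_count"] += 1
            suppressed += 1
            continue
        if len(alerts) >= rule["max_signals"]:
            continue  # cap reached; the simulation creates no further alerts
        alert = {"group": dict(zip(group_by, values)), "anomaly": rec, "suppressed_count": 0}
        groups[values] = alert
        alerts.append(alert)
    return alerts, suppressed


# Constructed anomaly records (field names chosen to resemble ML job output)
SAMPLE_ANOMALIES = [
    {"job_id": "auth_rare_user", "record_score": 75, "user.name": "alice", "host.name": "h1"},
    {"job_id": "auth_rare_user", "record_score": 90, "user.name": "alice", "host.name": "h1"},
    {"job_id": "auth_rare_user", "record_score": 60, "user.name": "bob", "host.name": "h2"},
    {"job_id": "auth_rare_user", "record_score": 20, "user.name": "bob", "host.name": "h2"},
    {"job_id": "auth_rare_user", "record_score": 80, "user.name": "carol"},
    {"job_id": "auth_rare_user", "record_score": 85, "user.name": "carol"},
]


def demo(strategy="suppress"):
    """Run the sample anomalies through a two-field suppression rule."""
    rule = build_ml_rule("Rare user login (suppressed)", "auth_rare_user", 50,
                         ["user.name", "host.name"], missing_fields_strategy=strategy)
    return suppress_anomalies(SAMPLE_ANOMALIES, rule)


if __name__ == "__main__":
    for strategy in ("suppress", "doNotSuppress"):
        alerts, suppressed = demo(strategy)
        print(f"{strategy}: {len(alerts)} alerts, {suppressed} anomalies suppressed")
```

Running the script with the sample data shows the difference the missing-fields strategy makes: with `suppress`, the two `carol` records that lack `host.name` collapse into a single alert grouped under a null host; with `doNotSuppress`, each becomes its own alert. Lowering `max_signals` in the rule body shows the cap from the issue, since no further suppression groups are opened once it is reached.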

@nastasha-solomon
Contributor Author

Closing this issue as Serverless and 8.15 docs merged.
