
Snoozing alert notifications for detection rules #3146

Closed
7 tasks done
nastasha-solomon opened this issue Apr 11, 2023 · 3 comments · Fixed by #3217
@nastasha-solomon
Contributor

nastasha-solomon commented Apr 11, 2023

Description

In 8.8, you can temporarily mute notifications created by rule actions. You can snooze rules from the following areas:

Rules table

Users click on the bell icon in the Notify column. When you click the button, you'll be offered additional customization options for the snoozle sesh.

Screenshot 2023-05-02 at 8 41 31 PM

To unsnooze the rule, users can click the red icon.

Screenshot 2023-05-02 at 10 00 44 PM

Actions tab when editing a rule

Screenshot 2023-05-02 at 9 39 53 PM

Rule details page

Screenshot 2023-05-02 at 9 45 09 PM

Related:

Questions/tests to run

  • Q: What are the default snooze settings?
  • Q: Do all users have the same commonly used options or are the options customized per user? Looks like all users get the same options.
  • Q: When rules (custom and prebuilt) are imported, are they auto snoozed and turned off automatically? (Might be good to test 7.x -> 8.8.)

Doc updates

  • Create a new section for rule snoozing. Add the following:
    • What rule snoozing is
    • Where users can hit the snooze button (Rules table, rule's details page, and Actions tab when editing a rule)
    • Examples with screenshots.
  • Add a bullet to the list of things you can do on the Rules page.
  • Add a bullet to list under step 2 of Managing rules that tells users they can also snooze rules. Link to the new rule snooze section for more info.
  • Add that users can snooze rules when modifying existing rule settings. Link to the new rule snooze section for more info.

Notes

  • Collaborate with @maximpn on UI copy that displays when users hover over the Snooze button and any other UI copy that's added for this feature.
  • Kibana docs for snoozing rules: https://www.elastic.co/guide/en/kibana/8.7/create-and-manage-rules.html#controlling-rules
  • Users can't choose a date in the past. Can choose an earlier/past time.
  • The notify column can't be sorted.
  • Looks like users can choose a previously selected option (this applies for all rules, regardless of if the rule was previously notified):
    Screenshot 2023-05-02 at 9 28 08 PM
@nastasha-solomon nastasha-solomon self-assigned this Apr 11, 2023
@nastasha-solomon nastasha-solomon removed their assignment Apr 11, 2023
@nastasha-solomon nastasha-solomon self-assigned this Apr 28, 2023
@nastasha-solomon nastasha-solomon changed the title Snoozing action notifications for detection rules Snoozing alert notifications for detection rules May 3, 2023
@nastasha-solomon
Contributor Author

nastasha-solomon commented May 10, 2023

Hey, @maximpn! @e40pud and I had a quick convo this morning and Zhenia brought up some information that I think would be useful to include in the action snoozing docs:

When users upgrade to 8.8, existing rules without actions (i.e., rules that were configured to not perform actions) will appear as "snoozed indefinitely" on the Rules table and in the rule settings.

I can insert this information as a note to the new Snooze rule actions section, the docs for upgrading from a 7.x version, and possibly call it out in the release notes/release highlight docs. What do you think?

@nastasha-solomon
Contributor Author

One more quick question: what, if any, changes were introduced to the publicly available Security rule APIs? Can users snooze rule actions via the Update rule API or any other detection APIs?

@maximpn
Contributor

maximpn commented May 15, 2023

When users upgrade to 8.8, existing rules without actions (i.e., rules that were configured to not perform actions) will appear as "snoozed indefinitely" on the Rules table and in the rule settings.

This was addressed by elastic/kibana#156593. This way all the security rules will be migrated and unmuted.

One more quick question: what, if any, changes were introduced to the publicly available Security rule APIs? Can users snooze rule actions via the Update rule API or any other detection APIs?

We don't have any API in Security Solution related to snoozing. Everything is handled by Alerting API.

@nastasha-solomon @e40pud
