Commit ed389ce

[Serverless][8.18] EQL Sequence alert suppression (#6291)
* First draft
* draft 1
* Update docs/detections/alert-suppression.asciidoc
* fix it?
* Moves info
* updating ref
* Update docs/detections/building-block-rule.asciidoc
* Update docs/serverless/rules/building-block-rule.asciidoc
* Removing empty lines
* Removes tech preview label for 8.18
* updates note about reqs
* Re-adds +
* Fixes Serverless note
* Fixes numbering
1 parent f8eb92a commit ed389ce

3 files changed: 9 additions, 11 deletions


docs/detections/alert-suppression.asciidoc

Lines changed: 4 additions & 6 deletions
@@ -7,16 +7,14 @@
77
* Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription].
88

99
* {ml-cap} rules have <<ml-requirements,additional requirements>> for alert suppression.
10-
11-
preview::["Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."]
1210
--
1311

1412
Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:
1513

1614
* <<create-custom-rule,Custom query>>
1715
* <<create-threshold-rule,Threshold>>
1816
* <<create-indicator-rule,Indicator match>>
19-
* <<create-eql-rule,Event correlation>> (non-sequence queries only)
17+
* <<create-eql-rule,Event correlation>>
2018
* <<create-new-terms-rule,New terms>>
2119
* <<create-esql-rule,{esql}>>
2220
* <<create-ml-rule,{ml-cap}>>
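Review bot: Removing the `preview::[...]` admonition also drops the blank line that preceded it (old line 10), so the `* {ml-cap} rules have <<ml-requirements,additional requirements>> for alert suppression.` bullet now sits directly against the closing `--` delimiter. Keep one empty line between the last list item and `--` so the open block keeps the same spacing as the rest of this file.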
@@ -34,7 +32,7 @@ You can configure alert suppression when you create or edit a supported rule typ
3432
. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), specify how you want to group events for alert suppression:
3533
+
3634
--
37-
* **Custom query, indicator match, threshold, event correlation (non-sequence queries only), new terms, {ml}, and {esql} rules:** In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values.
35+
* **Custom query, indicator match, threshold, event correlation, new terms, {ml}, and {esql} rules:** In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values.
3836
* **Threshold rule:** In *Group by*, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together.
3937

4038
--
@@ -45,7 +43,7 @@ If you specify a field with multiple values, alerts with that field are handled
4543
4644
* **Custom query or threshold rules:** A group of alerts is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`.
4745
* **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group.
48-
46+
* **Event correlation (sequence queries only) rules:** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element.
4947
======
5048

5149
. If available, select how often to create alerts for duplicate events:
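Review bot: In the new **Event correlation (sequence queries only) rules** bullet the example arrays `[1.1.1.1, 0.0.0.0]` and `[1.1.1.1, 192.168.0.1]` are not wrapped in backticks, while the two sibling bullets render their arrays as monospace (`[127.0.0.1, 127.0.0.2, 127.0.0.3]`). Wrap both arrays in backticks so the examples render consistently.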
@@ -114,5 +112,5 @@ image::images/timeline-button.png[Investigate in timeline button, 200]
114112

115113
Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit):
116114

117-
* **Threshold, event correlation (non-sequence queries only), {esql}, and {ml}:** The maximum number of alerts is the value you choose for the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>>, which is `100` by default.
115+
* **Threshold, event correlation, {esql}, and {ml}:** The maximum number of alerts is the value you choose for the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>>, which is `100` by default.
118116
* **Indicator match and new terms:** The maximum number is five times the value you choose for the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>>. The default value is `100`, which means the default maximum limit for indicator match rules and new term rules is `500`.

docs/detections/rules-ui-create.asciidoc

Lines changed: 1 addition & 2 deletions
@@ -205,9 +205,8 @@ NOTE: For sequence events, the {security-app} generates a single alert when all
205205
* *Timestamp field*: Contains the event timestamp used for sorting a sequence of events. This is different from the *Timestamp override* advanced setting, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
206206
+
207207

208-
. preview:[] (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<alert-suppression>> for more information.
208+
. Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* to reduce the number of repeated or duplicate alerts created by the rule. Refer to <<alert-suppression>> for more information.
209209
+
210-
211210
////
212211
The following steps are repeated across multiple rule types. If you change anything
213212
in these steps or sub-steps, apply the change to the other rule types, too.
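Review bot: The replacement line drops the opening parenthesis along with `preview:[]`: `. Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by*` now has an unmatched `)`. It should read `. (Optional, https://www.elastic.co/pricing[Platinum or higher subscription] required) Use *Suppress alerts by* ...`, matching the form used for the other optional steps.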

docs/serverless/alerts/alert-suppression.asciidoc

Lines changed: 4 additions & 3 deletions
@@ -21,7 +21,7 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec
2121
* <<create-custom-rule,Custom query>>
2222
* <<create-threshold-rule,Threshold>>
2323
* <<create-indicator-rule,Indicator match>>
24-
* <<create-eql-rule,Event correlation>> (non-sequence queries only)
24+
* <<create-eql-rule,Event correlation>>
2525
* <<create-new-terms-rule,New terms>>
2626
* <<create-esql-rule,ES|QL>>
2727
* <<create-ml-rule,Machine learning>>
@@ -43,7 +43,7 @@ You can configure alert suppression when you create or edit a supported rule typ
4343

4444
. When configuring the rule type (the **Define rule** step for a new rule, or the **Definition** tab for an existing rule), specify how you want to group events for alert suppression:
4545
+
46-
** **Custom query rule, indicator match, threshold, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** In **Suppress alerts by**, enter 1-3 field names to group events by the fields' values.
46+
** **Custom query rule, indicator match, threshold, event correlation, new terms, {esql}, or {ml} rules:** In **Suppress alerts by**, enter 1-3 field names to group events by the fields' values.
4747
** **Threshold rule:** In **Group by**, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together.
4848
+
4949
[NOTE]
@@ -52,6 +52,7 @@ If you specify a field with multiple values, alerts with that field are handled
5252
5353
* **Custom query or threshold rules:** Alerts are grouped by each unique value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`.
5454
* **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group.
55+
* **Event correlation (sequence queries only) rules:** If the suppression field is an array of values, the suppressed alert will only suppress values that are an exact match. The values must be equivalent and be in the same position. For example, if you configure suppresson on the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element.
5556
====
5657
. If available, select how often to create alerts for duplicate events:
5758
+
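Review bot: The added sequence bullet has a typo (`suppresson` should be `suppression`) and its first two sentences ("the suppressed alert will only suppress values that are an exact match. The values must be equivalent and be in the same position.") read awkwardly and diverge from the wording used for the same bullet in docs/detections/alert-suppression.asciidoc in this commit. Align it with that version, for example: `If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order.`, and wrap the example arrays in backticks as the neighbouring bullets do.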
@@ -129,5 +130,5 @@ image:images/alert-suppression/-detections-timeline-button.png[Investigate in ti
129130

130131
Some rule types have a maximum number of alerts that can be suppressed (custom query rules don't have a suppression limit):
131132

132-
* **Threshold, event correlation (non-sequence queries only, {esql}, and {ml}:** The maximum number is the value you choose for the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>>, which is `100` by default.
133+
* **Threshold, event correlation, {esql}, and {ml}:** The maximum number is the value you choose for the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>>, which is `100` by default.
133134
* **Indicator match and new terms:** The maximum number is five times the value you choose for the rule's **Max alerts per run** <<rule-ui-advanced-params,advanced setting>>. The default value is `100`, which means the default maximum limit for indicator match rules and new terms rules is `500`.
