[8.x] Update rules-ui-create.asciidoc - fallback behavior in timestamp overrides (backport #6425) (#6463)

* Update rules-ui-create.asciidoc - fallback behavior in timestamp overrides (#6425)

* Update rules-ui-create.asciidoc - Note fallback behavior in timestamp overrides

Explicitly state the fallback behavior on timestamp overrides.

* Serverless updates

* Update docs/detections/rules-ui-create.asciidoc

* Update docs/detections/rules-ui-create.asciidoc

* formatting fix

* Update docs/detections/rules-ui-create.asciidoc

Co-authored-by: Yara Tercero <[email protected]>

* Update docs/serverless/rules/rules-ui-create.asciidoc

Co-authored-by: Yara Tercero <[email protected]>

---------

Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: nastasha.solomon <[email protected]>
Co-authored-by: Yara Tercero <[email protected]>
(cherry picked from commit e9f0d81)

# Conflicts:
#	docs/serverless/rules/rules-ui-create.asciidoc

* Delete docs/serverless directory and its contents

---------

Co-authored-by: Roberto Seldner <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <[email protected]>
4 people authored Jan 22, 2025
1 parent 97bf833 commit 23a9ea9
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions docs/detections/rules-ui-create.asciidoc
@@ -587,8 +587,9 @@ Suricata, selecting `event.action` lets you see what action (Suricata category)
caused the event directly in the Alerts table.
+
NOTE: For threshold rules, not all source event values can be used for overrides; only the fields that were aggregated over (the `Group by` fields) will contain data.
.. *Timestamp override* (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this avoids missing alerts due to ingestion delays.
However, if you know your data source has an inaccurate `@timestamp` value, it is recommended you select the *Do not use @timestamp as a fallback timestamp field* option to ignore the `@timestamp` field entirely.
.. *Timestamp override* (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this can prevent missing alerts from ingestion delays.
+
If the selected field is unavailable, the rule query will use the `@timestamp` field instead. In the case that you don't want to use the `@timestamp` field because you know your data source has an inaccurate `@timestamp` value, we recommend selecting the **Do not use @timestamp as a fallback timestamp field** option instead. This will ensure that the rule query ignores the `@timestamp` field entirely.
+
TIP: The {filebeat-ref}/filebeat-module-microsoft.html[Microsoft] and
{filebeat-ref}/filebeat-module-google_workspace.html[Google Workspace] {filebeat} modules have an `event.ingested` timestamp field that can be used instead of the default `@timestamp` field.
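Review bot: In the new `+` continuation paragraph, "If the selected field is unavailable" is ambiguous about what triggers the fallback: the override field missing from an individual event, or the field absent from the index mapping altogether. Since this paragraph exists precisely to spell out the fallback behavior, state which case applies (or both) so a reader can predict whether a partially-populated override field leaves gaps in rule coverage. Two smaller points in the same paragraph: the option name is marked up as `**Do not use @timestamp as a fallback timestamp field**` with double asterisks, while the surrounding text uses single-asterisk bold (`*Timestamp override*`, `Group by` fields), so single asterisks would be consistent; and the sentence "In the case that you don't want to use the `@timestamp` field because you know your data source has an inaccurate `@timestamp` value, we recommend selecting ..." could be tightened to "If you know your data source has an inaccurate `@timestamp` value, select ..." to match the terser style of the surrounding steps.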