Merge pull request #2043 from SEKOIA-IO/doc/alert_filter

Add documentation for review alert features

docs/getting_started/restricted_roles.md

@@ -0,0 +1,26 @@
+# Restricted roles
+
+!!! Important
+    Users with a restricted role have access to a very limited set of features. They can only view `events` and `alerts` associated with selected `intakes`.
+
+## Creating a restricted role
+
+To create a restricted role, follow these steps:
+
+1. Go to Settings > Workspace > Roles
+2. Click on the Add New Role button
+3. Provide role details:
+    - Role name: Enter a name for the new role
+    - Description: Write a description between 10 and 1000 characters to explain the purpose and responsibilities associated with this role
+4. Click on the `specific intakes` label to display the list of intakes available in the workspace
+5. Select the `intakes` authorized for this role
+6. Choose the specific permissions you want to assign to this role. These permissions will define what actions users with this role can perform
+7. Click Save to create the role. The new role will now appear in the roles listing with a `Restricted intakes` badge.
+
+## Assigning the restricted role to users
+
+Once the restricted role is created, you can assign it to existing users:
+
+1. Navigate to the Workspace users page in the settings menu
+2. Select the user you want to assign the role to
+3. Attribute the new restricted role to the user and save your changes

docs/getting_started/roles.md

@@ -1,6 +1,6 @@
 # Overview
 
-Role-based access systems are designed to enhance security and improve the user experience by defining user permissions based on their specific roles. These systems typically include built-in roles that are pre-defined and cannot be modified and Custom roles, providing additional options for user access control.
+Role-based access systems are designed to enhance security and improve the user experience by defining user permissions based on their specific roles. These systems typically include built-in roles that are pre-defined and cannot be modified, Custom roles providing additional options for user access control and finally Intakes restricted roles.
 
 ## Built-In roles
 
@@ -24,6 +24,13 @@ In addition to built-in roles, each admin may create Custom roles. These allow t
 
 Please refer to this section to learn [how to create custom roles](custom_roles.md).  
 
+## Restricted Roles
+
+Restricted roles allows you to restrict access to events per `intake`. It is especially helpful to segregate data access and make sure that sensitive data is accessed only by authorized users. 
+
+Please refer to this section to learn [how to create restricted roles](restricted_roles.md).  
+
+
 ## Intake Restricted Roles
 
 Admin may also create Intake restricted roles to segregate user access by datasources. These roles enable organizations to compartmentalize data streams so that only users with the appropriate permissions can access specific subsets of data in a read-only mode. However with Intake restricted roles, the list of available permissions is limited due to the nature of the role.

docs/xdr/features/detect/rules_catalog.md

@@ -109,10 +109,30 @@ You can click on the name of a rule to display additional details, such as, but
 - Associated Data Sources
 - Known False Positives
 - The actual detection logic (the pattern)
+- Alert filters
 - [Similarity strategy](../../investigate/alerts/#similarity-strategies) for the produced alerts
 
 ![rule details](/assets/operation_center/rules_catalog/rule_details2.png)
 
+### Alert filters
+
+In the section `Alert filters`, you can consult the list of alert filters that are currently enabled in the `Actives` tab. The number of alert `muted` in the `last 30 days` is displayed for each alert filter to help you audit its effectiveness.
+
+Click on the `arrow` to expand the alert filter and consult the exclusion pattern.
+
+![alert filters](/assets/operation_center/rules_catalog/alert_filters.png)
+
+The `Expired` tab list all the alert filters that had an `expiration date` set and whose date has been reached. Expired alert filters can be deleted if needed.
+
+### Rules with active alert filter
+
+To search for rules that have at least one active alert filter, use the search `Alert filter` and select the criteria `Rules with alert filters`.
+All rules with active alert filters will be returned in the list.
+
+![search alert filters](/assets/operation_center/rules_catalog/search_alert_filters.png)
+
+You can also search for rules that have no active alert filters with the other search criteria.
+
 ### Enable new rules
 #### Automatically
 
@@ -209,7 +229,15 @@ For all types of rules, You will be able to limit its applicable scope with the
 
 When rules have limited scope with selected entities or assets, these rules will not automatically apply to new entities or assets that are later created.
 
+#### Create an alert Filter
+
+To prevent known false positives from raising alerts in the future:
 
+- Click on the `+ Alert filter` button to create an alert filter
+- Enter the `name` of the alert filter (mandatory)
+- Enter the `description` of the alert filter (optional)
+- Enter the `pattern` to exclude events (mandatory)
+- Set an `expiration date` (optional) to define a temporary alert filter
 
 ### Notify on new rules