First draft

nastasha-solomon · nastasha-solomon · commit 770ece24f3b1 · 2024-10-16T11:28:55.000-04:00
diff --git a/docs/reference/alert-schema.asciidoc b/docs/reference/alert-schema.asciidoc
@@ -195,9 +195,15 @@ Type: string[]
 
 Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run:
 
-* **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `kibana.alert.rule.execution.timestamp` field, which shows when the rule was executed.
+* **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `@timestamp` field, which shows when the alert was created.
 * **Manual run**: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from `10/01/2024 05:00 PM` to `10/07/2024 05:00 PM`, the `kibana.alert.intended_timestamp` value will be a date and time within that range.
 
 Type: date
 
+|N/A | `kibana.alert.rule.execution_type` a| 
+
+Shows if an alert was created by a manual run or a scheduled run. The value can be `manual` or `scheduled`.
+
+Type: keyword
+
 |==============================================
diff --git a/docs/serverless/alerts/alert-schema.mdx b/docs/serverless/alerts/alert-schema.mdx
@@ -891,7 +891,7 @@ The non-ECS fields listed below are beta and subject to change.
       
     </DocCell>
   </DocRow>
-    <DocRow>
+  <DocRow>
     <DocCell>`kibana.alert.workflow_assignee_ids`</DocCell>
     <DocCell>
       List of users assigned to an alert.
@@ -904,17 +904,25 @@ The non-ECS fields listed below are beta and subject to change.
       
     </DocCell>
   </DocRow>
-    <DocRow>
+  <DocRow>
     <DocCell> `kibana.alert.intended_timestamp`</DocCell>
     <DocCell>
       Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run:
 
-         * **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `kibana.alert.rule.execution.timestamp` field, which shows when the rule was executed.
+         * **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `@timestamp` field, which shows when the alert was created.
          * **Manual run**: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from `10/01/2024 05:00 PM` to `10/07/2024 05:00 PM`, the `kibana.alert.intended_timestamp` value will be a date and time within that range.
 
-
       Type: date
       
     </DocCell>
   </DocRow>
+  <DocRow>
+    <DocCell> `kibana.alert.rule.execution_type`</DocCell>
+    <DocCell>
+      Shows if an alert was created by a manual run or a scheduled run. The value can be `manual` or `scheduled`. 
+
+      Type: keyword
+      
+    </DocCell>
+  </DocRow>
 </DocTable>
