
Commit e9f0d81

rseldner, nastasha-solomon and yctercero authored
Update rules-ui-create.asciidoc - fallback behavior in timestamp overrides (#6425)
* Update rules-ui-create.asciidoc - Note fallback behavior in timestamp overrides

Explicitly state the fallback behavior on timestamp overrides.

* Serverless updates
* Update docs/detections/rules-ui-create.asciidoc
* Update docs/detections/rules-ui-create.asciidoc
* formatting fix
* Update docs/detections/rules-ui-create.asciidoc

Co-authored-by: Yara Tercero <[email protected]>

* Update docs/serverless/rules/rules-ui-create.asciidoc

Co-authored-by: Yara Tercero <[email protected]>

---------

Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: nastasha.solomon <[email protected]>
Co-authored-by: Yara Tercero <[email protected]>
1 parent 6d64b54 commit e9f0d81

2 files changed

+6
-4
lines changed

docs/detections/rules-ui-create.asciidoc

Lines changed: 3 additions & 2 deletions
@@ -587,8 +587,9 @@ Suricata, selecting `event.action` lets you see what action (Suricata category)
587587
caused the event directly in the Alerts table.
588588
+
589589
NOTE: For threshold rules, not all source event values can be used for overrides; only the fields that were aggregated over (the `Group by` fields) will contain data.
590-
.. *Timestamp override* (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this avoids missing alerts due to ingestion delays.
591-
However, if you know your data source has an inaccurate `@timestamp` value, it is recommended you select the *Do not use @timestamp as a fallback timestamp field* option to ignore the `@timestamp` field entirely.
590+
.. *Timestamp override* (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this can prevent missing alerts from ingestion delays.
591+
+
592+
If the selected field is unavailable, the rule query will use the `@timestamp` field instead. In the case that you don't want to use the `@timestamp` field because you know your data source has an inaccurate `@timestamp` value, we recommend selecting the **Do not use @timestamp as a fallback timestamp field** option instead. This will ensure that the rule query ignores the `@timestamp` field entirely.
592593
+
593594
TIP: The {filebeat-ref}/filebeat-module-microsoft.html[Microsoft] and
594595
{filebeat-ref}/filebeat-module-google_workspace.html[Google Workspace] {filebeat} modules have an `event.ingested` timestamp field that can be used instead of the default `@timestamp` field.
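Review bot: the added line 592 bolds the option name as `**Do not use @timestamp as a fallback timestamp field**`, while the same list item (line 590, `.. *Timestamp override*`) and the deleted line 591 use single-asterisk bold; in this file, keep the single-asterisk form (`*Do not use @timestamp as a fallback timestamp field*`) so one item does not mix both styles. Also, "unavailable" in "If the selected field is unavailable" leaves open whether the fallback to `@timestamp` applies when the override field is missing from an individual event or when it is absent from the index altogether; stating which would make the fallback behavior, the point of this change, unambiguous. Minor wording: "In the case that you don't want to use" reads more cleanly as "If you don't want to use".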

docs/serverless/rules/rules-ui-create.asciidoc

Lines changed: 3 additions & 2 deletions
@@ -620,8 +620,9 @@ caused the event directly in the Alerts table.
620620
====
621621
For threshold rules, not all source event values can be used for overrides; only the fields that were aggregated over (the `Group by` fields) will contain data.
622622
====
623-
.. **Timestamp override** (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this avoids missing alerts due to ingestion delays.
624-
However, if you know your data source has an inaccurate `@timestamp` value, it is recommended you select the **Do not use @timestamp as a fallback timestamp field** option to ignore the `@timestamp` field entirely.
623+
.. **Timestamp override** (optional): Select a source event timestamp field. When selected, the rule's query uses the selected field, instead of the default `@timestamp` field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to {es}, this can prevent missing alerts from ingestion delays.
624+
+
625+
If the selected field is unavailable, the rule query will use the `@timestamp` field instead. In the case that you don't want to use the `@timestamp` field because you know your data source has an inaccurate `@timestamp` value, we recommend selecting the **Do not use @timestamp as a fallback timestamp field** option instead. This will ensure that the rule query ignores the `@timestamp` field entirely.
625626
+
626627
[TIP]
627628
====
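Review bot: the new line 625 carries the same "unavailable" ambiguity as the stack docs counterpart: say whether the fallback to `@timestamp` happens when the override field is missing from a given event or when it is not present in the index at all. The bold style here (`**...**`) matches line 623's `**Timestamp override**`, so nothing to change on that point. Consider tightening "In the case that you don't want to use the `@timestamp` field because you know your data source has an inaccurate `@timestamp` value" to "If you don't want to use `@timestamp` because your data source has an inaccurate `@timestamp` value", and since this paragraph now duplicates docs/detections line 592 nearly verbatim, keep the two files in sync in future edits.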
