mirror of
https://github.com/elastic/kibana.git
synced 2025-04-23 09:19:04 -04:00
# Backport

This will backport the following commits from `main` to `8.8`:
- [[DOCS] Conditional actions in Kibana alerting summary (#158045)](https://github.com/elastic/kibana/pull/158045)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Lisa Cawley","email":"lcawley@elastic.co"},"sourceCommit":{"committedDate":"2023-05-23T17:50:17Z","message":"[DOCS] Conditional actions in Kibana alerting summary (#158045)","sha":"c5a1d6b5f45207767ab6f2e0acb5bc8134468ff2","branchLabelMapping":{"^v8.9.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Alerting","release_note:skip","Team:ResponseOps","docs","backport:prev-minor","v8.8.0","v8.9.0"],"number":158045,"url":"https://github.com/elastic/kibana/pull/158045","mergeCommit":{"message":"[DOCS] Conditional actions in Kibana alerting summary (#158045)","sha":"c5a1d6b5f45207767ab6f2e0acb5bc8134468ff2"}},"sourceBranch":"main","suggestedTargetBranches":["8.8"],"targetPullRequestStates":[{"branch":"8.8","label":"v8.8.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.9.0","labelRegex":"^v8.9.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/158045","number":158045,"mergeCommit":{"message":"[DOCS] Conditional actions in Kibana alerting summary (#158045)","sha":"c5a1d6b5f45207767ab6f2e0acb5bc8134468ff2"}}]}] BACKPORT-->

Co-authored-by: Lisa Cawley <lcawley@elastic.co>
This commit is contained in:
parent b95e1bcbb4
commit 46f6a76e61
2 changed files with 6 additions and 0 deletions
|
@ -77,6 +77,9 @@ Rather than repeatedly entering connection information and credentials for each
|
|||
|
||||
The _action frequency_ defines when the action runs (for example, only when the alert status changes or at specific time intervals). Each rule type also has a set of the _action groups_ that affects when the action runs (for example, when the threshold is met or when the alert is recovered). If you want to reduce the number of notifications you receive without affecting their timeliness, some rule types support alert summaries. You can set the action frequency such that you receive notifications that summarize the new, ongoing, and recovered alerts at your preferred time intervals.
|
||||
|
||||
Some types of rules enable you to further refine the conditions under which actions run.
|
||||
For example, you can specify that actions run only when an alert occurs within a specific time frame or when it matches a KQL query.
|
||||
|
||||
Each action definition is therefore a template: all the parameters needed to invoke a service are supplied except for specific values that are only known at the time the rule condition is detected.
|
||||
|
||||
In the server monitoring example, the `email` connector type is used, and `server` is mapped to the body of the email, using the template string `CPU on {{server}} is high`.
|
||||
|
|
|
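Review bot: "Some types of rules" in the paragraph on refining action conditions does not say which rule types support the time frame and KQL query filters, and the paragraph has no cross-reference where a reader could find out. Suggest naming the rule types or linking to the page that documents the filters, and adding one sentence on what happens to an alert that falls outside the time frame or does not match the query, so readers do not mistake a filtered-out notification for the absence of an alert.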
@ -77,6 +77,9 @@ Alternatively, you can set the action frequency such that the action runs for ea
|
|||
image::images/rule-flyout-action-details.png[UI for defining an email action,500]
|
||||
// NOTE: This is an autogenerated screenshot. Do not edit it directly.
|
||||
|
||||
If you create rules in the {security-app}, you can further refine when actions run by adding time frame and query filters.
|
||||
For more details, refer to {security-guide}/rules-ui-create.html[Create a detection rule].
|
||||
|
||||
Each connector enables different action properties. For example, an email connector enables you to set the recipients, the subject, and a message body in markdown format. For more information about connectors, refer to <<action-types>>.
|
||||
|
||||
[[alerting-concepts-suppressing-duplicate-notifications]]
|
||||
|
|
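Review bot: The sentence "If you create rules in the {security-app}" ties the time frame and query filters to rules created in the Security app, while the corresponding paragraph in the other changed file says "Some types of rules"; the two files should describe the same scope in the same terms. The link target `{security-guide}/rules-ui-create.html` is also the whole rule creation page, so consider pointing at the section that covers action filters if that page has an anchor for it.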