Problem

Currently, you must be aware that if you use `event.kind:alert`, this is always handled in the context of a security event. However, the description of the allowed value `alert` describes it as "often populated" by security appliances. This can lead to confusion if you use `event.kind:alert` in the context of observability, as the prebuilt rule External Alerts automatically generates alerts in the context of security.

Motivation

As an integration developer, I would also like to have the option of creating observability alerts in the context of observability. To achieve this, it must be considered how to implement a distinction between security alerts and observability alerts.
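The ambiguity described above, as an added example that is not part of the issue: two constructed ECS documents both carry `event.kind: alert`, so a query on that field alone (the shape of the External Alerts rule) matches both; the second filter assumes a discriminator field, here `data_stream.type`, which is an assumption for illustration and not something the issue proposes.

```python
# Added example (not from the original issue). Demonstrates that
# `event.kind: alert` cannot by itself tell a security alert from an
# observability alert, and that an explicit discriminator is needed.

# Constructed sample documents (not real integration output).
SECURITY_ALERT = {
    "event": {"kind": "alert", "category": ["intrusion_detection"]},
    "data_stream": {"type": "logs", "dataset": "suricata.eve"},
    "message": "ET SCAN suspicious inbound traffic",
}
OBSERVABILITY_ALERT = {
    "event": {"kind": "alert", "category": ["web"]},
    "data_stream": {"type": "metrics", "dataset": "apm.error"},
    "message": "Error rate above threshold",
}


def get_field(doc: dict, dotted: str):
    """Resolve an ECS dotted field name (e.g. 'event.kind') in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_kind_alert(doc: dict) -> bool:
    """Equivalent of the query `event.kind: alert` used on its own."""
    return get_field(doc, "event.kind") == "alert"


def matches_security_alert(doc: dict, security_types=("logs",)) -> bool:
    """Assumed refinement: only treat the alert as a security alert when the
    discriminator field `data_stream.type` is in a security-relevant set.
    The discriminator is an illustrative assumption, not an ECS rule."""
    return matches_kind_alert(doc) and get_field(doc, "data_stream.type") in security_types


def classify(docs):
    """Return the count of docs matched by each filter: (kind_only, security_only)."""
    kind_only = sum(matches_kind_alert(d) for d in docs)
    security_only = sum(matches_security_alert(d) for d in docs)
    return kind_only, security_only


if __name__ == "__main__":
    print(classify([SECURITY_ALERT, OBSERVABILITY_ALERT]))
```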