elasticmachine
commented
16 hours ago Pinging @elastic/response-ops (Team:ResponseOps)
Open pborgonovi opened 16 hours ago
elasticmachine
commented
16 hours ago Pinging @elastic/response-ops (Team:ResponseOps)
elasticmachine
commented
2 hours ago Pinging @elastic/response-ops-cases (Feature:Cases)
Description:
Currently, when using the functionality to automatically open a Case as an action from a rule run, there is a discrepancy in the number of alerts displayed in the Case compared to the Alert Table, specifically for Correlation rule types.
Current behavior:
This difference is seen when Cases are automatically opened due to rule runs, creating an inconsistency in the user experience, as they see different alert counts in different parts of the application. After discussions with the Detection Engine and ResponseOps teams, it was determined that this is the current intended behavior and not a bug. However, it would be beneficial for product consistency if both components behaved the same way regarding “building block alerts.”
Alerts table view:
Case alerts view:
When selecting
Include building block alertsin Alerts table we have the amounts matching:Proposal:
Align the behavior of the Alert Table and the Case so that both consistently display or hide “building block alerts.”
Justification:
Impact:
This change directly impacts the usability and trust in the information presented, especially when monitoring critical alerts and automatically creating Cases through rule runs.