Normally, when creating cases using the case action in a rule, the alert that triggered this action will be attached to the new case and visible in the Alerts tab.
For rules created in stack management in serverless security projects, this is not working properly.
The alerts tab shows the correct count.
But the tab itself shows no alerts.
In #186270 a workaround was created to change the owner of these cases to be 'securitySolution' when the project is security serverless.
We probably have to do something similar with the alerts generated by these rules while keeping them visible in Stack Management.
How to reproduce
Start Kibana locally in serverless security mode.
Navigate to Rules in Stack Management.
Create a rule with the case action.
When an alert is triggered, confirm that the corresponding case was created in Security > Cases.
Navigate to the case and confirm the alerts tab is empty.
DoD
When a user creates a stack rule from a serverless project where only the solution's cases are available, the alerts should also be visible in the solution cases tab.