We recently upgraded to Kibana 8.8.0 from 8.0. When using the Alerts dashboard under Kibana Security, we typically use the status filter to filter the dashboard to show only "open" alerts, so that our analysts know what alerts need to be triaged (and have not been acknowledged/closed by other analysts). After upgrading, the alerts dashboard now displays all alerts when there are no more open alerts left. The status control has "open" listed as an ignored value.
It is confusing when you expect the dashboard to only show open alerts, and it ends up showing all alerts instead (because there are no open alerts left).
To recreate the issue, set the status on the alerts dashboard to "open," then close all of the alerts, and now the alerts dashboard will show all alerts instead of 0 open alerts. The "open" status filter does not function as expected.
The status control will also list "open" as being an ignored value.
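An analyst who suspects the status control has silently dropped its "open" value can verify the open-alert count outside the dashboard. The following is an added example, not code from this thread or from Elastic: it builds the Elasticsearch query that an "open" status filter on the Security Alerts page amounts to (a term filter on `kibana.alert.workflow_status`, whose values are open, acknowledged and closed) and evaluates it locally against constructed alert documents so it runs offline. Against a live cluster, the same body would be sent to `POST .alerts-security.alerts-*/_count`; the index pattern, the field name and the sample alerts are the assumptions here.

```python
"""Offline check for the Kibana Security alert status filter.

Added example, not code from the thread or from Elastic. A status filter
on the Security Alerts page reduces to a term filter on
kibana.alert.workflow_status; this script builds that query and evaluates
it against constructed alert documents, so that "0 open alerts" comes back
as 0 rather than widening to all alerts.
"""
from typing import Dict, List

# Assumed defaults: the security alerts index pattern and status field.
ALERTS_INDEX = ".alerts-security.alerts-*"
STATUS_FIELD = "kibana.alert.workflow_status"
VALID_STATUSES = ("open", "acknowledged", "closed")


def status_query(status: str) -> Dict:
    """Query DSL selecting alerts with the given workflow status.

    On a live cluster this body goes to POST {ALERTS_INDEX}/_count; the
    returned count is what the dashboard's status control should reflect.
    """
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r}")
    return {"query": {"bool": {"filter": [{"term": {STATUS_FIELD: status}}]}}}


def _matches(doc: Dict, query: Dict) -> bool:
    """Minimal evaluator for the bool/filter/term shape built above."""
    for clause in query["query"]["bool"]["filter"]:
        for field, value in clause["term"].items():
            if doc.get(field) != value:
                return False
    return True


def count_by_status(docs: List[Dict], status: str) -> int:
    """Number of docs matching the status filter; zero is a valid answer."""
    query = status_query(status)
    return sum(1 for d in docs if _matches(d, query))


def triage_queue(docs: List[Dict], status: str = "open") -> List[Dict]:
    """Alerts an analyst still has to look at.

    Returns an empty list when nothing matches instead of falling back to
    every alert, which is the behaviour the original post expects.
    """
    query = status_query(status)
    return [d for d in docs if _matches(d, query)]


def close_all(docs: List[Dict]) -> List[Dict]:
    """Copies of docs with every alert closed, simulating a bulk close."""
    return [{**d, STATUS_FIELD: "closed"} for d in docs]


# Constructed sample alerts for the demonstration, not real data.
SAMPLE_ALERTS = [
    {"_id": "a1", "kibana.alert.rule.name": "Suspicious PowerShell", STATUS_FIELD: "open"},
    {"_id": "a2", "kibana.alert.rule.name": "Suspicious PowerShell", STATUS_FIELD: "acknowledged"},
    {"_id": "a3", "kibana.alert.rule.name": "New User Added", STATUS_FIELD: "closed"},
]

if __name__ == "__main__":
    print("open before closing:", count_by_status(SAMPLE_ALERTS, "open"))
    print("open after closing all:", count_by_status(close_all(SAMPLE_ALERTS), "open"))
    print("triage queue after closing all:", triage_queue(close_all(SAMPLE_ALERTS)))
```

If the local count is 0 while the dashboard shows every alert, the status control has dropped the value rather than the alerts having reopened, which is the distinction that matters for triage.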
I can confirm that we have the same experience when upgrading from 8.7.0 to 8.8.0, and I don't know if this is a bug or a "feature" according to Elastic but we find the new behaviour extremely counterproductive. I have a case on this with Elastic support but have so far not heard any useful feedback on it.