Hello all,
TL;DR
When an alert is triggered by a correlation rule, the linked alerts (building blocks) are not automatically closed with the "main alert". This results in a large number of unnoticed open alerts.
Problem
For an alert triggered by a correlation rule, one alert is displayed by default in the Kibana Security/Alerts interface. Additional alerts/information can be displayed by using the "Additional filters" button and checking the "Include building block alerts" box. These are also visible through the investigation within the timeline.
If a "main alert" is set to the acknowledged or closed state, the alerts of the building blocks remain in their original state, although they are linked to each other via the group.id. The same behavior can be seen when the "main alert" is assigned to a case: the building-block alerts remain untouched.
This issue leads to many unnoticed open alarms during alert analysis, which affect the Elastic stack negatively over time.
Questions
- Is this an intended behavior or a bug?
- Is there a way to automatically link the alert status of the building-block alerts to that of the main alert? Also, can these be automatically attached during case creation?
In other words, when using Correlation Rules, is Elastic expected to always have the option: "additional filter" - "Include building block alerts" enabled to handle all open alerts?
Many thanks for your help
Elastic Versions
8.4.3
8.8.2
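Added example (not from the original post or from Elastic): a small audit that groups alert documents by group id and flags building-block alerts whose workflow status lags behind the main alert of the same group, then renders the bulk update lines that would align them. The field names `kibana.alert.group.id`, `kibana.alert.workflow_status` and `kibana.alert.building_block_type` and the index name are assumptions based on the Kibana alert schema; the alert documents are constructed sample data.

```python
import json
from collections import defaultdict

# Assumed Kibana alert field names; verify against your .alerts-security.alerts-* mapping.
GROUP = "kibana.alert.group.id"
STATUS = "kibana.alert.workflow_status"
BB_TYPE = "kibana.alert.building_block_type"  # present only on building-block alerts

# Constructed sample: three correlation groups in different states.
SAMPLE_ALERTS = [
    {"_id": "main-1", GROUP: "g1", STATUS: "closed"},
    {"_id": "bb-1a", GROUP: "g1", STATUS: "open", BB_TYPE: "default"},
    {"_id": "bb-1b", GROUP: "g1", STATUS: "open", BB_TYPE: "default"},
    {"_id": "main-2", GROUP: "g2", STATUS: "open"},
    {"_id": "bb-2a", GROUP: "g2", STATUS: "open", BB_TYPE: "default"},
    {"_id": "main-3", GROUP: "g3", STATUS: "acknowledged"},
    {"_id": "bb-3a", GROUP: "g3", STATUS: "acknowledged", BB_TYPE: "default"},
]

def find_stale_building_blocks(alerts):
    """Return {building_block_id: main_alert_status} for building-block alerts
    still open (or otherwise differing) after their main alert was closed/acknowledged."""
    groups = defaultdict(list)
    for a in alerts:
        if GROUP in a:
            groups[a[GROUP]].append(a)
    stale = {}
    for members in groups.values():
        mains = [a for a in members if BB_TYPE not in a]
        if not mains:
            continue  # no main alert in this group: nothing to mirror from
        target = mains[0][STATUS]
        if target == "open":
            continue  # main alert still open, building blocks may stay open
        for a in members:
            if BB_TYPE in a and a[STATUS] != target:
                stale[a["_id"]] = target
    return stale

def build_bulk_updates(stale, index=".alerts-security.alerts-default"):
    """Render Elasticsearch _bulk update lines (as dicts) aligning the stale alerts."""
    lines = []
    for alert_id, status in stale.items():
        lines.append({"update": {"_index": index, "_id": alert_id}})
        lines.append({"doc": {STATUS: status}})
    return lines

if __name__ == "__main__":
    for line in build_bulk_updates(find_stale_building_blocks(SAMPLE_ALERTS)):
        print(json.dumps(line))
```

The bulk lines show the intended update; applying them directly to the alerts index bypasses Kibana's own status handling, so in practice the same change is better made through Kibana's alert status workflow.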