
[Enhancement]: For existing alerts, only alert with all events matching the condition are closed #5594

Open
@e40pud

Description


We received a bug report on the Elastic Stack Community channel claiming that, while creating a rule exception, the "Close all alerts that match this exception and were generated by this rule" checkbox does not close existing alerts that match the exception conditions.

After some investigation, I found that this is the current expected behaviour and we need to update our docs to reflect that.

When it comes to alerts that are built from a group of source events, i.e. building blocks (EQL, threshold rules, suppression, etc.):

  • During rule execution, exceptions are applied to all source events, which is why an alert is not generated if any one of the events matches the exception conditions.
  • On the other hand, during the add/edit rule exception flow, when the user selects "Close all alerts that match this exception and were generated by this rule", exceptions are applied to the generated alerts, which contain source data only for fields that are present, with the same value, in all building blocks (source events).

We need to clarify this behaviour in our docs and make it clear.
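The following added example (not code from the issue or from Elastic) models the two evaluation points described above so the difference is concrete. The "field equals value" exception form, the sample events and the rule that the alert document keeps only fields present with an identical value in every building block are assumptions made for illustration; they are not Elastic's implementation.

```python
"""Model of exception evaluation at rule-execution time (against source
events) versus in the close-existing-alerts flow (against the generated
alert document). Added example; the matching and merge logic is an
assumption, not the product's code."""

from typing import Any

# Constructed sample: three source events forming one threshold/EQL-style
# alert. host.name and process.name are identical across all events;
# user.name differs per event.
SOURCE_EVENTS = [
    {"host.name": "web-01", "process.name": "curl", "user.name": "alice"},
    {"host.name": "web-01", "process.name": "curl", "user.name": "bob"},
    {"host.name": "web-01", "process.name": "curl", "user.name": "carol"},
]

# Constructed exception entries in "field equals value" form (assumption).
EXCEPTION_ON_SHARED_FIELD = {"process.name": "curl"}
EXCEPTION_ON_VARYING_FIELD = {"user.name": "bob"}


def matches_exception(doc: dict[str, Any], exception: dict[str, Any]) -> bool:
    """True when every exception entry is satisfied by the document."""
    return all(doc.get(field) == value for field, value in exception.items())


def alert_suppressed_at_execution(events: list[dict[str, Any]],
                                  exception: dict[str, Any]) -> bool:
    """Rule execution: the exception is applied to each source event.
    If any one event matches, the grouped alert is not generated."""
    return any(matches_exception(event, exception) for event in events)


def build_alert_document(events: list[dict[str, Any]]) -> dict[str, Any]:
    """Assumed merge: the alert keeps only the fields that are present in
    every building block and carry the same value in all of them."""
    common_fields = set(events[0])
    for event in events[1:]:
        common_fields &= set(event)
    return {
        field: events[0][field]
        for field in sorted(common_fields)
        if all(event[field] == events[0][field] for event in events)
    }


def alert_closed_by_exception(events: list[dict[str, Any]],
                              exception: dict[str, Any]) -> bool:
    """Close-existing-alerts flow: the exception is applied to the alert
    document, not to the individual source events."""
    return matches_exception(build_alert_document(events), exception)


if __name__ == "__main__":
    for name, exc in [("shared field", EXCEPTION_ON_SHARED_FIELD),
                      ("varying field", EXCEPTION_ON_VARYING_FIELD)]:
        print(f"{name}: suppressed at execution="
              f"{alert_suppressed_at_execution(SOURCE_EVENTS, exc)}, "
              f"existing alert closed={alert_closed_by_exception(SOURCE_EVENTS, exc)}")
```

With the varying-field exception, the alert would never have been generated at execution time (one event matches), yet an already existing alert is not closed, because `user.name` is absent from the merged alert document. That asymmetry is the behaviour the docs note needs to describe.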

cc @yctercero

Related links / assets

Please include each of the following, if applicable:
Doc URL: https://www.elastic.co/guide/en/security/current/add-exceptions.html

Which documentation set needs improvement?

ESS and serverless

Software version

We should add a known behaviour note covering every version since exceptions were introduced. From what I see, that is 7.10+.

Collaborators

Developer: @e40pud

Timeline / deliverables

If time permits, we can add this into 8.15. Otherwise, next release should be fine as well.
