About building-block rules

edit

Create building-block rules when you do not want to see their generated alerts in the UI. This is useful when you want:

  • A record of low-risk alerts without producing noise in the Alerts table.
  • Rules that execute on the alert indices (.siem-signals-<kibana space>-*). You can then use building-block rules to create hidden alerts that act as a basis for an ordinary rule to generate visible alerts.

Set up rules that run on alert indices

edit

To create a rule that searches alert indices, in the Index patterns field, add the index pattern for alert indices:

alert indices ui

View building-block alerts in the UI

edit
  1. Go to SecurityDetections.
  2. In the Alerts table, select Additional filtersInclude building-block alerts, located on the far-right.

On a building-block Rule details page, the rule’s alerts are displayed (by default, Include building-block alerts is selected).