The SIEM app is now a part of the Elastic Security solution.
Click
here to view SIEM documentation for previous releases.
About building-block rules
editAbout building-block rules
editCreate building-block rules when you do not want to see their generated alerts in the UI. This is useful when you want:
- A record of low-risk alerts without producing noise in the Alerts table.
-
Rules that execute on the alert indices (
.siem-signals-<kibana space>-*
). You can then use building-block rules to create hidden alerts that act as a basis for an ordinary rule to generate visible alerts.
Set up rules that run on alert indices
editTo create a rule that searches alert indices, in the Index patterns field, add the index pattern for alert indices:
View building-block alerts in the UI
edit- Go to Security → Detections
- In the Alert table, select Additional filters → Include building-block alerts.
On a building-block Rule details page, the rule’s alerts are displayed (by default, Include building-block alerts is selected).