IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
About building block rules
editAbout building block rules
editCreate building block rules when you do not want to see their generated alerts in the UI. This is useful when you want:
- A record of low-risk alerts without producing noise in the Alerts table.
-
Rules that execute on the alert indices (
.siem-signals-<kibana space>-*). You can then use building block rules to create hidden alerts that act as a basis for an ordinary rule to generate visible alerts.
Set up rules that run on alert indices
editTo create a rule that searches alert indices, in the Index patterns field, add the index pattern for alert indices:
View building block alerts in the UI
edit- Go to Detect → Alerts.
- In the Alerts table, select Additional filters → Include building block alerts, located on the far-right.
On a building block rule details page, the rule’s alerts are displayed (by default, Include building block alerts is selected).