[Response Ops] Align Alert Counts Between Case and Alert Table for Correlation Rule Types

[pborgonovi]

Description:

Currently, when using the functionality to automatically open a Case as an action from a rule run, there is a discrepancy in the number of alerts displayed in the Case compared to the Alert Table, specifically for Correlation rule types.

Current behavior:

• In the Alert Table, “building block alerts” are hidden, reducing the visible number of alerts.
• In the Case, “building block alerts” are displayed, resulting in a higher number of alerts.

This difference is seen when Cases are automatically opened due to rule runs, creating an inconsistency in the user experience, as they see different alert counts in different parts of the application. After discussions with the Detection Engine and ResponseOps teams, it was determined that this is the current intended behavior and not a bug. However, it would be beneficial for product consistency if both components behaved the same way regarding “building block alerts.”

Alerts table view:

Case alerts view:

When selecting Include building block alerts in Alerts table we have the amounts matching:

Proposal:

Align the behavior of the Alert Table and the Case so that both consistently display or hide “building block alerts.”

• Option 1: Make “building block alerts” visible in the Alert Table, aligning it with the Case behavior.
• Option 2: Make “building block alerts” hidden in the Case, aligning it with the Alert Table behavior.

Justification:

• Improved user experience: Aligning the behavior will avoid confusion when comparing the number of alerts between the Alert Table and the Case.
• Consistency: Both views should display the same number of alerts, preventing discrepancies and potential misunderstandings.

Impact:

This change directly impacts the usability and trust in the information presented, especially when monitoring critical alerts and automatically creating Cases through rule runs.

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[elasticmachine]

Pinging @elastic/response-ops-cases (Feature:Cases)

[jcger]

is this related to #177208 ?

@cnasikas

[adcoelho]

@jcger different things.

The problem here is related to building block rules and the alerts they produce. Building block rules by definition are used when we don't wanna see the alerts in the UI. They are not visible in the alerts table so I guess those alerts shouldn't be shown on cases either. This is also connected to the case action because the alerts are automatically attached to the cases it creates. (I guess for building block rules we should make an exception? @cnasikas ?)

#177208 has to do with how the alert count in cases telemetry is not accurate(for a different reason). This happens because we treat each hit on a cases-comment of type alerts as a single alert but since multiple alerts can be grouped in a single comment that calculation is wrong. iirc we need to do an aggregation that takes into account the alert_id arrays inside the cases-comment saved objects.

[cnasikas]

Exactly as @adcoelho explained!