Hiding building block rules in "Security/Overview"

[srikwit]

Dear Team,

As per the docs at "https://www.elastic.co/guide/en/security/current/building-block-rule.html":
Create building-block rules when you do not want to see their generated alerts in the UI.

However, this feature is only allowed in the detections tab but not in the Overview tab. Due to this the alerts visualization generated from building blocks can overwhelm other critical alerts.

Requesting you to add the following filter for the Overview page:

[tvernum]

@jmikell821 I think this belongs in https://github.com/elastic/security-docs, but since I don't have write access there, I can't transfer it across.
Are you able to?

[jmikell821]

Hi @tvernum - thanks for passing along. This, however, is an enhancement/feature request for Elastic Security as opposed to a documentation issue, so I'm going to transfer this to Kibana and tag the Detections & Response team.

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[banderror]

Hi @srikwit. First of all, thank you for your suggestions!

Hiding building block alerts on the Security Overview page is addressed in this bugfix: #105611

I'm not sure about adding the corresponding filter on the Security Overview page though. To my mind, users are able to navigate from Overview to Alerts and have all the slice-and-dice functionality in the Alerts table there. Filters applied to the Alerts table are synchronised with the Alerts Trend histogram. This way we could have finer grained controls on the Alerts page and leave the Overview page much lighter, giving just the overview of the whole system as the name stands for.

Any thoughts from the UX side would be appreciated @yiyangliu9286.

[yiyangliu9286]

@banderror Thanks for tagging!

Re: the information that has shared via bugfix: #105611, if there's other technical consideration around the implementation for adding a filter on the Security Overview page in the future; maybe a quick UX fix for now would be giving users the context on where they would find and view the building block alerts once they have the filter turned on in the Alerts table (wanted to let them know these alerts show only in the Alerts table but not the Overview page).

An Info EuiToast can be used here to give users extra context:

• Some additional UX question: why is there a yellow blocking shadow on the background of the Include building block alerts checkbox? Is this an intentional design?

[spong]

Some additional UX question: why is there a yellow blocking shadow on the background of the Include building block alerts checkbox? Is this an intentional design?

@yiyangliu9286 Yeah, this was the intended original design for conveying how building block alerts are shown within the Alerts/Timeline tables. Was added as part of #79049. This is probably worth revisiting along with other markers (like the yellow left border signifying an event of kind:alert) and where/what the appropriate legend is for users to make this association, so any thoughts you have here would be greatly appreciated 🙂