Create building block rules when you do not want to see their generated alerts in the UI. This is useful when you want:
- A record of low-risk alerts without producing noise in the Alerts table.
- Rules that execute on the alert indices (.alerts-security.alerts-<kibana space>). You can then use building block rules to create hidden alerts that act as a basis for an 'ordinary' rule to generate visible alerts.
To create a rule that searches alert indices, select Index Patterns as the rule's Source and enter the index pattern for alert indices (
By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which increases the number of alerts shown there:
- Go to Alerts.
- In the Alerts table, select Additional filters → Include building block alerts, located on the far-right.
On a building block rule details page, the rule's alerts are displayed (by default, Include building block alerts is selected).
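The two-rule pattern described above, expressed as Detection Engine API rule payloads, as an added example that is not part of the original page or of Elastic's documentation: a hidden building block rule on event data, and an ordinary threshold rule whose source is the alert index of one Kibana space. The rule names, the event query, the host.name threshold and the `create_rule` helper (Kibana URL and API key) are constructed assumptions.

```python
"""Building block rule plus a visible rule that reads its hidden alerts."""
import json
import urllib.request


def building_block_rule(index_patterns):
    """Hidden rule: its alerts land in the alert index but stay out of the Alerts table."""
    return {
        "name": "BB - example low-risk signal",  # constructed name
        "description": "Low-risk signal kept as a building block (hidden by default).",
        "type": "query",
        "language": "kuery",
        "index": index_patterns,
        "query": "event.category:process and event.type:start",  # constructed query
        "risk_score": 21,
        "severity": "low",
        "building_block_type": "default",  # marks every alert as a building block
        "interval": "5m",
        "from": "now-6m",
        "enabled": True,
    }


def visible_rule_over_alerts(space, bb_rule_name, threshold=5):
    """Ordinary rule whose source is the alert index of the given Kibana space."""
    return {
        "name": "Repeated building block alerts from one host",  # constructed name
        "description": "Fires when one host produces many hidden building block alerts.",
        "type": "threshold",
        "language": "kuery",
        "index": [f".alerts-security.alerts-{space}"],  # alert index as the rule's source
        "query": (f'kibana.alert.building_block_type:"default" '
                  f'and kibana.alert.rule.name:"{bb_rule_name}"'),
        "threshold": {"field": ["host.name"], "value": threshold},  # constructed grouping
        "risk_score": 47,
        "severity": "medium",
        "interval": "15m",
        "from": "now-20m",
        "enabled": True,
    }


def create_rule(kibana_url, api_key, rule):
    """POST one rule to the Detection Engine API and return the created rule."""
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/rules",
        data=json.dumps(rule).encode(),
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:  # network call; not exercised offline
        return json.load(resp)
```

Create the building block rule first, then the visible rule, so the alert index already receives hidden alerts when the second rule's first run queries it.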