15 changes: 15 additions & 0 deletions solutions/security/get-started/configure-advanced-settings.md
Expand Up @@ -27,6 +27,7 @@ The advanced settings control the behavior of the {{security-app}}, such as:
* Whether cross-cluster search (CCS) privilege warnings are displayed
* Whether related integrations are displayed on the Rules page tables
* The options provided in the alert tag menu
* The maximum number of cases the Cases connector can open each time a detection rule runs

::::{admonition} Requirements
Your role must have the appropriate privileges to change advanced settings:
Expand Down Expand Up @@ -228,6 +229,20 @@ By default, Elastic prebuilt rules in the **Rules** and **Rule Monitoring** tabl
The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to [Apply and filter alert tags](/solutions/security/detect-and-alert/manage-detection-alerts.md#apply-alert-tags).


## Maximum cases created per rule run [max-cases-cases-connector]

```yaml {applies_to}
stack: ga 9.4
```

The `cases:maxOpenCasesPerRuleRun` advanced setting sets the upper limit for how many new cases the [Cases connector](/deploy-manage/manage-connectors.md) can open during a single detection rule run. It applies when you add a Cases action to the rule. The default value is 20. The minimum accepted value is 1, the maximum is 1000.

For example, if one rule run creates many alerts and you want a case opened for each alert, you can increase the limit for the `cases:maxOpenCasesPerRuleRun` setting to avoid meeting the per-run limit. Pick a number that works for your team and cluster, but be aware that opening a large batch of cases in a single run might increase load on {{kib}} and {{es}}.

::::{note}
The `cases:maxOpenCasesPerRuleRun` setting does not apply to [Attack Discovery](/solutions/security/ai/attack-discovery.md). Attack Discovery continues to use its own case-creation limit (20).
::::

## Add custom alert closing reasons [custom-alert-closing-reasons]
```yaml {applies_to}
stack: ga 9.4+
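Review bot: The `applies_to` block added for the new section uses `stack: ga 9.4`, while the existing section immediately below it uses `stack: ga 9.4+`; the two forms should match so the version badges render consistently. Two wording points in the same hunk: "The minimum accepted value is 1, the maximum is 1000." is a comma splice (suggest "The minimum accepted value is 1 and the maximum is 1000."), and "to avoid meeting the per-run limit" reads better as "to avoid hitting the per-run limit". Minor: there are two consecutive blank lines before the new `## Maximum cases created per rule run` heading, whereas the heading that follows the new section is preceded by one.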