[Internal]: Risk score custom alert filters #3837

@hop-dev

Description

We have introduced a new feature, alert filtering, which allows the user to filter out alerts for certain entity types, for example:

  • a customer may not want to generate risk for the root user because it has too many alerts / it is not useful; they would add `not user.name: "root"` applied to risk scores of Users

  • a customer may not want to calculate risk score for users with asset criticality set to "low_impact": `not user.asset.criticality: "low_impact"`

  • a customer may want to consider alerts that are closed, but they may not want to consider alerts which were false positives; in this case they could select "Include closed alerts in calculation" and then add a filter `not kibana.alert.workflow_reason : "false_positive"`
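
As an added illustration (not part of this issue or of Kibana's own code), the sketch below applies the three filters above to a constructed batch of alerts and shows how the "Include closed alerts in calculation" toggle combines with the exclusion filters. It assumes alerts are nested dicts carrying the fields shown, uses `kibana.alert.workflow_status == "closed"` as the closed-alert marker, and handles only the `not field: "value"` shape of KQL used in the examples.

```python
import re

# Only the `not <field>: "<value>"` subset of KQL used in the issue's examples
# is parsed here; the real engine evaluates full KQL inside Elasticsearch.
FILTER_RE = re.compile(r'^\s*not\s+([\w.]+)\s*:\s*"([^"]*)"\s*$')

def parse_exclusion(kql: str) -> tuple[str, str]:
    """Turn 'not user.name: "root"' into ("user.name", "root"); reject anything else."""
    m = FILTER_RE.match(kql)
    if not m:
        raise ValueError(f'unsupported filter (only not field: "value" handled): {kql}')
    return m.group(1), m.group(2)

def get_field(doc: dict, dotted: str):
    """Resolve a dotted ECS-style path such as user.asset.criticality in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def alerts_for_risk_scoring(alerts, exclusion_filters, include_closed=False):
    """Return the alerts that still feed the risk score after the toggle and filters apply."""
    rules = [parse_exclusion(f) for f in exclusion_filters]
    kept = []
    for alert in alerts:
        # Closed alerts are dropped unless the user enabled the closed-alerts toggle.
        if get_field(alert, "kibana.alert.workflow_status") == "closed" and not include_closed:
            continue
        # Every `not field: "value"` filter excludes alerts whose field equals that value.
        if any(get_field(alert, field) == value for field, value in rules):
            continue
        kept.append(alert)
    return kept

# Constructed sample alerts (not real data); workflow_reason values are illustrative.
SAMPLE_ALERTS = [
    {"user": {"name": "root", "asset": {"criticality": "high_impact"}},
     "kibana": {"alert": {"workflow_status": "open"}}},
    {"user": {"name": "alice", "asset": {"criticality": "low_impact"}},
     "kibana": {"alert": {"workflow_status": "open"}}},
    {"user": {"name": "bob", "asset": {"criticality": "high_impact"}},
     "kibana": {"alert": {"workflow_status": "closed", "workflow_reason": "false_positive"}}},
    {"user": {"name": "carol", "asset": {"criticality": "high_impact"}},
     "kibana": {"alert": {"workflow_status": "closed", "workflow_reason": "true_positive"}}},
    {"user": {"name": "dave", "asset": {"criticality": "high_impact"}},
     "kibana": {"alert": {"workflow_status": "open"}}},
]

def kept_user_names(exclusion_filters, include_closed=False):
    return [a["user"]["name"] for a in alerts_for_risk_scoring(SAMPLE_ALERTS, exclusion_filters, include_closed)]
```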

Resources

alert_filtering.mov

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

New filter UI added to risk engine management page

What release is this request related to?

N/A

Serverless release

27/10/2025

Collaboration model

The documentation team

Point of contact

Main contact: @hop-dev

Stakeholders:

Labels

Team:Experience (Issues owned by the Experience Docs Team)