Description
Currently, the Cases action in Detection Rules has a hardcoded backend circuit breaker set to 5. If a rule execution triggers creation of more than 5 distinct cases (based on the Group by alert field), the system overrides the user's grouping logic and merges all subsequent alerts into a single fallback case.
This behavior causes "data corruption" from the user's perspective, as the fallback case becomes a mix of unrelated alerts (e.g., different users or hosts mixed together), breaking triage workflows.
This feature allows users to set the grouping limit to any value between 1 and 20 (see screenshot).
Resources
PR: elastic/kibana#247990
Product ticket: https://github.com/elastic/security-team/issues/15196
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
None
What release is this request related to?
9.4
Serverless release
The week of January 26th 2026
Collaboration model
The documentation team
Point of contact.
Main contact: @janmonschke
Stakeholders: @melissaburpo