Description

We received a bug report on the Elastic Stack Community channel claiming that, when creating a rule exception, the "Close all alerts that match this exception and were generated by this rule" checkbox does not close existing alerts that match the exception conditions.

After some investigation, I found that this is the current expected behaviour and we need to update our docs to reflect that.

For alerts that are built from a group of source events, i.e. building blocks (EQL, threshold rules, suppressions, etc.):

- During rule execution, exceptions are applied to every source event, which is why no alert is generated if any one of the events matches the exception conditions.
- During the add/edit rule exception flow, when the user selects "Close all alerts that match this exception and were generated by this rule", the exceptions are applied to the already generated alerts. Those alerts contain a source field only if it is present, with the same value, in all of the building-block source events; if it is not, the exception has nothing to match against and the alert stays open.

We need to clarify this behaviour in our docs and make it clear.
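The two evaluation points described above, as an added example in Python. This is a toy model written for this issue, not the Elastic detection engine's code: the event fields, the exception item and the rule that an alert keeps only the fields that are identical across all building-block events are constructed assumptions used to illustrate why an exception can suppress future alerts at execution time yet fail to close an existing alert.

```python
"""Toy model of where exceptions are evaluated (added example, not Elastic code)."""
from typing import Any

# Constructed sample: three source events forming one building-block group
# (think of an EQL sequence or a threshold bucket). The third event has no
# user.name, which is the edge case the issue is about.
SOURCE_EVENTS: list[dict[str, Any]] = [
    {"host.name": "web-01", "user.name": "svc-deploy", "process.name": "bash"},
    {"host.name": "web-01", "user.name": "svc-deploy", "process.name": "curl"},
    {"host.name": "web-01", "process.name": "sh"},
]

# An exception item modelled as field -> value pairs; all pairs must match.
ExceptionItem = dict[str, Any]


def doc_matches(doc: dict[str, Any], exc: ExceptionItem) -> bool:
    """True if every field in the exception is present in doc with the same value."""
    return all(field in doc and doc[field] == value for field, value in exc.items())


def build_alert(events: list[dict[str, Any]]) -> dict[str, Any]:
    """Assumed model of the alert document built from a group of source events.

    Only fields present in every event with an identical value are copied into
    the alert; a field missing from one event, or differing between events, is
    dropped. This is the behaviour described in the issue, simplified.
    """
    if not events:
        return {}
    first = events[0]
    return {
        field: value
        for field, value in first.items()
        if all(doc_matches(e, {field: value}) for e in events[1:])
    }


def suppressed_at_execution(events: list[dict[str, Any]], exc: ExceptionItem) -> bool:
    """Rule-execution semantics: the exception is applied to each source event,
    and one matching event is enough to suppress the whole alert."""
    return any(doc_matches(e, exc) for e in events)


def closed_by_exception_flow(alert: dict[str, Any], exc: ExceptionItem) -> bool:
    """'Close all alerts that match this exception' semantics: the exception is
    applied to the generated alert document, not to the source events."""
    return doc_matches(alert, exc)


def compare(events: list[dict[str, Any]], exc: ExceptionItem) -> dict[str, bool]:
    """Evaluate one exception item at both points and return the outcomes."""
    alert = build_alert(events)
    return {
        "suppressed_at_execution": suppressed_at_execution(events, exc),
        "closed_by_exception_flow": closed_by_exception_flow(alert, exc),
    }


if __name__ == "__main__":
    # user.name is in two of the three events: future alerts are suppressed,
    # but the existing alert has no user.name field, so it is not closed.
    print(build_alert(SOURCE_EVENTS))
    print(compare(SOURCE_EVENTS, {"user.name": "svc-deploy"}))
    # host.name is identical in every event, so both paths agree.
    print(compare(SOURCE_EVENTS, {"host.name": "web-01"}))
```

Running the block shows the alert document carrying only `host.name`; an exception on `user.name` therefore suppresses future alerts for this group but leaves the existing alert open, which is exactly what the reporter observed.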
cc @yctercero
Related links / assets
Please include each of the following, if applicable:
Doc URL: https://www.elastic.co/guide/en/security/current/add-exceptions.html
Which documentation set needs improvement?
ESS and serverless
Software version
We should add a known-behaviour note covering every version since exceptions were introduced; from what I see that is 7.10+.
Collaborators
Developer: @e40pud
Timeline / deliverables
If time permits, we can add this into 8.15. Otherwise, next release should be fine as well.