
[Internal]: Document new advanced setting for max cases per rule run (Cases alert action) #5737

@nastasha-solomon

Description


A new Kibana advanced setting, maxOpenCasesPerRuleRun, has been added that allows users to configure the maximum number of cases that can be created per security rule execution via the Cases alert action.

What changed:

  • Previously, the maximum was hardcoded at 5 (and later configurable up to 20 via a per-rule setting introduced in 9.4)
  • Users can now navigate to Advanced Settings, search for cases, and set maxOpenCasesPerRuleRun to any value appropriate for their environment — for example, 100 for large clusters with many agents
  • The limit of 20 cases created by Attack Discovery is unaffected by this setting

What needs to be documented:

  • The existence and purpose of the new maxOpenCasesPerRuleRun advanced setting
  • Where to find it (Stack Management → Advanced Settings, search "cases")
  • The default value and the previous hardcoded limits (for context/migration)
  • A note that this setting applies to the Cases alert action on security rules, not to Attack Discovery
  • Guidance for large-scale deployments (e.g., clusters with 100+ agents) on when to increase this value

Resources

This feature was implemented in elastic/kibana#259255.

This feature was scoped in elastic/kibana#260290.

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

The feature is identical in all deployment methods.

What release is this request related to?

9.3

Serverless release

Unknown — check with @janmonschke for serverless availability timeline.

Collaboration model

The documentation team

Point of contact

Main contact: @janmonschke

Stakeholders: Team:Cases

Metadata

Labels

Team:Experience (Issues owned by the Experience Docs Team)
