[🐛 Bug]: Incident is_visible

[diegovb-sys]

Describe the bug
The threshold property to create an Incident from a correlation has a particularly implementation. When the threshold is > 1 the Incident is created with this first alert and put on hold until the upcoming alerts come in. This behavior makes feasible, for instance, to launch the "On Create" WF with the second alert instead the first (for a threshold = 2).

The principal issue is that the alert could be hidden because of this.
On the one hand, it's clear that in the Incidents, the incident won't be stay there, because is a germ-incident, not an incident itself.

On the other hand, if we filter the Feed by incident.id==null, the alert (which cause that germ-incident) won't be there, due to the alert has a real Incident in the data base.

In order to solve this problem, the solution would be having a filter like (incident.id==null || incident.is_visible == false). Nevertheless, the incident.is_visible is "wrapping" with this patter matching:

    FieldMappingConfiguration(
        map_from_pattern="alert.*",
        map_to=["JSON(alertenrichment.enrichments).*", "JSON(alert.event).*"],
    ),

in keep/api/core/incidents.py

To Reproduce
Steps to reproduce the behavior:

1. Create a correlation with threshold > 1.
2. Send 1 alert that matches with the previous correlation.
3. Filter by incident.id == null in Feed
4. Try to filter by incident.is_visible == false

Expected behavior
The expected behavior is having a consistence in the Feed when the preset tries to show only the alerts without incidents.

[dosubot]

The current implementation creates an incident (a "germ-incident") when the correlation threshold is >1, but this incident is not fully active until more alerts arrive. Because the alert is already linked to an incident in the database—even if that incident is not visible or finalized—filtering the Feed by incident.id == null will not show that alert.

The incident.is_visible field is a boolean on the Incident model and is used in queries to exclude non-visible incidents by default, which means alerts linked to these "germ-incidents" are also hidden when filtering for alerts without incidents. The mapping and filtering logic in the codebase confirms this behavior, and currently, there is no documented workaround or facet that exposes incident.is_visible for alert filtering in the Feed. The default query logic always filters for Incident.is_visible == True, so even trying to filter by incident.is_visible == false will not return the hidden alerts as expectedcode reference.

In summary, the current design does not support showing alerts linked to non-visible (germ) incidents in the Feed using standard filters. This is a known limitation based on the code and mapping configuration.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}