generates too much findings(findings count = rules count) for one trigerred rule when exists multiple alerts(each for specific rule) in detector config

[humster88]

Hello.
I'm seeing this problem.
I tried versions 2.13.0, 2.14.0, 2.15.0, it appears everywhere.
I'm using docker-compose deployment.
There is one detector, with 3 rules and 3 alerts attached (each alert has its own rule selected in the trigger).
When any rule is triggered, one alert is generated, which is logical.
But besides this, 3 finding are generated, all of them belong to the same rule (which generated the trigger).
When viewing details, each finding refers to the same document from the index.
If i leave one alert in the detector, triggered by any rule, then when triggered everything is correct, one finding, one alert.
If i remove alerts from the detector altogether, then everything is fine with finding.

Originally posted by @humster88 in #824 (comment)

[dblock]

[Catch All Triage - 1, 2, 3]

[daimoniac]

I can confirm this issue.

We have a detector that generates 3 findings per matching document. When removing all or all except one alert triggers, this is reduced to 1 finding.

[nishtham-amazon]

This behavior is expected. Detector findings are generated based on the rules defined at the detector level. If a detector has x rules and y triggers, findings will be generated for each of the y triggers across the x rules. Thus, the 3 findings for 3 triggers defined. Depending on the associated alert rules, if only one alert rule matches a finding, a single alert will be triggered.