elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

Endpoint Security - Decrease max events to Kibana allowance of 1k #4142

Closed nicpenning closed 1 day ago

nicpenning commented 1 day ago

The default Endpoint Security rule appears to have been set at 10,000 alerts which is beyond the Kibana alerting limit of 1,000.

This corrects that change, but I'm not sure why it is set so high in the first place.


Summary - What I changed

Decreased to 1,000 - Any reason why this is set to 10K in the first place?

You won't hurt my feelings if this is closed right away with a reasonable explanation why this should not be decreased. :)

w0rk3r commented 1 day ago

Hey @nicpenning, this is briefly described in the setup section of the rule, but the 1000 limit is low for some larger environments. Promotion rules have special max_signals settings to not interfere with the promotion of alerts, and there is some work in progress to get a higher limit by default with no user modification in Kibana settings.

This rule is configured to generate more Max alerts per run than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

To make sure this rule can generate as many alerts as it's configured in its own Max alerts per run setting, increase the xpack.alerting.rules.run.alerts.max system setting accordingly.

I'll close this one but will keep an eye on it if you have other Qs around this.
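The mismatch discussed above (a rule's own `max_signals` exceeding Kibana's per-run cap, `xpack.alerting.rules.run.alerts.max`) is easy to catch before deploying rules. The following is an added example, not code from the detection-rules repo or this PR: it reads rule TOML files in the repo's `[rule]` layout and a flat-key `kibana.yml`, reports every rule whose `max_signals` is above the Kibana cap, and computes the cap value that would let all rules reach their configured maximum. The sample rule files and the `kibana.yml` excerpt are constructed for the example; the `1000` default is Kibana's documented default for the setting, and rules that set no `max_signals` are assumed to fall under Kibana's own default and are not flagged.

```python
"""Find detection rules whose max_signals exceeds Kibana's per-run alert cap."""
import re
from typing import Dict, List, Optional, Tuple

try:
    import tomllib  # Python 3.11+ standard library TOML parser
except ImportError:  # older interpreters fall back to a minimal regex reader
    tomllib = None

KIBANA_SETTING = "xpack.alerting.rules.run.alerts.max"
KIBANA_DEFAULT_MAX_ALERTS = 1000  # Kibana default cap on alerts per rule run

# Constructed sample rule files in the detection-rules TOML layout
# (illustrative only, not the repository's real rule files).
SAMPLE_RULES: Dict[str, str] = {
    "endpoint_security.toml": '''
[metadata]
creation_date = "2020/01/01"

[rule]
name = "Endpoint Security"
max_signals = 10000
type = "query"
''',
    "example_rule.toml": '''
[rule]
name = "Example Rule"
type = "query"
''',
}

# Constructed kibana.yml excerpt with the setting at Kibana's default value.
SAMPLE_KIBANA_YML = """
server.port: 5601
xpack.alerting.rules.run.alerts.max: 1000
"""


def _rule_section(toml_text: str) -> str:
    """Fallback for Python < 3.11: return the body of the [rule] table as text."""
    m = re.search(r"^\[rule\]\s*$(.*?)(?=^\[|\Z)", toml_text, re.M | re.S)
    return m.group(1) if m else ""


def read_rule_max_signals(toml_text: str) -> Tuple[str, Optional[int]]:
    """Return (rule name, max_signals or None) from one rule file's text."""
    if tomllib is not None:
        rule = tomllib.loads(toml_text).get("rule", {})
        return rule.get("name", "<unnamed>"), rule.get("max_signals")
    body = _rule_section(toml_text)
    name = re.search(r'^\s*name\s*=\s*"([^"]*)"', body, re.M)
    maxs = re.search(r"^\s*max_signals\s*=\s*(\d+)", body, re.M)
    return (name.group(1) if name else "<unnamed>"), (int(maxs.group(1)) if maxs else None)


def read_kibana_max_alerts(kibana_yml: str) -> int:
    """Read the flat-key form of the setting; absent means Kibana's default."""
    m = re.search(r"^\s*" + re.escape(KIBANA_SETTING) + r":\s*(\d+)", kibana_yml, re.M)
    return int(m.group(1)) if m else KIBANA_DEFAULT_MAX_ALERTS


def find_capped_rules(rules: Dict[str, str], kibana_yml: str) -> List[Dict[str, object]]:
    """List rules whose max_signals is above what Kibana will actually allow per run."""
    cap = read_kibana_max_alerts(kibana_yml)
    findings = []
    for path, text in rules.items():
        name, max_signals = read_rule_max_signals(text)
        if max_signals is not None and max_signals > cap:
            findings.append({"file": path, "rule": name,
                             "max_signals": max_signals, "kibana_max": cap})
    return findings


def required_kibana_max(rules: Dict[str, str]) -> int:
    """Smallest cap value that lets every rule reach its configured max_signals."""
    values = [read_rule_max_signals(t)[1] for t in rules.values()]
    return max([v for v in values if v is not None] + [KIBANA_DEFAULT_MAX_ALERTS])


if __name__ == "__main__":
    for f in find_capped_rules(SAMPLE_RULES, SAMPLE_KIBANA_YML):
        print(f"{f['file']}: '{f['rule']}' max_signals={f['max_signals']} "
              f"exceeds {KIBANA_SETTING}={f['kibana_max']}")
    print(f"set {KIBANA_SETTING}: {required_kibana_max(SAMPLE_RULES)} to honour all rules")
```

Run against a real checkout by replacing the sample dictionaries with the contents of the rule files and the deployment's `kibana.yml`; a rule that is silently truncated to the Kibana cap is the failure mode the setup text above warns about, and the reported value is the one to put in `kibana.yml`.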

nicpenning commented 1 day ago

Haha, perfect! Funny thing is that I didn't expand the code to see that it was clearly documented there.

Thank you!