Open rylnd opened 1 year ago
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
We added docs about this behaviour https://github.com/elastic/security-docs/pull/3293
@yctercero I guess we can consider options to fix this in 8.9?
It'd be great to get to this one 8.9 if possible. I'm not sure how many users are setting their max signals that high - maybe we have the telemetry @peluja1012 ? But would still be great to understand.
@banderror I think your team is dealing with this in the current prebuilt rule customization work - is that accurate?
@yctercero Yes and no.
We worked on https://github.com/elastic/kibana/issues/173593 and fixed https://github.com/elastic/kibana/issues/164234. We also noticed the issue described in this ticket and had some discussion with PM and TRaDE. Summary of the discussion can be found here. Immediate action items we've already addressed were:
- We agreed that it would be worth documenting that those rules that have
max_signals
>xpack.alerting.rules.run.alerts.max
will be generating at mostxpack.alerting.rules.run.alerts.max
alerts per execution (1000 by default).
No more work related to this is planned within the rule customization epic.
But I agree that it's an issue and non-friendly and obscure UX. I'm just unsure that it should be handled as described in the expected behavior section in this ticket. The xpack.alerting.rules.run.alerts.max
setting seems to be a hard cap by design, because it's a global circuit breaker. We could handle this issue by changing the UX of installing and enabling rules. If we do it like that, the issue will be on the Rule Management side.
cc @approksiu
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
Thanks for the quick response @banderror !
We could handle this issue by changing the UX of installing and enabling rules. If we do it like that, the issue will be on the Rule Management side.
By this, do you mean just updating the UI to add validation so users can't set anything above xpack.alerting.rules.run.alerts.max
and updating the prebuilt rules to be below that threshold? I know it could be a moving target since it's a setting but perhaps setting the prebuilt rules to the default xpack.alerting.rules.run.alerts.max
is what I imagine?
By this, do you mean just updating the UI to add validation so users can't set anything above xpack.alerting.rules.run.alerts.max and updating the prebuilt rules to be below that threshold?
@yctercero No, we already have validation and it's a warning in this case (user can still create or update the rule). Also, updating the 18 prebuilt rules that have max_signals == 10000 is not an option.
The idea is that the app should give a heads up and explain to the user that if they want to use certain prebuilt rules, they will need/want to increase the global setting to allow these rules to promote as many external alerts as possible. I think how users increase this global setting is a separate question. Maybe, we can make it easier for users via Kibana Advanced Settings.
But it's all speculation from my side. Let's wait for input from @approksiu when she has a chance to think about the UX for this feature.
Describe the bug:
Kibana/Elasticsearch Stack version: 8.8
Steps to reproduce:
max_signals
set to 10,000Current behavior: Up to 1000 alerts are generated, and the rule has an execution error.
max_signals
is not respected, and the default alerting value of 1000 is used to cap/validate the number of signals.Expected behavior: Up to 10,000 alerts are generated. If that number is exceeded, a warning is created on the rule.
Screenshots (if relevant):
Related Issues
While not confirmed, I believe that the work done for https://github.com/elastic/kibana/issues/153611 introduced this behavior.
Slak conversation
https://elastic.slack.com/archives/CN7AD3605/p1683741078780019