elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.63k stars 8.23k forks source link

[Security Solution][Detection Engine] max_signals is not applied during rule preview #174632

Open vitaliidm opened 10 months ago

vitaliidm commented 10 months ago

Describe the bug: max_signals property is not applied during rule preview

Kibana/Elasticsearch Stack version: 8.12, likely earlier by design

Steps to reproduce:

  1. Create detection rule with max_signals different to 100
  2. Use preview functionality for rule that generates more than max_signals alerts
  3. Observe number of generated alerts capped at 100, instead of max from rule config

Current behavior: max_signals is not sent with preview request, so default 100 is always used

Expected behavior: max_signals should be sent with preview request

Any additional context (logs, chat logs, magical formulas, etc.):

Preview request ```JSON POST http://localhost:5601/kbn/api/detection_engine/rules/preview { "type": "threat_match", "index": [ "auditbeat*" ], "filters": [], "language": "kuery", "query": "*:*", "threat_index": [ "auditbeat*" ], "threat_query": "@timestamp >= \"now-30d/d\"", "threat_filters": [], "threat_mapping": [ { "entries": [ { "field": "agent.name", "type": "mapping", "value": "agent.name" } ] } ], "threat_language": "kuery", "author": [], "exceptions_list": [], "false_positives": [], "references": [], "risk_score": 21, "risk_score_mapping": [], "severity": "low", "severity_mapping": [], "threat": [], "threat_indicator_path": "threat.indicator", "name": "Preview Rule", "description": "Preview Rule", "tags": [], "license": "", "interval": "1h", "from": "now-3900s", "to": "now", "meta": { "from": "5m", "kibana_siem_app_url": "" }, "actions": [], "response_actions": [], "enabled": true, "invocationCount": 1, "timeframeEnd": "2024-01-10T15:53:17.031Z" } ```

Note, max_signals is absent in the request. But it is present in rule configuration

Rule config ``` GET http://localhost:5601/kbn/api/detection_engine/rules?id=c7555d3c-4ce0-452a-9ef9-768d02ab225c { "id": "c7555d3c-4ce0-452a-9ef9-768d02ab225c", "updated_at": "2024-01-10T10:54:54.569Z", "updated_by": "elastic", "created_at": "2024-01-10T10:54:07.119Z", "created_by": "elastic", "name": "Indicator match MAX_SIGNALS 150", "tags": [], "interval": "1h", "enabled": true, "revision": 0, "description": "Indicator match MAX_SIGNALS", "risk_score": 21, "severity": "low", "license": "", "output_index": "", "meta": { "from": "5m", "kibana_siem_app_url": "http://localhost:5601/kbn/app/security" }, "author": [], "false_positives": [], "from": "now-3900s", "rule_id": "eba5980c-545f-4867-8c09-06089877e610", "max_signals": 150, "risk_score_mapping": [], "severity_mapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptions_list": [], "immutable": false, "related_integrations": [], "required_fields": [], "setup": "", "type": "threat_match", "language": "kuery", "index": [ "auditbeat*" ], "query": "*:*", "filters": [], "threat_filters": [], "threat_query": "@timestamp >= \"now-30d/d\"", "threat_mapping": [ { "entries": [ { "field": "agent.name", "type": "mapping", "value": "agent.name" } ] } ], "threat_language": "kuery", "threat_index": [ "auditbeat*" ], "threat_indicator_path": "threat.indicator", "actions": [], "execution_summary": { "last_execution": { "date": "2024-01-10T14:57:57.154Z", "status": "partial failure", "status_order": 20, "message": "This rule reached the maximum alert limit for the rule execution. Some alerts were not created.", "metrics": { "total_indexing_duration_ms": 577, "total_search_duration_ms": 238 } } } } ```
elasticmachine commented 10 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 10 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 10 months ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

yctercero commented 8 months ago

This can be worked on as part of https://github.com/elastic/kibana/issues/171057