Open vitaliidm opened 10 months ago
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
This can be worked on as part of https://github.com/elastic/kibana/issues/171057
Describe the bug: max_signals property is not applied during rule preview
Kibana/Elasticsearch Stack version: 8.12, likely earlier by design
Steps to reproduce:
Current behavior: max_signals is not sent with preview request, so default 100 is always used
Expected behavior: max_signals should be sent with preview request
Any additional context (logs, chat logs, magical formulas, etc.):
Preview request
```JSON POST http://localhost:5601/kbn/api/detection_engine/rules/preview { "type": "threat_match", "index": [ "auditbeat*" ], "filters": [], "language": "kuery", "query": "*:*", "threat_index": [ "auditbeat*" ], "threat_query": "@timestamp >= \"now-30d/d\"", "threat_filters": [], "threat_mapping": [ { "entries": [ { "field": "agent.name", "type": "mapping", "value": "agent.name" } ] } ], "threat_language": "kuery", "author": [], "exceptions_list": [], "false_positives": [], "references": [], "risk_score": 21, "risk_score_mapping": [], "severity": "low", "severity_mapping": [], "threat": [], "threat_indicator_path": "threat.indicator", "name": "Preview Rule", "description": "Preview Rule", "tags": [], "license": "", "interval": "1h", "from": "now-3900s", "to": "now", "meta": { "from": "5m", "kibana_siem_app_url": "" }, "actions": [], "response_actions": [], "enabled": true, "invocationCount": 1, "timeframeEnd": "2024-01-10T15:53:17.031Z" } ```Note,
max_signals
is absent in the request. But it is present in rule configurationRule config
``` GET http://localhost:5601/kbn/api/detection_engine/rules?id=c7555d3c-4ce0-452a-9ef9-768d02ab225c { "id": "c7555d3c-4ce0-452a-9ef9-768d02ab225c", "updated_at": "2024-01-10T10:54:54.569Z", "updated_by": "elastic", "created_at": "2024-01-10T10:54:07.119Z", "created_by": "elastic", "name": "Indicator match MAX_SIGNALS 150", "tags": [], "interval": "1h", "enabled": true, "revision": 0, "description": "Indicator match MAX_SIGNALS", "risk_score": 21, "severity": "low", "license": "", "output_index": "", "meta": { "from": "5m", "kibana_siem_app_url": "http://localhost:5601/kbn/app/security" }, "author": [], "false_positives": [], "from": "now-3900s", "rule_id": "eba5980c-545f-4867-8c09-06089877e610", "max_signals": 150, "risk_score_mapping": [], "severity_mapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptions_list": [], "immutable": false, "related_integrations": [], "required_fields": [], "setup": "", "type": "threat_match", "language": "kuery", "index": [ "auditbeat*" ], "query": "*:*", "filters": [], "threat_filters": [], "threat_query": "@timestamp >= \"now-30d/d\"", "threat_mapping": [ { "entries": [ { "field": "agent.name", "type": "mapping", "value": "agent.name" } ] } ], "threat_language": "kuery", "threat_index": [ "auditbeat*" ], "threat_indicator_path": "threat.indicator", "actions": [], "execution_summary": { "last_execution": { "date": "2024-01-10T14:57:57.154Z", "status": "partial failure", "status_order": 20, "message": "This rule reached the maximum alert limit for the rule execution. Some alerts were not created.", "metrics": { "total_indexing_duration_ms": 577, "total_search_duration_ms": 238 } } } } ```