opensearch-project / security-analytics

Security Analytics enables users for detecting security threats on their security event log data. It will also allow them to modify/tailor the pre-packaged solution.
Apache License 2.0

[BUG] Impossible to create/update detector when one data source index is closed #1103

Open lsoumille opened 3 months ago

lsoumille commented 3 months ago

What is the bug? It's impossible to create or update a detector when one index behind the alias data source is closed

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Edit an existing detector
  2. Pick an alias as data source with a closed index
  3. Save your changes

What is the expected behavior? We would expect to be able to create or update a detector even though not all of the indices behind the data source are open. In our case we are closing indices older than 1 month to keep good search performance. We keep them for some time in case of an incident.

What is your host/environment?

Do you have any screenshots? image

Do you have any additional context? I tried to open all the old indexes we have in the cluster and it solved the issue. However, the detector is able to detect new suspicious behaviours.
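Before editing a detector whose data source is an alias, a defender will want to know which member indices are currently closed, since the report above says a single closed index is enough to block the save. The script below is an added example (not code from the security-analytics project or from the reporter) that parses the JSON form of the OpenSearch `_cat/aliases` and `_cat/indices` APIs and lists the closed indices behind a given alias. The API responses embedded here are constructed samples with the field names those APIs return; the alias and index names are hypothetical.

```python
"""List closed indices behind an alias from the JSON output of the
OpenSearch _cat APIs (GET _cat/aliases/<alias>?format=json and
GET _cat/indices?h=index,status&format=json).

Added example; the sample responses below are constructed, not captured
from a real cluster."""
import json

# Constructed sample: GET _cat/aliases/logs-alias?format=json
SAMPLE_ALIASES = json.dumps([
    {"alias": "logs-alias", "index": "logs-2024.05", "is_write_index": "true"},
    {"alias": "logs-alias", "index": "logs-2024.04", "is_write_index": "false"},
    {"alias": "logs-alias", "index": "logs-2024.03", "is_write_index": "false"},
    {"alias": "other-alias", "index": "other-2024.05", "is_write_index": "true"},
])

# Constructed sample: GET _cat/indices?h=index,status&format=json
# _cat/indices reports a closed index with status "close".
SAMPLE_INDICES = json.dumps([
    {"index": "logs-2024.05", "status": "open"},
    {"index": "logs-2024.04", "status": "open"},
    {"index": "logs-2024.03", "status": "close"},
    {"index": "other-2024.05", "status": "open"},
])


def indices_behind_alias(aliases_json: str, alias: str) -> list[str]:
    """Return the sorted member indices of `alias` from _cat/aliases output."""
    rows = json.loads(aliases_json)
    return sorted(row["index"] for row in rows if row.get("alias") == alias)


def index_status(indices_json: str) -> dict[str, str]:
    """Map index name -> status ("open" / "close") from _cat/indices output."""
    return {row["index"]: row["status"] for row in json.loads(indices_json)}


def closed_indices(aliases_json: str, indices_json: str, alias: str) -> list[str]:
    """Indices behind `alias` that are closed, or that _cat/indices does not
    list at all (treated as unavailable so they are not silently skipped)."""
    status = index_status(indices_json)
    return [
        name
        for name in indices_behind_alias(aliases_json, alias)
        if status.get(name) != "open"
    ]


def open_requests(closed: list[str]) -> list[str]:
    """Request lines an operator would issue to reopen the listed indices
    (POST <index>/_open is the standard open-index API)."""
    return [f"POST /{name}/_open" for name in closed]


if __name__ == "__main__":
    blocked = closed_indices(SAMPLE_ALIASES, SAMPLE_INDICES, "logs-alias")
    if blocked:
        print("closed indices behind logs-alias:", ", ".join(blocked))
        for line in open_requests(blocked):
            print("  ", line)
    else:
        print("all indices behind logs-alias are open")
```

Against a live cluster the two JSON strings would come from `curl -s "$HOST/_cat/aliases/<alias>?format=json"` and `curl -s "$HOST/_cat/indices?h=index,status&format=json"`; the functions are kept separate from any HTTP call so they can be exercised on saved output.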

dblock commented 2 months ago

[Catch All Triage - 1, 2, 3]