opensearch-project / security-analytics

Security Analytics enables users to detect security threats in their security event log data. It also allows them to modify and tailor the pre-packaged solution.
Apache License 2.0
64 stars 69 forks

generates too many findings (findings count = rules count) for one triggered rule when multiple alerts (each for a specific rule) exist in detector config #1113

Open humster88 opened 5 days ago

humster88 commented 5 days ago

Hello. I'm seeing this problem. I tried versions 2.13.0, 2.14.0 and 2.15.0; it appears in all of them. I'm using a docker-compose deployment. There is one detector with 3 rules and 3 alerts attached (each alert has its own rule selected in the trigger). When any rule is triggered, one alert is generated, which is logical. But besides this, 3 findings are generated, all of them belonging to the same rule (the one that generated the trigger). When viewing the details, each finding refers to the same document from the index. If I leave only one alert in the detector, triggered by any rule, then everything is correct when it fires: one finding, one alert. If I remove the alerts from the detector altogether, then the findings are fine as well.

Originally posted by @humster88 in https://github.com/opensearch-project/security-analytics/issues/824#issuecomment-2196288057
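To tell a genuine multi-rule match from the duplication described in this report, it helps to check the findings response mechanically rather than by eye: group every finding by (index, matched document, rule) and flag any group with more than one finding. The script below is an added example and is not code from the Security Analytics project or from the reporter. The response shape it parses (`findings[]`, `id`, `index`, `related_doc_ids`, `queries[].id`) is assumed to follow the findings search API, and the sample response and all ids in it are constructed to mirror the symptom above: three findings for one rule, all pointing at the same document.

```python
import json
from collections import defaultdict

# Constructed sample response for a detector with three rules and three
# triggers, one per rule. Only rule-a fired on doc-42 and rule-b on doc-99,
# yet doc-42 shows up three times under rule-a. Field names are an
# assumption about the findings API shape; all ids are made up.
SAMPLE_FINDINGS_RESPONSE = json.dumps({
    "total_findings": 4,
    "findings": [
        {"id": "f-1", "detectorId": "det-1", "index": "windows-logs",
         "related_doc_ids": ["doc-42"],
         "queries": [{"id": "rule-a", "name": "rule-a"}]},
        {"id": "f-2", "detectorId": "det-1", "index": "windows-logs",
         "related_doc_ids": ["doc-42"],
         "queries": [{"id": "rule-a", "name": "rule-a"}]},
        {"id": "f-3", "detectorId": "det-1", "index": "windows-logs",
         "related_doc_ids": ["doc-42"],
         "queries": [{"id": "rule-a", "name": "rule-a"}]},
        {"id": "f-4", "detectorId": "det-1", "index": "windows-logs",
         "related_doc_ids": ["doc-99"],
         "queries": [{"id": "rule-b", "name": "rule-b"}]},
    ],
})


def parse_findings(raw: str) -> list[dict]:
    """Return the findings array from a findings search response body."""
    body = json.loads(raw)
    findings = body.get("findings", [])
    if not isinstance(findings, list):
        raise ValueError("findings field is not a list")
    return findings


def finding_keys(finding: dict) -> list[tuple[str, str, str]]:
    """One (index, document id, rule id) key per document/rule pair a
    finding refers to. A finding may reference several documents and
    several rules, so the product of both lists is returned."""
    index = finding.get("index", "")
    docs = finding.get("related_doc_ids", []) or []
    rules = [q.get("id", "") for q in finding.get("queries", []) or []]
    return [(index, doc, rule) for doc in docs for rule in rules]


def duplicate_findings(findings: list[dict]) -> dict[tuple, list[str]]:
    """Map each (index, doc, rule) key that appears in more than one finding
    to the sorted list of finding ids carrying it. An empty dict means every
    document/rule pair produced exactly one finding, which is the expected
    behaviour (one finding per matched document per rule)."""
    groups: dict[tuple, list[str]] = defaultdict(list)
    for f in findings:
        for key in finding_keys(f):
            groups[key].append(f.get("id", ""))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def surplus_finding_count(findings: list[dict]) -> int:
    """How many findings exceed the number of distinct (index, doc, rule)
    pairs; 0 when the detector behaves as expected."""
    distinct = {k for f in findings for k in finding_keys(f)}
    return len(findings) - len(distinct)


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_FINDINGS_RESPONSE)
    for key, ids in duplicate_findings(fs).items():
        print(f"duplicate: index={key[0]} doc={key[1]} rule={key[2]} findings={ids}")
    print(f"surplus findings: {surplus_finding_count(fs)}")
```

Against a live cluster, replace the constructed string with the body returned by the findings search endpoint for the detector in question; a non-empty result from `duplicate_findings` with the same rule id on every entry is the pattern this issue describes, while distinct rule ids on the same document are simply several rules matching one event.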