[RAC][Rule Registry] Cache rule data writers and index bootstrapping #110945
Labels
Team:Detection Alerts
Security Detection Alerts Area Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Theme: rac
label obsolete
Comments
banderror
added
Team:Detections and Resp
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
41 tasks
|
Hey everyone, FYI ownership of this ticket and other tickets related to rule_registry (like #101016) now goes to the Detection Alerts area ( |
|
Completed in #113389 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Parent ticket: #101016
Depends on: #108941
Summary
When we move certain parts of the index bootstrapping logic to
IRuleDataClient.getWriter()(#108941 (comment)) this method call will become relatively expensive.We could implement caching for writers, so that when a user has a lot of detection rules in a Kibana space, it doesn't end up with thousands of requests to Elasticsearch in order to bootstrap resources for the same
.alerts-security.alerts-{kibana-space-id}index. It shouldn't cache them forever, because in theory Kibana instances can run for a very long time. A short TTL might work.The text was updated successfully, but these errors were encountered: