[Security Solution] Rules don't always write a status when finished executing #116358
Status: Open
Labels: enhancement, Feature:Rule Monitoring, Team:Detection Engine, Team:Detection Rule Management, Team:Detections and Resp, Team: SecuritySolution
Kibana version: 7.16.0
In the current detection engine implementation, warning statuses are written by rules near the beginning of rule execution. At the end of rule execution, a success status is written only if no warning or error statuses were written during rule execution. This makes it difficult to determine when a rule is finished executing if it writes a warning status. It's especially difficult for integration tests that also expect the rule execution not to write any alerts because we don't have a status document or alert documents, so there's nothing to tell us when rule execution is finished. Thus it's hard to tell if, when we check to see if 0 alerts were written, the rule executed correctly and wrote no alerts or the rule simply hasn't finished yet.
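The ambiguity described above can be made concrete with a small model. The following TypeScript is an added illustration, not Kibana or Security Solution code: it assumes a status document carries some marker distinguishing a start-of-run write from an end-of-run write (here a `phase` field, standing in for whatever the real documents would need), and it assumes a hypothetical `always-final` mode in which every execution ends with a status write. Under the current behaviour, a rule that raises a warning and writes no alerts looks the same to an observer mid-run and after it finishes, so a test checking for 0 alerts cannot tell the two apart.

```typescript
// Toy model of detection-rule status writes (constructed for illustration).
type StatusKind = 'warning' | 'succeeded';

interface StatusDoc {
  kind: StatusKind;
  // Assumed marker telling an end-of-run write apart from a start-of-run write.
  phase: 'start' | 'end';
}

export interface Snapshot {
  statuses: StatusDoc[];
  alertCount: number;
}

export interface RuleBehaviour {
  warnAtStart: boolean; // the rule reports a warning near the beginning of execution
  alertsFound: number;  // alerts the search phase would write
}

// 'current' mirrors the behaviour described in the issue; 'always-final' is an
// assumed alternative where a terminal status is written on every execution.
export type Mode = 'current' | 'always-final';

function copy(s: Snapshot): Snapshot {
  return { statuses: s.statuses.map((d) => ({ ...d })), alertCount: s.alertCount };
}

// Runs the rule step by step and records what an observer could see after each
// step: after the start phase, after the search phase, and after the end phase.
export function execute(b: RuleBehaviour, mode: Mode): Snapshot[] {
  const state: Snapshot = { statuses: [], alertCount: 0 };
  const seen: Snapshot[] = [];

  // Step 1: warning statuses are written near the beginning of execution.
  if (b.warnAtStart) state.statuses.push({ kind: 'warning', phase: 'start' });
  seen.push(copy(state));

  // Step 2: search and alert writing.
  state.alertCount += b.alertsFound;
  seen.push(copy(state));

  // Step 3: end of execution.
  const wroteWarning = state.statuses.some((d) => d.kind === 'warning');
  if (mode === 'current') {
    // Success is written only if no warning (or error) status was written earlier.
    if (!wroteWarning) state.statuses.push({ kind: 'succeeded', phase: 'end' });
  } else {
    // Assumed alternative: always write a final status, carrying a warning forward.
    state.statuses.push({ kind: wroteWarning ? 'warning' : 'succeeded', phase: 'end' });
  }
  seen.push(copy(state));
  return seen;
}

export type Verdict = 'finished-no-alerts' | 'finished-with-alerts' | 'still-running-or-unknown';

// What an integration test can conclude from a single snapshot.
export function classify(s: Snapshot): Verdict {
  const finished = s.statuses.some((d) => d.phase === 'end');
  if (!finished) return 'still-running-or-unknown';
  return s.alertCount === 0 ? 'finished-no-alerts' : 'finished-with-alerts';
}

// Polls the snapshots the way a test would and returns the first definite verdict,
// or the unknown verdict if no terminal status ever appears.
export function waitForVerdict(snapshots: Snapshot[]): Verdict {
  for (const s of snapshots) {
    const v = classify(s);
    if (v !== 'still-running-or-unknown') return v;
  }
  return 'still-running-or-unknown';
}
```

Running `execute({ warnAtStart: true, alertsFound: 0 }, 'current')` yields three snapshots that all classify as unknown, because the only status ever written is the early warning; the same behaviour in `always-final` mode produces a terminal status on the last snapshot, so the test can distinguish "finished with no alerts" from "not finished yet".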