[Security Solution] Rule incorrectly reports gap when modifying interval while disabled and then re-enabling #155671
Assignees
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:Gap Detection/Remediation
Security Solution Gap Detection/Remediation
impact:low
Addressing this issue will have a low level of impact on the quality/strength of our product.
Team:Detection Engine
Security Solution Detection Engine Area
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Comments
spong
added
bug
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
yctercero
added
Team:Detection Engine
|
@nkhristinin are we fixing this as part of manual rule runs work? |
|
@yctercero I can look into that as part of gaps work, it's should not affect manual rule runs |
|
@nkhristinin @approksiu this goes to the definition of a gap and I think I would argue that we should indeed not treat this as a reported gap (when rules are disabled). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
First identified in
8.8/main(in testing #155384), but based on the issue this probably has existed since the initial implementation of the Detection Engine/Gap Detection logic. This is very low impact based on the reproduction steps, but logging for future iterations of our gap detection/remediation logic.Summary
If a previously executed disabled rule's interval is modified to be less than the previous interval, when it is re-enabled a gap will be reported even though it is just being re-enabled.
Reproduction steps
10mininterval and let it run once, then disable.10secintervalThe text was updated successfully, but these errors were encountered: