[Security Solution] Detection Rules' max_signals parameter is not respected beyond 1000 #157313
Comments
rylnd
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
rylnd
changed the title
MadameSheema
added
Team:Detections and Resp
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
We added docs about this behaviour elastic/security-docs#3293 @yctercero I guess we can consider options to fix this in 8.9? |
|
It'd be great to get to this one 8.9 if possible. I'm not sure how many users are setting their max signals that high - maybe we have the telemetry @peluja1012 ? But would still be great to understand. |
|
@banderror I think your team is dealing with this in the current prebuilt rule customization work - is that accurate? |
|
@yctercero Yes and no. We worked on #173593 and fixed #164234. We also noticed the issue described in this ticket and had some discussion with PM and TRaDE. Summary of the discussion can be found here. Immediate action items we've already addressed were:
No more work related to this is planned within the rule customization epic. But I agree that it's an issue and non-friendly and obscure UX. I'm just unsure that it should be handled as described in the expected behavior section in this ticket. The cc @approksiu |
banderror
added
Team:Detection Rule Management
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
|
Thanks for the quick response @banderror !
By this, do you mean just updating the UI to add validation so users can't set anything above |
@yctercero No, we already have validation and it's a warning in this case (user can still create or update the rule). Also, updating the 18 prebuilt rules that have max_signals == 10000 is not an option. The idea is that the app should give a heads up and explain to the user that if they want to use certain prebuilt rules, they will need/want to increase the global setting to allow these rules to promote as many external alerts as possible. I think how users increase this global setting is a separate question. Maybe, we can make it easier for users via Kibana Advanced Settings. But it's all speculation from my side. Let's wait for input from @approksiu when she has a chance to think about the UX for this feature. |
Describe the bug:
Kibana/Elasticsearch Stack version:
8.8
Steps to reproduce:
max_signalsset to 10,000Current behavior:
Up to 1000 alerts are generated, and the rule has an execution error.
max_signalsis not respected, and the default alerting value of 1000 is used to cap/validate the number of signals.Expected behavior:
Up to 10,000 alerts are generated. If that number is exceeded, a warning is created on the rule.
Screenshots (if relevant):
Related Issues
While not confirmed, I believe that the work done for #153611 introduced this behavior.
Slak conversation
https://elastic.slack.com/archives/CN7AD3605/p1683741078780019
The text was updated successfully, but these errors were encountered: