Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SIEM][Detection Engine] Create signals mapping/index template on startup #47002

Closed
FrankHassanabad opened this issue Oct 1, 2019 · 2 comments
Closed

[SIEM][Detection Engine] Create signals mapping/index template on startup #47002

FrankHassanabad opened this issue Oct 1, 2019 · 2 comments
Labels
Team:SIEM

Comments

@FrankHassanabad
Copy link
Contributor

See here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html

We need to initialize a template on startup of a Kibana instance. There can be more than 1 instance of Kibana starting close to each other and we will need to query for a check against the existence of it before adding it.

You can see the current template examples like so:

GET /_template

More than likely we should start out with an index named .siem-signals- since that would be similar to the ".ml-anomalies-" template.

For the ILM policies see here:
https://www.elastic.co/guide/en/elasticsearch/reference/current/getting-started-index-lifecycle-management.html

Choose to start:

50GB or 30 days rotation, no deletion
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem

@spong spong mentioned this issue Nov 12, 2019
Closed
20 tasks
@FrankHassanabad
Copy link
Contributor Author

This is completed and there might be tweaks but this should be closed now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Team:SIEM
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@FrankHassanabad @elasticmachine