[Security Solution] Display `Total Hits` and `Alerts Created` as columns in the Rule Monitoring tab, to make hitting the `max_signals` circuit breaker evident #120668
Comments
Pinging @elastic/security-solution (Team: SecuritySolution)

Also consider exposing

Given the following:

it may also be helpful to:

Discussed with the @elastic/security-detections-response-rules folks and in addition to writing this info to the rule execution log (allowing support for these columns) it was proposed that we mark the final status of the execution as a

@jethr0null please check this ticket when you have some time. We triaged it today at our area sync and are looking for an approval from the product standpoint - if it makes sense, and if yes, are there any details you'd like to change in Andrew's proposal? From our perspective as engineers it makes a lot of sense to measure those metrics and make them available for troubleshooting (both for us as engineers who deal with SDHs and for our users). But this data could be communicated to the user in various forms, it could be columns in the Rule Monitoring table or something else.

TODO @banderror review the implementation of this circuit breaker to better understand the problem to be able to reason about any possible solutions. We'll groom this ticket later.

Discussed #124198 with team, holding for 8.2 to further iterate on implementation and UX.
Summary

When a detection rule hits the `max_signals` circuit breaker:
- `Total Hits` and `Alerts Created` are not displayed in Kibana
- `kibana.yml` must be edited to enable `DEBUG` logging in `kibana.log`
- the log messages must then be found and correlated in `kibana.log` (and the option to enable debug logging for this scenario is not publicly documented)

To address the above, consider displaying `Total Hits` and `Alerts Created` as columns in the `Rule Monitoring` tab shown in the screenshot below:

Above: `Total Hits` and `Alerts Created` are NOT shown as columns in the `Rule Monitoring` tab

Details
A user recently reached out for support to help explain why they were consistently seeing fewer alerts generated from a detection rule, where the rule criteria matched more documents than alerts created (in a given interval).

The user's detection rule is likely triggering the `max_signals` circuit breaker, which defaults to `100` alerts.

Today (`7.16`), it's not possible for users to understand when and why they hit the circuit breaker (within Kibana). Specifically, since `Total Hits` and `Alerts Created` for a given interval are not displayed in the UI, users must:

- Edit `kibana.yml` to enable debug logging (this configuration is different between `7.x` and `8.x` versions). Security Analysts may not have access to `kibana.log` (and even if they do, they would have to intuit that there's a difference between the total hits and alerts created, and then seek support on how to investigate the discrepancy.)
- In `kibana.log`, find and correlate multiple log messages for a given interval / rule execution to compare `Total Hits` vs `Alerts Created`, per the examples below, to compare (in this example): `totalHits: 247` vs `Finished indexing 100 signals into .alerts-security.alerts`
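To show what the manual `kibana.log` correlation step above involves, here is an added example that is not from the issue or from Kibana. The log line layout (level prefix, a `rule_id=` field) and the sample lines are constructed for this example; only the `totalHits: N` and `Finished indexing N signals into ...` fragments and the default of 100 come from the issue.

```python
"""Correlate constructed kibana.log lines to spot rule executions that hit max_signals.

The line layout (log level prefix, rule_id=... field) is an assumption for this example;
only the "totalHits: N" and "Finished indexing N signals into <index>" fragments are
taken from the issue. Assumes one execution per rule in the window being examined.
"""
import re
from collections import defaultdict

DEFAULT_MAX_SIGNALS = 100  # the issue states max_signals defaults to 100 alerts

HITS_RE = re.compile(r"rule_id=(?P<rule>\S+).*\btotalHits: (?P<hits>\d+)")
INDEXED_RE = re.compile(
    r"rule_id=(?P<rule>\S+).*\bFinished indexing (?P<n>\d+) signals into (?P<index>\S+)"
)

# Constructed sample log: rule-a matches 247 documents but only 100 alerts are written.
SAMPLE_LOG = [
    "[DEBUG][plugins.securitySolution] rule_id=rule-a totalHits: 247",
    "[DEBUG][plugins.securitySolution] rule_id=rule-a Finished indexing 100 signals into .alerts-security.alerts",
    "[DEBUG][plugins.securitySolution] rule_id=rule-b totalHits: 12",
    "[DEBUG][plugins.securitySolution] rule_id=rule-b Finished indexing 12 signals into .alerts-security.alerts",
    "[INFO ][plugins.securitySolution] rule_id=rule-c Finished indexing 0 signals into .alerts-security.alerts",
]


def correlate(lines, max_signals=DEFAULT_MAX_SIGNALS):
    """Return {rule_id: stats} with the two proposed columns and a circuit-breaker verdict."""
    per_rule = defaultdict(lambda: {"total_hits": None, "alerts_created": None})
    for line in lines:
        if m := HITS_RE.search(line):
            per_rule[m["rule"]]["total_hits"] = int(m["hits"])
        elif m := INDEXED_RE.search(line):
            per_rule[m["rule"]]["alerts_created"] = int(m["n"])
    for stats in per_rule.values():
        hits, created = stats["total_hits"], stats["alerts_created"]
        # Only judge executions where both messages were found in the window.
        stats["incomplete"] = hits is None or created is None
        stats["discrepancy"] = not stats["incomplete"] and hits != created
        # Breaker tripped: alerts capped exactly at max_signals while more documents matched.
        stats["hit_max_signals"] = stats["discrepancy"] and created == max_signals and hits > created
    return dict(per_rule)


if __name__ == "__main__":
    for rule, s in correlate(SAMPLE_LOG).items():
        print(f"{rule:8} total_hits={s['total_hits']} alerts_created={s['alerts_created']} "
              f"max_signals_hit={s['hit_max_signals']}")
```

An execution with only one of the two messages is reported as incomplete rather than guessed at, which is the same ambiguity an analyst faces when reading the log by hand.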