-
Notifications
You must be signed in to change notification settings - Fork 680
Update Max signals value to supported limits #4556
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 9 commits
3e4dde0
b34df64
2edae6a
fff2995
616d892
917af05
157399c
5210a6c
9fe163b
0f5a198
508097b
c836382
010aa59
9a77790
96a77c3
6f0d2f9
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -5,7 +5,7 @@ maturity = "production" | |||||
| min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection." | ||||||
| min_stack_version = "8.16.0" | ||||||
| promotion = true | ||||||
| updated_date = "2025/02/06" | ||||||
| updated_date = "2025/03/21" | ||||||
|
|
||||||
| [rule] | ||||||
| author = ["Elastic"] | ||||||
|
|
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"] | |||||
| interval = "1m" | ||||||
| language = "kuery" | ||||||
| license = "Elastic License v2" | ||||||
| max_signals = 10000 | ||||||
| max_signals = 1000 | ||||||
| name = "Memory Threat - Detected - Elastic Defend" | ||||||
| note = """## Triage and analysis | ||||||
|
|
||||||
|
|
@@ -102,13 +102,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f | |||||
| To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306). | ||||||
|
|
||||||
| ### Additional notes | ||||||
| This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. | ||||||
|
|
||||||
| **IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. | ||||||
|
shashank-elastic marked this conversation as resolved.
|
||||||
|
|
||||||
| To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. | ||||||
|
|
||||||
| **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. | ||||||
| For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). | ||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
Small adjust
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @approksiu thoughts on this, as we have derived this from the issue template. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Looks good! I am fine with the change There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This would need to be changed across all rules in this PR |
||||||
| """ | ||||||
| severity = "high" | ||||||
| tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"] | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This kind of rule shouldn't need to be troubleshooted, we are limiting it on purpose
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are just adding a consistent setup guide note on all rules with max_signals. The value of this rule is untouched
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh i see the point of adding troubleshoot guide. But the thought proccess was to add a consistent setup guide across, If this is not a valid information for users, we can limit to the promotion rules only @w0rk3r