
Comments (5)

nkhristinin avatar nkhristinin commented on July 17, 2024 1

Known issue for the Threshold rule:
If a manual rule run covers a date range that was already covered by scheduled rule executions, it can produce duplicate errors.

Use case:

Let's say I have 4 events: 13:00, 14:00, 15:00, 16:00.
Threshold rule with a 5-minute interval, a 10-hour lookback time, and threshold = 2.
Normal rule execution gives me 2 alerts (14:00, 16:00).
If I run a manual rule run from 12:00-16:10,
I will have 2 alerts generated at 14:00 and 16:00.
The user should probably expect 0 alerts from the manual rule run, as that range was already covered by scheduled rule execution.

from security-docs.
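
The sequence nkhristinin describes, as an added simulation that is not part of the issue thread or of Elastic's code: a simplified model (an assumption) of a threshold rule whose scheduled executions remember the last alerted event, while a manual run replays the same range with an empty history and so re-derives the 14:00 and 16:00 alerts. Event times, interval, lookback, threshold and the 12:00-16:10 range are the comment's values; the final dedup step shows the 0 new alerts a user would expect.

```python
from datetime import datetime, timedelta

# Constructed sample input, taken from the comment: four events at 13:00..16:00
# and a manual run over 12:00-16:10. Real alerts carry many more fields.
EVENTS = [datetime(2024, 7, 17, h, 0) for h in (13, 14, 15, 16)]
RUN_START, RUN_END = datetime(2024, 7, 17, 12, 0), datetime(2024, 7, 17, 16, 10)
INTERVAL = timedelta(minutes=5)   # rule schedule interval
LOOKBACK = timedelta(hours=10)    # additional look-back time
THRESHOLD = 2


def run_rule(events, start, end, history=None):
    """Simplified model (an assumption, not Elastic's implementation) of a
    threshold rule executed every INTERVAL from `start` to `end`.

    Each execution counts events in (run_time - LOOKBACK, run_time] that are
    newer than `history`, the timestamp of the last event already folded into
    an alert. Reaching THRESHOLD emits an alert keyed by the newest matching
    event and advances `history`, so later executions of the same series do
    not count those events again. Returns (alert_keys, history).
    """
    alerts, run_time = [], start
    while run_time <= end:
        hits = [e for e in events
                if run_time - LOOKBACK < e <= run_time
                and (history is None or e > history)]
        if len(hits) >= THRESHOLD:
            history = max(hits)
            alerts.append(history)
        run_time += INTERVAL
    return alerts, history


def new_alerts(existing, candidates):
    """Drop candidates whose alert key already exists: the dedup a user would
    expect before a manual run writes its alerts."""
    seen = set(existing)
    return [a for a in candidates if a not in seen]


def hhmm(alerts):
    return [a.strftime("%H:%M") for a in alerts]


def demo():
    scheduled, history = run_rule(EVENTS, RUN_START, RUN_END)
    # A manual run replays the same range from an empty history, so it
    # re-derives the alerts the scheduled executions already produced.
    manual, _ = run_rule(EVENTS, RUN_START, RUN_END)
    # Honouring the scheduled history instead finds nothing new; dedup by
    # alert key reaches the same outcome after the fact.
    with_history, _ = run_rule(EVENTS, RUN_START, RUN_END, history=history)
    return {"scheduled": hhmm(scheduled), "manual": hhmm(manual),
            "manual_with_history": hhmm(with_history),
            "deduped": hhmm(new_alerts(scheduled, manual))}
```

Running `demo()` returns `['14:00', '16:00']` for both the scheduled series and the manual replay, and an empty list once the history is honoured or the duplicates are dropped.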

nkhristinin avatar nkhristinin commented on July 17, 2024 1

Known issue 2:
Suppression count for custom query rule can be updated incorrectly
https://github.com/elastic/security-team/issues/9870


nastasha-solomon avatar nastasha-solomon commented on July 17, 2024 1

General notes from today's feature sync:

  • @nastasha-solomon will aim to have docs done in time for the Monday, July 29, 2024 Serverless release.
  • @nkhristinin will check if it's possible to only enable the feature flag for this feature in ESS.
  • @nkhristinin or @e40pud to provide a test env for docs testing and screenshots either this week, or after Nastasha is back from PTO (which is the week of July 15).


nkhristinin avatar nkhristinin commented on July 17, 2024

We should mention Manual rule limitations to users in the docs.


e40pud avatar e40pud commented on July 17, 2024

API docs impact

We need to update the following sections:

  1. Bulk action > Request body: add run as a new possible action value.
  2. Bulk action > Request body: add a new property:

     | Name | Type | Description | Required |
     | --- | --- | --- | --- |
     | run | BulkManualRuleRun[] | Object that describes applying a manual rule run action. | No. Yes, if action is run. |

  3. We should add a new type description similar to the BulkDuplicateAction object and BulkEditAction object:

     BulkManualRuleRun

       • start_date field: (String, Required). Defines the start date of the manual rule run.
       • end_date field: (String, Optional). Defines the end date of the manual rule run.

  4. Response payload: add run to the actions list. Also, we should mention that we use attributes.results.updated to return the rule objects that were scheduled for a manual rule run during the run action execution.

