Edit max_signals field for custom rules in UI [classic] #5106

Merged
merged 11 commits into from
Jul 3, 2024
2 changes: 1 addition & 1 deletion docs/detections/api/rules/rules-api-create.asciidoc
Expand Up @@ -331,7 +331,7 @@ means the rule runs every hour. Defaults to `5m` (5 minutes).
|max_signals |Integer a|Maximum number of alerts the rule can create during a
single execution. Defaults to `100`.

*NOTE*: To avoid rule failures, do not set the `max_signals` value higher than the value of {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`].
NOTE: This setting can be superseded by the {kibana-ref}/alert-action-settings-kb.html#alert-settings[{kib} configuration setting] `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by _any_ rule in the {kib} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.

|meta |Object a|Placeholder for metadata about the rule.

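Review bot: the replacement NOTE drops the operational guidance the removed line carried ("To avoid rule failures, do not set the `max_signals` value higher than ...") and instead states only that the rule generates no more than the framework cap. If a `max_signals` value above `xpack.alerting.rules.run.alerts.max` still surfaces as a rule failure or a warning in the rule's execution log, readers tuning `max_signals` need that sentence kept; if the excess is silently truncated, say so explicitly so the behaviour change is documented rather than implied. Minor wording: "determines the maximum alerts generated by _any_ rule" reads better as "determines the maximum number of alerts generated by _any_ rule".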
4 changes: 4 additions & 0 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -463,6 +463,10 @@ also affect this rule.
.. *Building block* (optional): Select to create a building-block rule. By
default, alerts generated from a building-block rule are not displayed in the
UI. See <<building-block-rule>> for more information.
.. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100.
+
NOTE: This setting can be superseded by the {kibana-ref}/alert-action-settings-kb.html#alert-settings[{kib} configuration setting] `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by _any_ rule in the {kib} alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to `1000`, the rule can generate no more than 1000 alerts even if **Max alerts per run** is set higher.

.. *Indicator prefix override*: Define the location of indicator data within the structure of indicator documents. When the indicator match rule executes, it queries specified indicator indices and references this setting to locate fields with indicator data. This data is used to enrich indicator match alerts with metadata about matched threat indicators. The default value for this setting is `threat.indicator`.
+
IMPORTANT: If your threat indicator data is at a different location, update this setting accordingly to ensure alert enrichment can still be performed.
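Review bot: the new list item uses unconstrained bold (`**Max alerts per run**`, twice) while the sibling items in this list use single-asterisk bold (`*Building block*`, `*Indicator prefix override*`); switch both occurrences to `*Max alerts per run*` for consistency with the surrounding AsciiDoc. Two small wording points: "Default is 100." could match the API page's "Defaults to `100`.", and the NOTE should read "the maximum number of alerts generated by _any_ rule", the same fix as in `rules-api-create.asciidoc`.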