[Security Solution] Error occurs on rule execution after adding the suppression alert fields in endpoint security [Duplicate] rule #146494
Comments
ghost
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@karanbirsingh-qasource Please review!! |
|
@deepikakeshav-qasource may you please check if the above error persists when:
Remember to enable and disable the rule after modifying the values to force it to re-execute. Thanks! |
MadameSheema
added
Team:Detection Rule Management
|
Hi @MadameSheema , The issue is still persisting when modify the additional look-back and Runs every time. Screencast: endpoint.mp4endpoint2.mp4Please let us know if anything else is required from our end!! Thanks!! |
…elastic#146564) ## Summary Addresses elastic#146494 We only need the first document from the bucket to create the alert, not `maxSignals` documents. If `maxSignals` was greater than 100, this caused an error in the search. (cherry picked from commit d659ee6)
…g size (#146564) (#146712) # Backport This will backport the following commits from `main` to `8.6`: - [[Security Solution][Alerts] Don't use maxSignals for topHits agg size (#146564)](#146564) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Marshall Main","email":"[email protected]"},"sourceCommit":{"committedDate":"2022-11-30T15:50:16Z","message":"[Security Solution][Alerts] Don't use maxSignals for topHits agg size (#146564)\n\n## Summary\r\n\r\nAddresses https://github.com/elastic/kibana/issues/146494\r\n\r\nWe only need the first document from the bucket to create the alert, not\r\n`maxSignals` documents. If `maxSignals` was greater than 100, this\r\ncaused an error in the search.","sha":"d659ee6f2eb04e81b240db137996aa2a4c4378b1","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team: SecuritySolution","Team:Detection Alerts","v8.6.0","v8.7.0"],"number":146564,"url":"https://github.com/elastic/kibana/pull/146564","mergeCommit":{"message":"[Security Solution][Alerts] Don't use maxSignals for topHits agg size (#146564)\n\n## Summary\r\n\r\nAddresses https://github.com/elastic/kibana/issues/146494\r\n\r\nWe only need the first document from the bucket to create the alert, not\r\n`maxSignals` documents. If `maxSignals` was greater than 100, this\r\ncaused an error in the search.","sha":"d659ee6f2eb04e81b240db137996aa2a4c4378b1"}},"sourceBranch":"main","suggestedTargetBranches":["8.6"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.7.0","labelRegex":"^v8.7.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/146564","number":146564,"mergeCommit":{"message":"[Security Solution][Alerts] Don't use maxSignals for topHits agg size (#146564)\n\n## Summary\r\n\r\nAddresses https://github.com/elastic/kibana/issues/146494\r\n\r\nWe only need the first document from the bucket to create the alert, not\r\n`maxSignals` documents. If `maxSignals` was greater than 100, this\r\ncaused an error in the search.","sha":"d659ee6f2eb04e81b240db137996aa2a4c4378b1"}}]}] BACKPORT--> Co-authored-by: Marshall Main <[email protected]>
|
This should be fixed by #146564 on the latest 8.6 branch, can you re-test there? |
|
@deepikakeshav-qasource can you please validate this on latest 8.6.0 branch? Thanks :) Please keep the ticket open until is validated on next BC. |
|
we have validated this issue on latest 8.6.0 branch and below are the observations , duplicate endpoint security rule is failing however rule failure reason is different also alerts are generating by this rule in failure rule state. Failure Reason: KaranV_Linux.Master.VM2.-.VMware.Remote.Console.2022-12-02.17-38-45.mp4KaranV_Linux.Master.VM2.-.VMware.Remote.Console.2022-12-02.17-40-08.mp4 |
|
@marshallmain may you please take a look at the above? Thanks! |
|
I'm not seeing this new error when I test locally, the |
|
Hi @marshallmain , We have validated this issue on 8.6.0 BC5 build and Observe that issue is Fixed. We did not got any error on 8.6.0 BC5 build Please find the below details: Screencast: Suppression.Alerts.mp4Hence, We are closing this issue and marking as QA Validated!! Thanks!! |
Describe the bug
Error occurs on rule execution after adding the suppression alert fields in endpoint security [Duplicate] rule
Build info
Preconditions
Steps to Reproduce
Actual Result
Expected Result
Screen-shot
Rule
endpoint Security.zip
The text was updated successfully, but these errors were encountered: