Edit max_signals field for custom rules in UI and API

[dplumlee]

Description

We're implementing a new field in the rule creation/editing and rule details UI for max_signals (The max amount of alerts that will be written per run). This field is restricted to a lower limit of 1 and gives a warning above the upper limit of whatever the alerting config setting xpack.alerting.rules.run.alerts.max is set to (defaults to 1000). The max_signals value defaults to 100 unless xpack.alerting.rules.run.alerts.max is below 100, then it defaults to that value. This addition doesn't affect any of the existing API schemas as max_signals is already a defaultable field, we're just now exposing it to the UI.

Importantly, in the rule executors themselves, we will use the rule's max_signals value UNLESS it is more than xpack.alerting.rules.run.alerts.max in which case we will use that value and log a warning in the detection engine that the max_signals value has been effectively overridden by the baseline config limit

Background & resources

• PRs:
  • [Security Solution] Allow users to edit max_signals field for custom rules kibana#179680
  • [Security Solution] max_signals validation follow up fixes kibana#182643
• Issues/metas: [Security Solution] Allow users to edit max_signals field for custom rules kibana#173593
• Related docs:
  • xpack.alerting.rules.run.alerts.max : https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings
• Point of contact: @dplumlee

Which documentation set does this change impact?

ESS and serverless

ESS release

8.15

Serverless release

Tues May 14, 2024

Feature differences

The feature is identical in ESS and serverless

API docs impact

No APIs have been changed other than now enforcing certain validations that would have broken rules in the past. Now we return 400 errors when a rule is created/edited with a max_signals value less than 1.

Prerequisites, privileges, feature flags

No response

---

Pull Requests

Preview Give feedback

1. Serverless docs — https://github.com/elastic/staging-serverless-security-docs/pull/328
2. Classic docs — Edit max_signals field for custom rules in UI [classic] #5106
3. No need for an API docs (classic) PR

[joepeeples]

elastic/kibana#179680 is still unmerged, so we won't be publishing serverless docs for this this week. Adjusting to next week (Tues May 7).

[joepeeples]

Pushed back one more week; feature didn't make this week's cutoff.

Also, follow-up dev PR will potentially hard-code a limit of 1000 alerts:

• [Security Solution] max_signals validation follow up fixes kibana#182643

This will affect serverless & ESS docs in different ways. Serverless should mention the limit, and that's it. ESS should mention the limit in relation to how max_signals and xpack.alerting.rules.run.alerts.max interact.