Hello, I am currently using the open source version of Elastic.
I have created a couple of detection rules, but the number of alerts each rule can create is limited to 100.
If my understanding is correct, the number of alerts is limited by the field "max_signals" (which defaults to 100), but I am unsure how I can change this value in the custom query rule that I have created in Kibana.
Any information will be helpful, thank you!
Welcome, @uhxqc. Thanks for reaching out here. Do you have a code sample of the rule you are creating?
You can modify the field "max_signals" by using the create rule API. You may also want to confirm that you do not set the max_signals value higher than the value of xpack.alerting.rules.run.alerts.max.
Hello @jessgarson
I am not using a code sample. I am directly creating the rule on the Kibana UI using 'Security > Rules > Detection Rules > Create rule'.
Thanks! I have a few follow up questions:
- Do you have a screen shot of what you are entering in here?
- Are you getting any errors, or are you simply not seeing the option for `max_signals`?
- What version are you using?
@jessgarson
I haven't come across 'Max_Signals' option anywhere in the GUI.
I am currently using the version 8.11
Thanks for following up here. I'm going to contact a few coworkers and do some further research on the subject. I'll get back in touch when I hear more.
Hi @uhxqc,
Have you tried using Dev Tools to update the rule? I think something like this could work:

```json
PUT /api/detection_engine/rules
{
  "id": "rule-id-here",
  "name": "Updated Detection Rule",
  "description": "Updated description here",
  "risk_score": 50,
  "severity": "high",
  "type": "query",
  "query": "user.name: admin",
  "language": "kuery",
  "index": ["auditbeat-*"],
  "interval": "10m",
  "max_signals": 150,
  "enabled": true,
  "tags": ["updated-tag"]
}
```
Hello, I've been trying to run this on the Dev Console but I do not know my rule ID.
Since I have created my rule through the Kibana GUI, I did not initially have to enter any rule ID, is there any query I could use to fetch the rule ID?
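The two steps discussed in this thread, looking up the rule's `id` and then changing `max_signals`, as an added example that is not part of any post above. It talks to the Kibana detection-engine API from outside Kibana with plain `urllib`, uses `GET /api/detection_engine/rules/_find` to locate the rule and `PATCH /api/detection_engine/rules` (which updates only the fields you send, unlike `PUT`, which replaces the whole rule and therefore needs every required field as in the body posted above). The KQL filter `alert.attributes.name:"<name>"`, the `KIBANA_URL` / `KIBANA_USER` / `KIBANA_PASS` environment variables, the 1000 default for `xpack.alerting.rules.run.alerts.max` and the sample `_find` response are assumptions made for this example, not facts from the thread.

```python
"""Added example (not from the thread): find a detection rule's id by its
display name, then raise its max_signals via the Kibana detection-engine API.

Endpoints used:
  GET   /api/detection_engine/rules/_find   (list/filter rules)
  PATCH /api/detection_engine/rules         (update only the fields sent)
Assumptions (not from the original posts): the KQL filter
alert.attributes.name:"<name>", the KIBANA_URL/KIBANA_USER/KIBANA_PASS
environment variables, the 1000 default alerts cap, and the constructed
SAMPLE_FIND_RESPONSE below.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Kibana rejects non-GET API requests that lack the kbn-xsrf header.
KBN_HEADERS = {"kbn-xsrf": "true", "Content-Type": "application/json"}

# Constructed sample of a _find response for a name filter; only the fields
# this example reads are included. The id is a made-up UUID.
SAMPLE_FIND_RESPONSE = {
    "page": 1,
    "perPage": 20,
    "total": 1,
    "data": [
        {
            "id": "0c8a7c2e-8e3b-4a9d-9b1a-3f2e1d4c5b6a",
            "rule_id": "custom-admin-login",
            "name": "Admin login",
            "max_signals": 100,
            "enabled": True,
        }
    ],
}


def find_url(base_url, name):
    """URL for _find filtered on the rule's display name (filter syntax assumed)."""
    params = urllib.parse.urlencode(
        {"filter": f'alert.attributes.name:"{name}"', "per_page": 100}
    )
    return f"{base_url.rstrip('/')}/api/detection_engine/rules/_find?{params}"


def extract_rule_id(find_response, name):
    """Return the id of the one rule whose name matches exactly.

    The server-side filter may match more loosely than an exact name, so the
    name is compared again here and ambiguity is refused rather than patching
    the wrong rule.
    """
    matches = [r for r in find_response.get("data", []) if r.get("name") == name]
    if not matches:
        raise LookupError(f"no rule named {name!r}")
    if len(matches) > 1:
        ids = ", ".join(r["id"] for r in matches)
        raise LookupError(f"{len(matches)} rules named {name!r}: {ids}")
    return matches[0]["id"]


def patch_body(rule_id, max_signals, alerts_cap=1000):
    """Body for PATCH /api/detection_engine/rules: the id plus the one changed field.

    alerts_cap mirrors xpack.alerting.rules.run.alerts.max (assumed default
    1000): a rule cannot write more alerts per run than that, so a larger
    max_signals is rejected here instead of being quietly ineffective.
    """
    if not 1 <= max_signals <= alerts_cap:
        raise ValueError(
            f"max_signals must be between 1 and {alerts_cap} "
            "(xpack.alerting.rules.run.alerts.max)"
        )
    return {"id": rule_id, "max_signals": max_signals}


def _request(method, url, user, password, body=None):
    """Minimal basic-auth JSON request helper for the Kibana API."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    headers = {**KBN_HEADERS, "Authorization": f"Basic {token}"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def raise_max_signals(base_url, user, password, name, max_signals):
    """Look the rule up by name, PATCH max_signals, return the updated rule."""
    found = _request("GET", find_url(base_url, name), user, password)
    rule_id = extract_rule_id(found, name)
    body = patch_body(rule_id, max_signals)
    api = f"{base_url.rstrip('/')}/api/detection_engine/rules"
    return _request("PATCH", api, user, password, body)


if __name__ == "__main__":
    # Offline dry run against the constructed sample, then a live call only
    # when KIBANA_URL is set.
    rule_id = extract_rule_id(SAMPLE_FIND_RESPONSE, "Admin login")
    print(rule_id, patch_body(rule_id, 150))
    if os.environ.get("KIBANA_URL"):
        updated = raise_max_signals(os.environ["KIBANA_URL"], os.environ["KIBANA_USER"],
                                    os.environ["KIBANA_PASS"], "Admin login", 150)
        print(updated["id"], updated["max_signals"])
```

Run it once without `KIBANA_URL` to see the id extraction and the PATCH body on the sample, then export the three variables and run it against a real instance; the `GET` is read-only, so the only write is the single `PATCH`. Rules created in the Kibana UI get a random UUID as `id` (and another as `rule_id`), which is why the name lookup is needed before either can be used in an update.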