Increasing number of Alerts for Detection Rules

Hello, I am currently using the open source version of Elastic.
I have created a couple of Detection Rules, but the number of alerts I can create per rule is limited to 100.
If my understanding is correct, the number of alerts is limited by the field "max_signals" (which defaults to 100), but I am unsure how I can change this value in the custom query rule that I have created in Kibana.
Any information will be helpful, thank you!

Welcome, @uhxqc. Thanks for reaching out here. Do you have a code sample of the rule you are creating?

You can modify the field "max_signals" by using the create rule API. You may also want to confirm that you do not set the max_signals value higher than the value of xpack.alerting.rules.run.alerts.max.

Hello @jessgarson
I am not using a code sample. I am directly creating the rule on the Kibana UI using 'Security > Rules > Detection Rules > Create rule'.

Thanks! I have a few follow up questions:

  • Do you have a screen shot of what you are entering in here?
  • Are you getting any errors, or are you simply not seeing the option for `max_signals`?
  • What version are you using?

@jessgarson
I haven't come across 'Max_Signals' option anywhere in the GUI.
I am currently using version 8.11.

Thanks for following up here. I'm going to contact a few coworkers and do some further research on the subject. I'll get back in touch when I hear more.

Hi @uhxqc,

Have you tried using Dev Tools to update the rule? I think something like this could work:

PUT /api/detection_engine/rules
{
  "id": "rule-id-here",
  "name": "Updated Detection Rule",
  "description": "Updated description here",
  "risk_score": 50,
  "severity": "high",
  "type": "query",
  "query": "user.name: admin",
  "language": "kuery",
  "index": ["auditbeat-*"],
  "interval": "10m",
  "max_signals": 150,
  "enabled": true,
  "tags": ["updated-tag"]
}

Hello, I've been trying to run this on the Dev Console but I do not know my rule ID.
Since I have created my rule through the Kibana GUI, I did not initially have to enter any rule ID, is there any query I could use to fetch the rule ID?


Thanks, @uhxqc! Could this endpoint work?

Hello @jessgarson, the endpoint worked. I was able to find the rule ID and update the max_signals field as well, using the Dev Tools 'PUT /api/detection_engine/rules' command.
The rule is updated and says that it was run again.
But, the number of alerts created for said rule still seems to be limited to 100 alerts. Is there something I might be missing here?

Thanks for following up! I reached out to a few others internally and want to test a few things. I'll be back in touch shortly.

Thanks for following up, @uhxqc. There is currently an open bug report for the UI, but this should work in the API. Do you happen to have the request you used?

Hello @jessgarson ,

So far, I've been using Kibana UI to create Detection rules, would using Dev Tools API to create rules help solve this issue?
Would you have any examples that I could use to create rules using APIs?

Thanks @uhxqc, this should work. You may want to try something like this:

PUT /api/detection_engine/rules/_bulk_update
{
  "rules": [
    {
      "id": "<your_rule_id>",
      "max_signals": 10000
    }
  ]
}

You will want to update this to have your desired number for max_signals and the rule ID you are looking to update.

Thanks, @jessgarson. I tried the above command as well; it does not work. It gives an error message saying 'Bad Request' and
message : request body : Invalid value "{"rules"...

Thanks for letting me know, have you tried something like this as well:

PUT /api/detection_engine/rules
{
  "id": "<your_rule_id>",
  "max_signals": <updated_number>
}
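
The two steps the thread arrives at, looking up the rule's internal id and then changing only max_signals, as an added example that is not from the thread or from Elastic. It uses the Kibana detection-engine endpoints `GET /api/detection_engine/rules/_find` (with the `alert.attributes.name` filter syntax), `PATCH /api/detection_engine/rules` (partial update, so the whole rule need not be resent as with PUT) and `GET /api/detection_engine/rules?id=...` to read the stored value back. KIBANA_URL, ALERTS_CAP, the SAMPLE_RULES records and the offline fake transport are assumptions constructed for the example; swap in the HTTP transport for a live Kibana.

```python
"""Resolve a detection rule's id by name and raise its max_signals via the
Kibana detection-engine API, reading the value back to confirm it stuck."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumed deployment details (not from the thread).
KIBANA_URL = "https://kibana.example.internal:5601"
ALERTS_CAP = 1000  # assumed value of xpack.alerting.rules.run.alerts.max

# A transport sends one API call: (method, path, json_body_or_None) -> parsed JSON.
Transport = Callable[[str, str, Optional[dict]], dict]


def make_http_transport(base_url: str, user: str, password: str) -> Transport:
    """Real transport. Kibana rejects writes that lack the kbn-xsrf header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("kbn-xsrf", "true")
        req.add_header("Content-Type", "application/json")
        req.add_header("Authorization", f"Basic {token}")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    return send


def find_rule_id(transport: Transport, rule_name: str) -> str:
    """Look the rule up with _find (server-side filter on the saved-object
    attribute), then insist on an exact name match so a partial match
    cannot send the update to the wrong rule."""
    flt = urllib.parse.quote(f'alert.attributes.name:"{rule_name}"')
    page = transport("GET", f"/api/detection_engine/rules/_find?filter={flt}", None)
    hits = [r for r in page.get("data", []) if r.get("name") == rule_name]
    if len(hits) != 1:
        raise LookupError(f"expected one rule named {rule_name!r}, found {len(hits)}")
    return hits[0]["id"]


def exceeds_cap(max_signals: int, cap: int = ALERTS_CAP) -> bool:
    """A rule cannot produce more alerts per run than the cluster-wide cap."""
    return max_signals > cap


def set_max_signals(transport: Transport, rule_id: str, max_signals: int,
                    cap: int = ALERTS_CAP) -> int:
    """PATCH changes only the named field; PUT would require resending the
    whole rule. Returns the value Kibana reports after the update."""
    if exceeds_cap(max_signals, cap):
        raise ValueError(f"max_signals={max_signals} exceeds cap {cap}")
    transport("PATCH", "/api/detection_engine/rules",
              {"id": rule_id, "max_signals": max_signals})
    stored = transport("GET", f"/api/detection_engine/rules?id={rule_id}", None)
    if stored.get("max_signals") != max_signals:
        raise RuntimeError(f"update not reflected: {stored.get('max_signals')}")
    return stored["max_signals"]


# Constructed sample rules standing in for what a real _find would return.
SAMPLE_RULES = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {
        "id": "11111111-aaaa-4bbb-8ccc-000000000001",
        "name": "Admin interactive logon", "max_signals": 100},
    "11111111-aaaa-4bbb-8ccc-000000000002": {
        "id": "11111111-aaaa-4bbb-8ccc-000000000002",
        "name": "Admin interactive logon (staging)", "max_signals": 100},
}


def make_fake_transport(rules: dict) -> Transport:
    """Offline stand-in for Kibana so the flow can be run without a cluster.
    It does not apply the _find filter, which is exactly why find_rule_id
    re-checks the name client-side."""
    def send(method: str, path: str, body: Optional[dict] = None) -> dict:
        if method == "GET" and path.startswith("/api/detection_engine/rules/_find"):
            return {"data": [dict(r) for r in rules.values()]}
        if method == "GET" and path.startswith("/api/detection_engine/rules?id="):
            return dict(rules[path.split("id=", 1)[1]])
        if method == "PATCH" and path == "/api/detection_engine/rules":
            rules[body["id"]]["max_signals"] = body["max_signals"]
            return dict(rules[body["id"]])
        raise AssertionError(f"unexpected request {method} {path}")
    return send


if __name__ == "__main__":
    # Replace with make_http_transport(KIBANA_URL, user, password) for a live Kibana.
    t = make_fake_transport({k: dict(v) for k, v in SAMPLE_RULES.items()})
    rid = find_rule_id(t, "Admin interactive logon")
    print(rid, set_max_signals(t, rid, 500))
```

The read-back after the PATCH is the check worth keeping: if the API reports the new max_signals but a run still stops at 100, the stored rule is not the limit, and the next thing to compare is the value of xpack.alerting.rules.run.alerts.max mentioned earlier in the thread, which is why the example refuses values above that cap up front.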

@jessgarson This worked; the max_signals field has been updated. But when I try to run the rule, the number of alerts generated is still exactly 100 and has not increased.

Thanks for all the follow up, @uhxqc, you may want to report this as a bug.
