Increasing number of Alerts for Detection Rules

Hello, I am currently using the open source version of Elastic.
I have created a couple of Detection Rules. But the number of alerts I can create per rule is limited to 100.
If my understanding is correct, the number of alerts is limited by the field "max_signals" (which defaults to 100), but I am unsure how I can change this value in the custom query rule that I have created in Kibana.
Any information will be helpful, thank you!

Welcome, @uhxqc. Thanks for reaching out here. Do you have a code sample of the rule you are creating?

You can modify the field "max_signals" by using the create rule API. You may also want to confirm that you do not set the max_signals value higher than the value of xpack.alerting.rules.run.alerts.max.

Hello @jessgarson
I am not using a code sample. I am directly creating the rule on the Kibana UI using 'Security > Rules > Detection Rules > Create rule'.

Thanks! I have a few follow-up questions:

  • Do you have a screen shot of what you are entering in here?
  • Are you getting any errors, or are you simply not seeing the option for `max_signals`?
  • What version are you using?

@jessgarson
I haven't come across 'Max_Signals' option anywhere in the GUI.
I am currently using version 8.11.

Thanks for following up here. I'm going to contact a few coworkers and do some further research on the subject. I'll get back in touch when I hear more.

Hi @uhxqc,

Have you tried updating using Dev Tools for updating the rule? I think something like this could work:

```
PUT /api/detection_engine/rules
{
  "id": "rule-id-here",
  "name": "Updated Detection Rule",
  "description": "Updated description here",
  "risk_score": 50,
  "severity": "high",
  "type": "query",
  "query": "user.name: admin",
  "language": "kuery",
  "index": ["auditbeat-*"],
  "interval": "10m",
  "max_signals": 150,
  "enabled": true,
  "tags": ["updated-tag"]
}
```
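The same change scripted end to end, as an added example that is not code from this thread or from Elastic: it first looks the rule up by name with the detection engine `_find` endpoint so the rule id does not have to be known in advance, then patches only `max_signals`, refusing values above `xpack.alerting.rules.run.alerts.max` when that limit is supplied. It assumes a Kibana URL, an API key placeholder, and that requests go to Kibana's HTTP port (the Kibana REST API, not the Elasticsearch Console); the `send` parameter is an injectable transport for offline testing.

```python
"""Raise max_signals on a Kibana detection rule found by name.

Added example, not code from the thread. Assumes Kibana's detection
engine API (GET /api/detection_engine/rules/_find, PATCH
/api/detection_engine/rules) and an API key with rule privileges.
"""
import json
import urllib.parse
import urllib.request

KIBANA = "http://localhost:5601"     # assumption: local Kibana instance
API_KEY = "REPLACE_WITH_API_KEY"     # placeholder, never commit a real key


def http_call(method, path, body=None, send=None):
    """Send one JSON request to Kibana. `send(method, path, body)` can
    replace the network call, e.g. in tests."""
    if send is not None:
        return send(method, path, body)
    headers = {"kbn-xsrf": "true", "Content-Type": "application/json",
               "Authorization": f"ApiKey {API_KEY}"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(KIBANA + path, data=data,
                                 headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def find_rule_id(name, send=None):
    """Return the id of the rule with exactly this name, or None.
    The _find filter is KQL over the rule saved-object attributes."""
    flt = urllib.parse.quote(f'alert.attributes.name:"{name}"')
    result = http_call("GET", f"/api/detection_engine/rules/_find?filter={flt}",
                       send=send)
    matches = [r for r in result.get("data", []) if r.get("name") == name]
    return matches[0]["id"] if matches else None


def set_max_signals(name, max_signals, run_alerts_max=None, send=None):
    """Patch max_signals on the named rule and return the new value.
    Refuses to exceed xpack.alerting.rules.run.alerts.max when given."""
    if run_alerts_max is not None and max_signals > run_alerts_max:
        raise ValueError("max_signals exceeds xpack.alerting.rules.run.alerts.max")
    rule_id = find_rule_id(name, send=send)
    if rule_id is None:
        raise LookupError(f"no rule named {name!r}")
    patched = http_call("PATCH", "/api/detection_engine/rules",
                        {"id": rule_id, "max_signals": max_signals}, send=send)
    return patched["max_signals"]
```

Because PATCH sends only the fields being changed, the rest of the rule (query, index patterns, schedule) is left untouched, unlike a full PUT.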

Hello, I've been trying to run this on the Dev Console but I do not know my rule ID.
Since I created my rule through the Kibana GUI, I did not initially have to enter any rule ID. Is there any query I could use to fetch the rule ID?


Thanks, @uhxqc! Could this endpoint work?