I'm setting up custom query rules that alert when fields in a document exceed pre-defined thresholds.
In some circumstances, if the document category is a particular string value, then the thresholds should be different.
What is the easiest way to set this up in the rules? If I set up two separate rules, where one has a more specific query (i.e. checks the category field first), I get false positives for the other rule.
I've looked into Rule Exceptions but it would involve modifying all our existing rules to be linked to the exceptions. Is it possible to set up some sort of hierarchy/precedence of rules? Where if one rule is triggered for a document, the other rules are not run?
> Is it possible to set up some sort of hierarchy/precedence of rules? Where if one rule is triggered for a document, the other rules are not run?
Absolutely!
Well the former at least, but not for the latter -- the rule will still run regardless but you should be able to construct its filter to only pick up what you want.
For this you'll want to leverage Building Block Rules -- there's an advanced setting under About Rule when editing/creating the rule.
When checked, any alert created will set the kibana.alert.rule.building_block_type field on the alert, and they'll be hidden in the UI by default. You can then create a second rule looking at the .alerts-security.alerts-* index, that would then create alerts based on some criteria/filters you have for the building block alerts that have been created.
Does this sound like it'll help resolve your issue? If not, could you please share your query and I would be happy to help guide you further.
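One concrete way to wire this up, as an added example that is not from the original thread: two rule bodies in the shape accepted by Kibana's `POST /api/detection_engine/rules/_bulk_create`. The source index, field names (`document.category`, `metric.value`), the thresholds (100 and 500), the category string and both `rule_id` values are assumed placeholders; `kibana.alert.rule.building_block_type` and the `.alerts-security.alerts-*` pattern are from the reply above.

```json
[
  {
    "rule_id": "doc-threshold-building-block",
    "name": "Document threshold exceeded (building block)",
    "description": "Base rule: fires on every document over the general threshold and is hidden from the alert UI.",
    "type": "query",
    "language": "kuery",
    "index": ["my-documents-*"],
    "query": "metric.value > 100",
    "building_block_type": "default",
    "severity": "low",
    "risk_score": 21,
    "interval": "5m",
    "from": "now-6m",
    "enabled": true
  },
  {
    "rule_id": "doc-threshold-category-aware",
    "name": "Document threshold exceeded (category-aware)",
    "description": "Reads the building block alerts and only surfaces those that pass the threshold for their category.",
    "type": "query",
    "language": "kuery",
    "index": [".alerts-security.alerts-*"],
    "query": "kibana.alert.rule.building_block_type : \"default\" and kibana.alert.rule.rule_id : \"doc-threshold-building-block\" and ((not document.category : \"special\" and metric.value > 100) or (document.category : \"special\" and metric.value > 500))",
    "severity": "medium",
    "risk_score": 47,
    "interval": "5m",
    "from": "now-6m",
    "enabled": true
  }
]
```

The second rule can reference `document.category` and `metric.value` because the detection engine copies the source document's fields onto the alert it writes; give it a `from` window at least as long as the first rule's interval plus its own, otherwise building block alerts written late are skipped.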