I noticed that a few detection rules consume a lot of memory and often cause a
circuit_breaking_exception in medium-ish deployments (~265 winlogbeat deployments).
- Installation of Custom Shim Databases
- Parent Process PID Spoofing
- Potential Process Herpaderping Attempt
These rules all seem to use a good amount of memory to run; here is generally the exception I see:
An error occurred during rule execution: message: "circuit_breaking_exception: [circuit_breaking_exception] Reason: [eql_sequence] Data too large, data for [sequence_inflight] would be [3221924600/3gb], which is larger than the limit of [3221225472/3gb]" name: "Installation of Custom Shim Databases" id: "ac10bafe-a91f-11eb-a252-7f35a8822039" rule id: "c5ce48a6-7f57-4ee8-9313-3d0024caee10" signals index: ".siem-signals-security"
Has anyone else run into this issue with rules? If you did, how did you solve it?