I have a testing Elasticsearch (7.14.0 before and 7.15.0 now) where I'm sending filebeat's Threat Intel data (50,000 documents on the
filebeat-* index) and a Firewall data index with less than 1,000,000 messages.
I've configured a simple Security rule that matches source.ip from the firewall with threatintel.indicator.ip. Every time it runs it gives me this error:
An error occurred during rule execution: message: "Request timed out" name: "ip_maliciosas" id: "501312b0-222e-11ec-bb83-bff19fd32bc0" rule id: "fb7b64fe-fcb2-4f0f-8b5f-d881811ee01a" signals index: ".siem-signals-default"
This cluster is a stand-alone server with 64GB of RAM, 16 CPUs and a lot of HD. There is nothing else in the cluster besides these two indices.
I don't get why this times out.
What should I do? Make the timeout bigger? In Kibana? In Elasticsearch? If I have this problem with this very simple rule, do I have to forget about having any more complex ones?
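As an added illustration, not part of the original post and not Elastic's own rule code, the script below simulates offline what an indicator-match rule like the one described does: it builds a lookup index from the threat-intel documents' threatintel.indicator.ip values and checks every firewall event's source.ip against it. The sample documents are constructed; the real rule runs its joins as Elasticsearch queries over both indices, which is where the timeout is spent, so this only shows the matching logic, not the cluster behaviour. Normalising through the ipaddress module is an assumption chosen so that IPv4 and IPv6 spellings compare the way an Elasticsearch ip field would.

```python
"""Offline simulation of an indicator-match detection rule.

Firewall events whose source.ip equals a threat-intel indicator IP produce
an alert that carries the matching indicator documents.  Added example;
the documents below are constructed, not from the poster's cluster.
"""
import ipaddress
from collections import defaultdict

# Constructed threat-intel documents in ECS shape (filebeat threatintel style).
THREAT_INTEL_DOCS = [
    {"threatintel": {"indicator": {"ip": "203.0.113.10", "provider": "feed-a"}}},
    {"threatintel": {"indicator": {"ip": "198.51.100.7", "provider": "feed-b"}}},
    {"threatintel": {"indicator": {"ip": "2001:db8::1", "provider": "feed-a"}}},
    # The same indicator reported by a second feed: both should be attached to a hit.
    {"threatintel": {"indicator": {"ip": "203.0.113.10", "provider": "feed-c"}}},
    # Malformed indicator: must be skipped, not abort the whole run.
    {"threatintel": {"indicator": {"ip": "not-an-ip", "provider": "feed-b"}}},
]

# Constructed firewall events; the third uses a different spelling of the IPv6 indicator.
FIREWALL_DOCS = [
    {"@timestamp": "2021-10-01T10:00:00Z", "source": {"ip": "203.0.113.10"}, "event": {"action": "deny"}},
    {"@timestamp": "2021-10-01T10:00:01Z", "source": {"ip": "192.0.2.5"}, "event": {"action": "allow"}},
    {"@timestamp": "2021-10-01T10:00:02Z", "source": {"ip": "2001:DB8:0::1"}, "event": {"action": "allow"}},
    {"@timestamp": "2021-10-01T10:00:03Z", "event": {"action": "allow"}},  # no source.ip at all
]


def get_path(doc, path):
    """Return the value at a dotted ECS path such as 'source.ip', or None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ip(raw):
    """Normalise a textual IP; returns None for missing or malformed values."""
    try:
        return ipaddress.ip_address(raw)
    except (ValueError, TypeError):
        return None


def build_indicator_index(docs, field="threatintel.indicator.ip"):
    """Map each normalised indicator IP to the list of documents reporting it."""
    index = defaultdict(list)
    for doc in docs:
        ip = parse_ip(get_path(doc, field))
        if ip is None:
            continue  # skip unusable indicators
        index[ip].append(doc)
    return index


def indicator_match(events, indicator_index, field="source.ip"):
    """Return one hit per event whose field value is a known indicator."""
    hits = []
    for ev in events:
        ip = parse_ip(get_path(ev, field))
        if ip is None:
            continue  # events without a usable source.ip can never match
        if ip in indicator_index:
            hits.append({"event": ev, "indicators": indicator_index[ip]})
    return hits


def run_rule(threat_docs=THREAT_INTEL_DOCS, firewall_docs=FIREWALL_DOCS):
    """Build the indicator index once, then scan the events against it."""
    return indicator_match(firewall_docs, build_indicator_index(threat_docs))


if __name__ == "__main__":
    for hit in run_rule():
        providers = [get_path(d, "threatintel.indicator.provider") for d in hit["indicators"]]
        print(hit["event"]["@timestamp"], hit["event"]["source"]["ip"], "matched", providers)
```

The index is built once and each event is a single hash lookup, so the cost grows with the number of events plus the number of indicators rather than their product; that is the property a rule over 50,000 indicators and up to a million events depends on, and a good mental model when deciding how far to widen the rule's lookback window or the indicator set.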