[RAC][Rule Registry] Updating old alerts by "reindexing" them into the current write index #111165
Labels: Team:Detection Alerts, Team:Detections and Resp, Team: SecuritySolution, Theme: rac, obsolete
Parent ticket: #101016
Summary
Background: #109276 (comment)
We should consider a "hybrid" approach in which an "update" means we write a document to the current write index (which we can assume to have the most recent mappings) and we delete the document from the index it was previously in. That would be almost like a reindex-on-write approach.
Benefits:
Risks/cons:
@timestamp and other fields except the status, and the benefits are not that obvious for Security.
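As an added illustration (not code from Kibana or the Rule Registry), the hybrid "reindex-on-write" update described above, run against an in-memory stand-in for the alert indices so it works offline. The index names, the `AlertStore` and `hybrid_update` names, and the sample alert fields are assumptions.

```python
from copy import deepcopy

# Constructed index names in the alerts-as-data rollover style (assumed, not from the issue).
WRITE_INDEX = ".internal.alerts-security.alerts-default-000002"
OLD_INDEX = ".internal.alerts-security.alerts-default-000001"


class AlertStore:
    """Minimal in-memory stand-in for an Elasticsearch client: index -> {_id: _source}."""

    def __init__(self):
        self.indices = {WRITE_INDEX: {}, OLD_INDEX: {}}

    def get(self, index, doc_id):
        return deepcopy(self.indices[index][doc_id])

    def index(self, index, doc_id, source):
        self.indices[index][doc_id] = deepcopy(source)

    def delete(self, index, doc_id):
        del self.indices[index][doc_id]


def hybrid_update(store, doc_id, current_index, changes, write_index=WRITE_INDEX):
    """Write the updated alert into the current write index (which carries the
    latest mappings), then delete the stale copy from the index it lived in.

    Write first, delete second: a failure between the two steps leaves a
    duplicate (detectable and recoverable) rather than a lost alert. Fields the
    caller did not change, @timestamp included, are carried over unchanged so
    the move does not rewrite the alert's original time.
    """
    source = store.get(current_index, doc_id)
    source.update(changes)
    store.index(write_index, doc_id, source)
    if current_index != write_index:  # already in the write index: plain in-place update
        store.delete(current_index, doc_id)
    return write_index


def demo():
    store = AlertStore()
    # Constructed sample alert written while ...-000001 was still the write index.
    store.index(OLD_INDEX, "alert-1", {
        "@timestamp": "2021-09-01T10:00:00.000Z",
        "kibana.alert.workflow_status": "open",  # field name assumed
        "kibana.alert.rule.name": "demo rule",   # field name assumed
    })
    new_index = hybrid_update(store, "alert-1", OLD_INDEX,
                              {"kibana.alert.workflow_status": "closed"})
    return store, new_index
```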