From e33a358ea28d3f6ab73847bcc09db71280fbcdbe Mon Sep 17 00:00:00 2001 From: Chris Moore <107723039+cwillum@users.noreply.github.com> Date: Tue, 19 Sep 2023 14:45:37 -0700 Subject: [PATCH] Add documentation for automatic Alerting workflows from detector creation (#5003) * fix#4999 auto alerting workflows Signed-off-by: cwillum * fix#4999 auto alerting workflows Signed-off-by: cwillum * fix#4999 auto alerting workflows Signed-off-by: cwillum * fix#4999 auto alerting workflows Signed-off-by: cwillum * fix#4999 auto alerting workflows Signed-off-by: cwillum * fix#4999 auto alerting workflows Signed-off-by: cwillum * fix#4999 auto alerting workflows Signed-off-by: cwillum * fix#4999 auto alerting workflows Signed-off-by: cwillum --------- Signed-off-by: cwillum --- _api-reference/cluster-api/cluster-settings.md | 3 ++- _observing-your-data/alerting/composite-monitors.md | 2 +- .../sec-analytics-config/detectors-config.md | 8 ++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/_api-reference/cluster-api/cluster-settings.md b/_api-reference/cluster-api/cluster-settings.md index 7b01e2de8f..fa1d7f9407 100644 --- a/_api-reference/cluster-api/cluster-settings.md +++ b/_api-reference/cluster-api/cluster-settings.md @@ -60,7 +60,8 @@ Not all cluster settings can be updated using the cluster settings API. You will The following request field parameters are compatible with the cluster API. | Field | Data type | Description | -:--- | :--- | :--- +| :--- | :--- | :--- | +| plugins.security_analytics.enable_workflow_usage | Boolean | Supports Alerting plugin workflow integration with Security Analytics. Determines whether composite monitor workflows are generated for the Alerting plugin after creating a new threat detector in Security Analytics. By default, the setting is `true`.

When set to `true`, composite monitor workflows based on an associated threat detector's configuration are enabled. When set to `false`, composite monitor workflows based on an associated threat detector's configuration are disabled.

For more information about Alerting plugin workflow integration with Security Analytics, see [Integrated Alerting plugin workflows]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#integrated-alerting-plugin-workflows). | | action.auto_create_index | Boolean | Automatically creates an index if the index doesn't already exist. Also applies any index templates that are configured. Default is `true`. | | action.destructive_requires_name | Boolean | When set to `true`, you must specify the index name to delete an index. You cannot delete all indexes or use wildcards. Default is `true`. | | cluster.indices.close.enable | Boolean | Enables closing of open indexes in OpenSearch. Default is `true`. | diff --git a/_observing-your-data/alerting/composite-monitors.md b/_observing-your-data/alerting/composite-monitors.md index 44bd31e30b..80c95e677e 100644 --- a/_observing-your-data/alerting/composite-monitors.md +++ b/_observing-your-data/alerting/composite-monitors.md @@ -63,7 +63,7 @@ In this simple example, the first monitor could be a per document monitor config ## Managing composite monitors with the API -You can manage composite monitors using the REST API or OpenSearch Dashboards. This section covers API functionality for composite monitors. +You can manage composite monitors using the OpenSearch REST API or [OpenSearch Dashboards](#creating-composite-monitors-in-opensearch-dashboards). This section describes API functionality for composite monitors. ### Create composite monitor diff --git a/_security-analytics/sec-analytics-config/detectors-config.md b/_security-analytics/sec-analytics-config/detectors-config.md index 85c4ff282f..093ba18bd3 100644 --- a/_security-analytics/sec-analytics-config/detectors-config.md +++ b/_security-analytics/sec-analytics-config/detectors-config.md 
@@ -144,6 +144,14 @@ To set up an alert for a detector, continue with the following steps: 1. Review the specifications for the detector and select **Create detector** in the lower-right corner of the screen. The detector details for the new detector are displayed. When you navigate to the main **Threat detectors** page, the new detector appears in the list. +## Integrated Alerting plugin workflows + +By default, when you create a threat detector, the system automatically creates a composite monitor and triggers workflows for the Alerting plugin. The detector's rules are converted into search queries for the Alerting plugin monitor, and the monitor executes its queries according to a schedule derived from the detector's configuration. + +You can change the behavior of automatically generated composite monitors by enabling or disabling the workflow functionality with the `plugins.security_analytics.enable_workflow_usage` setting. This setting is defined using the [Cluster settings API]({{site.url}}{{site.baseurl}}/api-reference/cluster-api/cluster-settings/). + +For more information about composite monitors and their workflows, see [Composite monitors]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/composite-monitors/). + --- ## What's next
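Review bot: in the `_api-reference/cluster-api/cluster-settings.md` hunk, the new `plugins.security_analytics.enable_workflow_usage` row breaks the table. Its Description cell runs across several paragraphs separated by blank lines, and a Markdown table cell cannot span lines, so everything after `By default, the setting is `true`.` (the "When set to `true`..." paragraph, the "For more information..." link, and the `action.auto_create_index`, `action.destructive_requires_name` and `cluster.indices.close.enable` rows that follow) will render as loose text instead of table rows. Collapse the description onto one line (use `<br>` if a break is wanted) and drop the "When set to `true` ... When set to `false` ..." sentence pair, which only restates "Determines whether composite monitor workflows are generated"; keep the default statement and the link. The header-separator fix to `| :--- | :--- | :--- |` is correct. Also consider placing the row in the table's existing order (the rows that follow are `action.*` and `cluster.*`) rather than at the top, and confirm the stated default of `true` against the plugin's setting definition before merging.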
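Review bot: in the `_observing-your-data/alerting/composite-monitors.md` hunk, the new in-page link `[OpenSearch Dashboards](#creating-composite-monitors-in-opensearch-dashboards)` targets an anchor that does not appear in this diff. Confirm that the file contains a heading whose generated id is exactly `creating-composite-monitors-in-opensearch-dashboards` (the site derives ids from heading text), otherwise the link silently resolves to the top of the page. The wording change from "covers" to "describes" and the "OpenSearch REST API" qualifier are fine.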
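Review bot: in the `_security-analytics/sec-analytics-config/detectors-config.md` hunk, "automatically creates a composite monitor and triggers workflows for the Alerting plugin" reads as if the workflow runs at detector creation, while the next sentence says the monitor executes on a schedule derived from the detector's configuration; say that the detector creates a composite monitor and its workflow, so the two sentences agree. The section also names the setting that changes the behavior but does not say what disabling it does to monitors already generated for existing detectors, nor how to apply it; add a sentence on whether setting `plugins.security_analytics.enable_workflow_usage` to `false` affects existing workflows or only detectors created afterward, and show the `PUT _cluster/settings` request body for the setting (noting persistent versus transient), since the linked Cluster settings API page only lists the field. Given that the default causes every new detector to create a scheduled Alerting monitor, operators will want that to be explicit here rather than discovered after the fact.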