-
Notifications
You must be signed in to change notification settings - Fork 502
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add documentation for automatic Alerting workflows from detector creation #5003
Conversation
Signed-off-by: cwillum <[email protected]>
@eirsep I've created this PR for the new setting in doc issue #4999. Some outstanding questions:
Some of the language in the issue (e.g., "we don't support configuring triggers on group by based sigma rules") is confusing to me. Could you elaborate? |
@@ -144,6 +144,18 @@ To set up an alert for a detector, continue with the following steps: | |||
|
|||
1. Review the specifications for the detector and select **Create detector** in the lower-right corner of the screen. The detector details for the new detector are displayed. When you navigate to the main **Threat detectors** page, the new detector appears in the list. | |||
|
|||
### Integrated Alerting plugin workflows | |||
|
|||
By default, when you create a threat detector the system automatically triggers workflows for the Alerting plugin. The new threat detector generates an underlying composite monitor whose configuration is informed by the detection rules selected during creation of the new detector. The composite monitor executes according to the detector's schedule rather than the monitor's schedule. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the composite monitor derives it's schedule from the detector's configuration
Security analytics detectors create Alerting plugin monitors. Detectors' rules are converted in Alerting plugin monitors' search queries and scheduled according to configuration.
This setting is not made in opensearch.yml
This is an underlying implementation detail which customers are oblivious to.
We don't need to go into the detail in the public documentation about the motivation to have this setting because it would be confusing to customer whoc is abstracted to usage of Alerting plugin in Security Analytics. |
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
Signed-off-by: cwillum <[email protected]>
@eirsep Big thanks for looking over my questions. Very helpful. I've revised this PR to address your responses. Could you have a quick look to make sure everything makes sense? Thanks again. |
Signed-off-by: cwillum <[email protected]>
Moving this into Documentation team review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple small nits.
Signed-off-by: cwillum <[email protected]>
@Naarcha-AWS addressed nits. Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cwillum One comment and one change. Thanks!
Signed-off-by: cwillum <[email protected]>
…tion (#5003) * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> --------- Signed-off-by: cwillum <[email protected]>
…tion (opensearch-project#5003) * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> --------- Signed-off-by: cwillum <[email protected]>
…tion (#5003) * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> * fix#4999 auto alerting workflows Signed-off-by: cwillum <[email protected]> --------- Signed-off-by: cwillum <[email protected]>
Description
Documents the new setting
plugins.security_analytics.enable_workflow_usage
, which controls behavior for automatically generated Alerting plugin workflows when new detectors are created in Security Analytics.Issues Resolved
Fixes #4999
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.