
Add documentation for automatic Alerting workflows from detector creation #5003

Merged
merged 8 commits into from
Sep 19, 2023

Conversation

cwillum

@cwillum cwillum commented Sep 12, 2023

Description

Documents the new setting plugins.security_analytics.enable_workflow_usage, which controls behavior for automatically generated Alerting plugin workflows when new detectors are created in Security Analytics.

Issues Resolved

Fixes #4999

Checklist

  • By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and subject to the Developers Certificate of Origin.
    For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@cwillum cwillum added 2 - In progress Issue/PR: The issue or PR is in progress. alerting release-notes PR: Include this PR in the automated release notes security-analytics v2.10.0 labels Sep 12, 2023
@cwillum cwillum self-assigned this Sep 12, 2023
@cwillum

cwillum commented Sep 12, 2023

@eirsep I've created this PR for the new setting in doc issue #4999. Some outstanding questions:

  1. Need more description for what kind of composite monitor is created when a detector is created.
  2. What is the connection between the detection rules and the composite monitor configuration?
  3. Where is this setting made: in opensearch.yml?
  4. How is the composite monitor named, and where is it found/identified?

Some of the language in the issue (e.g., "we don't support configuring triggers on group by based sigma rules") is confusing to me. Could you elaborate?
Thanks.

@@ -144,6 +144,18 @@ To set up an alert for a detector, continue with the following steps:

1. Review the specifications for the detector and select **Create detector** in the lower-right corner of the screen. The detector details for the new detector are displayed. When you navigate to the main **Threat detectors** page, the new detector appears in the list.

### Integrated Alerting plugin workflows

By default, when you create a threat detector the system automatically triggers workflows for the Alerting plugin. The new threat detector generates an underlying composite monitor whose configuration is informed by the detection rules selected during creation of the new detector. The composite monitor executes according to the detector's schedule rather than the monitor's schedule.
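Review bot: the new "Integrated Alerting plugin workflows" section describes the default behaviour but never names the setting that controls it; the PR description gives it as `plugins.security_analytics.enable_workflow_usage`, and the tech review reply states it is changed through the cluster settings API rather than opensearch.yml, so a reader has no way to turn the behaviour off from this text alone. Suggest adding a sentence such as "This behavior is controlled by the `plugins.security_analytics.enable_workflow_usage` setting, which is updated through the cluster settings API." Also, the last sentence ("executes according to the detector's schedule rather than the monitor's schedule") reads as if the monitor had a competing schedule; the reviewer's wording "the composite monitor derives its schedule from the detector's configuration" is clearer.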
Review comment:

the composite monitor derives its schedule from the detector's configuration

@eirsep

eirsep commented Sep 14, 2023

@eirsep I've created this PR for the new setting in doc issue #4999. Some outstanding questions:

  1. Need more description for what kind of composite monitor is created when a detector is created.
  2. What is the connection between the detection rules and the composite monitor configuration?

Security analytics detectors create Alerting plugin monitors. Detectors' rules are converted into Alerting plugin monitors' search queries and scheduled according to configuration.

  3. Where is this setting made: in opensearch.yml?

This setting is not made in opensearch.yml.
It has to be updated via the cluster settings API.

  4. How is the composite monitor named, and where is it found/identified?

This is an underlying implementation detail which customers are oblivious to.

Some of the language in the issue (e.g., "we don't support configuring triggers on group by based sigma rules") is confusing to me. Could you elaborate? Thanks.

We don't need to go into detail in the public documentation about the motivation for having this setting, because it would be confusing to a customer who is abstracted from the usage of the Alerting plugin in Security Analytics.
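The reply above says the setting lives in cluster settings, not opensearch.yml. The following is an added example (not code from this PR or the OpenSearch project) of how an operator can verify the effective value of `plugins.security_analytics.enable_workflow_usage` and change it. It assumes the standard `_cluster/settings` endpoint with `flat_settings=true&include_defaults=true`, the usual precedence (transient over persistent over defaults), that the setting is a boolean whose default enables the workflows (as the PR text states), and a hypothetical `base_url`; the sample response is constructed.

```python
"""Audit and update plugins.security_analytics.enable_workflow_usage via the cluster settings API."""
import json
import urllib.request

SETTING = "plugins.security_analytics.enable_workflow_usage"

# Constructed sample of GET {base_url}/_cluster/settings?flat_settings=true&include_defaults=true
# (flat_settings returns dotted keys with string values). Here an operator has
# persistently disabled the automatic workflows while the default is still "true".
SAMPLE_RESPONSE = {
    "persistent": {SETTING: "false"},
    "transient": {},
    "defaults": {SETTING: "true", "cluster.name": "opensearch"},
}


def effective_setting(settings_response, key=SETTING):
    """Resolve the value the cluster actually applies and the scope it came from.

    Assumed precedence: transient overrides persistent, which overrides defaults.
    Returns (value, scope) or (None, None) when the key is absent everywhere."""
    for scope in ("transient", "persistent", "defaults"):
        value = settings_response.get(scope, {}).get(key)
        if value is not None:
            return value, scope
    return None, None


def workflows_enabled(settings_response):
    """True when detectors will auto-create Alerting workflows. An absent key
    means the default applies, which the PR describes as enabled."""
    value, _ = effective_setting(settings_response)
    return value is None or str(value).lower() == "true"


def update_body(enabled, persistent=True):
    """Build the PUT _cluster/settings body; persistent survives a full cluster restart."""
    scope = "persistent" if persistent else "transient"
    return {scope: {SETTING: bool(enabled)}}


def put_cluster_setting(base_url, enabled, persistent=True):
    """Apply the setting against a live cluster (hypothetical base_url, e.g. https://host:9200)."""
    req = urllib.request.Request(
        f"{base_url}/_cluster/settings",
        data=json.dumps(update_body(enabled, persistent)).encode(),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

`put_cluster_setting` needs a reachable cluster and whatever authentication your deployment requires; the other functions work on a saved settings response.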

@hdhalter hdhalter added 3 - Tech review PR: Tech review in progress and removed 2 - In progress Issue/PR: The issue or PR is in progress. labels Sep 14, 2023
@cwillum

cwillum commented Sep 15, 2023

@eirsep Big thanks for looking over my questions. Very helpful. I've revised this PR to address your responses. Could you have a quick look to make sure everything makes sense? Thanks again.

@cwillum cwillum added 4 - Doc review PR: Doc review in progress and removed 3 - Tech review PR: Tech review in progress labels Sep 18, 2023
@cwillum

cwillum commented Sep 18, 2023

Moving this into Documentation team review.


@Naarcha-AWS Naarcha-AWS left a comment

A couple small nits.

@cwillum

cwillum commented Sep 18, 2023

@Naarcha-AWS addressed nits. Thanks.
Moving this into editorial review.

@cwillum cwillum added 5 - Editorial review PR: Editorial review in progress and removed 4 - Doc review PR: Doc review in progress labels Sep 18, 2023

@natebower natebower left a comment


@cwillum One comment and one change. Thanks!

_observing-your-data/alerting/composite-monitors.md (review comment, outdated and resolved)
@cwillum cwillum merged commit e74831d into main Sep 19, 2023
4 checks passed
@cwillum cwillum added 3 - Done Issue is done/complete and removed 5 - Editorial review PR: Editorial review in progress labels Sep 19, 2023
vagimeli pushed a commit that referenced this pull request Sep 19, 2023
…tion (#5003)

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <[email protected]>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <[email protected]>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <[email protected]>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <[email protected]>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <[email protected]>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <[email protected]>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <[email protected]>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <[email protected]>

---------

Signed-off-by: cwillum <[email protected]>
vagimeli added a commit that referenced this pull request Sep 19, 2023
harshavamsi pushed a commit to harshavamsi/documentation-website that referenced this pull request Oct 31, 2023
…tion (opensearch-project#5003)
vagimeli pushed a commit that referenced this pull request Dec 21, 2023
…tion (#5003)
@hdhalter hdhalter deleted the fix#4999-detector-alert-workflow branch March 28, 2024 21:46
Labels
3 - Done Issue is done/complete alerting release-notes PR: Include this PR in the automated release notes security-analytics v2.10.0
Development

Successfully merging this pull request may close these issues.

[DOC] New setting added in security analytics plugin
5 participants