
[Rule Tuning] Multiple rules with excessively high max_signals value #4281

@tttttx2



Link to Rule

No response

Rule Tuning Type

None

Description

According to the Kibana documentation, a setting higher than 1000 for 'xpack.alerting.rules.run.alerts.max' is "not recommended or supported".

There are multiple rules where the "max_signals" value is greater than this global limit, thus throwing warnings during the execution of those rules. Maybe consider reducing the max_signals on the affected rules down to 1000 - I assume this was a simple oversight during the rule creation where somebody accidentally put one zero too many.

At a first glance, this seems to affect at least the following rules:

```json
[
  {
    "name": "Malware - Detected - Elastic Endgame",
    "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de"
  },
  {
    "name": "Rapid7 Threat Command CVEs Correlation",
    "rule_id": "3a657da0-1df2-11ef-a327-f661ea17fbcc"
  },
  {
    "name": "Malware - Prevented - Elastic Endgame",
    "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895"
  },
  {
    "name": "Container Workload Protection",
    "rule_id": "4b4e9c99-27ea-4621-95c8-82341bc6e512"
  },
  {
    "name": "Ransomware - Detected - Elastic Endgame",
    "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
  },
  {
    "name": "Endpoint Security",
    "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
  },
  {
    "name": "Adversary Behavior - Detected - Elastic Endgame",
    "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69"
  },
  {
    "name": "Process Injection - Detected - Elastic Endgame",
    "rule_id": "80c52164-c82a-402c-9964-852533d58be1"
  },
  {
    "name": "Permission Theft - Prevented - Elastic Endgame",
    "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b"
  },
  {
    "name": "Credential Dumping - Detected - Elastic Endgame",
    "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e"
  },
  {
    "name": "Exploit - Detected - Elastic Endgame",
    "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
  },
  {
    "name": "Exploit - Prevented - Elastic Endgame",
    "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
  },
  {
    "name": "Process Injection - Prevented - Elastic Endgame",
    "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
  },
  {
    "name": "Credential Manipulation - Detected - Elastic Endgame",
    "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f"
  },
  {
    "name": "Credential Manipulation - Prevented - Elastic Endgame",
    "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
  },
  {
    "name": "Permission Theft - Detected - Elastic Endgame",
    "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3"
  },
  {
    "name": "Credential Dumping - Prevented - Elastic Endgame",
    "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
  },
  {
    "name": "Ransomware - Prevented - Elastic Endgame",
    "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
  },
  {
    "name": "External Alerts",
    "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa"
  }
]
```

Example Data

No response
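As an added example (not code from the issue or from the detection-rules project), a Python check that reads a Kibana rule export in ndjson form and reports every rule whose max_signals exceeds the 1000-alert cap the issue cites. The sample export, the 10000 values in it, the trailing summary line and the default of 100 when max_signals is absent are all constructed assumptions.

```python
import json

# Ceiling for xpack.alerting.rules.run.alerts.max that the issue quotes from the
# Kibana documentation; a larger value is "not recommended or supported".
ALERTS_MAX = 1000
# Assumed default max_signals for a detection rule that omits the field.
DEFAULT_MAX_SIGNALS = 100


def find_oversized_rules(ndjson_text: str, alerts_max: int = ALERTS_MAX) -> list[dict]:
    """Return the rules whose max_signals is larger than the per-run alert cap.

    ndjson_text holds one JSON object per line, as in a Kibana rule export.
    Lines without a rule_id (for example the export summary line) are skipped,
    so the same text can be fed in unmodified.
    """
    findings = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "rule_id" not in obj:
            continue
        max_signals = int(obj.get("max_signals", DEFAULT_MAX_SIGNALS))
        if max_signals > alerts_max:
            findings.append({
                "name": obj.get("name"),
                "rule_id": obj["rule_id"],
                "max_signals": max_signals,
                "effective_cap": alerts_max,  # what Kibana will actually enforce
            })
    return findings


# Constructed sample export: two rules named in the issue with an oversized
# max_signals, one rule at the cap, one rule relying on the default, and a
# summary line of the kind an export appends (constructed, not a real export).
SAMPLE_EXPORT = "\n".join([
    json.dumps({"name": "Endpoint Security", "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", "max_signals": 10000}),
    json.dumps({"name": "External Alerts", "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", "max_signals": 10000}),
    json.dumps({"name": "Rule At Cap", "rule_id": "00000000-0000-0000-0000-000000000000", "max_signals": 1000}),
    json.dumps({"name": "Rule With Default", "rule_id": "11111111-1111-1111-1111-111111111111"}),
    json.dumps({"exported_count": 4, "missing_rules": []}),
])

if __name__ == "__main__":
    for f in find_oversized_rules(SAMPLE_EXPORT):
        print(f"{f['rule_id']}  {f['name']!r}: max_signals={f['max_signals']} > cap {f['effective_cap']}")
```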
