Description
Since near inception of the detection engine, we have had some form of "automated" gap remediation in that we attempt to cover up to 4 times the rule interval if we find that there is a time period that was not searched since the rule last ran. While we are working on true automated gap remediation, users have been confused to find the rule run or cover a longer span than they expected. We would like to update https://www.elastic.co/docs/solutions/security/detect-and-alert/monitor-rule-executions#gaps-table to include a snippet about how things work at this time.
Suggested text:
The Detection Engine in Kibana includes built-in remediation logic that automatically extends a rule’s execution window—up to 4x the scheduled interval. This ensures that short-term scheduling delays are absorbed and all relevant events are still processed. However, this mechanism does not address longer outages, systematic scheduling issues, or scenarios where rules need to backfill for extended periods of missed execution.
Resources
This feature was implemented many years ago. It's not surfaced to the user in any UX.
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
What release is this request related to?
8.17+
Serverless release
Collaboration model
The engineering team
Point of contact
Main contact: @yctercero
Stakeholders: @approksiu
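The following is an added illustration of the catch-up behaviour the issue describes (widening the search window by whole rule intervals, capped at 4x the interval, so that short scheduling delays are absorbed while longer outages leave an unsearched remainder). It is not Kibana's code and is not taken from the linked documentation: the type and function names, the separate look-back parameter, and the exact way the window is widened backwards are assumptions made for this example; only the 4x cap comes from the issue text. The scenarios at the bottom are constructed.

```typescript
// Added illustration of the catch-up behaviour described in the issue.
// NOT Kibana's code: names, types and the way the window is widened are
// assumptions. Only the 4x cap is taken from the issue text.

const MAX_CATCHUP_INTERVALS = 4; // "up to 4 times the rule interval"
const MINUTE_MS = 60_000;

interface RuleSchedule {
  intervalMs: number; // how often the rule is scheduled to run
  lookbackMs: number; // extra look-back applied to every run (assumed parameter)
}

interface RunContext {
  previousStartedAt: number | null; // epoch ms of the last execution; null on the first run
  startedAt: number; // epoch ms of this execution
}

interface SearchPlan {
  from: number; // start of the window actually searched on this run
  to: number; // end of the window (this run's start time)
  gapMs: number; // time since the last run that the normal window does not cover
  catchupIntervals: number; // whole intervals added to the window, capped
  remainingGapMs: number; // part of the gap left unsearched once the cap is hit
}

// Widen the normal [startedAt - interval - lookback, startedAt] window backwards by
// whole intervals until the gap is covered, but never by more than MAX_CATCHUP_INTERVALS.
function planSearchWindow(schedule: RuleSchedule, run: RunContext): SearchPlan {
  const normalWindowMs = schedule.intervalMs + schedule.lookbackMs;
  const to = run.startedAt;
  const normalFrom = to - normalWindowMs;

  if (run.previousStartedAt === null) {
    // First execution: there is no previous run to catch up on.
    return { from: normalFrom, to, gapMs: 0, catchupIntervals: 0, remainingGapMs: 0 };
  }

  // Time elapsed since the previous run beyond what the normal window already absorbs.
  const elapsedMs = run.startedAt - run.previousStartedAt;
  const gapMs = Math.max(0, elapsedMs - normalWindowMs);

  const neededIntervals = Math.ceil(gapMs / schedule.intervalMs);
  const catchupIntervals = Math.min(neededIntervals, MAX_CATCHUP_INTERVALS);
  const coveredMs = catchupIntervals * schedule.intervalMs;
  const remainingGapMs = Math.max(0, gapMs - coveredMs);

  return { from: normalFrom - coveredMs, to, gapMs, catchupIntervals, remainingGapMs };
}

// Constructed scenarios: a 5-minute rule with a 1-minute look-back.
const schedule: RuleSchedule = { intervalMs: 5 * MINUTE_MS, lookbackMs: 1 * MINUTE_MS };
const now = Date.UTC(2024, 0, 1, 12, 0, 0);

// On schedule: the window stays at interval + look-back (6 minutes).
const onTime = planSearchWindow(schedule, { previousStartedAt: now - 5 * MINUTE_MS, startedAt: now });
// 12 minutes late (17 minutes since the last run): 3 extra intervals, gap fully covered.
const late = planSearchWindow(schedule, { previousStartedAt: now - 17 * MINUTE_MS, startedAt: now });
// Two-hour outage: capped at 4 extra intervals, most of the gap stays unsearched.
const outage = planSearchWindow(schedule, { previousStartedAt: now - 120 * MINUTE_MS, startedAt: now });

for (const [label, plan] of Object.entries({ onTime, late, outage })) {
  console.log(
    `${label}: searched ${(plan.to - plan.from) / MINUTE_MS} min, ` +
      `catch-up intervals ${plan.catchupIntervals}, unsearched ${plan.remainingGapMs / MINUTE_MS} min`
  );
}
```

The third scenario is the case the suggested documentation text warns about: after a two-hour outage the run covers only 26 minutes (6 minutes of normal window plus four 5-minute intervals), and 94 minutes are never searched by this mechanism.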