-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SIEM] [Detections] Gap detection mitigation and remediation summary #63290
Comments
Pinging @elastic/siem (Team:SIEM) |
@spong @dhurley14 In many organizations, data is often encountered with a delay. Now in some severe cases, it could be as large as a couple of days. But mostly, it is limited to an hour or two. An approach to solve this would be to break the detection process in two parts:
Batch Detection
Near Real-Time detection
|
#68339 closed this. |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Gap detection and remediation workflow
As it currently stands, rules flow backwards in time when looking for events to generate signals from. Rules look at events from "now" back to some duration in the past which is determined by the interval they run at plus some optional look-back time. The look-back time is there to optionally capture events that the rule might have already analyzed in case the rule is not started at a consistent interval. This design allows analysts to consistently have a view of the "newest" events but can allow events that might have triggered signal generation to slip by if that rule fails to start at a reliable interval.
Given this, there are a few proposals for solutions from a query perspective and from a user experience perspective that would help document when these situations occur and possibly remediate / mitigate.
From our discussion there are ways to mix some of these solutions together, but for now I will just list them as-is and we can determine how best to mix them in further conversations.
interval
or until we hit max signals. With this, now we can be certain we won't have gaps from a historical perspective. This has the problem of continually trying to "catch up" to new events. We will be "behind" in processing new events and may forever be trying to play catch up.edit: Adding fifth option we discussed - some form of sampling with acknowledgement there will be "gaps" that we generally control.
The text was updated successfully, but these errors were encountered: