[Security Solution][Alerts] Warn users when rule interval is larger than time range searched #154963
Labels: consider-next, enhancement, Feature:Detection Alerts, sdh-linked, Team:Detection Engine, v8.8.0
Currently it's possible to specify arbitrary values for `to`, `from`, and `interval` in the detection rules APIs. This can lead to scenarios where the difference between `to` and `from` is smaller than the rule interval and some time periods will not be searched by the rule. For example, if we have a 5 minute interval with `from` and `to` only 2 minutes apart, then the rule searches a 2 minute time period every 5 minutes. This leaves 3 out of every 5 minutes un-searched. We should add additional validation in rule APIs and/or runtime checks at rule execution time to prevent/warn users about misconfigurations like this.
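The following is an added example of the kind of runtime check the issue asks for; it is not Kibana code. It assumes a small subset of Kibana-style date math (`now` or `now-<n><unit>` for `from`/`to`, `<n><unit>` for `interval`, units s/m/h/d) and reports how much of each interval a rule never searches, while also rejecting a `from` that is not earlier than `to`. The function names `parseDuration`, `parseRelativeToNow` and `checkRuleCoverage` are hypothetical.

```typescript
// Added example, not part of Kibana: a coverage check for rule `from`, `to`
// and `interval`. Assumes (for this example only) the date-math subset
// "now" / "now-<n><unit>" and durations "<n><unit>" with units s, m, h, d.

const UNIT_MS: Record<string, number> = {
  s: 1000,
  m: 60 * 1000,
  h: 60 * 60 * 1000,
  d: 24 * 60 * 60 * 1000,
};

/** Parse a duration such as "5m" or "90s" into milliseconds. */
function parseDuration(value: string): number {
  const match = /^(\d+)([smhd])$/.exec(value.trim());
  if (!match) {
    throw new Error(`Unsupported duration (example handles <n><s|m|h|d>): ${value}`);
  }
  return Number(match[1]) * UNIT_MS[match[2]];
}

/**
 * Parse "now" or "now-<duration>" into an offset in milliseconds relative
 * to the moment the rule runs. Zero means "now", negative means the past.
 */
function parseRelativeToNow(value: string): number {
  const trimmed = value.trim();
  if (trimmed === 'now') {
    return 0;
  }
  const match = /^now-(\d+[smhd])$/.exec(trimmed);
  if (!match) {
    throw new Error(`Unsupported date math (example handles now and now-<duration>): ${value}`);
  }
  return -parseDuration(match[1]);
}

interface CoverageCheck {
  searchedMs: number;   // width of the window each execution actually searches
  intervalMs: number;   // time between executions
  unsearchedMs: number; // part of each interval that no execution looks at (0 when covered)
  warning?: string;     // present only when the rule leaves gaps
}

/** Compare the searched window with the execution interval and flag gaps. */
function checkRuleCoverage(params: { from: string; to: string; interval: string }): CoverageCheck {
  const fromOffset = parseRelativeToNow(params.from);
  const toOffset = parseRelativeToNow(params.to);
  const intervalMs = parseDuration(params.interval);

  const searchedMs = toOffset - fromOffset;
  if (searchedMs <= 0) {
    // A window of zero or negative width would never match anything.
    throw new Error(`"from" (${params.from}) must be earlier than "to" (${params.to})`);
  }

  // Gap per interval: the part of the interval that falls outside the window.
  // A window wider than the interval (a look-back) overlaps and is fine.
  const unsearchedMs = Math.max(0, intervalMs - searchedMs);
  const result: CoverageCheck = { searchedMs, intervalMs, unsearchedMs };
  if (unsearchedMs > 0) {
    result.warning =
      `Rule runs every ${params.interval} but searches only ${params.from} to ${params.to}; ` +
      `${unsearchedMs / 1000}s of every ${intervalMs / 1000}s will never be searched.`;
  }
  return result;
}

// Constructed inputs: the misconfiguration from the issue, and a covered rule.
const gapRule = checkRuleCoverage({ from: 'now-2m', to: 'now', interval: '5m' });
const coveredRule = checkRuleCoverage({ from: 'now-6m', to: 'now', interval: '5m' });
console.log(gapRule.warning ?? 'covered');
console.log(coveredRule.warning ?? 'covered');
```

The same comparison can run at API validation time (reject or warn when `unsearchedMs > 0`) and again at execution time, since rule updates may change `interval` without touching `from`.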
Related Issues
`to` value on rule details page #154967