Cross-cluster search support for security analytics plugin
What solution would you like?
Currently there is no support for cross-cluster search in the security analytics plugin. If anyone uses cross-cluster (remote clusters) to store data, the security analytics plugin is of no use. The solution needs to have cross-cluster data (indexes) to search from in the data sources, and a specific node for security analytics so that it doesn't overload the other nodes and crash OpenSearch. The cross-cluster support feature needs to be stable enough to handle all the Sigma rules without crashing OpenSearch.
Alerts should have a suppression option, i.e. to notify only once when n alerts were triggered for a specific rule within a specified time frame. Example: notify a channel/email only once for alert_1, which was detected 500 times in the last 15 minutes. The dashboard should show the total count, but the email/notification should be sent only once.
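The suppression behaviour requested above, sketched as an added Python example (not code from the security analytics plugin or the issue author): every detection is counted for the dashboard, but a notification fires at most once per rule per time window. The `threshold` parameter is an assumption covering the "n alerts" reading of the request; `simulate()` replays the 500-hits-in-15-minutes scenario with constructed timestamps.

```python
from dataclasses import dataclass


@dataclass
class _Window:
    start: float       # epoch seconds when this per-rule window opened
    count: int = 0     # detections seen inside this window
    notified: bool = False


class AlertSuppressor:
    """Per-rule notification throttle (constructed example, not the plugin's code).

    Every detection increments the rule's total (what a dashboard would show), but a
    notification is sent at most once per window of `window_seconds`, and only once the
    in-window count reaches `threshold` (threshold=1 means "notify on the first hit").
    """

    def __init__(self, window_seconds: float, threshold: int = 1) -> None:
        self.window_seconds = window_seconds
        self.threshold = threshold
        self.totals: dict[str, int] = {}
        self._windows: dict[str, _Window] = {}

    def record(self, rule_id: str, ts: float) -> bool:
        """Record one detection of rule_id at time ts; return True iff a notification is due."""
        self.totals[rule_id] = self.totals.get(rule_id, 0) + 1
        w = self._windows.get(rule_id)
        if w is None or ts - w.start >= self.window_seconds:
            w = _Window(start=ts)          # open a fresh window; suppression resets
            self._windows[rule_id] = w
        w.count += 1
        if not w.notified and w.count >= self.threshold:
            w.notified = True
            return True
        return False


def simulate() -> dict[str, int]:
    """Constructed scenario: 500 hits of alert_1 inside 15 minutes, alert_2 twice in between,
    then one more alert_1 hit after the window has expired. Returns notified/total counts."""
    s = AlertSuppressor(window_seconds=15 * 60)
    notified = {"alert_1": 0, "alert_2": 0}
    t0 = 1_700_000_000.0
    for i in range(500):                        # 500 detections spread over ~14 minutes
        if s.record("alert_1", t0 + i * 1.68):
            notified["alert_1"] += 1
    for ts in (t0 + 60, t0 + 120):
        if s.record("alert_2", ts):
            notified["alert_2"] += 1
    if s.record("alert_1", t0 + 16 * 60):       # outside the first window: notify again
        notified["alert_1"] += 1
    return {"alert_1_notified": notified["alert_1"], "alert_1_total": s.totals["alert_1"],
            "alert_2_notified": notified["alert_2"], "alert_2_total": s.totals["alert_2"]}
```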