Detection rulesedit

This topic covers common troubleshooting issues when creating or managing detection rules.

Machine learning rulesedit

Machine learning rule is failing and a required machine learning job is stopped

If a machine learning rule is failing, check to make sure the required machine learning jobs are running and start any jobs that have stopped.

  1. Go to ManageRules, then select the machine learning rule. The required machine learning jobs and their statuses are listed in the Definition section.

    rules ts ml job stopped
  2. If a required machine learning job isn’t running, select ML job settings in the upper-right corner of the page, then search for the machine learning job.
  3. Turn on the Run job switch for the required machine learning job.

    rules ts start ml job
  4. Rerun the machine learning detection rule.

Indicator match rulesedit

Rules are failing due to number of alerts

If you receive the following rule failure: "Bulk Indexing of signals failed: [parent] Data too large", this indicates that the alerts payload was too large to process.

This can be caused by bad indicator data, a misconfigured rule, or too many event matches. Review your indicator data or rule query. If nothing obvious is misconfigured, try executing the rule against a subset of the original data and continue diagnosis.

Indicator match rules are timing out

If you receive the following rule failure: "An error occurred during rule execution: message: "Request Timeout after 90000ms", this indicates that the query phase is timing out. Try refining the time frame or dividing the data defined in the query into multiple rules.

Indicator match rules are failing because the maxClauseCount limit is too low

If you receive the following rule failure: Bulk Indexing of signals failed: index: ".index-name" reason: "maxClauseCount is set to 1024" type: "too_many_clauses", this indicates that the limit for the total number of clauses that a query tree can have is too low. To update your maximum clause count, increase the size of your Elasticsearch JVM heap memory. 1 GB of Elasticsearch JVM heap size or more is sufficient.

General slowness

If you notice rule delays, review the suggestions above to troubleshoot, and also consider limiting the number of rules that run simultaneously, as this can cause noticeable performance implications in Kibana.