Add documentation for automatic Alerting workflows from detector creation (#5003)

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <cwmmoore@amazon.com>

* fix#4999 auto alerting workflows

Signed-off-by: cwillum <cwmmoore@amazon.com>

---------

Signed-off-by: cwillum <cwmmoore@amazon.com>
Chris Moore 2023-09-19 14:45:37 -07:00 committed by GitHub
parent dde7c02b8d
commit e74831d6e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 2 deletions


@ -60,7 +60,8 @@ Not all cluster settings can be updated using the cluster settings API. You will
The following request field parameters are compatible with the cluster API. The following request field parameters are compatible with the cluster API.
| Field | Data type | Description | | Field | Data type | Description |
:--- | :--- | :--- | :--- | :--- | :--- |
| plugins.security_analytics.enable_workflow_usage | Boolean | Supports Alerting plugin workflow integration with Security Analytics. Determines whether composite monitor workflows are generated for the Alerting plugin after creating a new threat detector in Security Analytics. By default, the setting is `true`. <br> <br> When set to `true`, composite monitor workflows based on an associated threat detector's configuration are enabled. When set to `false`, composite monitor workflows based on an associated threat detector's configuration are disabled. <br> <br> For more information about Alerting plugin workflow integration with Security Analytics, see [Integrated Alerting plugin workflows]({{site.url}}{{site.baseurl}}/security-analytics/sec-analytics-config/detectors-config/#integrated-alerting-plugin-workflows). |
| action.auto_create_index | Boolean | Automatically creates an index if the index doesn't already exist. Also applies any index templates that are configured. Default is `true`. | | action.auto_create_index | Boolean | Automatically creates an index if the index doesn't already exist. Also applies any index templates that are configured. Default is `true`. |
| action.destructive_requires_name | Boolean | When set to `true`, you must specify the index name to delete an index. You cannot delete all indexes or use wildcards. Default is `true`. | | action.destructive_requires_name | Boolean | When set to `true`, you must specify the index name to delete an index. You cannot delete all indexes or use wildcards. Default is `true`. |
| cluster.indices.close.enable | Boolean | Enables closing of open indexes in OpenSearch. Default is `true`. | | cluster.indices.close.enable | Boolean | Enables closing of open indexes in OpenSearch. Default is `true`. |
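Review bot: the new `plugins.security_analytics.enable_workflow_usage` row is inserted ahead of `action.auto_create_index`, which breaks the table's alphabetical order (`action.*`, then `cluster.*`); move the row to its alphabetical position. The description also states the same thing three times ("Determines whether composite monitor workflows are generated ...", then "When set to `true`, ... are enabled. When set to `false`, ... are disabled."); collapse it to one statement, for example: "When `true` (default), creating a threat detector in Security Analytics also creates a composite monitor workflow in the Alerting plugin. When `false`, no workflow is created." The row should also say whether changing the setting affects workflows already generated for existing detectors, since the current wording only covers "creating a new threat detector".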


@ -63,7 +63,7 @@ In this simple example, the first monitor could be a per document monitor config
## Managing composite monitors with the API ## Managing composite monitors with the API
You can manage composite monitors using the REST API or OpenSearch Dashboards. This section covers API functionality for composite monitors. You can manage composite monitors using the OpenSearch REST API or [OpenSearch Dashboards](#creating-composite-monitors-in-opensearch-dashboards). This section describes API functionality for composite monitors.
### Create composite monitor ### Create composite monitor
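Review bot: the new link target `#creating-composite-monitors-in-opensearch-dashboards` is not visible in this hunk; confirm that this file has a heading whose generated slug matches exactly, otherwise the anchor renders as a link to the top of the page without any build error.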


@ -144,6 +144,14 @@ To set up an alert for a detector, continue with the following steps:
1. Review the specifications for the detector and select **Create detector** in the lower-right corner of the screen. The detector details for the new detector are displayed. When you navigate to the main **Threat detectors** page, the new detector appears in the list. 1. Review the specifications for the detector and select **Create detector** in the lower-right corner of the screen. The detector details for the new detector are displayed. When you navigate to the main **Threat detectors** page, the new detector appears in the list.
## Integrated Alerting plugin workflows
By default, when you create a threat detector, the system automatically creates a composite monitor and triggers workflows for the Alerting plugin. The detector's rules are converted into search queries for the Alerting plugin monitor, and the monitor executes its queries according to a schedule derived from the detector's configuration.
You can change the behavior of automatically generated composite monitors by enabling or disabling the workflow functionality with the `plugins.security_analytics.enable_workflow_usage` setting. This setting is defined using the [Cluster settings API]({{site.url}}{{site.baseurl}}/api-reference/cluster-api/cluster-settings/).
For more information about composite monitors and their workflows, see [Composite monitors]({{site.url}}{{site.baseurl}}/observing-your-data/alerting/composite-monitors/).
--- ---
## What's next ## What's next
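Review bot: "automatically creates a composite monitor and triggers workflows for the Alerting plugin" is unclear about what is actually created; the cluster settings row added in this same PR says a composite monitor workflow is generated, so use that wording here ("creates a composite monitor workflow in the Alerting plugin") instead of "triggers workflows". In the second paragraph, "change the behavior of automatically generated composite monitors" overstates what the setting does: per the cluster settings row it only controls whether a workflow is generated when a detector is created, so say that directly and show the request, for example a `PUT _cluster/settings` call with `plugins.security_analytics.enable_workflow_usage` set to `false` in the `persistent` block. Finally, the section does not say what happens to the generated workflow when the detector is edited or deleted; if that behavior is defined, document it, since readers will otherwise not know whether to edit the generated monitor directly or the detector.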