[Security Solution][Detection Engine] Investigate ways to bound memory usage of rule queries #192732

Open

Description

Parent issue: https://github.com/elastic/security-team/issues/10106

Detection rules typically fetch 100 source documents at a time and transform them into alerts. When those source documents are large, this puts significant memory pressure on both Elasticsearch and Kibana; if they are large enough, Elasticsearch and/or Kibana can run out of memory and crash. We should investigate ways to limit the total amount of data retrieved at one time so that a single batch cannot cause an OOM.
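One shape such a bound could take, as an added illustration rather than Kibana's or Elasticsearch's own code: page through hits with `search_after`, but derive the next page size from a byte budget and the observed size of the hits already seen, so a run of oversized documents shrinks the batch instead of loading 100 of them at once. The search function signature, the JSON-length byte estimate and the in-memory index are all constructed assumptions.

```typescript
// Added illustration (not Kibana or Elasticsearch code): size each search page by a
// byte budget instead of a fixed 100 hits. Search shape and byte estimate are assumed.
type SourceDoc = { _id: string; _source: Record<string, unknown> };
type SearchFn = (size: number, searchAfter?: string) => SourceDoc[];

const MAX_PAGE_SIZE = 100; // the fixed batch size the issue describes

// Rough in-memory footprint of a hit: its serialized JSON length (assumption).
function estimateBytes(doc: SourceDoc): number {
  return JSON.stringify(doc).length;
}

// Largest page such that avgDocBytes * size stays within budgetBytes, clamped to [1, 100].
function nextPageSize(avgDocBytes: number, budgetBytes: number): number {
  if (avgDocBytes <= 0) return MAX_PAGE_SIZE;
  const fit = Math.floor(budgetBytes / avgDocBytes);
  return Math.max(1, Math.min(MAX_PAGE_SIZE, fit));
}

// Page through all hits with search_after, shrinking the page once real document
// sizes are observed. Also returns the page sizes requested, for inspection.
function fetchWithinBudget(search: SearchFn, budgetBytes: number): { docs: SourceDoc[]; pageSizes: number[] } {
  const docs: SourceDoc[] = [];
  const pageSizes: number[] = [];
  let size = MAX_PAGE_SIZE;
  let after: string | undefined;
  for (;;) {
    const requested = size;
    const page = search(requested, after);
    if (page.length === 0) break;
    pageSizes.push(requested);
    docs.push(...page);
    after = page[page.length - 1]._id;
    const avg = page.reduce((n, d) => n + estimateBytes(d), 0) / page.length;
    size = nextPageSize(avg, budgetBytes); // next page fits the budget
    if (page.length < requested) break; // short page: no more hits
  }
  return { docs, pageSizes };
}

// Constructed stand-in for an index: 250 hits of about 2 KB each, sorted by _id.
const INDEX: SourceDoc[] = [];
for (let i = 0; i < 250; i++) {
  INDEX.push({ _id: `doc-${1000 + i}`, _source: { 'host.name': `host-${i % 7}`, message: new Array(2001).join('x') } });
}
const fakeSearch: SearchFn = (size, searchAfter) => {
  let start = 0;
  while (searchAfter && start < INDEX.length && INDEX[start]._id <= searchAfter) start++;
  return INDEX.slice(start, start + size);
};
```

With a 64 KiB budget the first page is the usual 100 hits; once the ~2 KB document size is observed, every later page is capped at 31 hits.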
