Description
This docs issue is for adding a section to the Upgrade Elastic Security docs that details the expected behavior of rule execution during the downtime that may occur during an upgrade, specifically with regard to managing gaps and missed alerts caused by that downtime.
Currently, as detailed in elastic/kibana#68339, the system is set up to remediate gaps in rule execution by performing up to a 4x lookback of the rule's configured interval. So if the deployment has rules configured to run every 10 minutes and there was 30 min of downtime for the upgrade, the rules will 'self recover' and ensure there was no gap during the upgrade. However, if there were 45 min of downtime, this could result in a ~5 min window of gaps for those rules, and the user will have to remediate manually by increasing the lookback to cover that period of time (perhaps some crossover with the managing gaps docs).
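To make the arithmetic above concrete for a whole deployment, here is an added example (not code from Kibana or from this issue) that applies the 4x-lookback rule stated above to a set of rule intervals and a constructed downtime window, and reports which rules self-recover and which are left with an uncovered window that needs a manual lookback increase. The `Rule` and `GapReport` types, the sample intervals and the timestamps are assumptions made for the example; the 4x multiplier is the value the issue describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Lookback multiplier applied on the first run after downtime, per the issue text
# (elastic/kibana#68339): a rule looks back up to 4x its configured interval.
GAP_LOOKBACK_MULTIPLIER = 4


@dataclass(frozen=True)
class Rule:
    """Hypothetical minimal rule model: a name and its configured run interval."""
    name: str
    interval: timedelta


@dataclass(frozen=True)
class GapReport:
    """Result of checking one rule against one downtime window."""
    rule: str
    covered: timedelta             # how far back the first post-upgrade run looks
    gap: timedelta                 # uncovered duration; zero means the rule self-recovered
    gap_start: Optional[datetime]  # earliest event time not covered by any run
    gap_end: Optional[datetime]    # latest uncovered event time
    lookback_needed: timedelta     # lookback that would have covered the whole downtime


def expected_gap(rule: Rule, downtime_start: datetime, downtime_end: datetime,
                 multiplier: int = GAP_LOOKBACK_MULTIPLIER) -> GapReport:
    """Model the self-recovery lookback and return any window it leaves uncovered.

    Assumes the last pre-upgrade run covered events up to downtime_start and the
    first post-upgrade run starts at downtime_end and looks back `covered`.
    """
    downtime = downtime_end - downtime_start
    covered = rule.interval * multiplier
    gap = max(timedelta(0), downtime - covered)
    if gap == timedelta(0):
        return GapReport(rule.name, covered, gap, None, None, covered)
    # Events from downtime_start up to (downtime_end - covered) were never queried.
    return GapReport(rule.name, covered, gap,
                     downtime_start, downtime_end - covered, downtime)


def rules_with_gaps(rules: List[Rule], downtime_start: datetime,
                    downtime_end: datetime) -> List[GapReport]:
    """Return reports only for rules that did not self-recover."""
    reports = [expected_gap(r, downtime_start, downtime_end) for r in rules]
    return [r for r in reports if r.gap > timedelta(0)]


if __name__ == "__main__":
    # Constructed sample: three rules and a 45-minute upgrade window.
    sample_rules = [
        Rule("every-10m", timedelta(minutes=10)),
        Rule("every-5m", timedelta(minutes=5)),
        Rule("hourly", timedelta(hours=1)),
    ]
    start = datetime(2024, 1, 1, 10, 0)
    end = start + timedelta(minutes=45)
    for report in rules_with_gaps(sample_rules, start, end):
        print(f"{report.rule}: uncovered {report.gap} "
              f"({report.gap_start} -> {report.gap_end}); "
              f"raise lookback to at least {report.lookback_needed}")
```

With the constructed sample, the 10-minute rule shows the ~5 min gap described above (40 min covered out of 45), the 5-minute rule is left with 25 min uncovered, and the hourly rule recovers on its own. The `lookback_needed` field is the total downtime, which is the lookback a user would set to close the gap before re-running the rule.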
Acceptance Test Criteria
As a user, I should be able to understand what happens to enabled and executing rules during an upgrade, whether there is any concern about missed alerts, and how I would go about remediating any gaps that may have occurred during the upgrade.
Notes
Please see the above issue or ping the @elastic/security-detections-response-alerts folks for the most up-to-date information here.