[Security Solution] Give user the ability to cancel a long running rule execution #93740
Labels: consider-next, dependencies, enhancement, Feature:Rule Management, needs design, sdh-linked, Team:Detection Engine, Team:Detections and Resp, Team: SecuritySolution, Theme: simp_prot_mgmt
Currently there is no way to cancel rule execution. When a user "deactivates" (by clicking the "deactivate" button) a rule, it will simply not schedule the following rule execution task, but the current task will continue to run until finished.
In practice, users have experienced that some long-running rules like Indicator Match rules continue to run for ~30 minutes after "deactivation". These long-running rules could be performance intensive and affect the user's cluster, leaving the user with an undesirable user experience in the app until the rule execution finishes.
We should allow users to cancel rule execution, if desired.