Detectors in Security Analytics Plugin

I was exploring the Security Analytics plugin and going through the detectors. I was just wondering what the maximum number of detectors is that we can create in OpenSearch? If I create a detector for every rule and do not combine multiple rules into a single detector, is that a good approach, or might it impact performance?

This is going to be limited by the max number of monitors allowed in Alerting: plugins.alerting.monitor.max_monitors.

The default setting is 1000, and depending on whether you're using a log type which has rules with aggregations, that would be 2 monitors per detector, otherwise 1 monitor per detector.

If I create a detector for every rule and do not combine multiple rules into a single detector, is that a good approach, or might it impact performance?

It is much better to have multiple rules in 1 detector.

Thanks for the reply. As you said, it is better to have multiple rules in a single detector and not a single rule per detector, right? And since in a detector we can specify the interval at which it runs, what if I want to have different intervals for different rules of the same type? Is there any way to handle this in detectors?

You can't choose an interval for specific rules. It will apply to all rules in the Detector.

Thanks @devp for your question. While you can configure any number of rules you like per detector, we recommend that you use multiple rules per detector, as often there are multiple rules monitoring different conditions in the same log type. This will also help in filtering alerts or findings by detector (that monitors a log type).
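To make the two points in this thread concrete (the Alerting monitor budget set by plugins.alerting.monitor.max_monitors, and the recommendation to group many rules into one detector per log type rather than one detector per rule), here is an added Python example. It is not code from the OpenSearch project or from any poster in this thread. It reads the effective limit out of a constructed cluster-settings response, compares the monitor cost of the two detector layouts, and builds a detector request body with a single schedule. The rule IDs, index names and the sample settings response are constructed placeholders, and the detector body's field names follow the Security Analytics detector API as the author of this example understands it, so check them against the docs for your version.

```python
"""Plan Security Analytics detectors against the Alerting monitor budget.

Added example, not OpenSearch project code. Facts modelled from the thread:
  - each detector costs 1 Alerting monitor, or 2 if its log type has
    rules with aggregations;
  - the ceiling is plugins.alerting.monitor.max_monitors (default 1000);
  - a detector has one schedule, so an interval cannot differ per rule.
"""
import json
from collections import defaultdict

SETTING = "plugins.alerting.monitor.max_monitors"
DEFAULT_MAX_MONITORS = 1000

# Constructed sample of GET _cluster/settings?include_defaults=true&flat_settings=true
# (only the key we care about is shown; a real response carries many more).
SAMPLE_SETTINGS_RESPONSE = json.dumps({
    "persistent": {SETTING: "1500"},
    "transient": {},
    "defaults": {SETTING: "1000"},
})


def read_max_monitors(settings_json: str) -> int:
    """Resolve the effective limit: transient overrides persistent overrides defaults."""
    doc = json.loads(settings_json)
    for section in ("transient", "persistent", "defaults"):
        value = doc.get(section, {}).get(SETTING)
        if value is not None:
            return int(value)
    return DEFAULT_MAX_MONITORS


# Constructed rule catalogue: (rule_id, log_type, uses_aggregation).
RULES = [
    ("rule-win-001", "windows", False),
    ("rule-win-002", "windows", False),
    ("rule-win-003", "windows", True),   # e.g. a count-based threshold rule
    ("rule-linux-001", "linux", False),
    ("rule-linux-002", "linux", False),
    ("rule-dns-001", "dns", True),
]


def monitors_for(has_aggregation_rule: bool) -> int:
    """Monitor cost of one detector, per the thread's answer."""
    return 2 if has_aggregation_rule else 1


def plan_detectors(rules, one_per_rule=False):
    """Return a list of (name, log_type, rule_ids, has_aggregation).

    one_per_rule=False: the recommended layout, one detector per log type
    holding all of that type's rules.
    one_per_rule=True: the layout asked about, one detector per rule.
    """
    if one_per_rule:
        return [(f"{lt}-{rid}", lt, [rid], agg) for rid, lt, agg in rules]
    by_type = defaultdict(list)
    for rid, lt, agg in rules:
        by_type[lt].append((rid, agg))
    return [(f"{lt}-detector", lt, [r for r, _ in entries], any(a for _, a in entries))
            for lt, entries in by_type.items()]


def monitors_needed(detectors) -> int:
    return sum(monitors_for(agg) for _, _, _, agg in detectors)


def fits_budget(detectors, max_monitors: int) -> bool:
    return monitors_needed(detectors) <= max_monitors


def build_detector_body(name, log_type, indices, rule_ids, interval_minutes=1):
    """Body for POST _plugins/_security_analytics/detectors (assumed field names).

    Exactly one schedule: the interval applies to every rule in the detector.
    """
    return {
        "type": "detector",
        "detector_type": log_type,
        "name": name,
        "enabled": True,
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"detector_input": {
            "description": f"{log_type} rules grouped into one detector",
            "indices": indices,
            "pre_packaged_rules": [{"id": rid} for rid in rule_ids],
            "custom_rules": [],
        }}],
        "triggers": [],
    }


if __name__ == "__main__":
    limit = read_max_monitors(SAMPLE_SETTINGS_RESPONSE)
    for label, layout in (("grouped", False), ("one-per-rule", True)):
        plan = plan_detectors(RULES, one_per_rule=layout)
        print(f"{label}: {len(plan)} detectors, {monitors_needed(plan)} monitors, "
              f"fits limit {limit}: {fits_budget(plan, limit)}")
    body = build_detector_body("windows-detector", "windows", ["windows-*"],
                               [r for r, lt, _ in RULES if lt == "windows"])
    print(json.dumps(body, indent=2))
```

With the constructed catalogue, grouping by log type costs 5 monitors for 3 detectors, while one detector per rule costs 8 monitors for 6 detectors; the gap grows with every rule added, which is why the per-log-type layout stretches the max_monitors budget much further. Rules that need a different interval have to live in a separate detector, since the schedule is set once per detector.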
