I am currently testing the Security Analytics plugin in a high-traffic environment and have encountered two specific behaviors regarding the lifecycle management of alerts and findings that require clarification.
1. Logic for Alert Transition to History Index
I have observed that alerts are appearing in the .opensearch-sap-<detector_type>-alerts-history-<date> index even though they were never manually acknowledged or deleted.

* The Question: Apart from manual acknowledgement, what specific internal triggers move an "Active" alert into the "History" index?
  - Is there an automatic timeout for active alerts, or do they move to history once the underlying trigger condition is no longer met (transitioning to a COMPLETED state)?
  - Does the rollover of a Finding (based on finding_history_max_age) force the associated active alert into the history index?
Current default settings:

```json
{
  "alert_history_max_docs": "1000",
  "alert_history_rollover_period": "12h",
  "alert_history_retention_period": "60d",
  "finding_history_retention_period": "60d"
}
```
```
GET _cat/indices/.opensearch-sap-xdr_windows-alert*?expand_wildcards=all&v&h=index,docs.count,store.size,status

index                                                         docs.count store.size status
.opensearch-sap-xdr_windows-alerts-history-2026.01.24-000005        2280      7.8mb open
.opensearch-sap-xdr_windows-alerts-history-2026.01.23-000004       14240     40.8mb open
.opensearch-sap-xdr_windows-alerts-history-2026.01.28-000006        5666     19.3mb open
.opensearch-sap-xdr_windows-alerts-history-2026.01.20-000003        9551     30.5mb open
.opensearch-sap-xdr_windows-alerts-history-2026.02.26-000007         939      5.3mb open
.opensearch-sap-xdr_windows-alerts                               1506329      696mb open
```
I am looking to understand the specific logic and triggers that transition alerts from the active index to the alert history index, as well as how to definitively identify the cause for each transition.
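As an added example (not part of the post above): a small Python check that classifies each document read from a history index by the cause the document itself records, so each transition can be attributed rather than guessed. It assumes the alert documents carry the state, acknowledged_time, end_time and error_message fields of the Security Analytics alert mapping; the sample documents are constructed.

```python
"""Attribute history-index alerts to a transition cause from their own fields.

Added example, not code from the original post or the plugin. Field names are
assumed to follow the Security Analytics alert mapping; SAMPLE_HISTORY_DOCS are
constructed stand-ins for _source documents pulled from
.opensearch-sap-<detector_type>-alerts-history-<date>.
"""
from collections import Counter

SAMPLE_HISTORY_DOCS = [  # constructed sample data
    {"id": "a1", "state": "ACKNOWLEDGED", "start_time": "2026-01-23T10:00:00Z",
     "acknowledged_time": "2026-01-23T10:05:00Z", "end_time": None, "error_message": None},
    {"id": "a2", "state": "COMPLETED", "start_time": "2026-01-23T10:00:00Z",
     "acknowledged_time": None, "end_time": "2026-01-23T11:00:00Z", "error_message": None},
    {"id": "a3", "state": "DELETED", "start_time": "2026-01-23T10:00:00Z",
     "acknowledged_time": None, "end_time": "2026-01-23T12:00:00Z", "error_message": None},
    {"id": "a4", "state": "ERROR", "start_time": "2026-01-23T10:00:00Z",
     "acknowledged_time": None, "end_time": None, "error_message": "index not found"},
    # An ACTIVE document inside a history index is the case the post asks about:
    # flag it instead of silently bucketing it.
    {"id": "a5", "state": "ACTIVE", "start_time": "2026-01-23T10:00:00Z",
     "acknowledged_time": None, "end_time": None, "error_message": None},
]


def transition_cause(doc):
    """Return a short label for why this alert left the active index."""
    state = doc.get("state")
    if state == "ACKNOWLEDGED" and doc.get("acknowledged_time"):
        return "manual acknowledgement"
    if state == "COMPLETED" and doc.get("end_time"):
        return "completed (trigger condition no longer met)"
    if state == "DELETED":
        return "deleted (detector or trigger removed)"
    if state == "ERROR":
        return "execution error: " + (doc.get("error_message") or "unknown")
    # Anything else (including ACTIVE) needs a manual look at the document.
    return f"unexplained (state={state})"


def summarize(docs):
    """Count history documents per transition cause."""
    return Counter(transition_cause(d) for d in docs)


def history_state_aggregation_query():
    """Request body for the same breakdown server-side: a terms agg on state."""
    return {"size": 0, "aggs": {"by_state": {"terms": {"field": "state", "size": 10}}}}


if __name__ == "__main__":
    for cause, count in summarize(SAMPLE_HISTORY_DOCS).items():
        print(f"{count:>6}  {cause}")
```

Run the aggregation body against the history alias to see the per-state counts cluster-wide, then pull only the documents whose state is not ACKNOWLEDGED, COMPLETED, DELETED or ERROR for closer inspection.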