[Rule Tuning] Review all rules for performance optimizations

Question

[Rule Tuning] Review all rules for performance optimizations

brokensound77 opened this issue 5 months ago · comments

related to https://github.com/elastic/ia-trade-team/issues/232

It is always good to regularly check in on the state of overall rule performance to ensure that they are as optimized as possible. This means not only reviewing for best practices, but also to see if there are new enhancements to take advantage of as well. Similar to the referenced issue, there are several things we can do across the entire rule set to improve

Tasks

Beta Give feedback

Tighten down index patterns to specific uses (ex: logs-endpoint.events.* to logs-endpoint.events.process*)
review all sequence rules have a maxspan defined and that it is reasonable
review all sequence rules for overly loose matching criteria, especially in earlier sub-queries
review the lookback/interval ratios of all rules for efficient timing
review new_terms rule timing, as many of these can be run less frequently
review usage of wildcards
Options