[Security Solution][Exception Lists] Prevent loading of >10k value list items into memory #212460
Labels
Feature:Rule Exceptions
Security Solution Detection Rule Exceptions area
Feature:Rule Value Lists
Security Solution Detection Rule Value Lists area
Team:Detection Engine
Security Solution Detection Engine Area
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
triage_needed
Comments
rylnd
added
Feature:Rule Exceptions
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
As a result of the investigation in #211637, it was discovered that we do in fact load all of the items from a particular value list into memory during the deletion of said list. As per #203017, this should be mitigated as much as possible.
This might involve performing these deletions in batches, or we might be able to stretch beyond the soft 10k limit by minimizing the data that we're retrieving (as suggested in #203017).
However, it appears as though the current logic is a consequence of our current APIs, so we may need to develop some additional functionality (perhaps as public HTTP endpoints) to make this work.
The text was updated successfully, but these errors were encountered: