[BUG]Security Analytics: Query index alias deleted on detector removal, causing rollover and IndexNotFoundException

[GitUseDeveloper]

Title
Security Analytics: Query index alias deleted on detector removal, causing rollover and IndexNotFoundException

Environment
OS: Ubuntu

OpenSearch: 2.15.0

Plugin: Security Analytics

Steps to Reproduce
Create a new log type (e.g., log type 1).

Create a rule (e.g., rule 1).

Create detector A using log type 1 and attach rule 1.

Observe query index .opensearch--detectors-queries-000001 created.

Stop detector A and remove rules.

Index 000001 is deleted.

Create detector B with the same log type.

Observe new query index 000002 created.

Add a rule back to detector A and enable it.

Observe new query index 000003 created.

Delete detector A.

Alias .opensearch--detectors-queries is deleted entirely.

Try to update detector B.

Error: IndexNotFoundException [.opensearch--detectors-queries].

Try to create another detector with the same log type.

Error: Failed to get write index for queryIndex alias.

Expected Behavior
Alias .opensearch--detectors-queries should persist across detector deletions.

Rollover should only occur when thresholds (size, age, docs) are met, not on every detector creation.

Detectors should reuse the same alias and write index chain for a given log type.

Actual Behavior
Alias is deleted when a detector is removed.

Every new detector creation forces a rollover (000001 → 000002 → 000003…).

Remaining detectors fail with IndexNotFoundException.

Impact
Detectors for the same log type cannot coexist reliably.

Alias lifecycle is incorrectly tied to detector lifecycle instead of log type lifecycle.

Breaks multi-detector setups and prevents stable query index reuse.

Suggested Fix
Decouple alias lifecycle from detector lifecycle.

Ensure alias persists as long as the log type exists.

Trigger rollover only when thresholds are met, not on detector creation.

Allow detectors to reuse the same alias chain.

[GitUseDeveloper]

Anyone answer pls. Also I created the detectors again for the log type. Now, the detector queries index not writing anything into it. Why it happens. Is it related to cluster settings...

[krisfreedain]

@lezzago @sbcd90 @AWSHurneyt @eirsep @praveensameneni & maintainers - can you take a look at this

Catch All Triage - 1 2

[GitUseDeveloper]

Subject: Critical Bug in Security Analytics v2.15: Aggressive Rollover and Index Deletion for "Windows" Log Type Detectors

Body:

I am encountering a critical issue in OpenSearch Security Analytics v2.15.0 related to how the system handles the .opensearch-sap--detectors-queries system indices, specifically when creating multiple detectors for the "Windows" log type (or any log type with a large set of default Sigma rules).

The Issue:
The system appears to trigger an aggressive, unnecessary rollover of the query index every time a new detector is created for the same log type. This leads to a fragmented state where every detector has its own isolated index (e.g., ...queries-000001, ...queries-000002, etc.), rather than sharing a single active write index.

Replication Steps:

Create a "Windows" log type detector (det-1). The system creates .opensearch-sap-windows-detectors-queries-000001.
Create a second "Windows" detector (det-2). Instead of appending rules to 000001, the system forces a rollover and creates 000002.
Repeat this for 5 detectors. You end up with 5 separate indices (000001 to 000005).
The Failure: If I delete the last detector created (det-5), the system deletes the entire index ...000005. Because 000005 was the active write index for the alias .opensearch-sap-windows-detectors-queries, the alias breaks or loses its target.
Result: All remaining detectors (det-1 through det-4) become unmanageable. Attempting to stop or delete them results in a "Configured indices not found" error, leaving the detectors in a zombie state.
Analysis:
It appears the large volume of default Sigma rules for the Windows log type is triggering a rollover condition during every detector creation. The deletion logic then incorrectly removes the active write index without updating the alias to point back to a valid index, breaking the mapping for all other detectors sharing that alias.

Request:
Is there a permanent configuration fix or patch to prevent this aggressive rollover behavior for the Windows log type? We need a way to ensure multiple detectors can coexist on the same log type without fragmenting the query indices and breaking the alias upon deletion.