[Draft] Followup issues for alerting saved object sharing #106767
[Maps][Alerting] Migrate to using Saved Object References array to reference index patterns from Rules

Currently, geo containment rules store two index pattern Saved Object IDs inside the rule params inside

Example geo containment rule

In 8.0, saved objects will be converted to share-capable (meta issue). This means all index pattern SO IDs will be regenerated and the index pattern SO IDs stored within the geo containment rule params will be outdated.

What does this mean?

Rule Execution

Rules UI

Recommended approach

With the resolution of this issue with this PR, the alerting framework allows rule types to specify extract and inject hooks for pulling out SO references from rule parameters. POC for adding it to the geo containment rule type is available here: https://github.com/elastic/kibana/pull/106733/files. While these hooks will affect rules that are created/updated after implementation, a migration will also need to be added for the geo containment rule to update existing rules.

Alternative approach

Since the

When does this need to be done?
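
The extract and inject hooks mentioned in the comment above, sketched as an added example that is not part of the original issue or of Kibana's code. The types are local stand-ins, the param field names and reference names are assumptions, and `regenerateIds` only simulates ID regeneration on the assumption that the references array is what gets rewritten when IDs change.

```typescript
// Local stand-in types; this sketch does not import Kibana's own definitions.
interface SavedObjectReference { name: string; type: string; id: string }

// Hypothetical params shape: the field names are assumptions, not the rule type's real schema.
interface GeoParams { indexId: string; boundaryIndexId: string; entity: string }
// Stored form: the ID fields are replaced by the names of entries in `references`.
interface StoredGeoParams { indexRefName: string; boundaryIndexRefName: string; entity: string }

const INDEX_REF = 'tracked_index'; // hypothetical reference names
const BOUNDARY_REF = 'boundary_index';

// Extract hook: pull the SO IDs out of the params before the rule is persisted.
function extractReferences(params: GeoParams): { params: StoredGeoParams; references: SavedObjectReference[] } {
  const { indexId, boundaryIndexId, ...rest } = params;
  return {
    params: { ...rest, indexRefName: INDEX_REF, boundaryIndexRefName: BOUNDARY_REF },
    references: [
      { name: INDEX_REF, type: 'index-pattern', id: indexId },
      { name: BOUNDARY_REF, type: 'index-pattern', id: boundaryIndexId },
    ],
  };
}

// Inject hook: resolve reference names back to IDs before the executor sees the params.
function injectReferences(stored: StoredGeoParams, references: SavedObjectReference[]): GeoParams {
  const idOf = (name: string): string => {
    const ref = references.find((r) => r.name === name && r.type === 'index-pattern');
    // Fail loudly rather than run the rule against an undefined index pattern.
    if (!ref) throw new Error(`Missing saved object reference "${name}"`);
    return ref.id;
  };
  const { indexRefName, boundaryIndexRefName, ...rest } = stored;
  return { ...rest, indexId: idOf(indexRefName), boundaryIndexId: idOf(boundaryIndexRefName) };
}

// Simulates ID regeneration: only the references array is rewritten, params are untouched.
function regenerateIds(references: SavedObjectReference[], idMap: Record<string, string>): SavedObjectReference[] {
  return references.map((r) => ({ ...r, id: idMap[r.id] ?? r.id }));
}

// Constructed sample rule params (IDs are made up for this example).
const sampleParams: GeoParams = { indexId: 'old-tracked-id', boundaryIndexId: 'old-boundary-id', entity: 'vehicle_id' };
```

Because the stored params hold only reference names, a rule written this way keeps resolving to the current index pattern IDs after regeneration, while a rule with IDs embedded in its params does not.
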

[Cases][Connectors] Migrate to using Saved Object References array to reference action saved objects from Cases

Currently, there are several cases saved object types that directly store the associated actions SO ID instead of utilizing the references array. With alerting planning to make actions share-capable in 8.0.0, the SO IDs for these actions will be re-generated, which will break the association in these cases saved objects.

Cases SO

Stores the associated

Example `cases` saved object

When the action SO is made share-capable, this error will show in the Cases UI because the ID has changed.

Cases User Actions SO

Stores the associated

Example `cases-user-actions` saved object

When the action SO is made share-capable, the Cases UI will display a user action message of

Cases Configure SO

Stores the associated

Example `cases-configure` saved object

When the action SO is made share-capable, the Configure Cases UI will incorrectly state that the associated connector has been deleted. Note that the

Recommended approach

The recommended approach is to update the

Alternative approach

Alternatively, the cases team could explore using the .resolve() functionality provided by the saved object service in order to resolve the outdated action SO ID to their re-generated ID. This would require tracking down all the places where the

When does this need to be done?

Existing security issue: #105819, #101975

[Security Rules] Migrate to using Saved Object References array to reference alert saved objects from security saved objects

Currently, there are several security saved object types that directly store the associated rule (

Detection Engine Rule Status SO

Stores the associated

Example `siem-detection-engine-rule-status` saved object

When the alert SO is made share-capable, no statuses will be returned for the rules in the detection UI. However, maybe this is ok? There doesn't seem to be any errors in the UI and since I think only the last few statuses are shown, user would just have to wait for the rule to run again with the new ID to start seeing statuses.

Detection Engine Rule Action SO

Stores the associated

Example `siem-detection-engine-rule-action` saved object

When the alert SO is made share-capable, the association between

Recommended approach

The recommended approach is to update the

Alternative approach

Alternatively, the security team could explore using the

When does this need to be done?