[Response Ops][Alerting] Research generating context and state variables from alerts as data documents #145107
Labels
blocked
Feature:Alerting/RulesFramework
Issues related to the Alerting Rules Framework
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
ymao1
added
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
Blocked by #145103 |
ymao1
moved this from Awaiting Triage
to Blocked / On hold
in AppEx: ResponseOps - Execution & Connectors
mikecote
moved this from Blocked / On hold
to On Hold
in AppEx: ResponseOps - Execution & Connectors
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As part of the new Alerts API, we should investigate whether we can generate context and state variables from the information stored inside the alerts as data documents to maintain backwards compatibility for all rule types. Currently, rule type executors explicitly set context and state variables when creating an alert. With the new API, they will be setting fields within the alert documents. We should provide a way for rule types to specify a converter function that takes an alert document with the generic FAAD schema and returns context and state variables. This way we can move closer to deprecating the AlertFactory.
The text was updated successfully, but these errors were encountered: