-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request for alerting internal tags structure #58417
Comments
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
I think this is a case where we would want the "system" tags (vs "user" tags) to not be settable via the HTTP APIs, only via the alerting client. I think it probably makes sense to make them visible to users though (get requests and searches). |
It's ok to have them visible but not changeable and to have system tags. This is a good approach that I agree with 👍 |
+1 for system tags. This is super important for being able to reliably query for alerts based on solution specific identifiers. |
"Reviewed by Frank Hassanabad on 7/29/2020, still valid as of this date" |
Edit: this might already have been discussed in the linked issue. Will read through that now. @alexfrancoeur Will these tags support key/value lookups, eg. It is important that it's not simply a single value lookup like: One approach we've taken is to use a reserved keyword (eg. |
cc @arisonl |
Moving from |
Moving from |
I just merged the capability of filtering alerts by string parameters (#92036). This should remove the need to use internal tags altogether as you can find alerts based on keyword values as long as they are parameters to the alert. I can't think of any extra information you don't want to become a parameter to the alert executor so I will close the issue Wednesday, Feb 24th if there are no problems/use cases. |
Thanks @mikecote! I've opened #92334 for refactoring our Testing real quick though, I modified: kibana/x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts Lines 113 to 118 in 4584a8b
to be: const showCustomRuleFilter = filterOptions.showCustomRules
? [`alert.attributes.params.immutable: "false"`]
: [];
const showElasticRuleFilter = filterOptions.showElasticRules
? [`alert.attributes.params.immutable: "true"`]
: []; And this appears to work! 🎉 So I think this should be suitable for us to remove this chunk of tech debt barring any other unforeseen issues. Thank you for your efforts here! 🙂 |
@sqren Do the new flattened params work for you as well? I think we can close this issue, if so. |
I have yet to try it out but yes, I agree that it removes the need for internal tags - at least for my use cases. |
Btw. this is super awesome. Thanks for working so hard on it and finally getting it in! |
I will consider this issue now resolved and closed. Thanks all! |
Describe the feature:
Add internal tags structure for consumers of the Alert API that are not use facing. Right now we are using on SIEM internal structures and trying to keep them filtered from the front end. It would be better if we separate the two tags from each other of internal and public facing tags in two different structures.
The text was updated successfully, but these errors were encountered: