Save ES Query Rule type alerts in alert-as-data index #161685
Conversation
ersin-erdal
added
release_note:skip
ersin-erdal
force-pushed
the
159493-es-query-rule-alert-as-data
branch
from
ed9c4a4 to
323c18c
Compare
…ta' into 159493-es-query-rule-alert-as-data
| [ALERT_STATE_DATE_START]: dateStart, | ||
| [ALERT_STATE_DATE_END]: dateEnd, | ||
| }, | ||
| }); |
There was a problem hiding this comment.
ES Query Rule used to pass context and state params to the legacy alertsClient. Now we pass them in the payload to save in alert-as-data index.
Fields in the state object: dateEnd, dateStart, and latestTimestamp.
They are grouped under state namespace, like: kibana.alert.state.latestTimestamp
Fields in the context object: hits, link, conditions, value, date, title, message.
I didn't use any namespace for the context fields as they already make sense under the alert namespace.
Two field names has been created for the hits param.
kibana.alert.hits.count to pass the total number of the hits (in case of we want to cap the number of the hits)
kibana.alert.hits.hits to pass the hits (capped or all)
ALERT_URL (kibana.alert.url) is used from the default alert-as-data for the link param.
ALERT_CONDITIONS_MET_VALUE (kibana.alert.conditions_met_value) has been created for the value param in the context obj.
Do these field names and namespaces look OK to you? Should we group context params as well?
Is creating a separate hits.count field name for the hits OK?
There was a problem hiding this comment.
I would put actionContext.message into kibana.alert.reason and look into the ALERT_EVALUATION_THRESHOLD and ALERT_EVALUATION_VALUES fields that are currently used by observability alerts to see if we could use them to store actionContext.conditions and actionContext.value. If they are suitable, we could promote those to framework level fields and encourage rule types to use them to store their evaluation thresholds.
For this first iteration, I would leave out actionContext.hits until we settle on how this data should be properly stored. I believe @kobelb had the idea of maybe copying out all ECS source fields
The other thing to think about is whether we want to use the kibana.alert namespace directly or namespace these fields even more to be for stack alerts, so kibana.alert.stack_context.latest_timestamp for example
There was a problem hiding this comment.
+1 to what @ymao1 mentioned. Thank you for kicking off this discussion on field mappings. For the proposal, I've also been thinking the following:
ALERT_HITS_COUNT
There may be more hits than provided within actionContext.hits.length. Should we instead adapt fetchEsQuery and fetchSearchSourceQuery to return result.hits.total via numMatches and use that as the value? For example, setting size: 0 in the query will cause no hits, but ALERT_HITS_COUNT could contain result.hits.total from the query?
ALERT_STATE_LAST_TIMESTAMP, ALERT_STATE_DATE_START, ALERT_STATE_DATE_END
I wonder if we leave these out for now? They are used for internal query building (and I guess mustache) but I'm not sure if they provide value in the alert document itself. The values would update constantly until the last time the alert is detected (but we also store kibana.alert.start and kibana.alert.end at the framework level).
There was a problem hiding this comment.
Current fields are:
[ALERT_RULE_NAME]: name,
[ALERT_URL]: actionContext.link,
[ALERT_HITS_COUNT]: actionContext.hits.length,
[ALERT_HITS_HITS]: actionContext.hits,
[ALERT_MESSAGE]: actionContext.message,
[ALERT_TITLE]: actionContext.title,
[ALERT_CONDITIONS]: actionContext.conditions,
[ALERT_CONDITIONS_MET_VALUE]: actionContext.value,
[ALERT_STATE_LAST_TIMESTAMP]: latestTimestamp,
[ALERT_STATE_DATE_START]: dateStart,
[ALERT_STATE_DATE_END]: dateEnd,
I realised that ALERT_RULE_NAME is not in the current context, so i'll remove it.
I'll remove ALERT_HITS_HITS for now, as Ying suggested.
Will replace ALERT_MESSAGE with ALERT_REASON
ALERT_EVALUATION_THRESHOLD is used as a number, but actionContext.conditions in Es Query rule is the whole condition string. I'd rather adding ALERT_EVALUATION_CONDITIONS so it wold be compatible with the other ALERT_EVALUATION_*
I'll use ALERT_EVALUATION_VALUES instead of ALERT_CONDITIONS_MET_VALUE (CONDITIONS and VALUES will be under the same namespace)
I also realised that ALERT_HITS_COUNT is the same thing as ALERT_EVALUATION_VALUES, so i'll remove it too.
And will remove all the state fields as Mike suggests.
So the new payload will be:
[ALERT_URL]: actionContext.link,
[ALERT_REASON]: actionContext.message,
[ALERT_TITLE]: actionContext.title,
[ALERT_EVALUATION_CONDITIONS]: actionContext.conditions,
[ALERT_EVALUATION_VALUE]: actionContext.value,
And ALERT_TITLE will be the only ES Query specific field. Maybe we can move it to framework level as well, as it sounds like a generic field name.
There was a problem hiding this comment.
Can you elaborate on what the conditions field will store? The type just has it being a string, is it a human readable string?
Additionally, can you elaborate on the alert title? How does this differ from the reason?
Otherwise, the revised fields look good to me.
There was a problem hiding this comment.
Yes, conditions field is a human readable string that is generated in the rule type out of the params entered by the user.
e.g. Number of matching documents is greater than 1
Alert title is also a string generated in the rule type by using the rule name.
e.g. rule 'test' matched query
Reason on the other hand is the "message" field in the rule, that we use mustasche to parse.
There was a problem hiding this comment.
Gotcha, thanks Ersin. These look good to me.
…ta' into 159493-es-query-rule-alert-as-data
| @@ -85,6 +85,7 @@ const EVENT_MODULE = 'event.module' as const; | |||
| // Fields pertaining to the alert | |||
| const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const; | |||
| const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const; | |||
| const ALERT_EVALUATION_CONDITIONS = `${ALERT_NAMESPACE}.evaluation.conditions` as const; | |||
| const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const; | |||
There was a problem hiding this comment.
Maybe we can move all the ALERT_EVALUATION_* fields to default_alerts_as_data.
There was a problem hiding this comment.
We can, if we want them to apply to all alerts. For any of them that we want to move to apply to all alerts, we'll need to get the security solution team's approval. I'd prefer we just move the one we need for the time being to keep the scope small.
ersin-erdal
force-pushed
the
159493-es-query-rule-alert-as-data
branch
from
b23894d to
302a8d6
Compare
…ta' into 159493-es-query-rule-alert-as-data
| fieldMap: { | ||
| [ALERT_URL]: { type: 'text', array: false, required: false }, | ||
| [ALERT_TITLE]: { type: 'keyword', array: false, required: false }, | ||
| [ALERT_REASON]: { type: 'keyword', array: false, required: false }, |
There was a problem hiding this comment.
REASON should be in the framework fields so we shouldn't need to redefine it here
| context: STACK_AAD_INDEX_NAME, | ||
| mappings: { | ||
| fieldMap: { | ||
| [ALERT_URL]: { type: 'text', array: false, required: false }, |
There was a problem hiding this comment.
URL should be in the framework fields so we shouldn't need to redefine it here
ersin-erdal
changed the base branch from
o11y-rbac-rule-feature-branch
to
main
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Unknown metric groupsAPI count
References to deprecated APIs
History
To update your PR or re-run it, just comment with: cc @ersin-erdal |
Resolves: #159493
This PR replaces
AlertFactoryin ES Query rule type withAlertsClientso the alerts are persistent in an alert-as-data index.