[RAM] Adds revision to alerts schema (#151388)

## Summary Follow up from #147398, which adds `revision` to the alerts schema so the rule's current revision is included when creating alerts. In Security Solution: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/227386305-c8afe295-b79b-4b28-838a-cc3bed0f3eda.png" /> </p> In Observability: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/227577019-05307860-e0e3-4e1e-b4cf-604bdb52afdf.png" /> </p> Note: this was originally a branched off #147398, so the large commit list is resulting from there as Github doesn't seem to re-write after after a rebase w/ `main` and a force push. ### Checklist Delete any items that are not applicable to this PR. - [ ] ~[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials~ * Base docs to be added for #147398 - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
elastic · Mar 29, 2023 · e41cc7a · e41cc7a
1 parent c283ca5
commit e41cc7a
Show file tree

Hide file tree

Showing 28 changed files with 95 additions and 7 deletions.
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts
@@ -22,6 +22,7 @@ import {
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_PRODUCER,
+  ALERT_RULE_REVISION,
   ALERT_RULE_TAGS,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UUID,
@@ -112,6 +113,11 @@ export const alertFieldMap = {
     array: false,
     required: true,
   },
+  [ALERT_RULE_REVISION]: {
+    type: 'long',
+    array: false,
+    required: true,
+  },
   [ALERT_RULE_TAGS]: {
     type: 'keyword',
     array: true,

diff --git a/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts b/packages/kbn-rule-data-utils/src/default_alerts_as_data.ts
@@ -82,6 +82,9 @@ const ALERT_RULE_PARAMETERS = `${ALERT_RULE_NAMESPACE}.parameters` as const;
 // kibana.alert.rule.producer - rule type producer for rule that generated this alert
 const ALERT_RULE_PRODUCER = `${ALERT_RULE_NAMESPACE}.producer` as const;
 
+// kibana.alert.rule.revision - current revision of the rule that generated this alert
+const ALERT_RULE_REVISION = `${ALERT_RULE_NAMESPACE}.revision` as const;
+
 // kibana.alert.rule.tags - rule tags for rule that generated this alert
 const ALERT_RULE_TAGS = `${ALERT_RULE_NAMESPACE}.tags` as const;
 
@@ -113,6 +116,7 @@ const fields = {
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_PRODUCER,
+  ALERT_RULE_REVISION,
   ALERT_RULE_TAGS,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UUID,
@@ -148,6 +152,7 @@ export {
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_PRODUCER,
+  ALERT_RULE_REVISION,
   ALERT_RULE_TAGS,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UUID,

diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/mapping_from_field_map.test.ts
@@ -254,6 +254,9 @@ describe('mappingFromFieldMap', () => {
                     producer: {
                       type: 'keyword',
                     },
+                    revision: {
+                      type: 'long',
+                    },
                     rule_type_id: {
                       type: 'keyword',
                     },

diff --git a/x-pack/plugins/alerting/common/rule.ts b/x-pack/plugins/alerting/common/rule.ts
@@ -186,6 +186,7 @@ export type SanitizedRuleConfig = Pick<
   | 'throttle'
   | 'notifyWhen'
   | 'muteAll'
+  | 'revision'
   | 'snoozeSchedule'
 > & {
   producer: string;

diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.ts
@@ -260,6 +260,7 @@ export class TaskRunner<
       enabled,
       actions,
       muteAll,
+      revision,
       snoozeSchedule,
     } = rule;
     const {
@@ -379,6 +380,7 @@ export class TaskRunner<
                 tags,
                 consumer,
                 producer: ruleType.producer,
+                revision,
                 ruleTypeId: rule.alertTypeId,
                 ruleTypeName: ruleType.name,
                 enabled,

diff --git a/...erver/lib/alerting/inventory_metric_threshold/inventory_metric_threshold_executor.test.ts b/...erver/lib/alerting/inventory_metric_threshold/inventory_metric_threshold_executor.test.ts
@@ -75,6 +75,7 @@ const mockOptions = {
     throttle: null,
     notifyWhen: null,
     producer: '',
+    revision: 0,
     ruleTypeId: '',
     ruleTypeName: '',
     muteAll: false,

diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.test.ts
@@ -113,6 +113,7 @@ const mockOptions = {
     throttle: null,
     notifyWhen: null,
     producer: '',
+    revision: 0,
     ruleTypeId: '',
     ruleTypeName: '',
     muteAll: false,

diff --git a/x-pack/plugins/observability/public/components/alerts_flyout.test.tsx b/x-pack/plugins/observability/public/components/alerts_flyout.test.tsx
@@ -67,6 +67,7 @@ const activeAlert: TopAlert = {
     'kibana.alert.rule.producer': 'logs',
     'kibana.alert.rule.consumer': 'logs',
     'kibana.alert.rule.category': 'Log threshold',
+    'kibana.alert.rule.revision': 0,
     'kibana.alert.start': '2021-09-02T12:54:09.674Z',
     'kibana.alert.rule.rule_type_id': 'logs.alert.document.count',
     'event.action': 'active',
@@ -97,6 +98,7 @@ const recoveredAlert: TopAlert = {
     'kibana.alert.rule.producer': 'infrastructure',
     'kibana.alert.rule.consumer': 'infrastructure',
     'kibana.alert.rule.category': 'Inventory',
+    'kibana.alert.rule.revision': 0,
     'kibana.alert.start': '2021-09-02T13:05:36.699Z',
     'kibana.alert.rule.rule_type_id': 'metrics.alert.inventory.threshold',
     'event.action': 'close',

diff --git a/x-pack/plugins/observability/public/hooks/use_fetch_alert_detail.test.ts b/x-pack/plugins/observability/public/hooks/use_fetch_alert_detail.test.ts
@@ -27,6 +27,7 @@ describe('useFetchAlertDetail', () => {
     'kibana.alert.rule.execution.uuid': 'e62c418d-734d-47e7-bbeb-e6f182f5fb45',
     'kibana.alert.rule.name': 'A super rule',
     'kibana.alert.rule.producer': 'infrastructure',
+    'kibana.alert.rule.revision': 0,
     'kibana.alert.rule.rule_type_id': 'metrics.alert.threshold',
     'kibana.alert.rule.uuid': '69411af0-82a2-11ec-8139-c1568734434e',
     'kibana.space_ids': ['default'],
@@ -124,6 +125,7 @@ describe('useFetchAlertDetail', () => {
               "kibana.alert.rule.execution.uuid": "e62c418d-734d-47e7-bbeb-e6f182f5fb45",
               "kibana.alert.rule.name": "A super rule",
               "kibana.alert.rule.producer": "infrastructure",
+              "kibana.alert.rule.revision": 0,
               "kibana.alert.rule.rule_type_id": "metrics.alert.threshold",
               "kibana.alert.rule.tags": Array [],
               "kibana.alert.rule.uuid": "69411af0-82a2-11ec-8139-c1568734434e",

diff --git a/x-pack/plugins/observability/public/pages/alert_details/mock/alert.ts b/x-pack/plugins/observability/public/pages/alert_details/mock/alert.ts
@@ -15,6 +15,7 @@ import {
   ALERT_RULE_CONSUMER,
   ALERT_RULE_NAME,
   ALERT_RULE_PRODUCER,
+  ALERT_RULE_REVISION,
   ALERT_RULE_TAGS,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UUID,
@@ -46,6 +47,7 @@ export const alert: TopAlert = {
     [ALERT_RULE_PRODUCER]: 'logs',
     [ALERT_RULE_CONSUMER]: 'logs',
     [ALERT_RULE_CATEGORY]: 'Log threshold',
+    [ALERT_RULE_REVISION]: 0,
     [ALERT_START]: '2021-09-02T12:54:09.674Z',
     [ALERT_RULE_TYPE_ID]: 'logs.alert.document.count',
     [EVENT_ACTION]: 'active',

diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@@ -163,6 +163,11 @@ it('matches snapshot', () => {
         "required": false,
         "type": "keyword",
       },
+      "kibana.alert.rule.revision": Object {
+        "array": false,
+        "required": true,
+        "type": "long",
+      },
       "kibana.alert.rule.rule_id": Object {
         "array": false,
         "required": false,

diff --git a/x-pack/plugins/rule_registry/common/parse_technical_fields.test.ts b/x-pack/plugins/rule_registry/common/parse_technical_fields.test.ts
@@ -24,6 +24,7 @@ describe('parseTechnicalFields', () => {
       'kibana.alert.rule.rule_type_id': ['metrics.alert.threshold'],
       'event.action': ['active'],
       'kibana.alert.rule.name': ['Uptime'],
+      'kibana.alert.rule.revision': 0,
       'kibana.alert.uuid': ['f31f5726-3c47-4c88-bc42-4e1fbde17e34'],
       'kibana.space_ids': ['default'],
       'kibana.version': ['8.1.0'],
@@ -102,6 +103,7 @@ describe('parseTechnicalFields', () => {
       'kibana.alert.rule.category': ['Metric threshold'],
       'kibana.alert.rule.rule_type_id': ['metrics.alert.threshold'],
       'kibana.alert.rule.name': ['Uptime'],
+      'kibana.alert.rule.revision': 0,
       'kibana.alert.uuid': ['f31f5726-3c47-4c88-bc42-4e1fbde17e34'],
       'kibana.space_ids': ['default'],
     };

diff --git a/x-pack/plugins/rule_registry/common/schemas/8.8.0/index.ts b/x-pack/plugins/rule_registry/common/schemas/8.8.0/index.ts
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { ALERT_RULE_REVISION } from '@kbn/rule-data-utils';
+import { CommonAlertFields870 } from '../8.7.0';
+
+/* DO NOT MODIFY THIS SCHEMA TO ADD NEW FIELDS. These types represent the alerts that shipped in 8.8.0.
+Any changes to these types should be bug fixes so the types more accurately represent the alerts from 8.8.0.
+
+If you are adding new fields for a new release of Kibana, create a new sibling folder to this one
+for the version to be released and add the field(s) to the schema in that folder.
+
+Then, update `../index.ts` to import from the new folder that has the latest schemas, add the
+new schemas to the union of all alert schemas, and re-export the new schemas as the `*Latest` schemas.
+*/
+
+export interface RevisionField880 {
+  [ALERT_RULE_REVISION]: number;
+}
+
+export type CommonAlertFields880 = CommonAlertFields870 & RevisionField880;
+
+export type CommonAlertFieldName880 = keyof CommonAlertFields880;
+
+export type AlertWithCommonFields880<T> = T & CommonAlertFields880;
diff --git a/x-pack/plugins/rule_registry/common/schemas/index.ts b/x-pack/plugins/rule_registry/common/schemas/index.ts
@@ -6,19 +6,22 @@
  */
 
 import type {
-  CommonAlertFieldName870,
+  AlertWithSuppressionFields870,
+  SuppressionFields870,
   CommonAlertIdFieldName870,
-  CommonAlertFields870,
-  AlertWithCommonFields870,
 } from './8.7.0';
 
-import type { AlertWithSuppressionFields870, SuppressionFields870 } from './8.7.0';
+import type {
+  AlertWithCommonFields880,
+  CommonAlertFieldName880,
+  CommonAlertFields880,
+} from './8.8.0';
 
 export type {
   AlertWithSuppressionFields870 as AlertWithSuppressionFieldsLatest,
   SuppressionFields870 as SuppressionFieldsLatest,
-  CommonAlertFieldName870 as CommonAlertFieldNameLatest,
+  CommonAlertFieldName880 as CommonAlertFieldNameLatest,
   CommonAlertIdFieldName870 as CommonAlertIdFieldNameLatest,
-  CommonAlertFields870 as CommonAlertFieldsLatest,
-  AlertWithCommonFields870 as AlertWithCommonFieldsLatest,
+  CommonAlertFields880 as CommonAlertFieldsLatest,
+  AlertWithCommonFields880 as AlertWithCommonFieldsLatest,
 };
diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts
@@ -11,6 +11,7 @@ import {
   ALERT_RULE_CONSUMER,
   ALERT_RULE_NAME,
   ALERT_RULE_PRODUCER,
+  ALERT_RULE_REVISION,
   ALERT_RISK_SCORE,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UUID,
@@ -36,6 +37,7 @@ const getMockAlert = (): ParsedTechnicalFields & ParsedExperimentalFields => ({
   [ALERT_RULE_CONSUMER]: 'apm',
   [ALERT_RULE_NAME]: 'Check error rate',
   [ALERT_RULE_PRODUCER]: 'apm',
+  [ALERT_RULE_REVISION]: 0,
   [ALERT_RISK_SCORE]: 20,
   [ALERT_RULE_TYPE_ID]: 'fake-rule-type-id',
   [ALERT_RULE_UUID]: 'fake-rule-uuid',

diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
@@ -115,6 +115,7 @@ function createRule(shouldWriteAlerts: boolean = true) {
           name: 'name',
           notifyWhen: 'onActionGroupChange',
           producer: 'producer',
+          revision: 0,
           ruleTypeId: 'ruleTypeId',
           ruleTypeName: 'ruleTypeName',
           schedule: {
@@ -255,6 +256,7 @@ describe('createLifecycleRuleTypeFactory', () => {
                 "threshold": 1,
               },
               "kibana.alert.rule.producer": "producer",
+              "kibana.alert.rule.revision": 0,
               "kibana.alert.rule.rule_type_id": "ruleTypeId",
               "kibana.alert.rule.tags": Array [
                 "tags",
@@ -291,6 +293,7 @@ describe('createLifecycleRuleTypeFactory', () => {
                 "threshold": 1,
               },
               "kibana.alert.rule.producer": "producer",
+              "kibana.alert.rule.revision": 0,
               "kibana.alert.rule.rule_type_id": "ruleTypeId",
               "kibana.alert.rule.tags": Array [
                 "tags",

diff --git a/x-pack/plugins/rule_registry/server/utils/get_common_alert_fields.ts b/x-pack/plugins/rule_registry/server/utils/get_common_alert_fields.ts
@@ -17,6 +17,7 @@ import {
   ALERT_RULE_TAGS,
   TIMESTAMP,
   ALERT_RULE_PARAMETERS,
+  ALERT_RULE_REVISION,
 } from '@kbn/rule-data-utils';
 
 import { RuleExecutorOptions } from '@kbn/alerting-plugin/server';
@@ -32,6 +33,7 @@ export const getCommonAlertFields = (
     [ALERT_RULE_EXECUTION_UUID]: options.executionId,
     [ALERT_RULE_NAME]: options.rule.name,
     [ALERT_RULE_PRODUCER]: options.rule.producer,
+    [ALERT_RULE_REVISION]: options.rule.revision,
     [ALERT_RULE_TYPE_ID]: options.rule.ruleTypeId,
     [ALERT_RULE_UUID]: options.rule.id,
     [SPACE_IDS]: [options.spaceId],

diff --git a/x-pack/plugins/rule_registry/server/utils/rule_executor.test_helpers.ts b/x-pack/plugins/rule_registry/server/utils/rule_executor.test_helpers.ts
@@ -66,6 +66,7 @@ export const createDefaultAlertExecutorOptions = <
     createdAt,
     updatedAt,
     notifyWhen: null,
+    revision: 0,
     ruleTypeId: 'RULE_TYPE_ID',
     ruleTypeName: 'RULE_TYPE_NAME',
     muteAll: false,

diff --git a/...gine/rule_actions_legacy/logic/notifications/legacy_rules_notification_alert_type.test.ts b/...gine/rule_actions_legacy/logic/notifications/legacy_rules_notification_alert_type.test.ts
@@ -53,6 +53,7 @@ describe('legacyRules_notification_alert_type', () => {
         tags: [],
         consumer: 'foo',
         producer: 'foo',
+        revision: 0,
         ruleTypeId: 'ruleType',
         ruleTypeName: 'Name of rule',
         enabled: true,

diff --git a/...ins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts b/...ins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
@@ -223,6 +223,7 @@ export const previewRulesRoute = async (
             createdAt: new Date(),
             createdBy: username ?? 'preview-created-by',
             producer: 'preview-producer',
+            revision: 0,
             ruleTypeId,
             ruleTypeName,
             updatedAt: new Date(),

diff --git a/...gins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts b/...gins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts
@@ -216,6 +216,7 @@ export const getRuleConfigMock = (type: string = 'rule-type'): SanitizedRuleConf
   ruleTypeId: `${type}-id`,
   ruleTypeName: type,
   muteAll: false,
+  revision: 0,
   snoozeSchedule: [],
 });
 

diff --git a/...ty_solution/server/lib/detection_engine/rule_types/utils/search_after_bulk_create.test.ts b/...ty_solution/server/lib/detection_engine/rule_types/utils/search_after_bulk_create.test.ts
@@ -33,6 +33,7 @@ import {
   ALERT_RULE_NAME,
   ALERT_RULE_PARAMETERS,
   ALERT_RULE_PRODUCER,
+  ALERT_RULE_REVISION,
   ALERT_RULE_TAGS,
   ALERT_RULE_TYPE_ID,
   ALERT_RULE_UUID,
@@ -71,6 +72,7 @@ describe('searchAfterAndBulkCreate', () => {
     [ALERT_RULE_EXECUTION_UUID]: '97e8f53a-4971-4935-bb54-9b8f86930cc7',
     [ALERT_RULE_NAME]: 'rule-name',
     [ALERT_RULE_PRODUCER]: 'siem',
+    [ALERT_RULE_REVISION]: 0,
     [ALERT_RULE_TYPE_ID]: 'siem.queryRule',
     [ALERT_RULE_UUID]: '2e051244-b3c6-4779-a241-e1b4f0beceb9',
     [SPACE_IDS]: ['default'],

diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts
@@ -716,6 +716,7 @@ async function invokeExecutor({
       ruleTypeId: '',
       ruleTypeName: '',
       enabled: true,
+      revision: 0,
       schedule: {
         interval: '1h',
       },

diff --git a/x-pack/plugins/stack_alerts/server/rule_types/index_threshold/rule_type.test.ts b/x-pack/plugins/stack_alerts/server/rule_types/index_threshold/rule_type.test.ts
@@ -206,6 +206,7 @@ describe('ruleType', () => {
         ruleTypeId: '',
         ruleTypeName: '',
         enabled: true,
+        revision: 0,
         schedule: {
           interval: '1h',
         },
@@ -272,6 +273,7 @@ describe('ruleType', () => {
         ruleTypeId: '',
         ruleTypeName: '',
         enabled: true,
+        revision: 0,
         schedule: {
           interval: '1h',
         },
@@ -338,6 +340,7 @@ describe('ruleType', () => {
         ruleTypeId: '',
         ruleTypeName: '',
         enabled: true,
+        revision: 0,
         schedule: {
           interval: '1h',
         },
@@ -403,6 +406,7 @@ describe('ruleType', () => {
         ruleTypeId: '',
         ruleTypeName: '',
         enabled: true,
+        revision: 0,
         schedule: {
           interval: '1h',
         },

diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/alerts.ts b/x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/alerts.ts
@@ -84,6 +84,7 @@ export default function alertTests({ getService }: FtrProviderContext) {
             };
           }),
           producer: 'alertsFixture',
+          revision: 0,
           ruleTypeId: 'test.always-firing',
           ruleTypeName: 'Test: Always Firing',
           muteAll: false,
@@ -432,6 +433,7 @@ instanceStateValue: true
               };
             }),
             producer: 'alertsFixture',
+            revision: 1,
             ruleTypeId: 'test.always-firing',
             ruleTypeName: 'Test: Always Firing',
             muteAll: false,

diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/alerts_base.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group1/alerts_base.ts
@@ -123,6 +123,7 @@ export function alertTests({ getService }: FtrProviderContext, space: Space) {
             };
           }),
           producer: 'alertsFixture',
+          revision: 0,
           ruleTypeId: 'test.always-firing',
           ruleTypeName: 'Test: Always Firing',
           muteAll: false,