[Cases] Use alerting client for updating alert status #102929
Labels: Feature:Cases (Cases feature), Team:ResponseOps (Label for the ResponseOps team, formerly the Cases and Alerting teams)
Comments

jonathan-buttner added the Team:Detections and Resp (Security Detection Response Team), Team:Threat Hunting (Security Solution Threat Hunting Team), Feature:Cases (Cases feature) and Feature:Cases-RAC-RBAC labels on Jun 22, 2021.

Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

cnasikas added the Team:ResponseOps label (Label for the ResponseOps team, formerly the Cases and Alerting teams) and removed the Team:Detections and Resp and Team:Threat Hunting labels on Jan 10, 2022.

Pinging @elastic/response-ops (Team:ResponseOps)
When syncing is enabled the Cases plugin updates the status of alerts to keep them synced with the case status. This is done directly through requests to Elasticsearch. This functionality is located here: https://github.com/elastic/kibana/blob/master/x-pack/plugins/cases/server/services/alerts/index.ts#L48
When the alerts as data RBAC PR (#100705) is merged, we'll need to transition this code to use the provided client here:
kibana/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts, line 158 in 52eab94
Update 11/18/21
We removed this functionality prior to 7.16 because RBAC for alerts within Security Solution was not implemented yet. So Cases still updates the status of alerts directly through Elasticsearch. In 7.16 Observability enabled RBAC for alerts using the rule registry. This isn't an issue for Cases currently because Observability disables the sync alerts functionality within Cases.
If Observability ever turns that functionality on within Cases, we'll need to start using the rule registry. This would lead to needing specific functionality for Observability (using the rule registry) and for Security Solution (not using the rule registry).
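The distinction the issue draws, a direct status write versus a write that goes through an authorization-enforcing client, as an added illustration that is not Kibana's or the Cases plugin's own code. The in-memory store, the `owner` field, the case-to-alert status mapping and the `canUpdate` callback are all assumptions made for the example.

```typescript
// Added example, not Kibana code: two ways of syncing alert status from a case.
// The status mapping, the owner-based check and the store are assumptions.

type CaseStatus = "open" | "in-progress" | "closed";
type AlertStatus = "open" | "acknowledged" | "closed";

export interface Alert { id: string; owner: string; status: AlertStatus }

// Hypothetical mapping from case status to alert status.
const STATUS_MAP: Record<CaseStatus, AlertStatus> = {
  open: "open", "in-progress": "acknowledged", closed: "closed",
};
export function alertStatusForCase(status: CaseStatus): AlertStatus {
  return STATUS_MAP[status];
}

// Decides whether the caller may update alerts belonging to `owner`
// (a stand-in for the rule registry's per-solution RBAC).
export type CanUpdate = (owner: string) => boolean;

// Unguarded path: writes every alert it is handed, like a direct ES request.
// No authorization is consulted, so the caller's privileges never matter.
export function updateAlertsDirect(
  store: Map<string, Alert>, ids: string[], status: AlertStatus,
): string[] {
  const updated: string[] = [];
  for (const id of ids) {
    const alert = store.get(id);
    if (alert) { alert.status = status; updated.push(id); }
  }
  return updated;
}

// Guarded path: consults the owner check before touching each alert and
// reports what was denied, so a failed check is visible rather than silent.
export function updateAlertsAuthorized(
  store: Map<string, Alert>, ids: string[], status: AlertStatus, canUpdate: CanUpdate,
): { updated: string[]; denied: string[] } {
  const updated: string[] = [], denied: string[] = [];
  for (const id of ids) {
    const alert = store.get(id);
    if (!alert) continue;               // unknown ids are ignored
    if (!canUpdate(alert.owner)) { denied.push(id); continue; }
    alert.status = status; updated.push(id);
  }
  return { updated, denied };
}

// Constructed sample data: alerts owned by two different solutions.
export function sampleStore(): Map<string, Alert> {
  return new Map([
    ["a1", { id: "a1", owner: "securitySolution", status: "open" }],
    ["a2", { id: "a2", owner: "observability", status: "open" }],
  ]);
}
```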