[RAC] Add columns for Case ID and External Incident to Alerts table

[hbharding]

Part of #132772

Product issue: https://github.com/elastic/observability-product/issues/67
cc @cyrille-leclerc @vinaychandrasekhar @jasonrhodes @katrin-freihofner

We want to add columns for "Cases" and "External incident" to the alerts table so that users are able to see which alerts have cases and are being worked on. Currently, I don't think Cases or External incidents are included in the alert data scheme, so we may need to think of a way to add this information. I'll let engineering figure out how to tackle that oart and instead focus on the desired UI/UX requirements below:

Requirements

• Add a column for Cases and External incidents. If no data exists, show a blank cell using a hyphen -
• Users can configure the display of these columns in datagrid's "Columns" option.
• By default, the External incidents column should only appear if the user has a supported connector such as Jira, ServiceNow, etc. configured. This way users who don't use external incident management systems won't need to see an empty, useless column.
• If any rule with a supported connector/action triggers an alert, that alert should automatically be associated with the External incident that was created. This means it is possible for an alert to have an external incident but no Elastic case associated.
• The external incident column shows a link with a tooltip that says "Open incident in _____" i.e. Jira, ServiceNow, etc. Clicking the link will open in a new tab.
• The Case column provides a link to the associated case in Kibana. If more than one case is assigned to an alert, use a comma separated list.
• The Case column uses a human readable Case ID. This information does not exist today. Cases IDs will follow a similar pattern to github issues where they increment from 1, 2, 3, ... 456, etc. There are multiple views in our app where we should show Case IDs, so I'll create a separate issue for these.
• Hovering on a case will show a tooltip. Details captured in screenshot below:
  
• We should also show this information in the Alerts detail flyout. The links in the flyout should have the same tooltip behavior as the links shown in the table.
  

[cyrille-leclerc]

It looks great!

Few comments

• I love the human readable case identifier, should it be prefixed by few letters the same way Jira and PagerDuty identifiers are prefixed by letters. Maybe prefixing the Elastic cases and alerts with "ES", or with respectively "C" and "A" for cases and alerts.
• Should we say "External Incident" or "External Link"? "Incident" is an opinionated association, customers may associate their alert with something that is not called an incident.

[hbharding]

Thanks @cyrille-leclerc

I love the human readable case identifier, should it be prefixed by few letters the same way Jira and PagerDuty identifiers are prefixed by letters. Maybe prefixing the Elastic cases and alerts with "ES", or with respectively "C" and "A" for cases and alerts.

I considered using prefixes but I couldn't think of a strong reason for why users might need one. In my own experience and brief research, prefixes tend to be used as a way to organize issues by teams, job function, or project (i.e. IT-456 or HR-123). We could explore doing something like this, but I don't think it's necessary to start. I also considered a prefix like "ES" or "KBN", but I didn't see the value. All cases/alerts are native to our system, so I don't think we need to "hint" that they came from elasticsearch or kibana. Another idea I had was using "OBS-" and "SEC-", but again, I didn't see much value here. Some users may be confused by what these prefixes mean, or they might wonder if there is a way to customize the prefix.

I also considered using "C" and "A" prefixes for cases and alerts, but at the moment it's not clear to me why users would benefit from alert IDs. Some user stories would be helpful here, otherwise it feels like we may be adding an unnecessary layer of complexity. I think the name of the rule which triggered the alert and the timestamp is a sufficient way for users to identify a specific alert, whereas a case's name may be hard to remember and could benefit from having a short ID. If we end up not need alert IDs but only case IDs, the "C" and "A" prefix seems unnecessary.

Should we say "External Incident" or "External Link"? "Incident" is an opinionated association, customers may associate their alert with something that is not called an incident.

I choose "external incident" to be consistent with the columns we already use in the Cases table. I'll admit that when I first started working on this project, I was initially confused by what "external incident" meant and whether it was an industry term. But after doing a little research into other ITSM products, "incident" seems to be a common word. For example, even Jira (which typically I think of as "issues") has an issue type called incident.

This is something we may want to get user feedback on. Is "external incident" confusing or too opinionated as a label? I think "external link" might work, but I don't think it's any more clear. An external link to what? I wonder if it's even necessary that we use the word "external". If an external incident exists, does that mean there is "internal incident" counterpart? Yes, except in Kibana we've decided to call these "Cases". Perhaps we could just say "link" or "linked", as in a Kibana Case and be "linked" to an external incident ITSM platform. I don't have a strong opinion on what this should say, so long as we are consistent with all the places where this label appears.

[cyrille-leclerc]

Thanks for explaining your rationale.
I'm fine with just starting with human readable numeric identifier for cases.
I'm also fine starting calling the column "external incident" or maybe just "incident".

[elasticmachine]

Pinging @elastic/response-ops-cases (Feature:Cases)

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[emma-raffenne]

Depends on #115808

[cnasikas]

Hi everyone! In #146864 we added the cases column to the alerts table.

[katrin-freihofner]

Although the part about showing the external case link in the alerts table is missing, I'm closing this one and we can follow up on a separate issue if necessary.