[Alert Summaries] Add summary capabilities to the API and execution logic #143376
Comments
|
Part of this issue, we should also add the new Alert Summaries options. |
mikecote
moved this from Awaiting Triage
to Todo
in AppEx: ResponseOps - Execution & Connectors
mikecote
moved this from Todo
to Blocked / On hold
in AppEx: ResponseOps - Execution & Connectors
mikecote
changed the title
|
With the upcoming alert summary feature, we will soon provide users access to the full AAD document. This allows users to build mustache templates on any field. It isn’t too late if we want to limit / filter out fields that would be accessible in rule actions. The current plan is to provide access to everything (including kibana.* fields), should we change that? |
Would we be exposing all fields from the existing AAD documents, or only the fields in the forthcoming FAAD schema? |
In the initial phase, it's hooked up to the rule registry, so all the existing AAD fields / documents. |
|
We could look into limiting existing AAD documents to only FAAD fields, if we have finalized/limited the list. |
|
Thanks for the clarification, @mikecote. The safest option is to hold off on exposing the kibana.alert.* fields and wait on the forthcoming FAAD schema. Otherwise, we run the risk of users starting to consume fields that we will end up removing. Do you see this being a problem? |
Shouldn't be a problem from my perspective, it's easier to add later than to remove, so lets filter them out at first. We will have to migrate the security solution to this feature at a later time, we can see if we need special handing for them, while keeping the fields out elsewhere. |
|
It might be that we'll need to expose some of the information about the alert if users want to iterate through them and provide a brief description of the alert 🤔 (ex: alert id) but maybe ECS has enough information for those use cases? |
I don't think ECS will have enough information. If we know we need certain fields exposed and we're fairly confident that they'll be in the FAAD schema, we can allowlist specific fields. |
Sounds good, we will do an exercise to allow list specific kibana.* fields and get feedback. I will create an explicit issue to limit the fields for summaries. |
mikecote
moved this from Blocked / On hold
to Todo
in AppEx: ResponseOps - Execution & Connectors
|
Removing blocked label as #144130 is now merged. |
ersin-erdal
moved this from Todo
to In Progress
in AppEx: ResponseOps - Execution & Connectors
ersin-erdal
moved this from In Progress
to In Review
in AppEx: ResponseOps - Execution & Connectors
Resolves: #143376 This PR adds the alerts summary capability to the rule execution. If an action is a summary action and not throttled (Summary of alerts on a custom interval) alerts summary is fetched from the AAD index and injected into the action message variables.
…ction (#145637) ## Summary Closes #143369 (~blocked by #143376) This PR updates the Stack Management UI and Observability UI to show Notify When and Throttle parameters at the **action level** instead of the **rule level**. The rule-level Check Every dropdown is moved to the end of the rule, right above the actions form The Security Solution UX remains unchanged, as it has a unique way of displaying action notification frequencies at the rule level. Instead, the API request has changed so that the selected action frequency will now be stored in each action's `frequency` param instead of at the rule level. In all three UIs, existing rules that have legacy rule-level `notifyWhen` and `frequency` params will have these parameters seamlessly migrated to the action level when the user edits a rule. The Rule Details page is also updated to show Notify frequencies in the Actions column instead of in the first, rule-level column. ### Rule Details Page update <img width="781" alt="Screen Shot 2022-11-17 at 4 23 02 PM" src="https://user-images.githubusercontent.com/1445834/202573067-bc55630d-f767-4a93-8d7c-752748da25c2.png"> ### Rule Form update <img width="605" alt="Screen Shot 2022-11-17 at 4 23 10 PM" src="https://user-images.githubusercontent.com/1445834/202573057-5d50e573-1453-4b63-8e1e-6505fa0261c6.png"> <img width="605" alt="Screen Shot 2022-12-27 at 1 18 12 PM" src="https://user-images.githubusercontent.com/1445834/209712784-34c2384b-bcc8-4db9-a42d-052d81099a40.png"> ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co>
…ction (elastic#145637) ## Summary Closes elastic#143369 (~blocked by elastic#143376) This PR updates the Stack Management UI and Observability UI to show Notify When and Throttle parameters at the **action level** instead of the **rule level**. The rule-level Check Every dropdown is moved to the end of the rule, right above the actions form The Security Solution UX remains unchanged, as it has a unique way of displaying action notification frequencies at the rule level. Instead, the API request has changed so that the selected action frequency will now be stored in each action's `frequency` param instead of at the rule level. In all three UIs, existing rules that have legacy rule-level `notifyWhen` and `frequency` params will have these parameters seamlessly migrated to the action level when the user edits a rule. The Rule Details page is also updated to show Notify frequencies in the Actions column instead of in the first, rule-level column. ### Rule Details Page update <img width="781" alt="Screen Shot 2022-11-17 at 4 23 02 PM" src="https://user-images.githubusercontent.com/1445834/202573067-bc55630d-f767-4a93-8d7c-752748da25c2.png"> ### Rule Form update <img width="605" alt="Screen Shot 2022-11-17 at 4 23 10 PM" src="https://user-images.githubusercontent.com/1445834/202573057-5d50e573-1453-4b63-8e1e-6505fa0261c6.png"> <img width="605" alt="Screen Shot 2022-12-27 at 1 18 12 PM" src="https://user-images.githubusercontent.com/1445834/209712784-34c2384b-bcc8-4db9-a42d-052d81099a40.png"> ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co>
Meta: #143200
Blocked by: #143374 and #143368The rule API and Task Runner should be modified to provide the new Alert Summaries options and functionality.
If an action is a
Summary of alerts per rule run, alerts of the current execution context should be injected in to the action context.If an action is a
Summary of alerts on a custom intervaland the action is still throttled the action should be skipped.If not, alerts that are generated within the given time span, should be injected in to the action context. Alerts should be fetched using the developed provider in #143374.
This issue relates to the following functional specifications (#143200): 1, 3, 4, 5, 6, 7.
This issue relates to the following non-functional specifications (#143200): 1.
The text was updated successfully, but these errors were encountered: