[Response Ops][Alerting] Should we send summary notifications when there are no alerts to report #155708

Closed
ymao1 opened this issue Apr 25, 2023 · 4 comments · Fixed by #156421
Labels
Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@ymao1
Contributor

ymao1 commented Apr 25, 2023

The alerting framework started supporting summary actions in 8.8 and detection rules have migrated to using framework alert summaries with this PR. We noticed a discrepancy in behavior between the two summary features when there are no alerts to report. The framework summary will trigger a notification in this case (where the action message would indicate there are 0 alerts to report) while the detection rule summary would skip notifications.

Should we be matching the previous detection rule summary behavior?

@botelastic botelastic bot added the needs-team Issues missing a team label label Apr 25, 2023
@ymao1 ymao1 added Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Apr 25, 2023
@elasticmachine
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Apr 25, 2023
@ersin-erdal
Contributor

IINM we discussed this when we developed the summary feature and decided to send notifications for summary alerts on a custom interval.
Users may want to see that there were no alerts, or only recovered alerts that were carried over from the previous execution as active.
We can change the behaviour, but should we change it only for Sec. Rules or for O11Y as well?

@XavierM
Contributor

XavierM commented Apr 26, 2023

I think we should change it because summary and conditional actions are about notification fatigue, and we want to avoid too many notifications for our users.
What we can also do is ask our users what they want, by asking them if they want a notification when there is no data, if users request this behavior.

@mikecote mikecote self-assigned this Apr 27, 2023
@XavierM XavierM assigned XavierM and unassigned mikecote Apr 27, 2023
@XavierM
Contributor

XavierM commented May 2, 2023

@shanisagiv1 and I had a discussion around this and we think it will be better to not send any notification if we do NOT find any alerts.
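To make the two behaviours in this thread concrete, here is an added TypeScript model (not Kibana's code; the types, function names and sample alerts are constructed) of the summary-action decision: build the summary after the alerts filter has been applied, then decide whether to fire.

```typescript
// Added example, not Kibana's code: models the summary-action decision
// discussed in this issue. Types, names and sample data are hypothetical.

// Minimal view of an alert as the summary sees it at the end of a rule run.
interface Alert {
  id: string;
  host: string;
  status: "active" | "recovered";
  carriedOver: boolean; // false = first seen in this run, true = from a previous run
}

interface AlertSummary {
  newAlerts: number; // active, first seen in this run
  ongoing: number;   // active, carried over from a previous run
  recovered: number; // active last run, recovered in this run (still counts)
}

// Build the summary, optionally applying an alerts filter by host name
// (the "To verify" step filters on a host name that does not exist).
function summarize(alerts: Alert[], hostFilter?: string): AlertSummary {
  const summary: AlertSummary = { newAlerts: 0, ongoing: 0, recovered: 0 };
  for (const a of alerts) {
    if (hostFilter !== undefined && a.host !== hostFilter) continue;
    if (a.status === "recovered") summary.recovered++;
    else if (a.carriedOver) summary.ongoing++;
    else summary.newAlerts++;
  }
  return summary;
}

// Decision point. The pre-#156421 framework behaviour corresponds to
// notifyWhenEmpty = true (a "0 alerts" message is still sent); the fixed
// behaviour is notifyWhenEmpty = false. The flag also stands in for the
// per-user opt-in floated in the discussion.
function shouldNotify(summary: AlertSummary, notifyWhenEmpty = false): boolean {
  const total = summary.newAlerts + summary.ongoing + summary.recovered;
  return total > 0 || notifyWhenEmpty;
}

// Constructed sample run: one new, one ongoing, one recovered alert.
const SAMPLE_ALERTS: Alert[] = [
  { id: "a1", host: "web-01", status: "active", carriedOver: false },
  { id: "a2", host: "web-02", status: "active", carriedOver: true },
  { id: "a3", host: "db-01", status: "recovered", carriedOver: true },
];

console.log(shouldNotify(summarize(SAMPLE_ALERTS)));                 // true
console.log(shouldNotify(summarize(SAMPLE_ALERTS, "no-such-host"))); // false
```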

@ersin-erdal ersin-erdal self-assigned this May 2, 2023
ersin-erdal added a commit that referenced this issue May 3, 2023
…6421)

Resolves: #155708

Currently we always trigger summary actions on a custom interval even if
there are no alerts to report.
This PR changes this behaviour to skip summary actions when there are no
alerts.

## To verify
1. Create a Security Rule with a summary action that is on a custom interval
   (`Summary of alerts` -> `Custom Frequency`).
2. Add an alerts filter that filters out all the alerts (e.g. by using a host
   name that doesn't exist).
3. Expect the summary action not to be triggered.
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue May 3, 2023
…stic#156421)
(cherry picked from commit 506806f)
kibanamachine added a commit that referenced this issue May 3, 2023
#156421) (#156617)

# Backport

This will backport the following commits from `main` to `8.8`:
- [Don't trigger summary actions when there are no alerts to report
(#156421)](#156421)

### Questions?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)


Co-authored-by: Ersin Erdal <92688503+ersin-erdal@users.noreply.github.com>