Onboard an O11y rule type to use FAAD #164220
Labels: Feature:Alerting, Team:ResponseOps (Label for the ResponseOps team, formerly the Cases and Alerting teams)
Comments
mikecote added Feature:Alerting, Team:ResponseOps labels Aug 17, 2023
Pinging @elastic/response-ops (Team:ResponseOps)
github-project-automation bot moved this to Awaiting Triage in AppEx: ResponseOps - Execution & Connectors Aug 17, 2023
mikecote moved this from Awaiting Triage to Todo in AppEx: ResponseOps - Execution & Connectors Aug 17, 2023
I'm adding this one to the current iteration, it is a large issue that involves R&D to uncover the challenges we will face to move a rule type.
mikecote moved this from Todo to Blocked / On hold in AppEx: ResponseOps - Execution & Connectors Sep 8, 2023
I spoke with @simianhacker and we'll use the Metric Threshold rule as the first rule type to onboard to FAAD. @ymao1 I've unblocked this issue.
mikecote moved this from Blocked / On hold to Todo in AppEx: ResponseOps - Execution & Connectors Sep 18, 2023
ymao1 moved this from Todo to In Progress in AppEx: ResponseOps - Execution & Connectors Sep 20, 2023
ymao1 moved this from In Progress to Todo in AppEx: ResponseOps - Execution & Connectors Sep 27, 2023
ymao1 moved this from Todo to In Progress in AppEx: ResponseOps - Execution & Connectors Oct 2, 2023
ymao1 moved this from In Progress to In Review in AppEx: ResponseOps - Execution & Connectors Oct 5, 2023
github-project-automation bot moved this from In Review to Done in AppEx: ResponseOps - Execution & Connectors Oct 18, 2023
ymao1 added a commit that referenced this issue Oct 18, 2023
…erts as data (#166664)

Resolves #164220

## Summary

Removes the lifecycle executor wrapper around the metric threshold rule type executor so that this rule type is using the framework alerts client to write alerts as data documents.

### Response ops changes

- Passing in task `startedAt` date to the alerts client. Lifecycle executor rules use this standardized timestamp for the `@timestamp` field of the AaD doc, as well as for the start and end time of an alert

### Metric threshold rule changes

- Switch to using the alerts client in the executor to report alerts and to get recovered alert information.

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
As part of the next steps to have a single architecture read and write alerts-as-data, we should focus on moving O11y rules away from the rule registry completely. Given there are unknowns, it would be best to start with a single O11y rule type and attempt to make it work without using the rule registry. As issues arise, we should look into triaging / solving them as well.
Definition of done: