
Unable to define extra alert information and have free-text search #92011

Closed
mikecote opened this issue Feb 19, 2021 · 4 comments
Labels
discuss enhancement New value added to drive a business result Feature:Alerting R&D Research and development ticket (not meant to produce code, but to make a decision) Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@mikecote
Contributor

It would be nice to provide more information to an alert when creating it and to free-text search that information to find a list of alerts.

In Security's use case, they could add a description, attack technique, and find alerts related to a free-text search.

@mikecote mikecote added enhancement New value added to drive a business result Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Feb 19, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@mikecote mikecote added the R&D Research and development ticket (not meant to produce code, but to make a decision) label Feb 19, 2021
@pmuellr
Member

pmuellr commented Feb 19, 2021

Same for connectors? Something like a description field? I'd say this is actually another candidate for adding to Saved Objects directly, rather than alerts/connectors specifically.

@pmuellr
Member

pmuellr commented Feb 23, 2021

Something like the copy_to mapping parameter on the alert params could be a "good enough" fit here. But of course we can't use that, since we're now mapping the params to the flattened mapping type.

Not out of the question that we could do this ourselves. On create/update, take all the alert parameter "leaf" values, concatenate into a single string, add that as a new text field paramsText or such. Perhaps some text analyzer tweaks could be applied, with relevant formatting in the field, to make this more easily searchable.

Not sure if every alert type (and connector type) would need this, so it could be an opt-in via the alert type, to cut down on the space/time requirements this adds.
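Added example (not Kibana code, and not part of the comment above): a sketch of the "concatenate all alert parameter leaf values into a paramsText field" idea, with each leaf prefixed by its dotted path so the text stays searchable both by plain free text and by field-style terms. The params shape, the `=` / ` | ` formatting and the sample data are assumptions.

```typescript
// Walk an alert's params object depth-first and collect every leaf value,
// rendered as "dotted.path=value". Nested objects and arrays are descended;
// null/undefined are skipped. `out` is the accumulator for the recursion.
function collectLeaves(value: unknown, path: string[], out: string[]): string[] {
  if (value === null || value === undefined) return out;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      collectLeaves(value[i], path.concat(String(i)), out);
    }
    return out;
  }
  if (typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    for (const key of Object.keys(obj)) {
      collectLeaves(obj[key], path.concat(key), out);
    }
    return out;
  }
  // Leaf (string, number, boolean): keep the path so "severity=high" style
  // terms match, while the raw value still matches plain free text.
  out.push(path.join('.') + '=' + String(value));
  return out;
}

// Build the single text field that would be stored alongside the params
// on create/update (hypothetical "paramsText" field from the discussion).
function buildParamsText(params: Record<string, unknown>): string {
  return collectLeaves(params, [], []).join(' | ');
}

// Minimal free-text predicate standing in for an analyzed text query:
// every whitespace-separated term must occur, case-insensitively.
function matchesFreeText(paramsText: string, query: string): boolean {
  const hay = paramsText.toLowerCase();
  const terms = query.toLowerCase().split(/\s+/).filter(Boolean);
  return terms.every((t) => hay.indexOf(t) !== -1);
}

// Constructed sample alert params (assumed shape, not real Kibana data).
const sampleParams: Record<string, unknown> = {
  description: 'Suspicious PowerShell download cradle',
  threat: [{ technique: { id: 'T1059.001', name: 'PowerShell' } }],
  severity: 'high',
  riskScore: 73,
  enabled: true,
};
```

Calling `buildParamsText(sampleParams)` yields six `path=value` segments joined by ` | `, and `matchesFreeText` over that string answers queries such as `powershell cradle`.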

@mikecote
Contributor Author

I will leave this issue up for discussion until March 9th.

@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022