
[POC] Enable per-alert actions #154977


@e40pud e40pud commented Apr 14, 2023

Summary

Summarize your PR. If it involves visual changes include a screenshot or gif.

e40pud and others added 7 commits April 12, 2023 17:17
…maries

commit 7265666
Merge: db3fbee e80abe8
Author: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date:   Thu Apr 13 09:17:32 2023 -0400

    Merge branch 'main' into security_rule_context_alias

commit db3fbee
Author: Ying <ying.mao@elastic.co>
Date:   Wed Apr 12 16:41:31 2023 -0400

    Using given intervals for time range, not deriving from alert data

commit ca9b149
Author: Ying <ying.mao@elastic.co>
Date:   Wed Apr 12 14:59:33 2023 -0400

    Aliasing context and state variables for detection rules in alert summaries

e40pud commented Apr 18, 2023

@elasticmachine merge upstream


e40pud commented Apr 18, 2023

@elasticmachine merge upstream

createdAlerts.forEach((alert) =>
options.services.alertFactory
.create(alert._id)
.scheduleActions(type.defaultActionGroupId)
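Review bot: `scheduleActions(type.defaultActionGroupId)` on the last line passes only the action group, so each per-alert action would run without any context variables; pass the alert's fields as the context argument alongside the action group so that the per-alert action variables are populated from the alert that triggered them.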

should include the context object in scheduleActions call so per alert actions have context variables.

};
})
.filter((_, idx) => response.body.items[idx].create?.status === 201),
createdAlerts,
errors: errorAggregator(response.body, [409]),
alertsWereTruncated,
};
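Review bot: the `.filter((_, idx) => response.body.items[idx].create?.status === 201)` pairs mapped alerts with bulk-response items by position, which only holds if the mapped array and `response.body.items` have the same length and order; since 409 conflicts are deliberately not treated as errors by `errorAggregator(response.body, [409])`, add a comment stating that alerts rejected as duplicates are intentionally left out of `createdAlerts` and therefore never get a per-alert action scheduled.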

there is an alertWithSuppression function here that should also be updated to call the alertFactory.create

ymao1 added a commit that referenced this pull request Apr 19, 2023
…ection rules in alert summary mode (#154864)

Toward enabling per-action-alerts for detection rules
#154977

## Summary

This PR provides the necessary changes for detection rules to fully
onboard onto alerting framework alert summaries.
* Aliases detection rule context and state variables for summary action
variables. This provides backwards compatibility with the
`context.alerts`, `context.results_link` and `state.signals_count`
action variables that are currently used by detection rules.
* Calculates time bounds for summary alerts that can be passed back to
the view in app URL generator. This allows rule types to generate view
in app URLs limited to the timeframe that will match the summary alerts
time range
* For throttled summary alerts, the time range is generated as `now -
throttle duration`
* For per execution summary alerts, we use the `previousStartedAt` time
from the task state if available and the schedule duration if not
available. This is because some rules write out alerts with `@timestamp:
task.startedAt` so just using `now - schedule duration` may not capture
those alerts due to task manager schedule delays.

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
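A worked version of the summary time-bound rules described in that commit message, as an added example and not Kibana's own code; `parseDurationMs`, `getSummaryTimeBounds` and the input shape are hypothetical helpers written here, and durations are assumed to use Kibana-style strings such as "5m" or "1h":

```typescript
// Added example (not Kibana code): derive the time range a summary action should
// cover, following the rules in the commit message above.
// Assumptions: Kibana-style duration strings ("30s", "5m", "1h", "2d");
// parseDurationMs and getSummaryTimeBounds are hypothetical helpers.

interface TimeBounds {
  start: string; // ISO 8601
  end: string; // ISO 8601
}

const UNIT_MS: Record<string, number> = {
  s: 1000,
  m: 60000,
  h: 3600000,
  d: 86400000,
};

// Parse "<number><unit>" into milliseconds (hypothetical, not Kibana's parseDuration).
function parseDurationMs(duration: string): number {
  const match = /^(\d+)([smhd])$/.exec(duration.trim());
  if (!match) {
    throw new Error(`Invalid duration "${duration}"`);
  }
  return Number(match[1]) * UNIT_MS[match[2]];
}

interface SummaryBoundsInput {
  now: Date;
  // Throttle duration for throttled summaries (e.g. "1h"); absent for per-execution summaries.
  throttle?: string;
  // Rule schedule interval (e.g. "5m"), used only when previousStartedAt is unavailable.
  scheduleInterval: string;
  // previousStartedAt from the task state of the last run, when available.
  previousStartedAt?: Date | null;
}

function getSummaryTimeBounds(input: SummaryBoundsInput): TimeBounds {
  const { now, throttle, scheduleInterval, previousStartedAt } = input;
  let start: Date;
  if (throttle) {
    // Throttled summary: the range is `now - throttle duration`.
    start = new Date(now.getTime() - parseDurationMs(throttle));
  } else if (previousStartedAt) {
    // Per-execution summary: use the real previous start, so alerts written with
    // @timestamp = task.startedAt are still covered when task manager ran late.
    start = previousStartedAt;
  } else {
    // No previous start recorded (first run): fall back to `now - schedule duration`.
    start = new Date(now.getTime() - parseDurationMs(scheduleInterval));
  }
  return { start: start.toISOString(), end: now.toISOString() };
}
```

With a 5m schedule that last started at 11:48 but is evaluated at 12:00, the previousStartedAt branch yields a range starting at 11:48, whereas the schedule-based fallback would start at 11:55 and miss alerts stamped in between.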

e40pud commented Apr 20, 2023

@elasticmachine merge upstream


e40pud commented Apr 21, 2023

@elasticmachine merge upstream


kibana-ci commented Apr 21, 2023

💔 Build Failed

Failed CI Steps

Test Failures

  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 add_actions adding actions should be able to create a new webhook action and attach it to a rule
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 delete_rules deleting rules should return the legacy action in the response body when it deletes a rule that has one
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 delete_rules_bulk deleting rules bulk using POST should return 2 legacy actions in the response body when it deletes 2 rules
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 delete_rules_bulk deleting rules bulk using POST should return the legacy action in the response body when it deletes a rule that has one
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 export_rules exporting rules legacy_notification_system should be able to export 1 legacy action on 1 rule
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 export_rules exporting rules legacy_notification_system should be able to export 2 legacy actions on 1 rule
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 export_rules exporting rules legacy_notification_system should be able to export 2 legacy actions on 2 rules
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 export_rules exporting rules should export actions attached to 2 rules
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 export_rules exporting rules should export multiple actions attached to 1 rule
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 find_rules legacy_notification_system should be able to a read a scheduled action correctly
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 find_rules should be able to find a scheduled action correctly
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 find_rules should find a single rule with a execute immediately action correctly
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 update_actions updating actions should be able to create a new webhook action and attach it to an immutable rule
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 update_actions updating actions should be able to create a new webhook action and update a rule with the webhook action
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 1 update_actions updating actions should be able to create a new webhook action, attach it to an immutable rule and the rule should stay immutable when searching against immutable tags
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 migrate_legacy_actions migrates legacy actions for rule with action run daily
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 migrate_legacy_actions migrates legacy actions for rule with action run hourly
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 migrate_legacy_actions migrates legacy actions for rule with action run on every run
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 migrate_legacy_actions migrates legacy actions for rule with action run weekly
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 migrate_legacy_actions migrates legacy actions for rule with no actions
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 patch_rules_bulk patch rules bulk should bulk disable two rules and migrate their actions
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action edit action rule actions add_rule_actions should add action correctly to empty actions list
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action edit action rule actions set_rule_actions should migrate legacy actions on edit when actions edited
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action edit action rule actions set_rule_actions should set action correctly to existing empty actions list
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action edit action rule actions set_rule_actions should set action correctly to existing non empty actions list
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action edit action should migrate legacy actions on edit
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action should disable rules and migrate actions
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action should duplicate rule with a legacy action
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action should enable rules and migrate actions
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 perform_bulk_action should export rules with actions connectors
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 read_rules reading rules legacy_notification_system should be able to a read a scheduled action correctly
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 read_rules reading rules should be able to a read a execute immediately action correctly
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 read_rules reading rules should be able to a read a scheduled action correctly
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 update_rules update rules should update a single rule property of name using an auto-generated rule_id and migrate the actions
  • FTR Configs #20 / detection engine api security and spaces enabled - Group 10 update_rules_bulk update rules bulk should update two rule properties of name using the two rules rule_id and migrate actions
  • [job] [logs] Jest Tests #6 / duplicateRule returns an object with fields copied from a given rule
  • [job] [logs] Jest Tests #6 / get_export_by_object_ids getExportByObjectIds it will export rule without its action connectors as they are Preconfigured
  • [job] [logs] Jest Tests #6 / get_export_by_object_ids getExportByObjectIds it will export with rule and action connectors
  • [job] [logs] Jest Tests #6 / getExportAll it will export rule without its action connectors as they are Preconfigured
  • [job] [logs] Jest Tests #6 / getExportAll it will export with rule and action connectors
  • [job] [logs] Jest Tests #6 / patchRules regression tests does not update actions if none are specified
  • [job] [logs] Jest Tests #6 / patchRules regression tests updates the rule's actions if provided

Metrics

Module Count

Fewer modules lead to a faster build time

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 3831 | 3832 | +1 |

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
|---|---|---|---|
| @kbn/securitysolution-io-ts-alerting-types | 122 | 127 | +5 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 9.1MB | 9.1MB | -1.4KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 59.1KB | 59.2KB | +116.0B |

Unknown metric groups

API count

| id | before | after | diff |
|---|---|---|---|
| @kbn/securitysolution-io-ts-alerting-types | 141 | 147 | +6 |

ESLint disabled line counts

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 394 | 398 | +4 |

Total ESLint disabled count

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 474 | 478 | +4 |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @e40pud

@e40pud e40pud closed this Oct 10, 2023
@e40pud e40pud deleted the security/feature/actions-integration-with-per-alert-actions branch October 10, 2023 12:44
Labels
ci:cloud-deploy Create or update a Cloud deployment release_note:enhancement