[Endpoint] Encode the index of the alert in the id response #66919
Summary
Retrieving alerts from ES is currently not working because of data streams. To reproduce this issue:
This will not happen when using the resolver data generator because it uses a mapping file which forces the index to not use data streams.
You should see the following in the UI (screenshot: Alert UI Failure).
The issue is that the ingest manager leverages v2 templates and data streams for the data sent by an endpoint. The endpoint binary is configured to send event data and alerts to `events-endpoint-1`. Instead of creating a normal index in ES, a data stream will be created and the actual index will be something like `events-endpoint-1-000001`. When the alert details server code tries to retrieve the alert it uses a hard coded index value here: https://github.com/elastic/kibana/blob/master/x-pack/plugins/endpoint/common/alert_constants.ts#L19 (`events-endpoint-1`) and uses the ES Get API for retrieving the alert by its ID. This fails with the following error:
To solve this, the index will now be encoded in the response `id` field.
Testing
Connect a live endpoint and trigger an alert. You should be able to see the alert in resolver.
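The encoding scheme described in the summary, as an added example that is not the PR's own code and not Kibana's implementation. It assumes a simple `index:id` encoding (the PR does not state the actual format), an assumed allowed-index pattern `ALLOWED_INDEX`, and constructed sample hits; the point it adds is that the id coming back from the client must be validated before it is turned into an ES Get call, because the decoded index would otherwise let a caller point the request at an index the alert endpoint should never read.

```typescript
// Added example, not Kibana's code. Encodes the concrete backing index of a
// data-stream write into the alert id returned to the UI, and validates it on
// the way back in before it reaches the ES Get API.

interface AlertHit {
  _index: string; // backing index, e.g. events-endpoint-1-000001
  _id: string;    // document id
}

// Constructed sample: the shape a search over the data stream would return.
// Note the _index is the backing index, not the data stream name.
const SAMPLE_HITS: AlertHit[] = [
  { _index: 'events-endpoint-1-000001', _id: 'a1b2c3' },
  { _index: 'events-endpoint-1-000002', _id: 'd4e5f6' },
];

// Assumed allow-list: only backing indices of the endpoint events data stream.
// The data stream name itself (events-endpoint-1) is deliberately excluded,
// since the Get API needs the concrete index.
const ALLOWED_INDEX = /^events-endpoint-\d+-\d{6}$/;

// Encode index and document id into one opaque id for the response.
// Both halves are percent-encoded so a ':' inside the document id cannot be
// confused with the separator.
function encodeAlertId(hit: AlertHit): string {
  return `${encodeURIComponent(hit._index)}:${encodeURIComponent(hit._id)}`;
}

// Decode an id received from a client. Returns null when the value is
// malformed or names an index outside the allow-list, so the caller never
// issues a Get against an arbitrary index.
function decodeAlertId(encoded: string): AlertHit | null {
  const sep = encoded.indexOf(':');
  if (sep <= 0 || sep === encoded.length - 1) return null;
  let index: string;
  let id: string;
  try {
    index = decodeURIComponent(encoded.slice(0, sep));
    id = decodeURIComponent(encoded.slice(sep + 1));
  } catch {
    return null; // bad percent-encoding
  }
  if (!ALLOWED_INDEX.test(index)) return null;
  return { _index: index, _id: id };
}

// Parameters for the Get call ({ index, id } as the ES client expects),
// or null when the request must be rejected with a 404/400.
function getParamsFor(encoded: string): { index: string; id: string } | null {
  const hit = decodeAlertId(encoded);
  return hit ? { index: hit._index, id: hit._id } : null;
}
```

In the route handler the server would return `encodeAlertId(hit)` as the alert `id` when listing alerts, and call `getParamsFor(request.params.id)` when fetching one; a `null` result is answered without touching ES.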