Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RAC][Alerts as Data] Adds RAC plugin #94663

Closed
wants to merge 9 commits into from
Closed

[RAC][Alerts as Data] Adds RAC plugin #94663

wants to merge 9 commits into from

Conversation

spong
Copy link
Member

@spong spong commented Mar 16, 2021
edited
Loading

NOTE:

This PoC is on pause as we integrate the rule-registry #95903. Reference Rule implementations being iterated on as part of #96015

Summary

This is a draft PR for iterating towards the first three Alerts as Data milestones:

The RAC plugin will act as a test bed while Alerting (#90375) & Detections (#93550) tackle their initial tasks around renaming/modularization. Once suitable implementations are determined for the above we can start integrating modularized pieces like exceptions, monitoring, and begin iterating on API's and other refactoring efforts around rules (supporting alerts as data in remaining Observability rules, breaking out security rules into multiple types, rule management, etc).

This initial pass leverages the event_log method of bootstrapping the index, and just needs the exports.EcsEventLogProperties updated to be able to generate the correct mappings using the script:

node ./x-pack/plugins/rac/scripts/create_schemas.js

Current progress:

  • Schema Definition
    • ECS Fields
    • Alert Fields (ancestor, id's, groups, etc)
      • Rule Fields
      • Workflow Fields
  • Bootsrapping Index
    • Create Index (Kibana System User)
      • Per rule type, shared mapping?
    • Create ILM
    • Create Index Template
  • Bulk Indexing Strategies
    • Wired up reference rule type
    • Observability Rule / Lifecycle Rule
      • Leverage ancestors/groups (ala EQL Rules), creates shell mutable alert, and immutable building block alerts
    • Security Rule / Persistence Rule
      • Fires and forgets, immutable alerts

@spong spong mentioned this pull request Mar 16, 2021
Closed
pmuellr
pmuellr reviewed Mar 22, 2021
View reviewed changes
Copy link
Member

@pmuellr pmuellr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

made a few notes on the schema

x-pack/plugins/rac/scripts/generate_mapping/mappings.js
},
},
},
parents: {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be a nested type? I'd guess that parent is the direct parent, and that there could be other "indirect" parents? Or just one?

x-pack/plugins/rac/scripts/generate_mapping/mappings.js
},
},
},
ancestors: {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same question re: parents - should this be nested? Could there be multiple in here?

x-pack/plugins/rac/scripts/generate_mapping/mappings.js
field: {
type: 'keyword',
},
value: {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we've not added a notion of a fixed type for thresholds, because "IT depends". The index threshold has comparators "between" and "not between" which take two threshold values. The geo containment alert threshold is some geo-related value - I believe a shape, but perhaps it's a set of points, or ??? - it's unlikely to be captured as a float though.

@spong
Copy link
Member Author

spong commented Mar 24, 2021

Thank you for the 👀's @pmuellr! In discussing with @dgieselaar today I'm going to remove the index/mapping bootstraping logic from this PR and integrate with the rule-registry (once merged). That said, your comments are still valid, and we'll need to decide about parents, ancestors, and the rule-specific fields. We can iterate on those within the rule-registry, but in the meantime I'll be sure to gather the details around how detections is using the parents/ancestor fields for enabling building block alerts, and alerts-on-alerts (depth is used here too if I recall correctly).

@spong spong mentioned this pull request Mar 30, 2021
Closed
7 tasks
@kibanamachine
Copy link
Contributor

⏳ Build in-progress, with failures

Failed CI Steps

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

kibanamachine commented Apr 1, 2021
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

Kibana Pipeline / jest / Jest Tests.x-pack/plugins/alerting/server/task_runner.Task Runner validates params before executing the alert type

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

Stack Trace

Error: expect(jest.fn()).toHaveBeenCalledWith(...expected)

Expected: "Executing Alert \"1\" has resulted in Error: params invalid: [param1]: expected value of type [string] but got [undefined]"
Received: [Error: Executing Alert "1" has resulted in Error: params invalid: [param1]: expected value of type [string] but got [undefined]]

Number of calls: 1
    at Object.<anonymous> (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts:1432:61)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at _callCircusTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:212:5)
    at _runTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:149:3)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:63:9)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:57:9)
    at run (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:25:3)
    at runAndTransformResultsToJestFormat (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/legacy-code-todo-rewrite/jestAdapterInit.js:176:21)
    at jestAdapter (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/legacy-code-todo-rewrite/jestAdapter.js:109:19)
    at runTestInternal (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/runTest.js:380:16)
    at runTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/runTest.js:472:34)
    at Object.worker (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/testWorker.js:133:12)
Kibana Pipeline / jest / Jest Tests.x-pack/plugins/event_log/server/es.createIndexTemplate should throw error if index template still doesn't exist after error is thrown

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

Stack Trace

Error: expect(received).rejects.toThrowErrorMatchingInlineSnapshot(snapshot)

Snapshot name: `createIndexTemplate should throw error if index template still doesn't exist after error is thrown 1`

Snapshot: "error creating index template: Fail"
Received: "Could not create index template: Fail"
    at Object.toThrowErrorMatchingInlineSnapshot (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/expect/build/index.js:241:20)
    at Object.<anonymous> (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/x-pack/plugins/event_log/server/es/cluster_client_adapter.test.ts:253:15)
    at Promise.then.completed (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/utils.js:276:28)
    at new Promise (<anonymous>)
    at callAsyncCircusFn (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/utils.js:216:10)
    at _callCircusTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:212:40)
    at _runTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:149:3)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:63:9)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:57:9)
    at run (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:25:3)
    at runAndTransformResultsToJestFormat (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/legacy-code-todo-rewrite/jestAdapterInit.js:176:21)
    at jestAdapter (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/legacy-code-todo-rewrite/jestAdapter.js:109:19)
    at runTestInternal (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/runTest.js:380:16)
    at runTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/runTest.js:472:34)
    at Object.worker (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/testWorker.js:133:12)
Kibana Pipeline / jest / Jest Tests.x-pack/plugins/apm/server/lib/alerts.Transaction duration anomaly alert doesn't send alert ml is not defined

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

Stack Trace

TypeError: Cannot read property 'registerType' of undefined
    at registerTransactionDurationAnomalyAlertType (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/x-pack/plugins/apm/server/lib/alerts/register_transaction_duration_anomaly_alert_type.ts:46:12)
    at Object.<anonymous> (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/x-pack/plugins/apm/server/lib/alerts/register_transaction_duration_anomaly_alert_type.test.ts:44:7)
    at Promise.then.completed (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/utils.js:276:28)
    at new Promise (<anonymous>)
    at callAsyncCircusFn (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/utils.js:216:10)
    at _callCircusTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:212:40)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at _runTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:149:3)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:63:9)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:57:9)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:57:9)
    at run (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:25:3)
    at runAndTransformResultsToJestFormat (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/legacy-code-todo-rewrite/jestAdapterInit.js:176:21)
    at jestAdapter (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/legacy-code-todo-rewrite/jestAdapter.js:109:19)
    at runTestInternal (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/runTest.js:380:16)
    at runTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/runTest.js:472:34)
    at Object.worker (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/testWorker.js:133:12)

and 12 more failures, only showing the first 3.

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
rac - 19 +19

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
rac - 4.7KB +4.7KB
securitySolution 7.2MB 7.2MB +593.0B
total +5.3KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
core 412.3KB 412.5KB +177.0B
rac - 14.6KB +14.6KB
total +14.8KB
Unknown metric groups

async chunk count

id before after diff
rac - 1 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@legrego legrego closed this Jul 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmuellr pmuellr pmuellr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@spong @kibanamachine @pmuellr @legrego @dgieselaar