[Request] add New terms rule alert suppression docs #5030
vitaliidm added a commit to elastic/kibana that referenced this issue on Apr 9, 2024:
…Terms rule type (#178294)

## Summary

- addresses elastic/security-team#8824
- adds alert suppression for new terms rule type
- fixes `getOpenAlerts` test function, which returned closed alerts as well

### UI

![Screenshot 2024-04-02 at 12 53 26](https://github.com/elastic/kibana/assets/92328789/8398fba4-a06c-464b-87ef-1c5d5a18e37f)

![Screenshot 2024-04-02 at 12 53 46](https://github.com/elastic/kibana/assets/92328789/971ec0da-c1d9-4c96-a4af-7cc8dfae52a4)

### Checklist

- [x] Functional changes are hidden behind a feature flag. Feature flag: `alertSuppressionForNewTermsRuleEnabled`
- [x] Functional changes are covered with a test plan and automated tests. Test plan: elastic/security-team#9045
- [x] Stability of new and changed tests is verified using the [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner).
  - Cypress ESS: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5547
  - Cypress Serverless: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5548
  - FTR ESS: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5596
  - FTR Serverless: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5597
- [ ] Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless.
- [x] Mapping changes are accompanied by a technical design document. It can be a GitHub issue or an RFC explaining the changes. The design document is shared with and approved by the appropriate teams and individual stakeholders. The existing AlertSuppression schema field is used for the New terms rule, the same one that is used for Query and IM rules:

  ```yml
  alert_suppression:
    $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
  ```

  where

  ```yml
  AlertSuppression:
    type: object
    properties:
      group_by:
        $ref: '#/components/schemas/AlertSuppressionGroupBy'
      duration:
        $ref: '#/components/schemas/AlertSuppressionDuration'
      missing_fields_strategy:
        $ref: '#/components/schemas/AlertSuppressionMissingFieldsStrategy'
    required:
      - group_by
  ```

- [x] Functional changes are communicated to the Docs team. A ticket or PR is opened in https://github.com/elastic/security-docs. The following information is included: any feature flags used, affected environments (Serverless, ESS, or both). elastic/security-docs#5030
ESS and Serverless docs merged!
## Description

Adds alert suppression for the New terms rule type.

### Background & resources

**Which documentation set does this change impact?**
ESS and serverless

**ESS release**
8.14

**Serverless release**
Around the 8.14 release

**Feature differences**
- ESS: alert suppression is available for the Platinum license
- Serverless: available for the Essentials and Complete tiers

**API docs impact**
Adds the `alert_suppression` field to the New terms rule create/update/patch rule APIs

**Prerequisites, privileges, feature flags**
- ESS: requires Platinum license
- Feature flag: `alertSuppressionForNewTermsRuleEnabled`
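One way to exercise the new API field, as an added example (this is not code from the Kibana PR, from the security-docs project, or from anyone in this thread): a small Python helper that builds the create-rule body for a New Terms rule carrying an `alert_suppression` block and validates that block against the schema quoted in the referenced PR (`group_by` required; `duration` and `missing_fields_strategy` optional). Taken from Elastic's public detection-rules API documentation rather than from this page, and therefore assumptions here: the duration shape `{"value", "unit"}` with units `s`/`m`/`h`, the strategy values `suppress`/`doNotSuppress`, the three-field limit on `group_by`, the endpoint `POST /api/detection_engine/rules`, the `kbn-xsrf` header, and the set of non-suppression fields a `new_terms` rule needs.

```python
"""Build and validate the alert_suppression block for a New Terms rule.

Example code added to this issue page; it is not Kibana's or the
security-docs project's own code.  The schema shape (group_by required,
duration and missing_fields_strategy optional) follows the AlertSuppression
schema quoted in the referenced PR.  Assumed from Elastic's public
detection-rules API docs rather than from this page: duration is
{"value": <int>, "unit": "s"|"m"|"h"}, missing_fields_strategy is
"suppress" or "doNotSuppress", group_by takes at most three fields, and
rules are created with POST /api/detection_engine/rules.
"""
import json

RULES_ENDPOINT = "/api/detection_engine/rules"   # assumed endpoint path
VALID_UNITS = {"s", "m", "h"}                      # assumed duration units
VALID_STRATEGIES = {"suppress", "doNotSuppress"}   # assumed enum values
MAX_GROUP_BY = 3                                   # assumed field limit
ALLOWED_KEYS = {"group_by", "duration", "missing_fields_strategy"}


def validate_alert_suppression(suppression):
    """Raise ValueError if the block does not match the schema."""
    if not isinstance(suppression, dict):
        raise ValueError("alert_suppression must be an object")
    unknown = set(suppression) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unexpected alert_suppression keys: {sorted(unknown)}")
    # group_by is the only required property in the quoted schema.
    group_by = suppression.get("group_by")
    if not isinstance(group_by, list) or not group_by:
        raise ValueError("alert_suppression.group_by is required and must be a non-empty list")
    if len(group_by) > MAX_GROUP_BY:
        raise ValueError(f"alert_suppression.group_by accepts at most {MAX_GROUP_BY} fields")
    if not all(isinstance(f, str) and f for f in group_by):
        raise ValueError("alert_suppression.group_by entries must be field names")
    duration = suppression.get("duration")
    if duration is not None:
        if not isinstance(duration, dict) or set(duration) != {"value", "unit"}:
            raise ValueError("alert_suppression.duration must be {value, unit}")
        value, unit = duration["value"], duration["unit"]
        # bool is an int subclass in Python, so reject it explicitly.
        if not isinstance(value, int) or isinstance(value, bool) or value < 1:
            raise ValueError("alert_suppression.duration.value must be a positive integer")
        if unit not in VALID_UNITS:
            raise ValueError(f"alert_suppression.duration.unit must be one of {sorted(VALID_UNITS)}")
    strategy = suppression.get("missing_fields_strategy")
    if strategy is not None and strategy not in VALID_STRATEGIES:
        raise ValueError(
            f"alert_suppression.missing_fields_strategy must be one of {sorted(VALID_STRATEGIES)}")


def is_valid_alert_suppression(suppression):
    """Boolean form of validate_alert_suppression."""
    try:
        validate_alert_suppression(suppression)
    except ValueError:
        return False
    return True


def build_new_terms_rule(name, query, new_terms_fields, history_window_start,
                         group_by, duration=None, missing_fields_strategy=None):
    """Return the JSON body for creating a New Terms rule with suppression.

    duration is an optional (value, unit) tuple.  risk_score and severity
    are placeholder values for the example.
    """
    suppression = {"group_by": list(group_by)}
    if duration is not None:
        value, unit = duration
        suppression["duration"] = {"value": value, "unit": unit}
    if missing_fields_strategy is not None:
        suppression["missing_fields_strategy"] = missing_fields_strategy
    validate_alert_suppression(suppression)  # fail before any request is sent
    return {
        "name": name,
        "description": f"{name} (example rule)",
        "type": "new_terms",
        "language": "kuery",
        "query": query,
        "new_terms_fields": list(new_terms_fields),
        "history_window_start": history_window_start,
        "risk_score": 21,
        "severity": "low",
        "enabled": True,
        "alert_suppression": suppression,
    }


def create_rule_request(body):
    """Return (method, path, headers, payload) for the create-rule call.

    Kibana requires kbn-xsrf on non-GET requests; authentication (API key
    or basic auth) is left to the caller's HTTP client.
    """
    headers = {"kbn-xsrf": "true", "Content-Type": "application/json"}
    return "POST", RULES_ENDPOINT, headers, json.dumps(body, sort_keys=True)


if __name__ == "__main__":
    rule = build_new_terms_rule(
        name="New process executable on host (suppressed per host)",
        query='event.category:"process" and event.type:"start"',
        new_terms_fields=["process.executable"],
        history_window_start="now-7d",
        group_by=["host.name"],
        duration=(5, "m"),
        missing_fields_strategy="suppress",
    )
    method, path, headers, payload = create_rule_request(rule)
    print(method, path)
    print(payload)
```

The same `alert_suppression` object goes into the update (PUT) and patch (PATCH) bodies for the rule; only the surrounding rule fields differ. Validating locally matters because a rejected body still costs a round trip to Kibana, and a silently dropped `duration` would leave the rule suppressing only within a single execution.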