From cc4a932f77b14839a67225279c1428acf462e9b7 Mon Sep 17 00:00:00 2001
From: nreese
Date: Wed, 16 Aug 2023 10:35:10 -0600
Subject: [PATCH] Add support for geo_shape fields as the entity geospatial field when creating tracking containment alerts
---
 .../public/rule_types/geo_containment/readme.md | 2 +-
 .../public/rule_types/geo_containment/types.ts | 3 +--
 .../rule_types/geo_containment/lib/alert_context.ts | 2 +-
 .../geo_containment/lib/es_query_builder.ts | 7 +++++--
 .../geo_containment/lib/transform_results.ts | 11 ++---------
 .../server/rule_types/geo_containment/types.ts | 2 +-
 6 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/x-pack/plugins/stack_alerts/public/rule_types/geo_containment/readme.md b/x-pack/plugins/stack_alerts/public/rule_types/geo_containment/readme.md
index 4b23f95a6e2e0c..0ee0c19f0d4321 100644
--- a/x-pack/plugins/stack_alerts/public/rule_types/geo_containment/readme.md
+++ b/x-pack/plugins/stack_alerts/public/rule_types/geo_containment/readme.md
@@ -4,7 +4,7 @@ There are several steps required to set up geo containment alerts for testing in that allows you to view triggered alerts as they happen. These instructions outline how to load test data, but really these steps can be used to load any data for geo containment alerts so long as you have the following data:
-- An index containing a`geo_point` field and a `date` field. This data is presumed to
+- An index containing a`geo_point` or `geo_shape` field and a `date` field. This data is presumed to
 be dynamic (updated).
 - An index containing `geo_shape` data, such as boundary data, bounding box data, etc. This data is presumed to be static (not updated). Shape data matching the query is
diff --git a/x-pack/plugins/stack_alerts/public/rule_types/geo_containment/types.ts b/x-pack/plugins/stack_alerts/public/rule_types/geo_containment/types.ts
index 949ebe6ff1e393..b34dd9ec4f8d27 100644
--- a/x-pack/plugins/stack_alerts/public/rule_types/geo_containment/types.ts
+++ b/x-pack/plugins/stack_alerts/public/rule_types/geo_containment/types.ts
@@ -23,6 +23,5 @@ export interface GeoContainmentAlertParams extends RuleTypeParams {
   boundaryIndexQuery?: Query;
 }
 
-// Will eventually include 'geo_shape'
-export const ES_GEO_FIELD_TYPES = ['geo_point'];
+export const ES_GEO_FIELD_TYPES = ['geo_point', 'geo_shape'];
 export const ES_GEO_SHAPE_TYPES = ['geo_shape'];
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/alert_context.ts b/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/alert_context.ts
index 42e65edaec789c..2525c40e4b6c78 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/alert_context.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/alert_context.ts
@@ -50,7 +50,7 @@ function getAlertContext({
     entityId: entityName,
     entityDateTime: containment.dateInShape || null,
     entityDocumentId: containment.docId,
-    entityLocation: `POINT (${containment.location[0]} ${containment.location[1]})`,
+    entityLocation: containment.location,
     detectionDateTime: new Date(windowEnd).toISOString(),
   };
   if (!isRecovered) {
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/es_query_builder.ts b/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/es_query_builder.ts
index 44d453401078c4..a2ee5f74e83059 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/es_query_builder.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/es_query_builder.ts
@@ -63,13 +63,16 @@ export async function executeEsQuery(
             },
           },
         ],
-        docvalue_fields: [
+        fields: [
           entity,
           {
             field: dateField,
             format: 'strict_date_optional_time',
           },
-          geoField,
+          {
+            field: geoField,
+            format: 'wkt'
+          }
         ],
         _source: false,
       },
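Review bot: `entityLocation: containment.location` now forwards the geometry string from the source document straight into the alert context, where the old line emitted a fixed-shape `POINT (x y)` built from two numbers; for a `geo_shape` entity that string can be an arbitrarily large polygon or multipolygon WKT, and it is copied into every action message and into the persisted alert state on each run. Consider bounding it for the context (truncate with a marker, or emit a centroid/bbox and keep the full geometry only where it is needed) and documenting the new shape, e.g. `// WKT of the entity geometry as returned by the ES 'fields' API (POINT for geo_point, any WKT type for geo_shape)`. If `containment` for a recovered alert is read back from state written by a pre-upgrade run, `location` is presumably still the old `number[]` here, so a `typeof containment.location === 'string'` guard with a fallback would be cheap insurance. getAlertContext's body starts and ends outside the hunk.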
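Review bot: The new `fields` entry is missing the trailing commas that its sibling `dateField` entry has (`format: 'wkt'` and the closing `}` end without one), so the repo's Prettier/ESLint pass will likely reflag this hunk; write it as `{ field: geoField, format: 'wkt' },`. Moving `entity` and `dateField` from `docvalue_fields` to `fields` also changes how those two values are fetched (the `fields` API goes through the mapping and can return multi-fields and runtime fields, unlike doc values), which looks intentional but is invisible to the next reader; a one-line comment would help: `// 'fields' rather than 'docvalue_fields' so geo_shape values can be returned, formatted as WKT`. executeEsQuery's body starts and ends outside the hunk.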
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/transform_results.ts b/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/transform_results.ts
index d9b1c36fa48122..5533044369fbd7 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/transform_results.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/lib/transform_results.ts
@@ -19,25 +19,18 @@ export function transformResults(
   const arrResults = _.flatMap(buckets, (bucket: unknown, bucketKey: string) => {
     const subBuckets = _.get(bucket, 'entitySplit.buckets', []);
     return _.map(subBuckets, (subBucket) => {
-      const locationFieldResult = _.get(
+      const location = _.get(
         subBucket,
         `entityHits.hits.hits[0].fields["${geoField}"][0]`,
         ''
       );
-      const location = locationFieldResult
-        ? _.chain(locationFieldResult)
-            .split(', ')
-            .map((coordString) => +coordString)
-            .reverse()
-            .value()
-        : [];
       const dateInShape = _.get(
         subBucket,
         `entityHits.hits.hits[0].fields["${dateField}"][0]`,
         null
       );
       const docId = _.get(subBucket, `entityHits.hits.hits[0]._id`);
-
+
       return {
         location,
         shapeLocationId: bucketKey,
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/types.ts b/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/types.ts
index 236688d504efe9..edd7f0a8ed90d3 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/types.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/geo_containment/types.ts
@@ -54,7 +54,7 @@ export interface GeoContainmentRuleState extends RuleTypeState {
 }
 
 export interface GeoContainmentAlertInstanceState extends AlertInstanceState {
-  location: number[];
+  location: string;
   shapeLocationId: string;
   dateInShape: string | null;
   docId: string;
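Review bot: `location` now defaults to `''` when the top hit carries no value for `geoField`, and that empty string is returned as the entity's location with nothing marking the geometry as absent (the removed branch at least normalized the missing case to `[]`), so downstream code and action templates receive a non-WKT value that looks like a real one. This is probably unreachable because the query filters on that field, but defaulting to `null` or skipping the hit would make the intent explicit, and the assumption should be stated: `// WKT string from the 'fields' API (format: 'wkt'); only empty if the hit lacks the geo field`. Separately, `geoField` is interpolated into a lodash path inside `["…"]`, so a field name containing `"` or `]` silently resolves to the default — this predates the change but the rewritten line is a natural place to escape it or assert the name is safe. transformResults' body starts and ends outside the hunk.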
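Review bot: `location: string` changes the shape of `GeoContainmentAlertInstanceState`, which is persisted between rule runs, yet nothing in the patch migrates or validates state written by earlier versions where `location` was `number[]`; after an upgrade, code that reads a stored instance's `location` will presumably get an array while the type says string, and TypeScript cannot catch that. Either normalize on read (a legacy `[lon, lat]` array becomes `` `POINT (${lon} ${lat})` ``) or at minimum record the assumption on the field: `// WKT string (was [lon, lat] before geo_shape support); persisted state from older versions may still hold the array`. The interface's closing brace lies outside the hunk.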