diff --git a/docs/api/alerting/list_rule_types.asciidoc b/docs/api/alerting/list_rule_types.asciidoc index 7640d50b3ccd05..05324e9b9a0260 100644 --- a/docs/api/alerting/list_rule_types.asciidoc +++ b/docs/api/alerting/list_rule_types.asciidoc @@ -63,9 +63,14 @@ context and state in action parameter templates, and a short human readable description. When you create a rule in {kib}, it uses this information to prompt you for these variables in action parameter editors. +// `alerts`:: TBD + `authorized_consumers`:: (object) The list of the plugins IDs that have access to the rule type. +`category`:: +(string) The rule category, which is used by features such as category-specific maintenance windows. + `default_action_group_id`:: (string) The default ID for the rule type group. @@ -77,6 +82,10 @@ action. (boolean) Indicates whether the rule type is enabled or disabled based on the subscription. +// `has_alerts_mappings`:: TBD + +// `has_fields_for_a_a_d`:: TBD + `id`:: (string) The unique identifier for the rule type. @@ -121,7 +130,28 @@ the API returns the following: { "id":"logs.alert.document.count", "name":"Log threshold", + "category": "observability", "producer":"logs", + "alerts": { + "context": "observability.logs", + "mappings": { + "fieldMap": { + "kibana.alert.evaluation.threshold": { + "type": "scaled_float", + "scaling_factor": 100, + "required": false + }, + "kibana.alert.evaluation.value": { + "type": "scaled_float", + "scaling_factor": 100, + "required": false + }, + ... + } + }, + "useEcs": true, + "useLegacyAlerts": true + }, "enabled_in_license":true, "recovery_action_group":{ "id":"recovered", @@ -164,7 +194,10 @@ the API returns the following: "logs":{"read":true,"all":false}, "alerts":{"read":true,"all":false} }, - "does_set_recovery_context":true - } + "does_set_recovery_context":true, + "has_alerts_mappings": true, + "has_fields_for_a_a_d": true + }, + .... ] -------------------------------------------------- 
diff --git a/docs/management/maintenance-windows/images/create-maintenance-window.png b/docs/management/maintenance-windows/images/create-maintenance-window.png index aa6132afbeaf9b..c6953d4e48693e 100644 Binary files a/docs/management/maintenance-windows/images/create-maintenance-window.png and b/docs/management/maintenance-windows/images/create-maintenance-window.png differ diff --git a/docs/management/maintenance-windows/maintenance-windows.asciidoc b/docs/management/maintenance-windows/maintenance-windows.asciidoc index ba630092016b26..9f7ffbae80edd1 100644 --- a/docs/management/maintenance-windows/maintenance-windows.asciidoc +++ b/docs/management/maintenance-windows/maintenance-windows.asciidoc @@ -11,7 +11,7 @@ preview::[] You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. -Maintenance windows affect all rules in all {kib} apps and spaces. +By default, maintenance windows affect all rules in all {kib} apps and spaces. Alerts continue to be generated, however notifications are suppressed as follows: - When an alert occurs during a maintenance window, there are no notifications. @@ -42,6 +42,10 @@ You can optionally configure it to repeat daily, monthly, yearly, or on a custom image::images/create-maintenance-window.png[The Create Maintenance Window user interface in {kib}] // NOTE: This is an autogenerated screenshot. Do not edit it directly. +By default, maintenance windows affect all categories of rules. +The category-specific maintenance window options alter this behavior. +For the definitive list of rule types in each category, refer to the <>. + A maintenance window can have any one of the following statuses: - `Upcoming`: It will run at the scheduled date and time. diff --git a/x-pack/plugins/alerting/docs/openapi/bundled.json b/x-pack/plugins/alerting/docs/openapi/bundled.json index e28ee34960dae2..5b81939b66f5ed 100644 
--- a/x-pack/plugins/alerting/docs/openapi/bundled.json +++ b/x-pack/plugins/alerting/docs/openapi/bundled.json @@ -862,6 +862,9 @@ } } }, + "alerts": { + "type": "object" + }, "authorized_consumers": { "description": "The list of the plugins IDs that have access to the rule type.", "type": "object", @@ -954,6 +957,17 @@ } } }, + "slo": { + "type": "object", + "properties": { + "all": { + "type": "boolean" + }, + "read": { + "type": "boolean" + } + } + }, "stackAlerts": { "type": "object", "properties": { @@ -978,6 +992,15 @@ } } }, + "category": { + "type": "string", + "description": "The rule category, which is used by features such as category-specific maintenance windows.", + "enum": [ + "management", + "observability", + "securitySolution" + ] + }, "default_action_group_id": { "description": "The default identifier for the rule type group.", "type": "string" @@ -990,6 +1013,12 @@ "description": "Indicates whether the rule type is enabled or disabled based on the subscription.", "type": "boolean" }, + "has_alerts_mappings": { + "type": "boolean" + }, + "has_fields_for_a_a_d": { + "type": "boolean" + }, "id": { "description": "The unique identifier for the rule type.", "type": "string" 
@@ -7570,6 +7599,127 @@ "value": [ { "id": "xpack.ml.anomaly_detection_alert", + "name": "Anomaly detection alert", + "category": "management", + "producer": "ml", + "alerts": { + "context": "ml.anomaly-detection", + "mappings": { + "fieldMap": { + "kibana.alert.job_id": { + "type": "keyword", + "array": false, + "required": true + }, + "kibana.alert.anomaly_score": { + "type": "double", + "array": false, + "required": false + }, + "kibana.alert.is_interim": { + "type": "boolean", + "array": false, + "required": false + }, + "kibana.alert.anomaly_timestamp": { + "type": "date", + "array": false, + "required": false + }, + "kibana.alert.top_records": { + "type": "object", + "array": true, + "required": false, + "dynamic": false, + "properties": { + "job_id": { + "type": "keyword" + }, + "record_score": { + "type": "double" + }, + "initial_record_score": { + "type": "double" + }, + "detector_index": { + "type": "integer" + }, + "is_interim": { + "type": "boolean" + }, + "timestamp": { + "type": "date" + }, + "partition_field_name": { + "type": "keyword" + }, + "partition_field_value": { + "type": "keyword" + }, + "over_field_name": { + "type": "keyword" + }, + "over_field_value": { + "type": "keyword" + }, + "by_field_name": { + "type": "keyword" + }, + "by_field_value": { + "type": "keyword" + }, + "function": { + "type": "keyword" + }, + "typical": { + "type": "double" + }, + "actual": { + "type": "double" + }, + "field_name": { + "type": "keyword" + } + } + }, + "kibana.alert.top_influencers": { + "type": "object", + "array": true, + "required": false, + "dynamic": false, + "properties": { + "job_id": { + "type": "keyword" + }, + "influencer_field_name": { + "type": "keyword" + }, + "influencer_field_value": { + "type": "keyword" + }, + "influencer_score": { + "type": "double" + }, + "initial_influencer_score": { + "type": "double" + }, + "is_interim": { + "type": "boolean" + }, + "timestamp": { + "type": "date" + } + } + } + } + }, + "shouldWrite": true + }, + 
"enabled_in_license": true, + "recovery_action_group": { + "id": "recovered", + "name": "Recovered" + }, "action_groups": [ { "id": "anomaly_score_match", @@ -7580,6 +7730,10 @@ "name": "Recovered" } ], + "default_action_group_id": "anomaly_score_match", + "minimum_license_required": "platinum", + "is_exportable": true, + "rule_task_timeout": "5m", "action_variables": { "context": [ { @@ -7620,34 +7774,69 @@ "useWithTripleBracesInTemplates": true } ], - "params": [], - "state": [] + "state": [], + "params": [] }, "authorized_consumers": { "alerts": { - "all": true, - "read": true + "read": true, + "all": true + }, + "stackAlerts": { + "read": true, + "all": true + }, + "slo": { + "read": true, + "all": true }, "ml": { - "all": true, - "read": true + "read": true, + "all": true + }, + "uptime": { + "read": true, + "all": true + }, + "infrastructure": { + "read": true, + "all": true + }, + "logs": { + "read": true, + "all": true + }, + "monitoring": { + "read": true, + "all": true + }, + "siem": { + "read": true, + "all": true + }, + "apm": { + "read": true, + "all": true + }, + "discover": { + "read": true, + "all": true } }, - "default_action_group_id": "anomaly_score_match", "does_set_recovery_context": true, - "enabled_in_license": true, - "is_exportable": true, - "minimum_license_required": "platinum", - "name": "Anomaly detection alert", + "has_alerts_mappings": true, + "has_fields_for_a_a_d": false + }, + { + "id": "xpack.ml.anomaly_detection_jobs_health", + "name": "Anomaly detection jobs health", + "category": "management", "producer": "ml", + "enabled_in_license": true, "recovery_action_group": { "id": "recovered", "name": "Recovered" }, - "rule_task_timeout": "5m" - }, - { - "id": "xpack.ml.anomaly_detection_jobs_health", "action_groups": [ { "id": "anomaly_detection_realtime_issue", 
@@ -7658,6 +7847,10 @@ "name": "Recovered" } ], + "default_action_group_id": "anomaly_detection_realtime_issue", + "minimum_license_required": "platinum", + "is_exportable": true, + "rule_task_timeout": "5m", "action_variables": { "context": [ { @@ -7669,31 +7862,58 @@ "description": "Alert info message" } ], - "params": [], - "state": [] + "state": [], + "params": [] }, "authorized_consumers": { "alerts": { - "all": true, - "read": true + "read": true, + "all": true + }, + "stackAlerts": { + "read": true, + "all": true + }, + "slo": { + "read": true, + "all": true }, "ml": { - "all": true, - "read": true + "read": true, + "all": true + }, + "uptime": { + "read": true, + "all": true + }, + "infrastructure": { + "read": true, + "all": true + }, + "logs": { + "read": true, + "all": true + }, + "monitoring": { + "read": true, + "all": true + }, + "siem": { + "read": true, + "all": true + }, + "apm": { + "read": true, + "all": true + }, + "discover": { + "read": true, + "all": true } }, - "default_action_group_id": "anomaly_detection_realtime_issue", "does_set_recovery_context": true, - "enabled_in_license": true, - "is_exportable": true, - "minimum_license_required": "platinum", - "name": "Anomaly detection jobs health", - "producer": "ml", - "recovery_action_group": { - "id": "recovered", - "name": "Recovered" - }, - "rule_task_timeout": "5m" + "has_alerts_mappings": false, + "has_fields_for_a_a_d": false } ] } diff --git a/x-pack/plugins/alerting/docs/openapi/bundled.yaml b/x-pack/plugins/alerting/docs/openapi/bundled.yaml index f85428036b74f5..998eab1f0c6385 100644 --- a/x-pack/plugins/alerting/docs/openapi/bundled.yaml +++ b/x-pack/plugins/alerting/docs/openapi/bundled.yaml @@ -550,6 +550,8 @@ paths: type: string name: type: string + alerts: + type: object authorized_consumers: description: The list of the plugins IDs that have access to the rule type. type: object 
@@ -610,6 +612,13 @@ paths: type: boolean read: type: boolean + slo: + type: object + properties: + all: + type: boolean + read: + type: boolean stackAlerts: type: object properties: @@ -624,6 +633,13 @@ paths: type: boolean read: type: boolean + category: + type: string + description: The rule category, which is used by features such as category-specific maintenance windows. + enum: + - management + - observability + - securitySolution default_action_group_id: description: The default identifier for the rule type group. type: string @@ -633,6 +649,10 @@ paths: enabled_in_license: description: Indicates whether the rule type is enabled or disabled based on the subscription. type: boolean + has_alerts_mappings: + type: boolean + has_fields_for_a_a_d: + type: boolean id: description: The unique identifier for the rule type. type: string 
@@ -5357,11 +5377,101 @@ components: summary: Retrieve rule types associated with Kibana machine learning features value: - id: xpack.ml.anomaly_detection_alert + name: Anomaly detection alert + category: management + producer: ml + alerts: + context: ml.anomaly-detection + mappings: + fieldMap: + kibana.alert.job_id: + type: keyword + array: false + required: true + kibana.alert.anomaly_score: + type: double + array: false + required: false + kibana.alert.is_interim: + type: boolean + array: false + required: false + kibana.alert.anomaly_timestamp: + type: date + array: false + required: false + kibana.alert.top_records: + type: object + array: true + required: false + dynamic: false + properties: + job_id: + type: keyword + record_score: + type: double + initial_record_score: + type: double + detector_index: + type: integer + is_interim: + type: boolean + timestamp: + type: date + partition_field_name: + type: keyword + partition_field_value: + type: keyword + over_field_name: + type: keyword + over_field_value: + type: keyword + by_field_name: + type: keyword + by_field_value: + type: keyword + function: + type: keyword + typical: + type: double + actual: + type: double + field_name: + type: keyword + kibana.alert.top_influencers: + type: object + array: true + required: false + dynamic: false + properties: + job_id: + type: keyword + influencer_field_name: + type: keyword + influencer_field_value: + type: keyword + influencer_score: + type: double + initial_influencer_score: + type: double + is_interim: + type: boolean + timestamp: + type: date + shouldWrite: true + enabled_in_license: true + recovery_action_group: + id: recovered + name: Recovered action_groups: - id: anomaly_score_match name: Anomaly score matched the condition - id: recovered name: Recovered + default_action_group_id: anomaly_score_match + minimum_license_required: platinum + is_exportable: true + rule_task_timeout: 5m action_variables: context: - name: timestamp 
@@ -5383,55 +5493,104 @@ components: - name: anomalyExplorerUrl description: URL to open in the Anomaly Explorer useWithTripleBracesInTemplates: true - params: [] state: [] + params: [] authorized_consumers: alerts: + read: true + all: true + stackAlerts: + read: true all: true + slo: read: true + all: true ml: + read: true all: true + uptime: read: true - default_action_group_id: anomaly_score_match + all: true + infrastructure: + read: true + all: true + logs: + read: true + all: true + monitoring: + read: true + all: true + siem: + read: true + all: true + apm: + read: true + all: true + discover: + read: true + all: true does_set_recovery_context: true - enabled_in_license: true - is_exportable: true - minimum_license_required: platinum - name: Anomaly detection alert + has_alerts_mappings: true + has_fields_for_a_a_d: false + - id: xpack.ml.anomaly_detection_jobs_health + name: Anomaly detection jobs health + category: management producer: ml + enabled_in_license: true recovery_action_group: id: recovered name: Recovered - rule_task_timeout: 5m - - id: xpack.ml.anomaly_detection_jobs_health action_groups: - id: anomaly_detection_realtime_issue name: Issue detected - id: recovered name: Recovered + default_action_group_id: anomaly_detection_realtime_issue + minimum_license_required: platinum + is_exportable: true + rule_task_timeout: 5m action_variables: context: - name: results description: Results of the rule execution - name: message description: Alert info message - params: [] state: [] + params: [] authorized_consumers: alerts: + read: true + all: true + stackAlerts: + read: true all: true + slo: read: true + all: true ml: + read: true all: true + uptime: read: true - default_action_group_id: anomaly_detection_realtime_issue + all: true + infrastructure: + read: true + all: true + logs: + read: true + all: true + monitoring: + read: true + all: true + siem: + read: true + all: true + apm: + read: true + all: true + discover: + read: true + all: true 
does_set_recovery_context: true - enabled_in_license: true - is_exportable: true - minimum_license_required: platinum - name: Anomaly detection jobs health - producer: ml - recovery_action_group: - id: recovered - name: Recovered - rule_task_timeout: 5m + has_alerts_mappings: false + has_fields_for_a_a_d: false diff --git a/x-pack/plugins/alerting/docs/openapi/components/examples/get_rule_types_response.yaml b/x-pack/plugins/alerting/docs/openapi/components/examples/get_rule_types_response.yaml index 8299f7357a2173..208cb6e82ea06c 100644 --- a/x-pack/plugins/alerting/docs/openapi/components/examples/get_rule_types_response.yaml +++ b/x-pack/plugins/alerting/docs/openapi/components/examples/get_rule_types_response.yaml 
@@ -1,81 +1,322 @@ summary: Retrieve rule types associated with Kibana machine learning features value: - - id: xpack.ml.anomaly_detection_alert - action_groups: - - id: anomaly_score_match - name: Anomaly score matched the condition - - id: recovered - name: Recovered - action_variables: - context: - - name: timestamp - description: The bucket timestamp of the anomaly - - name: timestampIso8601 - description: The bucket time of the anomaly in ISO8601 format - - name: jobIds - description: List of job IDs that triggered the alert - - name: message - description: Alert info message - - name: isInterim - description: Indicate if top hits contain interim results - - name: score - description: Anomaly score at the time of the notification action - - name: topRecords - description: Top records - - name: topInfluencers - description: Top influencers - - name: anomalyExplorerUrl - description: URL to open in the Anomaly Explorer - useWithTripleBracesInTemplates: true - params: [] - state: [] - authorized_consumers: - alerts: - all: true - read: true - ml: - all: true - read: true - default_action_group_id: anomaly_score_match - does_set_recovery_context: true - enabled_in_license: true - is_exportable: true - minimum_license_required: platinum - name: Anomaly detection alert - producer: ml - recovery_action_group: - id: recovered - name: Recovered - rule_task_timeout: 5m - - id: xpack.ml.anomaly_detection_jobs_health - action_groups: - - id: anomaly_detection_realtime_issue - name: Issue detected - - id: recovered - name: Recovered - action_variables: - context: - - name: results - description: Results of the rule execution - - name: message - description: Alert info message - params: [] - state: [] - authorized_consumers: - alerts: - all: true - read: true - ml: - all: true - read: true - default_action_group_id: anomaly_detection_realtime_issue - does_set_recovery_context: true - enabled_in_license: true - is_exportable: true - minimum_license_required: platinum - name: 
Anomaly detection jobs health - producer: ml - recovery_action_group: - id: recovered - name: Recovered - rule_task_timeout: 5m + [ + { + "id": "xpack.ml.anomaly_detection_alert", + "name": "Anomaly detection alert", + "category": "management", + "producer": "ml", + "alerts": { + "context": "ml.anomaly-detection", + "mappings": { + "fieldMap": { + "kibana.alert.job_id": { + "type": "keyword", + "array": false, + "required": true + }, + "kibana.alert.anomaly_score": { + "type": "double", + "array": false, + "required": false + }, + "kibana.alert.is_interim": { + "type": "boolean", + "array": false, + "required": false + }, + "kibana.alert.anomaly_timestamp": { + "type": "date", + "array": false, + "required": false + }, + "kibana.alert.top_records": { + "type": "object", + "array": true, + "required": false, + "dynamic": false, + "properties": { + "job_id": { + "type": "keyword" + }, + "record_score": { + "type": "double" + }, + "initial_record_score": { + "type": "double" + }, + "detector_index": { + "type": "integer" + }, + "is_interim": { + "type": "boolean" + }, + "timestamp": { + "type": "date" + }, + "partition_field_name": { + "type": "keyword" + }, + "partition_field_value": { + "type": "keyword" + }, + "over_field_name": { + "type": "keyword" + }, + "over_field_value": { + "type": "keyword" + }, + "by_field_name": { + "type": "keyword" + }, + "by_field_value": { + "type": "keyword" + }, + "function": { + "type": "keyword" + }, + "typical": { + "type": "double" + }, + "actual": { + "type": "double" + }, + "field_name": { + "type": "keyword" + } + } + }, + "kibana.alert.top_influencers": { + "type": "object", + "array": true, + "required": false, + "dynamic": false, + "properties": { + "job_id": { + "type": "keyword" + }, + "influencer_field_name": { + "type": "keyword" + }, + "influencer_field_value": { + "type": "keyword" + }, + "influencer_score": { + "type": "double" + }, + "initial_influencer_score": { + "type": "double" + }, + "is_interim": { + "type": 
"boolean" + }, + "timestamp": { + "type": "date" + } + } + } + } + }, + "shouldWrite": true + }, + "enabled_in_license": true, + "recovery_action_group": { + "id": "recovered", + "name": "Recovered" + }, + "action_groups": [ + { + "id": "anomaly_score_match", + "name": "Anomaly score matched the condition" + }, + { + "id": "recovered", + "name": "Recovered" + } + ], + "default_action_group_id": "anomaly_score_match", + "minimum_license_required": "platinum", + "is_exportable": true, + "rule_task_timeout": "5m", + "action_variables": { + "context": [ + { + "name": "timestamp", + "description": "The bucket timestamp of the anomaly" + }, + { + "name": "timestampIso8601", + "description": "The bucket time of the anomaly in ISO8601 format" + }, + { + "name": "jobIds", + "description": "List of job IDs that triggered the alert" + }, + { + "name": "message", + "description": "Alert info message" + }, + { + "name": "isInterim", + "description": "Indicate if top hits contain interim results" + }, + { + "name": "score", + "description": "Anomaly score at the time of the notification action" + }, + { + "name": "topRecords", + "description": "Top records" + }, + { + "name": "topInfluencers", + "description": "Top influencers" + }, + { + "name": "anomalyExplorerUrl", + "description": "URL to open in the Anomaly Explorer", + "useWithTripleBracesInTemplates": true + } + ], + "state": [], + "params": [] + }, + "authorized_consumers": { + "alerts": { + "read": true, + "all": true + }, + "stackAlerts": { + "read": true, + "all": true + }, + "slo": { + "read": true, + "all": true + }, + "ml": { + "read": true, + "all": true + }, + "uptime": { + "read": true, + "all": true + }, + "infrastructure": { + "read": true, + "all": true + }, + "logs": { + "read": true, + "all": true + }, + "monitoring": { + "read": true, + "all": true + }, + "siem": { + "read": true, + "all": true + }, + "apm": { + "read": true, + "all": true + }, + "discover": { + "read": true, + "all": true + } + }, + 
"does_set_recovery_context": true, + "has_alerts_mappings": true, + "has_fields_for_a_a_d": false + }, + { + "id": "xpack.ml.anomaly_detection_jobs_health", + "name": "Anomaly detection jobs health", + "category": "management", + "producer": "ml", + "enabled_in_license": true, + "recovery_action_group": { + "id": "recovered", + "name": "Recovered" + }, + "action_groups": [ + { + "id": "anomaly_detection_realtime_issue", + "name": "Issue detected" + }, + { + "id": "recovered", + "name": "Recovered" + } + ], + "default_action_group_id": "anomaly_detection_realtime_issue", + "minimum_license_required": "platinum", + "is_exportable": true, + "rule_task_timeout": "5m", + "action_variables": { + "context": [ + { + "name": "results", + "description": "Results of the rule execution" + }, + { + "name": "message", + "description": "Alert info message" + } + ], + "state": [], + "params": [] + }, + "authorized_consumers": { + "alerts": { + "read": true, + "all": true + }, + "stackAlerts": { + "read": true, + "all": true + }, + "slo": { + "read": true, + "all": true + }, + "ml": { + "read": true, + "all": true + }, + "uptime": { + "read": true, + "all": true + }, + "infrastructure": { + "read": true, + "all": true + }, + "logs": { + "read": true, + "all": true + }, + "monitoring": { + "read": true, + "all": true + }, + "siem": { + "read": true, + "all": true + }, + "apm": { + "read": true, + "all": true + }, + "discover": { + "read": true, + "all": true + } + }, + "does_set_recovery_context": true, + "has_alerts_mappings": false, + "has_fields_for_a_a_d": false + } + ] \ No newline at end of file diff --git a/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule_types.yaml b/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule_types.yaml index b6f8fafb35f17c..1dba3e085e2b7e 100644 --- a/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule_types.yaml 
+++ b/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule_types.yaml @@ -74,6 +74,8 @@ get: type: string name: type: string + alerts: + type: object authorized_consumers: description: The list of the plugins IDs that have access to the rule type. type: object @@ -134,6 +136,13 @@ get: type: boolean read: type: boolean + slo: + type: object + properties: + all: + type: boolean + read: + type: boolean stackAlerts: type: object properties: @@ -148,6 +157,13 @@ get: type: boolean read: type: boolean + category: + type: string + description: The rule category, which is used by features such as category-specific maintenance windows. + enum: + - management + - observability + - securitySolution default_action_group_id: description: The default identifier for the rule type group. type: string @@ -157,6 +173,10 @@ get: enabled_in_license: description: Indicates whether the rule type is enabled or disabled based on the subscription. type: boolean + has_alerts_mappings: + type: boolean + has_fields_for_a_a_d: + type: boolean id: description: The unique identifier for the rule type. type: string
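Review bot: The new `alerts`, `has_alerts_mappings` and `has_fields_for_a_a_d` response properties are added without a `description`, and `alerts` is a bare `type: object` with no `properties`, so the generated reference gives consumers no contract for the `context`, `mappings` and `shouldWrite`/`useEcs`/`useLegacyAlerts` keys the examples in this same commit show; the asciidoc hunk marks all three as `// … TBD`, so the gap is known but shipped. I would add at least a one-line `description:` to each (wording to be confirmed with the owning team rather than guessed), and for `alerts` either enumerate the sub-properties seen in the examples or state explicitly that the shape is rule-type specific, since `category` in the same hunk shows the level of detail the rest of the schema carries. The identical lines are present in the `bundled.json` and `bundled.yaml` hunks earlier in this diff; those appear to be generated bundles, so the fix belongs here and should be regenerated into them rather than edited twice. Separately, `category` is a closed `enum` of three values — consumers of this API should still tolerate values outside it for forward compatibility, which is worth a sentence in its description.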