-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Containment alert missing context
when "no longer contained" action is selected
#134772
Comments
Pinging @elastic/kibana-gis (Team:Geo) |
Below is not to dismiss this bug, but to provide some explanation as to why this is happening: The kibana/x-pack/plugins/stack_alerts/server/alert_types/geo_containment/alert_type.ts Lines 226 to 231 in 3730dd0
e.g. a typical lifecycle of a geo-containment alert would be:
So the recovery event (which only happens once) loses a reference to the Taking this into account, there seem to be a few open-questions:
I am not sure how this should be resolved. Any thoughts from @elastic/response-ops ? |
@thomasneirynck The alerting framework has recently merged a PR to allow rule types to specify context for recovered alerts. Here is the PR: #124972 If the geo containment rule type does create an issue for this, please link it to this meta issue where we're tracking the rule types. |
This might be a dup of #127191 |
Your example requests context.detectionDateTime and context.entityLocation. entityLocation is unknown in the recovered alert. The recovered alert only has access to previous alerting state. The recovered alert does not have access to the latest document triggering the entity to be outside the boundary. Therefore, context.entityDateTime and context.entityLocation can either be null or the value of the last detection inside the boundary. Is that ok? @ymao1 The logic is in an async method so technically it is possible, just want to know if its a good idea performance wise? |
Frankly, I don't think the alert has any real value if I don't know where or when the entity left the boundary. The fact that it left is interesting, but the time it left (knowing we can approximate it as some point between the recovered alert trigger and the look-back time for that alert) and where it was going (leave north boundary or south?) are fairly critical. Your question about querying ES to pull in last known location/time is a good one as I'd expect (haven't asked anyone) users would be doing that in practice when using this kind of alert. ... to provide a workaround to the |
Would you expect recovered alert context to not contain |
@nreese I know I'm too slow on the reply, but for completeness: yes, I'd expect the alert context to contain the boundaryID/Name of the boundary the entity just left. If I have more than one boundary, how would I know which boundary a given entity left? Granted, a query could tell me that, but obviously more valuable to be pushable in the body of an alert. |
Kibana version:
8.2.0
Elasticsearch version:
8.2.0
Server OS version:
ESS
Describe the bug:
The
context
object is empty for the Tracking Containment alert action, resulting in the action (email, slack message, etc) lacking relevant information.Steps to reproduce:
context
field or{{.}}
Expected behavior:
The
context
should contain information, specifically thecontext.entityId
of the entity that is no longer contained in the defined boundaryScreenshots (if relevant):
Configured Alert
Output from ^^ alert:
The text was updated successfully, but these errors were encountered: