Alert creation delay based on user definition #173009

Closed
shanisagiv1 opened this issue Dec 10, 2023 · 3 comments · Fixed by #175851 or #176346
Assignees
Labels
Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

shanisagiv1 commented Dec 10, 2023

Describe the feature:
In order to reduce noise for alerting rules with low sensitivity and ensure created alerts will be actionable and reasonable, we want to allow users to define how many rule executions should match before creating the alert.

Describe a specific use case for the feature:

  • The user should be able to define a new input X. This input should be available for each rule type. This X should be called "Alert Consecutive matches before alert generation" / "Rule query threshold should be met X times before alert generation" (TBD about the label).
  • When this input is defined, the rule should run X times and match X times before creating alerts (and triggering its actions), e.g. the rule will run 4 times and has to match the defined threshold 4 times before creating the alert.
  • The number of consecutive executions should be available on the created alerts (e.g. the rule ran and matched 6 times before alert creation).
  • This input won't affect alert recovery, which means alert recovery will work as it does today: when a rule returns no results, life-cycled alerts are recovered automatically.
  • Out of scope for this task, but a possible future extension, is "Delayed Recovery", which means we would have to leverage the same X to delay the recovery based on the same logic, or use a separate Y for that.
  • This logic should be implemented for life-cycled alerts (stack and o11y) only and be available in the current rule flyout and API.

Related to this: #146220

@botelastic botelastic bot added the needs-team Issues missing a team label label Dec 10, 2023
@shanisagiv1 shanisagiv1 added the Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) label Dec 10, 2023
elasticmachine (Contributor) commented:

Pinging @elastic/response-ops (Team:ResponseOps)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Dec 10, 2023
@mikecote mikecote assigned doakalexi and unassigned XavierM and shanisagiv1 Jan 4, 2024

Erikg346 commented Jan 5, 2024

To add an example of why this can be useful:
I would like to run a rule that calculates average CPU usage and only alerts when the average CPU is consistently hitting the threshold 15 times. The reason for this is that we get spikes in CPU usage, but it's ideal to only alert when it's consistent for 15 minutes or 15 times.
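The behaviour asked for in the issue description and in the CPU example above, as an added model written for this page (it is not Kibana's alerting framework code): per id, an alert is created only after `active` consecutive matching executions, a single miss resets the streak, and recovery is not delayed. The `{ active: N }` shape mirrors the `alert_delay` field the implementing PRs add; host names and the scenario are constructed.

```typescript
// Added example, not Kibana's own code: a minimal model of the alert delay
// this issue asks for. A rule executes on its schedule and reports which ids
// (e.g. hosts) currently satisfy its condition. An alert for an id is only
// created once that id has matched in `active` consecutive executions; one
// non-matching execution resets the streak. Recovery is not delayed: an
// existing alert recovers in the first execution where its id stops matching.

interface AlertDelay {
  active: number; // same shape as the `alert_delay: { active: N }` field in the PRs
}

interface TrackedId {
  consecutiveMatches: number; // executions in a row in which this id matched
  alertCreated: boolean;      // an alert document exists and actions have fired
}

type AlertEvent =
  | { type: 'created'; id: string; consecutiveMatches: number }
  | { type: 'recovered'; id: string };

class DelayedAlertTracker {
  private readonly delay: AlertDelay;
  private state: { [id: string]: TrackedId } = {};

  constructor(delay: AlertDelay) {
    if (Math.floor(delay.active) !== delay.active || delay.active < 1) {
      throw new Error('alert_delay.active must be a positive integer');
    }
    this.delay = delay;
  }

  /** Process one rule execution. `matchedIds` are the ids whose condition held this run. */
  execute(matchedIds: string[]): AlertEvent[] {
    const events: AlertEvent[] = [];
    const next: { [id: string]: TrackedId } = {};

    for (const id of matchedIds) {
      if (next[id]) continue; // a duplicate id within one execution counts once
      const prev = this.state[id] ?? { consecutiveMatches: 0, alertCreated: false };
      const cur: TrackedId = {
        consecutiveMatches: prev.consecutiveMatches + 1,
        alertCreated: prev.alertCreated,
      };
      // The streak length is carried on the created event, as the issue asks
      // for the number of consecutive executions to be visible on the alert.
      if (!cur.alertCreated && cur.consecutiveMatches >= this.delay.active) {
        cur.alertCreated = true;
        events.push({ type: 'created', id, consecutiveMatches: cur.consecutiveMatches });
      }
      next[id] = cur;
    }

    // Ids that matched previously but not now: recover immediately if an alert
    // existed; either way the streak is dropped, so a later match starts at 1.
    for (const id of Object.keys(this.state)) {
      if (!next[id] && this.state[id].alertCreated) {
        events.push({ type: 'recovered', id });
      }
    }

    this.state = next;
    return events;
  }

  /** Ids with an alert currently open. */
  activeAlertIds(): string[] {
    return Object.keys(this.state).filter((id) => this.state[id].alertCreated);
  }

  /** Current streak for an id (0 if it did not match in the last execution). */
  streak(id: string): number {
    return this.state[id]?.consecutiveMatches ?? 0;
  }
}

// Constructed scenario mirroring the CPU example, with a delay of 3 instead
// of 15 to keep it short: host-a is consistently over threshold, host-b only
// spikes twice and must never produce an alert (nor a recovery).
function runCpuScenario(): AlertEvent[][] {
  const tracker = new DelayedAlertTracker({ active: 3 });
  const executions: string[][] = [
    ['host-a', 'host-b'], // run 1: both over threshold (streak 1)
    ['host-a', 'host-b'], // run 2: both over threshold (streak 2, still no alert)
    ['host-a'],           // run 3: host-a reaches 3 -> alert created; host-b streak dropped
    ['host-a'],           // run 4: host-a already alerting, nothing new
    [],                   // run 5: host-a recovers immediately (no delayed recovery)
    ['host-a'],           // run 6: streak restarts at 1, no alert
  ];
  return executions.map((ids) => tracker.execute(ids));
}
```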

doakalexi added a commit that referenced this issue Jan 23, 2024
)

Related to #173009

## Summary

This is the first of two PRs and only focuses on the backend
implementation. This PR adds a new `notificationDelay` field to the
`Rule` object. With the delay the rule will run X times and has to match
the threshold X times before triggering actions. It won't affect the
alert recovery, but it can be expanded on easily if we want to include
recovered alerts in the future.


### Checklist

- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios


### To verify

- Use [Dev Tools](http://localhost:5601/app/dev_tools#/console) to
create a rule with the `notificationDelay`

```
POST kbn:/api/alerting/rule
{
  "params": {
    "searchType": "esQuery",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "threshold": [
      -1
    ],
    "thresholdComparator": ">",
    "size": 100,
    "esQuery": """{
    "query":{
      "match_all" : {}
    }
  }""",
    "aggType": "count",
    "groupBy": "all",
    "termSize": 5,
    "excludeHitsFromPreviousRun": false,
    "sourceFields": [],
    "index": [
      ".kibana-event-log*"
    ],
    "timeField": "@timestamp"
  },
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1m"
  },
  "tags": [],
  "name": "test",
  "rule_type_id": ".es-query",
  "actions": [
    {
      "group": "query matched",
      "id": "${ACTION_ID}",
      "params": {
        "level": "info",
        "message": """Elasticsearch query rule '{{rule.name}}' is active:

- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
- Link: {{context.link}}"""
      },
      "frequency": {
        "notify_when": "onActionGroupChange",
        "throttle": null,
        "summary": false
      }
    }
  ],
  "notification_delay": {
    "active": 3
  }
}
```

- Verify that the rule will not trigger actions until it has matched the
delay threshold. It might be helpful to look at the rule details page and
add the Triggered actions column to easily see that the action was triggered
after X consecutive active alerts.
![Screen Shot 2024-01-16 at 1 18 52 PM](https://github.com/elastic/kibana/assets/109488926/85d8ceef-042c-4a52-950e-24492dc0e79f)
- Verify that the delay does not affect recovered alerts.
lcawl pushed a commit to lcawl/kibana that referenced this issue Jan 26, 2024
doakalexi added a commit that referenced this issue Feb 6, 2024
Resolves #173009

## Summary

This PR:

- Changes the field name from `notification_delay` to `alert_delay`
- Updates the alerts client and rule registry to index new alert docs on
a delay
- Updates the framework code to delay the creation of an alert


### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios


### To verify

- Use [Dev Tools](http://localhost:5601/app/dev_tools#/console) to
create a rule with the `alertDelay`

```
POST kbn:/api/alerting/rule
{
  "params": {
    "searchType": "esQuery",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "threshold": [
      -1
    ],
    "thresholdComparator": ">",
    "size": 100,
    "esQuery": """{
    "query":{
      "match_all" : {}
    }
  }""",
    "aggType": "count",
    "groupBy": "all",
    "termSize": 5,
    "excludeHitsFromPreviousRun": false,
    "sourceFields": [],
    "index": [
      ".kibana-event-log*"
    ],
    "timeField": "@timestamp"
  },
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1m"
  },
  "tags": [],
  "name": "test",
  "rule_type_id": ".es-query",
  "actions": [
    {
      "group": "query matched",
      "id": "${ACTION_ID}",
      "params": {
        "level": "info",
        "message": """Elasticsearch query rule '{{rule.name}}' is active:

- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
- Link: {{context.link}}"""
      },
      "frequency": {
        "notify_when": "onActionGroupChange",
        "throttle": null,
        "summary": false
      }
    }
  ],
  "alert_delay": {
    "active": 3
  }
}
```

- Verify that the alert will not be created until it has matched the
delay threshold.
- Verify that the delay does not affect recovered alerts
fkanout pushed a commit to fkanout/kibana that referenced this issue Feb 7, 2024

mikecote commented Feb 8, 2024

Reopening until #176346 is completed.

@mikecote mikecote reopened this Feb 8, 2024
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this issue Feb 15, 2024
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this issue Feb 15, 2024
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this issue Feb 15, 2024
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this issue Feb 15, 2024
doakalexi added a commit that referenced this issue Feb 15, 2024
)

Resolves #173009

## Summary

Adds a new input for the user to define the `alertDelay`. This input is
available for life-cycled alerts (stack and o11y) rule types.

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios


### To verify

- Using the UI create a rule with the `alertDelay` field set.
- Verify that the field is saved properly and that you can edit the
`alertDelay`
- Verify that you can add the alert delay to existing rules. Create a
rule in a different branch and switch to this one. Edit the rule and set
the `alertDelay`. Verify that the rule saves and works as expected.

---------

Co-authored-by: Lisa Cawley <lcawley@elastic.co>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Feb 15, 2024
(cherry picked from commit 68d6ab2)
kibanamachine added a commit that referenced this issue Feb 15, 2024
#176346) (#177051)

# Backport

This will backport the following commits from `main` to `8.13`:
- [[ResponseOps][FE] Alert creation delay based on user definition
(#176346)](#176346)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Alexi Doak <109488926+doakalexi@users.noreply.github.com>
awahab07 pushed a commit to awahab07/kibana that referenced this issue Feb 19, 2024
fkanout pushed a commit to fkanout/kibana that referenced this issue Mar 4, 2024
fkanout pushed a commit to fkanout/kibana that referenced this issue Mar 4, 2024