
[ResponseOps] Alert creation delay based on user definition #175851

Merged
merged 22 commits into from
Feb 6, 2024

Conversation

doakalexi (Contributor)

@doakalexi doakalexi commented Jan 29, 2024

Resolves #173009

Summary

This PR:

  • Changes the field name from notification_delay to alert_delay
  • Updates the alerts client and rule registry to index new alert docs on a delay
  • Updates the framework code to delay the creation of an alert

Checklist

  • [x] Unit or functional tests were updated or added to match the most common scenarios

To verify

  • Use Dev Tools to create a rule with the alertDelay

```
POST kbn:/api/alerting/rule
{
  "params": {
    "searchType": "esQuery",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "threshold": [
      -1
    ],
    "thresholdComparator": ">",
    "size": 100,
    "esQuery": """{
    "query":{
      "match_all" : {}
    }
  }""",
    "aggType": "count",
    "groupBy": "all",
    "termSize": 5,
    "excludeHitsFromPreviousRun": false,
    "sourceFields": [],
    "index": [
      ".kibana-event-log*"
    ],
    "timeField": "@timestamp"
  },
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1m"
  },
  "tags": [],
  "name": "test",
  "rule_type_id": ".es-query",
  "actions": [
    {
      "group": "query matched",
      "id": "${ACTION_ID}",
      "params": {
        "level": "info",
        "message": """Elasticsearch query rule '{{rule.name}}' is active:

- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
- Link: {{context.link}}"""
      },
      "frequency": {
        "notify_when": "onActionGroupChange",
        "throttle": null,
        "summary": false
      }
    }
  ],
  "alert_delay": {
    "active": 3
  }
}
```

  • Verify that the alert will not be created until it has matched the delay threshold.
  • Verify that the delay does not affect recovered alerts.
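The semantics the verification steps above describe (an alert is only created once it has been active for `alert_delay.active` consecutive runs, while recovery is never delayed) can be modelled as a small state tracker. This is an added illustration, not Kibana's own alerting framework code; the class and field names are hypothetical.

```typescript
// Added example, not Kibana's code: a minimal model of the alert_delay.active
// behaviour this PR introduces. Names (AlertDelayTracker, RunOutcome) are hypothetical.

interface RunOutcome {
  created: string[];   // alerts that crossed the delay threshold on this run
  ongoing: string[];   // alerts already created and still active
  pending: string[];   // active in the rule, but suppressed until the delay is met
  recovered: string[]; // created alerts that stopped being active (never delayed)
}

class AlertDelayTracker {
  private readonly activeCount = new Map<string, number>();
  private readonly createdIds = new Set<string>();

  constructor(private readonly activeDelay: number) {
    // alert_delay.active counts consecutive active runs; 1 means "no delay".
    if (!Number.isInteger(activeDelay) || activeDelay < 1) {
      throw new Error(`alert_delay.active must be a positive integer, got ${activeDelay}`);
    }
  }

  /** Process one rule execution. `activeIds` are the alert ids the rule found active. */
  run(activeIds: string[]): RunOutcome {
    const out: RunOutcome = { created: [], ongoing: [], pending: [], recovered: [] };
    const active = new Set(activeIds);

    for (const id of Array.from(active)) {
      const count = (this.activeCount.get(id) ?? 0) + 1;
      this.activeCount.set(id, count);
      if (this.createdIds.has(id)) {
        out.ongoing.push(id);
      } else if (count >= this.activeDelay) {
        this.createdIds.add(id); // threshold met: the alert document is created now
        out.created.push(id);
      } else {
        out.pending.push(id); // still counting: nothing indexed, no actions fired
      }
    }

    // Ids tracked last run but no longer active: a created alert recovers
    // immediately (the delay does not apply); a pending one just loses its counter.
    for (const id of Array.from(this.activeCount.keys())) {
      if (active.has(id)) continue;
      this.activeCount.delete(id);
      if (this.createdIds.delete(id)) out.recovered.push(id);
    }
    return out;
  }
}
```

With `active: 3`, an id that is active on two runs and absent on the third is never created and never recovered, so a flapping condition produces no alert at all; the cost is that a genuine condition is reported two runs later than it would be without the delay.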

@doakalexi (Contributor, Author)

/ci

@doakalexi (Contributor, Author)

/ci

@doakalexi doakalexi changed the title from "Alerting/notification delay fe" to "[ResponseOps] Alert creation delay based on user definition" Jan 30, 2024
@doakalexi (Contributor, Author)

/ci

@doakalexi doakalexi marked this pull request as ready for review January 31, 2024 16:40
@doakalexi doakalexi requested review from a team as code owners January 31, 2024 16:40
@doakalexi doakalexi added the release_note:enhancement, v8.13.0 and Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams) labels Jan 31, 2024
@elasticmachine (Contributor)

Pinging @elastic/response-ops (Team:ResponseOps)

@doakalexi doakalexi added the release_note:skip (skip the PR/issue when compiling release notes) label and removed the release_note:enhancement label Jan 31, 2024
@ymao1 (Contributor)

ymao1 commented Feb 1, 2024

I guess it's safe to assume that no rules will have been created with the notificationDelay config in serverless since it was API only? Otherwise they will be skipped due to a validation error:

[2024-02-01T11:12:21.408-05:00][WARN ][plugins.taskManager] Task (alerting:.es-query/85750824-12ec-4954-acfb-ec9b65899fc0) has a validation error in its indirect params: [notificationDelay]: definition for this key is missing

@doakalexi (Contributor, Author)

doakalexi commented Feb 1, 2024

> I guess it's safe to assume that no rules will have been created with the notificationDelay config in serverless since it was API only? Otherwise they will be skipped due to a validation error:
>
> [2024-02-01T11:12:21.408-05:00][WARN ][plugins.taskManager] Task (alerting:.es-query/85750824-12ec-4954-acfb-ec9b65899fc0) has a validation error in its indirect params: [notificationDelay]: definition for this key is missing

Yes, it was API only. I don't think anyone should have added a notification delay in this case.

@kibana-ci (Collaborator)

💛 Build succeeded, but was flaky

Metrics: ✅ unchanged

@ymao1 (Contributor) left a review comment

LGTM! Verified using an ES query rule type and a custom threshold rule type and alert delay works as described. Also tried upgrading to this PR branch from main with existing rules and verified that they continue running successfully.

@doakalexi doakalexi merged commit 31fbc86 into elastic:main Feb 6, 2024
39 checks passed
@kibanamachine kibanamachine added the backport:skip (this commit does not require backporting) label Feb 6, 2024
jloleysens added a commit that referenced this pull request Feb 7, 2024
fkanout pushed a commit to fkanout/kibana that referenced this pull request Feb 7, 2024
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this pull request Feb 15, 2024
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this pull request Feb 15, 2024
fkanout pushed a commit to fkanout/kibana that referenced this pull request Mar 4, 2024
Labels
backport:skip (this commit does not require backporting), release_note:skip (skip the PR/issue when compiling release notes), Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams), v8.13.0
5 participants