[Security Solution] [Detections] Create a 'partial failure' status for rules #84293
Conversation
dhurley14
changed the title
dhurley14
force-pushed
the
warning-msg-rule-details
branch
from
07f1af1
to
3e807e7
Compare
dhurley14
added
Feature:Detection Rules
|
@elasticmachine merge upstream |
| @@ -93,6 +101,18 @@ export const ruleStatusServiceFactory = async ({ | |||
| }); | |||
| }, | |||
|
|
|||
| partialFailure: async (message, attributes) => { | |||
There was a problem hiding this comment.
Is the plan to use this function in signal_rule_alert_type.ts or is it already being used somewhere else?
There was a problem hiding this comment.
Currently, there's no place in the code where this function is being used. When this gets merged I will be incorporating it into the multiple timestamps pr #83134 I think by returning an error type instead of relying on the result.success boolean to write an error / success status.
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
LGTM. The UI elements are displayed as expected. As I reviewed the PR I wondered if we should also store "partial failures" as part of the "Failure History"? I wonder if users would be interested in seeing a log of partial failures alongside actual failures. This is more of a Product question and it won't block this PR but it's something to think about.
…r rules (elastic#84293) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* master: (63 commits) Revert the Revert of "[Alerting] renames Resolved action group to Recovered (elastic#84123)" (elastic#84662) declare kbn/monaco dependency on kbn/i18n explicitly (elastic#84660) Remove unscripted fields from sample data index-pattern saved objects (elastic#84659) [ML] Fix unnecessary trigger of wildcard field type search for ML plugin routes. (elastic#84605) Update create.asciidoc (elastic#84046) [Security Solution][Detections] Fix labels and issue with mandatory fields (elastic#84525) Fix flaky test suite (elastic#84602) [Security Solution] [Detections] Create a 'partial failure' status for rules (elastic#84293) Revert "[Alerting] renames Resolved action group to Recovered (elastic#84123)" Update code-comments describing babel plugins (elastic#84622) [Security Solution] [Cases] Cypress for case connector selector options (elastic#80745) [Discover] Unskip doc table tests (elastic#84564) [Lens] (Accessibility) Improve landmarks in Lens (elastic#84511) [Lens] (Accessibility) Focus mistakenly stops on righthand form (elastic#84519) Return early when parallel install process detected (elastic#84190) [Security Solution][Detections] Support arrays in event fields for Severity/Risk overrides (elastic#83723) [Security Solution][Detections] Fix grammatical error in validation message for threshold field in "Create new rule" -> "Define rule" (elastic#84490) [Fleet] Update agent details page (elastic#84434) adding documentation of use of NODE_EXTRA_CA_CERTS env var (elastic#84578) [Search] Integrate "Send to background" UI with session service (elastic#83073) ...
Summary
With the allowance of querying indices with different timestamps (PR, issue) we need a way to tell the customer when a rule is unable to query neither of the two timestamp fields provided (timestamp override and / or
@timestampfield). I have updated the rule status functions to write a "partial failure" status to indicate when we were able to successfully query some of the index patterns provided to the rule, but were unable to query others.This will also be helpful when we add checks for read privileges for the rule itself (#83134)
Checklist
Delete any items that are not applicable to this PR.
For maintainers