
[Request] add ES|QL rule alert suppression docs #5156

Open
vitaliidm opened this issue May 3, 2024 · 0 comments

@vitaliidm
Contributor

Description

adds alert suppression to ES|QL rule

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.15

Serverless release

around 8.15 release

Feature differences

ESS: alert suppression is available for Platinum license
Serverless: available for Essentials and Complete tiers

API docs impact

adds alert_suppression field to ES|QL rule create/update/patch rule APIs

Prerequisites, privileges, feature flags

ESS: requires Platinum license
Feature Flag: alertSuppressionForEsqlRuleEnabled

vitaliidm added a commit to elastic/kibana that referenced this issue May 20, 2024
… rule type (#180927)

## Summary

- addresses elastic/security-team#9203
- adds alert suppression for new terms rule type
- similarly to [custom investigation
fields](#177746), the list of available
suppression fields:
  - shows only ES|QL fields returned in query for aggregating queries
  - shows ES|QL fields returned in query + index fields for
non-aggregating queries, since resulting alerts for this type of query
are enriched with source documents.

### Demo

1. run esql rule w/o suppression
2. run esql rule w/ suppression per rule execution. Since ES|QL query is
aggregating, no alerts suppressed on already aggregated field `host.ip`
3. run suppression on interval 20m
4. run suppression for custom ES|QL field which is the same as
`host.ip`, hence same results
5. run suppression on interval 100m


https://github.com/elastic/kibana/assets/92328789/4bd8cf13-6e23-4842-b775-605c74ae0127

### Limitations

Since suppressed alerts deduplication relies on alert timestamps,
sorting of results other than `@timestamp asc` in ES|QL query may impact
the number of suppressed alerts when the number of possible alerts is more than
max_signals.
This affects only non-aggregating queries, since suppression boundaries
for these alerts are set as rule execution time.

### Checklist

- [x] Functional changes are hidden behind a feature flag 

    Feature flag `alertSuppressionForEsqlRuleEnabled`

- [x] Functional changes are covered with a test plan and automated
tests.

  - elastic/security-team#9389

- [x] Stability of new and changed tests is verified using the [Flaky
Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner).
- FTR(x100):
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5907
- Cypress(x100):
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6011
  
- [x] Comprehensive manual testing is done by two engineers: the PR
author and one of the PR reviewers. Changes are tested in both ESS and
Serverless.

- [x] Mapping changes are accompanied by a technical design document. It
can be a GitHub issue or an RFC explaining the changes. The design
document is shared with and approved by the appropriate teams and
individual stakeholders.

Existing AlertSuppression schema field is used for ES|QL rule, the one
that is already used for Query, New terms and IM rules.

  ```yml
  alert_suppression:
    $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression'
  ```
  where

  ```yml
  AlertSuppression:
    type: object
    properties:
      group_by:
        $ref: '#/components/schemas/AlertSuppressionGroupBy'
      duration:
        $ref: '#/components/schemas/AlertSuppressionDuration'
      missing_fields_strategy:
        $ref: '#/components/schemas/AlertSuppressionMissingFieldsStrategy'
    required:
      - group_by
  ```

- [x] Functional changes are communicated to the Docs team. A ticket or
PR is opened in https://github.com/elastic/security-docs. The following
information is included: any feature flags used, affected environments
(Serverless, ESS, or both).

  - elastic/security-docs#5156

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Nikita Indik <mail@nikitaindik.com>
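A worked example, added here in Python, of what the new `alert_suppression` field looks like on the ES|QL rule create/update body and of how `group_by`, `duration` and `missing_fields_strategy` change the number of alerts written (the per-execution, 20m and 100m cases from the demo above, plus the `max_signals` ordering caveat from the Limitations section). This is not code from this issue, the linked Kibana PR, or Kibana. The duration shape (`{"value", "unit"}`), the `missing_fields_strategy` values (`suppress` / `doNotSuppress`) and the other rule body fields are assumed from the public detection rule API rather than stated on this page, and the suppression walk is a simplified model of the behaviour, not Kibana's implementation. The sample rows are constructed.

```python
"""Added example (not from this issue, the linked Kibana PR, or Kibana):
build the alert_suppression block for an ES|QL rule, check it against the
AlertSuppression schema shape referenced above, and model how group_by,
duration and missing_fields_strategy collapse candidate alerts.

Assumed shapes (public detection rule API, not stated on this page):
  duration                = {"value": <int>, "unit": "s" | "m" | "h"}
  missing_fields_strategy = "suppress" | "doNotSuppress"
The suppression walk is a simplified model, not Kibana's implementation.
"""
from datetime import datetime, timedelta, timezone

VALID_UNITS = {"s": "seconds", "m": "minutes", "h": "hours"}
VALID_STRATEGIES = {"suppress", "doNotSuppress"}


def validate_alert_suppression(block):
    """Raise ValueError if the block does not match the AlertSuppression schema."""
    group_by = block.get("group_by")
    if not isinstance(group_by, list) or not group_by \
            or not all(isinstance(f, str) and f for f in group_by):
        raise ValueError("group_by is required and must be a non-empty list of field names")
    if "duration" in block:
        d = block["duration"]
        if d.get("unit") not in VALID_UNITS or not isinstance(d.get("value"), int) or d["value"] <= 0:
            raise ValueError("duration needs a positive integer value and unit s/m/h")
    if "missing_fields_strategy" in block and block["missing_fields_strategy"] not in VALID_STRATEGIES:
        raise ValueError("missing_fields_strategy must be suppress or doNotSuppress")
    return True


def build_esql_rule(name, query, group_by, duration=None, missing_fields_strategy=None):
    """Return a rule-create request body for an ES|QL rule with alert suppression.
    `duration` is given as (value, unit), e.g. (20, "m")."""
    suppression = {"group_by": list(group_by)}
    if duration is not None:
        value, unit = duration
        suppression["duration"] = {"value": value, "unit": unit}
    if missing_fields_strategy is not None:
        suppression["missing_fields_strategy"] = missing_fields_strategy
    validate_alert_suppression(suppression)
    return {
        "type": "esql",            # ES|QL rule type (assumed API value)
        "language": "esql",
        "name": name,
        "description": name,
        "query": query,
        "severity": "low",
        "risk_score": 21,
        "alert_suppression": suppression,
    }


def suppress(candidates, group_by, duration=None, missing_fields_strategy="suppress", max_signals=None):
    """Model one rule execution over `candidates` (rows in the order the query returned them).
    Returns the alerts that would be written, each with the number of rows suppressed
    into it. No duration means suppress per rule execution."""
    rows = list(candidates)
    if max_signals is not None:
        rows = rows[:max_signals]             # only the first max_signals rows can become alerts
    rows.sort(key=lambda r: r["@timestamp"])  # suppression windows are walked forward in time
    window = None
    if duration is not None:
        value, unit = duration
        window = timedelta(**{VALID_UNITS[unit]: value})
    open_alert = {}   # group key -> alert whose suppression window is still open
    alerts = []
    for row in rows:
        key = tuple(row.get(f) for f in group_by)
        if missing_fields_strategy == "doNotSuppress" and any(v is None for v in key):
            alerts.append({"key": key, "window_start": row["@timestamp"], "suppressed": 0})
            continue      # missing group field: one alert per row, never suppressed
        current = open_alert.get(key)
        if current is not None and (window is None or row["@timestamp"] < current["window_start"] + window):
            current["suppressed"] += 1
            continue
        current = {"key": key, "window_start": row["@timestamp"], "suppressed": 0}
        open_alert[key] = current
        alerts.append(current)
    return alerts


# Constructed sample rows (not real data), grouped on host.ip as in the demo above.
BASE = datetime(2024, 5, 3, 0, 0, tzinfo=timezone.utc)


def _row(minutes, host_ip=None):
    row = {"@timestamp": BASE + timedelta(minutes=minutes)}
    if host_ip is not None:
        row["host.ip"] = host_ip
    return row


SAMPLE_ROWS = [_row(0, "10.0.0.1"), _row(5, "10.0.0.1"), _row(10, "10.0.0.2"),
               _row(15, "10.0.0.1"), _row(30, "10.0.0.1"), _row(45, "10.0.0.1"),
               _row(50, "10.0.0.2")]

if __name__ == "__main__":
    rule = build_esql_rule("esql suppression demo",
                           "FROM logs-* | STATS count = COUNT(*) BY host.ip",
                           ["host.ip"], duration=(20, "m"))
    print(rule["alert_suppression"])
    for label, kwargs in [("per execution", {}), ("20m", {"duration": (20, "m")}),
                          ("100m", {"duration": (100, "m")})]:
        alerts = suppress(SAMPLE_ROWS, ["host.ip"], **kwargs)
        print(f"{label}: {len(alerts)} alerts, {sum(a['suppressed'] for a in alerts)} suppressed")
```

Running the sample rows through `suppress` gives 2 alerts per execution, 4 with a 20m duration and 2 with 100m, matching the shape of the demo steps. Passing the same rows in reverse order with `max_signals=4` produces a different alert count than ascending order, which is the ordering effect the Limitations section describes.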