Skip to content

Commit

Permalink
[RAC][Alerting][Security Solution] Adds Rule Execution UUID (#113058)
Browse files Browse the repository at this point in the history 
## Summary

Resolves: #110135

This PR is for introducing a new UUID (`kibana.alert.rule.execution.uuid` as defined in the AAD schema) for identifying individual rule executions. This id is introduced as a `private readonly` member of the [alerting server task_manager](https://github.com/elastic/kibana/blob/a993668663dd4fc25d3336e2d474101ed8d1b74d/x-pack/plugins/alerting/server/task_runner/task_runner.ts#L123), and plumbed through the `executionHandler` and to all appropriate alert event and event-log touch points.

For persistence when writing alerts within the RuleRegistry, `kibana.alert.rule.execution.uuid` is plumbed through [`getCommonAlertFields()`](https://github.com/elastic/kibana/blob/c81341c325edcb0eaca1dab2521b2a86fea18389/x-pack/plugins/rule_registry/server/utils/get_common_alert_fields.ts#L52) so it is grouped with like fields and is picked up by both the [`createPersistenceRuleTypeWrapper`](https://github.com/elastic/kibana/blob/c81341c325edcb0eaca1dab2521b2a86fea18389/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts#L38) used by Security Solution, and [`createLifecycleExecutor`](https://github.com/elastic/kibana/blob/d152ca5b6bf7f56fcba1d1d8c2cfee5404a821de/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts#L157) used by Observability rules.

Additionally on the Security Solution side, `kibana.alert.rule.execution.uuid` was plumbed through the `RuleExecutionLog` so that all events written to the event-log will now include this id so individual rule status events/metrics can be correlated with specific rule executions.

No UI facing changes were made, however `kibana.alert.rule.execution.uuid` is now available within the Alerts Table FieldBrowser, and can be toggled and viewed alongside alerts:

<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/149594433-b16e369b-adf4-4ae3-b6e9-98189b214d51.png" />
</p>

As visible when exploring `event-log` in Discover:

<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/149595237-155d25d7-8324-4981-9ec2-faf0af8e7bd7.png" />
</p>



### Checklist

Delete any items that are not applicable to this PR.

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials 
  - Will need to sync with Doc folks on updates here.
- [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
  • Loading branch information
@spong
spong authored Jan 21, 2022
1 parent 735948d commit 48693d1
Show file tree
Hide file tree
Showing 34 changed files with 716 additions and 12 deletions.
3 changes: 3 additions & 0 deletions packages/kbn-rule-data-utils/src/technical_field_names.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const;
const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const;
const ALERT_RULE_EXECUTION_UUID = `${ALERT_RULE_NAMESPACE}.execution.uuid` as const;
const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
Expand Down Expand Up @@ -103,6 +104,7 @@ const fields = {
ALERT_RULE_CREATED_BY,
ALERT_RULE_DESCRIPTION,
ALERT_RULE_ENABLED,
ALERT_RULE_EXECUTION_UUID,
ALERT_RULE_FROM,
ALERT_RULE_INTERVAL,
ALERT_RULE_LICENSE,
Expand Down Expand Up @@ -156,6 +158,7 @@ export {
ALERT_RULE_CREATED_BY,
ALERT_RULE_DESCRIPTION,
ALERT_RULE_ENABLED,
ALERT_RULE_EXECUTION_UUID,
ALERT_RULE_FROM,
ALERT_RULE_INTERVAL,
ALERT_RULE_LICENSE,
Expand Down
24 changes: 24 additions & 0 deletions x-pack/plugins/alerting/server/lib/create_alert_event_log_record_object.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ describe('createAlertEventLogRecordObject', () => {
test('created alert event "execute-start"', async () => {
expect(
createAlertEventLogRecordObject({
executionId: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
ruleId: '1',
ruleType,
action: 'execute-start',
Expand All @@ -50,6 +51,13 @@ describe('createAlertEventLogRecordObject', () => {
kind: 'alert',
},
kibana: {
alert: {
rule: {
execution: {
uuid: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
},
},
},
saved_objects: [
{
id: '1',
Expand All @@ -76,6 +84,7 @@ describe('createAlertEventLogRecordObject', () => {
test('created alert event "recovered-instance"', async () => {
expect(
createAlertEventLogRecordObject({
executionId: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
ruleId: '1',
ruleName: 'test name',
ruleType,
Expand Down Expand Up @@ -109,6 +118,13 @@ describe('createAlertEventLogRecordObject', () => {
start: '1970-01-01T00:00:00.000Z',
},
kibana: {
alert: {
rule: {
execution: {
uuid: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
},
},
},
alerting: {
action_group_id: 'group 1',
action_subgroup: 'subgroup value',
Expand Down Expand Up @@ -138,6 +154,7 @@ describe('createAlertEventLogRecordObject', () => {
test('created alert event "execute-action"', async () => {
expect(
createAlertEventLogRecordObject({
executionId: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
ruleId: '1',
ruleName: 'test name',
ruleType,
Expand Down Expand Up @@ -176,6 +193,13 @@ describe('createAlertEventLogRecordObject', () => {
start: '1970-01-01T00:00:00.000Z',
},
kibana: {
alert: {
rule: {
execution: {
uuid: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
},
},
},
alerting: {
action_group_id: 'group 1',
action_subgroup: 'subgroup value',
Expand Down
25 changes: 24 additions & 1 deletion x-pack/plugins/alerting/server/lib/create_alert_event_log_record_object.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import { UntypedNormalizedRuleType } from '../rule_type_registry';
export type Event = Exclude<IEvent, undefined>;

interface CreateAlertEventLogRecordParams {
executionId?: string;
ruleId: string;
ruleType: UntypedNormalizedRuleType;
action: string;
Expand All @@ -36,7 +37,18 @@ interface CreateAlertEventLogRecordParams {
}

export function createAlertEventLogRecordObject(params: CreateAlertEventLogRecordParams): Event {
const { ruleType, action, state, message, task, ruleId, group, subgroup, namespace } = params;
const {
executionId,
ruleType,
action,
state,
message,
task,
ruleId,
group,
subgroup,
namespace,
} = params;
const alerting =
params.instanceId || group || subgroup
? {
Expand All @@ -59,6 +71,17 @@ export function createAlertEventLogRecordObject(params: CreateAlertEventLogRecor
},
kibana: {
...(alerting ? alerting : {}),
...(executionId
? {
alert: {
rule: {
execution: {
uuid: executionId,
},
},
},
}
: {}),
saved_objects: params.savedObjects.map((so) => ({
...(so.relation ? { rel: so.relation } : {}),
type: so.type,
Expand Down
4 changes: 4 additions & 0 deletions x-pack/plugins/alerting/server/rules_client/tests/disable.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ import { getBeforeSetup, setGlobalDate } from './lib';
import { eventLoggerMock } from '../../../../event_log/server/event_logger.mock';
import { TaskStatus } from '../../../../task_manager/server';

jest.mock('uuid', () => ({
v4: () => '5f6aa57d-3e22-484e-bae8-cbed868f4d28',
}));

const taskManager = taskManagerMock.createStart();
const ruleTypeRegistry = ruleTypeRegistryMock.create();
const unsecuredSavedObjectsClient = savedObjectsClientMock.create();
Expand Down
8 changes: 8 additions & 0 deletions x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ const createExecutionHandlerParams: jest.Mocked<
spaceId: 'test1',
ruleId: '1',
ruleName: 'name-of-alert',
executionId: '5f6aa57d-3e22-484e-bae8-cbed868f4d28',
tags: ['tag-A', 'tag-B'],
apiKey: 'MTIzOmFiYw==',
kibanaBaseUrl: 'http://localhost:5601',
Expand Down Expand Up @@ -173,6 +174,13 @@ test('enqueues execution per selected action', async () => {
"kind": "alert",
},
"kibana": Object {
"alert": Object {
"rule": Object {
"execution": Object {
"uuid": "5f6aa57d-3e22-484e-bae8-cbed868f4d28",
},
},
},
"alerting": Object {
"action_group_id": "default",
"instance_id": "2",
Expand Down
3 changes: 3 additions & 0 deletions x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ export interface CreateExecutionHandlerOptions<
> {
ruleId: string;
ruleName: string;
executionId: string;
tags?: string[];
actionsPlugin: ActionsPluginStartContract;
actions: AlertAction[];
Expand Down Expand Up @@ -83,6 +84,7 @@ export function createExecutionHandler<
logger,
ruleId,
ruleName,
executionId,
tags,
actionsPlugin,
actions: ruleActions,
Expand Down Expand Up @@ -206,6 +208,7 @@ export function createExecutionHandler<
ruleId,
ruleType: ruleType as UntypedNormalizedRuleType,
action: EVENT_LOG_ACTIONS.executeAction,
executionId,
instanceId: alertId,
group: actionGroup,
subgroup: actionSubgroup,
Expand Down
Loading

0 comments on commit 48693d1

Please sign in to comment.