From efb7cdd49ede9126a8c19103dc58538f23da30ed Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Wed, 21 Dec 2022 16:48:28 -0500 Subject: [PATCH] [Response Ops] [Alerting] Unflattening summarized alerts (#147890) Towards https://github.com/elastic/kibana/issues/147379 ## Summary When investigating how to [onboard detection alerts onto framework alert summaries](https://github.com/elastic/kibana/issues/147379), there were some discrepancies in the format of the alert documents returned. This PR fixes the formatting so it matches and there will be no difference in `context.alerts` when we migrate detection alerts to the framework. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --- .../create_get_summarized_alerts_fn.test.ts | 906 +++++++++++++++--- .../utils/create_get_summarized_alerts_fn.ts | 29 +- .../tests/trial/get_summarized_alerts.ts | 5 +- 3 files changed, 820 insertions(+), 120 deletions(-) diff --git a/x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.test.ts b/x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.test.ts index 0ceb1e6ed8a84..387bd0174dbc4 100644 --- a/x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.test.ts +++ b/x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.test.ts @@ -76,6 +76,8 @@ describe('createGetSummarizedAlertsFn', () => { }, hits: [ { + _id: '1', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -86,6 +88,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '2', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -105,6 +109,8 @@ describe('createGetSummarizedAlertsFn', () => { }, hits: [ { + _id: '3', + _index: '.alerts-default-000001', _source: { '@timestamp': '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -115,6 +121,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '4', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -125,6 +133,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '5', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -144,6 +154,8 @@ describe('createGetSummarizedAlertsFn', () => { }, hits: [ { + _id: '6', + _index: '.alerts-default-000001', _source: { '@timestamp': '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -283,56 +295,140 @@ describe('createGetSummarizedAlertsFn', () => { expect(summarizedAlerts.recovered.count).toEqual(1); expect(summarizedAlerts.new.data).toEqual([ { + _id: '1', + _index: '.alerts-default-000001', '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [EVENT_ACTION]: 'open', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_3', - [ALERT_UUID]: 'uuid1', + event: { + action: 'open', + }, + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_3', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid1', + }, + }, }, { + _id: '2', + _index: '.alerts-default-000001', '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [EVENT_ACTION]: 'open', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_4', - [ALERT_UUID]: 'uuid2', + event: { + action: 'open', + }, + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_4', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid2', + }, + }, }, ]); expect(summarizedAlerts.ongoing.data).toEqual([ { + _id: '3', + _index: '.alerts-default-000001', '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [EVENT_ACTION]: 'active', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_1', - [ALERT_UUID]: 'uuid3', + event: { + action: 'active', + }, + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_1', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid3', + }, + }, }, { + _id: '4', + _index: '.alerts-default-000001', '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [EVENT_ACTION]: 'active', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_2', - [ALERT_UUID]: 'uuid4', + event: { + action: 'active', + }, + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_2', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid4', + }, + }, }, { + _id: '5', + _index: '.alerts-default-000001', '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [EVENT_ACTION]: 'active', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_5', - [ALERT_UUID]: 'uuid5', + event: { + action: 'active', + }, + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_5', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid5', + }, + }, }, ]); expect(summarizedAlerts.recovered.data).toEqual([ { + _id: '6', + _index: '.alerts-default-000001', '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [EVENT_ACTION]: 'close', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_9', - [ALERT_UUID]: 'uuid6', + event: { + action: 'close', + }, + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_9', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid6', + }, + }, }, ]); }); @@ -345,6 +441,8 @@ describe('createGetSummarizedAlertsFn', () => { }, hits: [ { + _id: '1', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -356,6 +454,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '2', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -367,6 +467,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '3', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:10:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -387,6 +489,8 @@ describe('createGetSummarizedAlertsFn', () => { }, hits: [ { + _id: '4', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:20:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -398,6 +502,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '5', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -418,6 +524,8 @@ describe('createGetSummarizedAlertsFn', () => { }, hits: [ { + _id: '6', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:20:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -585,63 +693,135 @@ describe('createGetSummarizedAlertsFn', () => { expect(summarizedAlerts.recovered.count).toEqual(1); expect(summarizedAlerts.new.data).toEqual([ { + _id: '1', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_3', - [ALERT_UUID]: 'uuid1', - [ALERT_START]: '2020-01-01T12:00:00.000Z', alert_type: 'new', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_3', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + start: '2020-01-01T12:00:00.000Z', + uuid: 'uuid1', + }, + }, }, { + _id: '2', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_4', - [ALERT_UUID]: 'uuid2', - [ALERT_START]: '2020-01-01T12:00:00.000Z', alert_type: 'new', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_4', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + start: '2020-01-01T12:00:00.000Z', + uuid: 'uuid2', + }, + }, }, { + _id: '3', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:10:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_1', - [ALERT_UUID]: 'uuid3', - [ALERT_START]: '2020-01-01T12:10:00.000Z', alert_type: 'new', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_1', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + start: '2020-01-01T12:10:00.000Z', + uuid: 'uuid3', + }, + }, }, ]); expect(summarizedAlerts.ongoing.data).toEqual([ { + _id: '4', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:20:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_2', - [ALERT_UUID]: 'uuid4', - [ALERT_START]: '2020-01-01T12:00:00.000Z', alert_type: 'ongoing', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_2', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + start: '2020-01-01T12:00:00.000Z', + uuid: 'uuid4', + }, + }, }, { + _id: '5', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_5', - [ALERT_UUID]: 'uuid5', - [ALERT_START]: '2020-01-01T11:00:00.000Z', alert_type: 'ongoing', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_5', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + start: '2020-01-01T11:00:00.000Z', + uuid: 'uuid5', + }, + }, }, ]); expect(summarizedAlerts.recovered.data).toEqual([ { + _id: '6', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:20:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_9', - [ALERT_UUID]: 'uuid6', - [ALERT_START]: '2020-01-01T11:00:00.000Z', - [ALERT_END]: '2020-01-01T12:20:00.000Z', alert_type: 'recovered', + kibana: { + alert: { + end: '2020-01-01T12:20:00.000Z', + instance: { + id: 'TEST_ALERT_9', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + start: '2020-01-01T11:00:00.000Z', + uuid: 'uuid6', + }, + }, }, ]); }); @@ -654,6 +834,8 @@ describe('createGetSummarizedAlertsFn', () => { }, hits: [ { + _id: '1', + _index: '.alerts-default-000001', _source: { '@timestamp': '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -663,6 +845,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '2', + _index: '.alerts-default-000001', _source: { '@timestamp': '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -672,6 +856,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '3', + _index: '.alerts-default-000001', _source: { '@timestamp': '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -681,6 +867,8 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '4', + _index: '.alerts-default-000001', _source: { '@timestamp': '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -690,16 +878,19 @@ describe('createGetSummarizedAlertsFn', () => { }, }, { + _id: '5', + _index: '.alerts-default-000001', _source: { '@timestamp': '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', [ALERT_RULE_UUID]: 'rule-id', - [EVENT_ACTION]: 'active', [ALERT_INSTANCE_ID]: 'TEST_ALERT_5', [ALERT_UUID]: 'uuid5', }, }, { + _id: '6', + _index: '.alerts-default-000001', _source: { '@timestamp': '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', @@ -761,47 +952,118 @@ describe('createGetSummarizedAlertsFn', () => { expect(summarizedAlerts.recovered.count).toEqual(0); expect(summarizedAlerts.new.data).toEqual([ { - '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_3', - [ALERT_UUID]: 'uuid1', + _id: '1', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_3', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid1', + }, + }, }, { - '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_4', - [ALERT_UUID]: 'uuid2', + _id: '2', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_4', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid2', + }, + }, }, { - '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_1', - [ALERT_UUID]: 'uuid3', + _id: '3', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_1', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid3', + }, + }, }, { - '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_2', - [ALERT_UUID]: 'uuid4', + _id: '4', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_2', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid4', + }, + }, }, { - '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [EVENT_ACTION]: 'active', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_5', - [ALERT_UUID]: 'uuid5', + _id: '5', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_5', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid5', + }, + }, }, { - '@timestamp': '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_9', - [ALERT_UUID]: 'uuid6', + _id: '6', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_9', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid6', + }, + }, }, ]); expect(summarizedAlerts.ongoing.data).toEqual([]); @@ -816,57 +1078,395 @@ describe('createGetSummarizedAlertsFn', () => { }, hits: [ { + _id: '1', + _index: '.alerts-default-000001', + _source: { + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + [ALERT_RULE_EXECUTION_UUID]: 'abc', + [ALERT_RULE_UUID]: 'rule-id', + [ALERT_INSTANCE_ID]: 'TEST_ALERT_3', + [ALERT_UUID]: 'uuid1', + }, + }, + { + _id: '2', + _index: '.alerts-default-000001', + _source: { + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + [ALERT_RULE_EXECUTION_UUID]: 'abc', + [ALERT_RULE_UUID]: 'rule-id', + [ALERT_INSTANCE_ID]: 'TEST_ALERT_4', + [ALERT_UUID]: 'uuid2', + }, + }, + { + _id: '3', + _index: '.alerts-default-000001', + _source: { + [TIMESTAMP]: '2020-01-01T12:10:00.000Z', + [ALERT_RULE_EXECUTION_UUID]: 'abc', + [ALERT_RULE_UUID]: 'rule-id', + [ALERT_INSTANCE_ID]: 'TEST_ALERT_1', + [ALERT_UUID]: 'uuid3', + }, + }, + { + _id: '4', + _index: '.alerts-default-000001', + _source: { + [TIMESTAMP]: '2020-01-01T12:20:00.000Z', + [ALERT_RULE_EXECUTION_UUID]: 'abc', + [ALERT_RULE_UUID]: 'rule-id', + [ALERT_INSTANCE_ID]: 'TEST_ALERT_2', + [ALERT_UUID]: 'uuid4', + }, + }, + { + _id: '5', + _index: '.alerts-default-000001', + _source: { + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + [ALERT_RULE_EXECUTION_UUID]: 'abc', + [ALERT_RULE_UUID]: 'rule-id', + [ALERT_INSTANCE_ID]: 'TEST_ALERT_5', + [ALERT_UUID]: 'uuid5', + }, + }, + { + _id: '6', + _index: '.alerts-default-000001', + _source: { + [TIMESTAMP]: '2020-01-01T12:20:00.000Z', + [ALERT_RULE_EXECUTION_UUID]: 'abc', + [ALERT_RULE_UUID]: 'rule-id', + [ALERT_INSTANCE_ID]: 'TEST_ALERT_9', + [ALERT_UUID]: 'uuid6', + }, + }, + ], + }, + } as any); + const getSummarizedAlertsFn = createGetSummarizedAlertsFn({ + ruleDataClient: ruleDataClientMock, + useNamespace: true, + isLifecycleAlert: false, + })(); + + const summarizedAlerts = await getSummarizedAlertsFn({ + start: new Date('2020-01-01T11:00:00.000Z'), + end: new Date('2020-01-01T12:25:00.000Z'), + ruleId: 'rule-id', + spaceId: 'space-id', + excludedAlertInstanceIds: ['TEST_ALERT_10'], + }); + expect(ruleDataClientMock.getReader).toHaveBeenCalledWith({ namespace: 'space-id' }); + expect(ruleDataClientMock.getReader().search).toHaveBeenCalledTimes(1); + expect(ruleDataClientMock.getReader().search).toHaveBeenCalledWith({ + body: { + size: 100, + track_total_hits: true, + query: { + bool: { + filter: [ + { + range: { + [TIMESTAMP]: { + gte: '2020-01-01T11:00:00.000Z', + lt: '2020-01-01T12:25:00.000Z', + }, + }, + }, + { + term: { + [ALERT_RULE_UUID]: 'rule-id', + }, + }, + { + bool: { + must_not: { + terms: { + [ALERT_INSTANCE_ID]: ['TEST_ALERT_10'], + }, + }, + }, + }, + ], + }, + }, + }, + }); + expect(summarizedAlerts.new.count).toEqual(6); + expect(summarizedAlerts.ongoing.count).toEqual(0); + expect(summarizedAlerts.recovered.count).toEqual(0); + expect(summarizedAlerts.new.data).toEqual([ + { + _id: '1', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_3', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid1', + }, + }, + }, + { + _id: '2', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_4', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid2', + }, + }, + }, + { + _id: '3', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:10:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_1', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid3', + }, + }, + }, + { + _id: '4', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:20:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_2', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid4', + }, + }, + }, + { + _id: '5', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:00:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_5', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid5', + }, + }, + }, + { + _id: '6', + _index: '.alerts-default-000001', + [TIMESTAMP]: '2020-01-01T12:20:00.000Z', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_9', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid6', + }, + }, + }, + ]); + expect(summarizedAlerts.ongoing.data).toEqual([]); + expect(summarizedAlerts.recovered.data).toEqual([]); + }); + + it('creates function that correctly formats alerts', async () => { + ruleDataClientMock.getReader().search.mockResolvedValueOnce({ + hits: { + total: { + value: 6, + }, + hits: [ + { + _id: '1', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', [ALERT_RULE_UUID]: 'rule-id', [ALERT_INSTANCE_ID]: 'TEST_ALERT_3', [ALERT_UUID]: 'uuid1', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_3', + }, + rule: { + execution: { + uuid: 'abc', + }, + }, + uuid: 'uuid1', + }, + }, }, }, { + _id: '2', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', [ALERT_RULE_UUID]: 'rule-id', [ALERT_INSTANCE_ID]: 'TEST_ALERT_4', [ALERT_UUID]: 'uuid2', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_4', + }, + rule: { + execution: { + uuid: 'abc', + }, + }, + uuid: 'uuid2', + }, + }, }, }, { + _id: '3', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:10:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', [ALERT_RULE_UUID]: 'rule-id', [ALERT_INSTANCE_ID]: 'TEST_ALERT_1', [ALERT_UUID]: 'uuid3', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_1', + }, + rule: { + execution: { + uuid: 'abc', + }, + }, + uuid: 'uuid3', + }, + }, }, }, { + _id: '4', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:20:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', [ALERT_RULE_UUID]: 'rule-id', [ALERT_INSTANCE_ID]: 'TEST_ALERT_2', [ALERT_UUID]: 'uuid4', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_2', + }, + rule: { + execution: { + uuid: 'abc', + }, + }, + uuid: 'uuid4', + }, + }, }, }, { + _id: '5', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:00:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', [ALERT_RULE_UUID]: 'rule-id', [ALERT_INSTANCE_ID]: 'TEST_ALERT_5', [ALERT_UUID]: 'uuid5', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_5', + }, + rule: { + execution: { + uuid: 'abc', + }, + }, + uuid: 'uuid5', + }, + }, }, }, { + _id: '6', + _index: '.alerts-default-000001', _source: { [TIMESTAMP]: '2020-01-01T12:20:00.000Z', [ALERT_RULE_EXECUTION_UUID]: 'abc', [ALERT_RULE_UUID]: 'rule-id', [ALERT_INSTANCE_ID]: 'TEST_ALERT_9', [ALERT_UUID]: 'uuid6', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_9', + }, + rule: { + execution: { + uuid: 'abc', + }, + }, + uuid: 'uuid6', + }, + }, }, }, ], @@ -926,46 +1526,118 @@ describe('createGetSummarizedAlertsFn', () => { expect(summarizedAlerts.recovered.count).toEqual(0); expect(summarizedAlerts.new.data).toEqual([ { + _id: '1', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_3', - [ALERT_UUID]: 'uuid1', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_3', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid1', + }, + }, }, { + _id: '2', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_4', - [ALERT_UUID]: 'uuid2', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_4', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid2', + }, + }, }, { + _id: '3', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:10:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_1', - [ALERT_UUID]: 'uuid3', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_1', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid3', + }, + }, }, { + _id: '4', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:20:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_2', - [ALERT_UUID]: 'uuid4', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_2', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid4', + }, + }, }, { + _id: '5', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:00:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_5', - [ALERT_UUID]: 'uuid5', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_5', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid5', + }, + }, }, { + _id: '6', + _index: '.alerts-default-000001', [TIMESTAMP]: '2020-01-01T12:20:00.000Z', - [ALERT_RULE_EXECUTION_UUID]: 'abc', - [ALERT_RULE_UUID]: 'rule-id', - [ALERT_INSTANCE_ID]: 'TEST_ALERT_9', - [ALERT_UUID]: 'uuid6', + kibana: { + alert: { + instance: { + id: 'TEST_ALERT_9', + }, + rule: { + execution: { + uuid: 'abc', + }, + uuid: 'rule-id', + }, + uuid: 'uuid6', + }, + }, }, ]); expect(summarizedAlerts.ongoing.data).toEqual([]); diff --git a/x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.ts b/x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.ts index 82d044ad65a68..4754d47f236e3 100644 --- a/x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.ts +++ b/x-pack/plugins/rule_registry/server/utils/create_get_summarized_alerts_fn.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { merge } from 'lodash'; import type { PublicContract } from '@kbn/utility-types'; import { ESSearchRequest, ESSearchResponse } from '@kbn/es-types'; import type { GetSummarizedAlertsFnOpts } from '@kbn/alerting-plugin/server'; @@ -179,12 +180,38 @@ const getLifecycleAlertsByExecutionUuid = async ({ }; }; +const expandDottedField = (dottedFieldName: string, val: unknown): object => { + const parts = dottedFieldName.split('.'); + if (parts.length === 1) { + return { [parts[0]]: val }; + } else { + return { [parts[0]]: expandDottedField(parts.slice(1).join('.'), val) }; + } +}; + +const expandFlattenedAlert = (alert: object) => { + return Object.entries(alert).reduce( + (acc, [key, val]) => merge(acc, expandDottedField(key, val)), + {} + ); +}; + const getHitsWithCount = ( response: ESSearchResponse ) => { return { count: (response.hits.total as SearchTotalHits).value, - data: response.hits.hits.map((r) => r._source), + data: response.hits.hits.map((hit) => { + const { _id, _index, _source } = hit; + + const rawAlert = { + _id, + _index, + ..._source, + }; + + return expandFlattenedAlert(rawAlert as object); + }), }; }; diff --git a/x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts b/x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts index 8f50fd4589769..ccf57b8f6a0c1 100644 --- a/x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts +++ b/x-pack/test/rule_registry/spaces_only/tests/trial/get_summarized_alerts.ts @@ -28,6 +28,7 @@ import { RuleDataService, } from '@kbn/rule-registry-plugin/server'; import { RuleExecutorOptions } from '@kbn/alerting-plugin/server'; +import { get } from 'lodash'; import type { FtrProviderContext } from '../../../common/ftr_provider_context'; import { MockRuleParams, @@ -357,7 +358,7 @@ export default function createGetSummarizedAlertsTest({ getService }: FtrProvide expect(summarizedAlertsExcludingId1.new.count).to.eql(1); expect(summarizedAlertsExcludingId1.ongoing.count).to.eql(0); expect(summarizedAlertsExcludingId1.recovered.count).to.eql(0); - expect(summarizedAlertsExcludingId1.new.data[0][ALERT_INSTANCE_ID]).to.eql(id2); + expect(get(summarizedAlertsExcludingId1.new.data[0], ALERT_INSTANCE_ID)).to.eql(id2); const summarizedAlertsExcludingId2 = await getSummarizedAlerts({ ruleId, @@ -368,7 +369,7 @@ export default function createGetSummarizedAlertsTest({ getService }: FtrProvide expect(summarizedAlertsExcludingId2.new.count).to.eql(1); expect(summarizedAlertsExcludingId2.ongoing.count).to.eql(0); expect(summarizedAlertsExcludingId2.recovered.count).to.eql(0); - expect(summarizedAlertsExcludingId2.new.data[0][ALERT_INSTANCE_ID]).to.eql(id1); + expect(get(summarizedAlertsExcludingId2.new.data[0], ALERT_INSTANCE_ID)).to.eql(id1); }); }); }