AAD Adoption - Onboard remaining ML rule types to framework alerts-as-data #171792
Labels
Feature:Alerting
:ml
Team:ResponseOps
Comments
Pinging @elastic/ml-ui (:ml)
Pinging @elastic/response-ops (Team:ResponseOps)
cc @peteharverson @darnautov after talking with Pete, it didn't seem this was in ML's plans for 8.13 so just a heads up we may do this for you in 8.13 to have all rule types persisting AAD documents.
ymao1 added a commit that referenced this issue on Jan 10, 2024:
…d anomaly detection jobs health rule types to write default alerts-as-data docs (#174537)

Towards elastic/response-ops-team#164
Resolves #171792

## Summary

* Switches these rule types to use `alertsClient` from alerting framework in favor of the deprecated `alertFactory`
* Defines the `default` alert config for these rule types so framework level fields will be written out into the `.alerts-default.alerts-default` index with no rule type specific fields.

Example alert doc for transform health rule:

```
{
  "kibana.alert.reason": "Transform test_transform_01 is not started.",
  "kibana.alert.rule.category": "Transform health",
  "kibana.alert.rule.consumer": "alerts",
  "kibana.alert.rule.execution.uuid": "1dd66818-962e-4fef-8ce2-5a1eab2813a2",
  "kibana.alert.rule.name": "Test all transforms",
  "kibana.alert.rule.parameters": {
    "includeTransforms": [ "*" ],
    "excludeTransforms": null,
    "testsConfig": null
  },
  "kibana.alert.rule.producer": "stackAlerts",
  "kibana.alert.rule.revision": 0,
  "kibana.alert.rule.rule_type_id": "transform_health",
  "kibana.alert.rule.tags": [],
  "kibana.alert.rule.uuid": "7fb57af0-56b5-4c63-9457-add79e9c3e37",
  "kibana.space_ids": [ "space1" ],
  "@timestamp": "2024-01-10T14:43:00.974Z",
  "event.action": "open",
  "event.kind": "signal",
  "kibana.alert.action_group": "transform_issue",
  "kibana.alert.flapping": false,
  "kibana.alert.flapping_history": [ true ],
  "kibana.alert.instance.id": "Transform is not started",
  "kibana.alert.maintenance_window_ids": [],
  "kibana.alert.status": "active",
  "kibana.alert.uuid": "25f7b99d-e4ab-4b97-89e4-1a537692ffa5",
  "kibana.alert.workflow_status": "open",
  "kibana.alert.duration.us": 0,
  "kibana.alert.start": "2024-01-10T14:43:00.974Z",
  "kibana.alert.time_range": { "gte": "2024-01-10T14:43:00.974Z" },
  "kibana.version": "8.13.0",
  "tags": []
}
```

---------

Co-authored-by: kibanamachine <[email protected]>
delanni pushed a commit to delanni/kibana that referenced this issue on Jan 11, 2024 (same commit message as above).
We should onboard the remaining ML rule types to use FAAD and have them persist alerts-as-data documents with some additional data.
Remaining rule types:
We should take the following into consideration: