[Alerting] Make full Alert<Params> object accessible in Alert executors #95843
Labels
Feature:Alerting
Team:ResponseOps
Describe the feature:
Currently the Alert executor options include
however the full Alert object is not directly accessible in the executor. Thus the Alert fields actions, createdAt, updatedAt, and schedule.interval can't be retrieved without using the saved objects client to get the raw alert SO. However, using the saved objects client like this exposes executor functions to more internals of how the Alerting framework is implemented. It would be useful to pass in Alert<Params> rather than just the Params and safer than using the SO client.
Describe a specific use case for the feature:
In the security solution we record the state of the Alert at the time of execution in all signal documents that we write to .siem-signals.