-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Alerting] Preconfigured alert history index connector #94909
Conversation
…ing/default-es-index-schema
…ing/default-es-index-schema
…ing/default-es-index-schema
This points to the big problem with "preconfigured alerts". They really need to be "owned" by a user, so that they'll be run with the right privileges. In this case, we'd have to write to the index as kibana system user, since there is no other user in the picture at this point, but at the same time the data would need to be read by customers, and there's some problems with that (I think). Generally kibana system user doesn't read/write to customer indices, and users don't read/write to indices owned by the kibana system user (directly).
Ya, and kibana system user will need access as well.
Smells like ECS! We should look to see how much of this actually maps to ECS ... this is what I use as my cheat-sheet for ECS fields, but there's more doc in that repo (and asciidoc versions also in the usual docs site): https://github.com/elastic/ecs/blob/master/generated/csv/fields.csv
index-per-rule or index-per-producer would let us apply some role access to the indices, to keep folks with security but not o11y from seeing o11y alert activity. We also need to consider the Kibana space security access bits, which might end up being another part of the index name (SIEM does this today).
If kibana system user is writing this index, then we won't have that problem :-) We could look into how Stack Monitoring does this - I believe they require some kind of user gesture - maybe even just visiting a page, to set up their alerts, so they can associate the alerts with a user.
I think we could start with hand-rolled mappings/schemas. The properties in As a side note, there has been some recent chatter about us providing Kibana Index Patterns for these kind of indices as well - indices Kibana is generating but expecting customers to use in Discover / Lens. Presumably we'd create these at the same time we create the alerts. |
@pmuellr Thanks for your feedback! To me, there is a (small?) difference between this and preconfigured alerts, because here, it's still the responsibility of a user to create an alert that uses this special preconfigured connector. Therefore the action that uses the connector would call ES with the user's role. That's why I chose to not bootstrap the actual index on plugin start, just the index template and ILM. I was thinking of it more similarly to the metricbeat and heartbeat indices, where there are index templates for them if and when the customer/user starts writing to the indices. Maybe that's not a good way to think of it though and we should just consider this a kibana system owned index? |
Oof, you're right - I was triggered by "preconfigured alert" as part of the phrasing, so we should call this something else :-) . "Alert state indexing action" or something? Names, amirite? So ya, the index will have been written by the user who created the alert itself. Mentions of ILM also make me wonder if we should consider data streams here. It handles some/all of the ILM aspects, and there are some other benefits like I believe you can optimally do time-range searches since the datastream knows the date ranges at the index level (don't have to search through indices not in the time-range). There are likely some gotchas as well. I have a feeling that creating the associated resources with the index (datastream, template, ILM, privileges, etc) is going to get complicated, and wondering if we could get by - first pass anyway - with just doc'ing how to do that. That would actually provide some user-level flexibility - they'd pick if they wanted to use a datastream, or set up ILM, or maybe living the lazy template/mapping-free lifestyle is actually ok for them. And may actually work out fine! :-) The doc for the new config could point to instructions on setting up the various associated resources. I super-interested in how useful this data will be to customers. I guess we already showed the value with @gmmorris's prototype? I just noticed I'm assuming there is interesting stuff in |
Thanks for pushing this draft @ymao1 ! I love the idea of a drag-and-drop Index connector that just indexes the alerts into an index, but I do fear that the moving pieces here could make it hard for users to figure out what's going on. A couple of questions: Would this support multiple rule types? Is this worth the effort given the Alerts-as-data initiative? I'll be the first to say my POC was flawed in many ways, but it gave a simple and unambiguous one way to do one specific thing users have asked for. I could argue it both ways tbh, so wondering what @arisonl thinks about this approach. |
…ing/default-es-index-schema
…ing/default-es-index-schema
…ing/default-es-index-schema
…ing/default-es-index-schema
…ing/default-es-index-schema
@gchaps @pmuellr Have moved the docs for this to the Index connector page and added some experimental warnings and a note about ILM Put a link to that from the preconfigured connector page as well: https://kibana_94909.docs-preview.app.elstc.co/guide/en/kibana/master/pre-configured-connectors.html#build-in-preconfigured-connectors |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
|
||
[float] | ||
[[preconfigured-connector-alert-history]] | ||
=== Alert history preconfigured {es} index connector |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This title is a little hard to read. Is the word "preconfigured" needed?
Alert history {es} index connector
…ing/default-es-index-schema
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @ymao1 |
* Adding preconfigured alert history index * Adding functions to build alert history document * Adding functions to build alert history document * Moving index template creation to plugin start * Adding unit tests * Adding unit tests * Adding unit tests * Simplifying * Revert "Merge branch 'master' of https://github.com/elastic/kibana into alerting/default-es-index-schema" This reverts commit 957c333, reversing changes made to 4b1b787. * Reverting some changes * Reverting some changes * Adding index override * Updating UI with index override * Only allow indexOverride for preconfigured alert history connector * Handling preconfigured connector id clashes * Cleanup * UI unit tests * Fixing default schema shown in UI * Fixing functional tests * Adding functional test * Fixing functional tests * Adding docs and link to docs * Adding config to docker allowlist * Fixing wrong typescript operator * Changing default for config to false * Cleanup * Adding note about index privileges to docs * Fixing i18n * PR fixes * PR fixes * PR fixes * PR fixes - wording * PR fixes * Fixing unit and functional tests * Fixing types check * ES -> Elasticsearch * Moving files * Adding kibana- to beginning of prefix * Namespacing alert data within schema with kibana * Fix i18n * Updating docs * Fixing unit tests * Fixing doc links * Fixing types check * PR fixes Co-authored-by: Kibana Machine <[email protected]>
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
…#96680) * [Alerting] Preconfigured alert history index connector (#94909) * Adding preconfigured alert history index * Adding functions to build alert history document * Adding functions to build alert history document * Moving index template creation to plugin start * Adding unit tests * Adding unit tests * Adding unit tests * Simplifying * Revert "Merge branch 'master' of https://github.com/elastic/kibana into alerting/default-es-index-schema" This reverts commit 957c333, reversing changes made to 4b1b787. * Reverting some changes * Reverting some changes * Adding index override * Updating UI with index override * Only allow indexOverride for preconfigured alert history connector * Handling preconfigured connector id clashes * Cleanup * UI unit tests * Fixing default schema shown in UI * Fixing functional tests * Adding functional test * Fixing functional tests * Adding docs and link to docs * Adding config to docker allowlist * Fixing wrong typescript operator * Changing default for config to false * Cleanup * Adding note about index privileges to docs * Fixing i18n * PR fixes * PR fixes * PR fixes * PR fixes - wording * PR fixes * Fixing unit and functional tests * Fixing types check * ES -> Elasticsearch * Moving files * Adding kibana- to beginning of prefix * Namespacing alert data within schema with kibana * Fix i18n * Updating docs * Fixing unit tests * Fixing doc links * Fixing types check * PR fixes Co-authored-by: Kibana Machine <[email protected]> * Fixing docs link Co-authored-by: Kibana Machine <[email protected]>
…to-metrics-tab * 'master' of github.com:elastic/kibana: (44 commits) [Exploratory View]Additional metrics for kpi over time (elastic#96532) [Fleet] UI changes on hosted policy detail view (elastic#96337) Stacked line charts incorrectly shows one term as 100% (elastic#96203) [Fleet] Create enrollment API keys as current user (elastic#96464) [Lens] Make table and metric show on top Chart switcher (elastic#96601) skip flaky suite (elastic#96691) [Lens] Hide "Show more errors" once expanded (elastic#96605) [Discover] Unskip histogram hiding test (elastic#95759) skip flyout test, add linked issue elastic#96708 skip copy_to_space_flyout_internal.test.tsx elastic#96708 fix config validation (elastic#96502) Document telemetry fields for stack security features (elastic#96638) [Partial Results] Move inspector adapter integration into search source (elastic#96241) [RAC] Rule registry plugin (elastic#95903) [APM] Run precommit tasks sequentially (elastic#96551) [Maps] fix Kibana does not recognize a valid geo_shape index when attempting to create a Tracking Containment alert (elastic#96633) [Security Solution] [Cases] Small UI bugfixes (elastic#96511) [Actions UI] Changed PagerDuty action form UI to fill payload fields according to the API docs for Resolve and Acknowledge events. (elastic#96363) App Search: Result Component Updates (elastic#96184) [Alerting] Preconfigured alert history index connector (elastic#94909) ...
Resolves #90412
Summary
This PR introduces the idea of a pre-configured alert history Index connector, where we control the mappings and the basic shape of the data being written.
xpack.actions.preconfiguredAlertHistoryEsIndex
, which defaults tofalse
true
, a preconfigured connector is added onaction
plugin setup and an index template matching thealert-history-*
index pattern is created onaction
plugin startalert-history-
prefix in order to be matched by the index templatewhere
context
andparams
are namespaced with the rule type id to avoid mapping conflicts if user is interested in adding more mappings.Checklist
Delete any items that are not applicable to this PR.