[Request] add ES|QL rule alert suppression docs #5156
Assignees
Comments
6 tasks
vitaliidm
added a commit
to elastic/kibana
that referenced
this issue
May 20, 2024
… rule type (#180927) ## Summary - addresses elastic/security-team#9203 - adds alert suppression for new terms rule type - similarly to [custom investigation fields](#177746) list of available suppression fields: - shows only ES|QL fields returned in query for aggregating queries - shows ES|QL fields returned in query + index fields for non-aggregating queries. Since resulted alerts for this type of query, are enriched with source documents. ### Demo 1. run esql rule w/o suppression 2. run esql rule w/ suppression per rule execution. Since ES|QL query is aggregating, no alerts suppressed on already agrregated field `host.ip` 3. run suppression on interval 20m 4. run suppression for custom ES|QL field which is the same as `host.ip`, hence same results 5. run suppression on interval 100m https://github.com/elastic/kibana/assets/92328789/4bd8cf13-6e23-4842-b775-605c74ae0127 ### Limitations Since suppressed alerts deduplication relies on alert timestamps, sorting of results other than `@timestamp asc` in ES|QL query may impact on number of suppressed alerts, when number of possible alerts more than max_signals. This affects only non-aggregating queries, since suppression boundaries for these alerts set as rule execution time ### Checklist - [x] Functional changes are hidden behind a feature flag Feature flag `alertSuppressionForEsqlRuleEnabled` - [x] Functional changes are covered with a test plan and automated tests. - elastic/security-team#9389 - [x] Stability of new and changed tests is verified using the [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner). - FTR(x100): https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5907 - Cypress(x100): https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6011 - [x] Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless. - [x] Mapping changes are accompanied by a technical design document. It can be a GitHub issue or an RFC explaining the changes. The design document is shared with and approved by the appropriate teams and individual stakeholders. Existing AlertSuppression schema field is used for ES|QL rule, the one that already used for Query, New terms and IM rules. ```yml alert_suppression: $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression' ``` where ```yml AlertSuppression: type: object properties: group_by: $ref: '#/components/schemas/AlertSuppressionGroupBy' duration: $ref: '#/components/schemas/AlertSuppressionDuration' missing_fields_strategy: $ref: '#/components/schemas/AlertSuppressionMissingFieldsStrategy' required: - group_by ``` - [x] Functional changes are communicated to the Docs team. A ticket or PR is opened in https://github.com/elastic/security-docs. The following information is included: any feature flags used, affected environments (Serverless, ESS, or both). - elastic/security-docs#5156 --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Nikita Indik <[email protected]>
|
ESS and 8.15 docs merged! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
adds alert suppression to ES|QL rule
Background & resources
PRs:
[Security Solution][Detection Engine] adds alert suppression to ES|QL rule type kibana#180927
Issues/metas:
https://github.com/elastic/security-team/issues/9203
Point of contact: @vitaliidm
Test environments:
Which documentation set does this change impact?
ESS and serverless
ESS release
8.15
Serverless release
around 8.15 release
Feature differences
ESS: alert suppression is available for Platinum license
Serverless: available for Essentials and Complete tiers
API docs impact
adds alert_suppression field to ES|QL rule create/update/patch rule APIs
Prerequisites, privileges, feature flags
ESS: requires Platinum license
Feature Flag:
alertSuppressionForEsqlRuleEnabledThe text was updated successfully, but these errors were encountered: