diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
index a29c1023caf67..4b3f3fbb6f370 100644
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -17,25 +17,18 @@ const CONSUMERS = `${KIBANA_NAMESPACE}.consumers` as const;
 const ECS_VERSION = 'ecs.version' as const;
 const EVENT_ACTION = 'event.action' as const;
 const EVENT_KIND = 'event.kind' as const;
-const RULE_CATEGORY = 'rule.category' as const;
-const RULE_CONSUMERS = 'rule.consumers' as const;
-const RULE_ID = 'rule.id' as const;
-const RULE_NAME = 'rule.name' as const;
-const RULE_UUID = 'rule.uuid' as const;
 const SPACE_IDS = `${KIBANA_NAMESPACE}.space_ids` as const;
 const TAGS = 'tags' as const;
 const TIMESTAMP = '@timestamp' as const;
 const VERSION = `${KIBANA_NAMESPACE}.version` as const;
+// Fields pertaining to the alert
 const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const;
 const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const;
 const ALERT_END = `${ALERT_NAMESPACE}.end` as const;
 const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
 const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
 const ALERT_ID = `${ALERT_NAMESPACE}.id` as const;
-const ALERT_OWNER = `${ALERT_NAMESPACE}.owner` as const;
-const ALERT_CONSUMERS = `${ALERT_NAMESPACE}.consumers` as const;
-const ALERT_PRODUCER = `${ALERT_NAMESPACE}.producer` as const;
 const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
 const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
 const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
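Review bot: The constants removed here (`RULE_ID`, `RULE_UUID`, `RULE_CATEGORY`, `RULE_NAME`, `RULE_CONSUMERS`, `ALERT_OWNER`, `ALERT_CONSUMERS`, `ALERT_PRODUCER`) are Elasticsearch field names, not only TypeScript identifiers, so alert documents already indexed under `rule.id`, `rule.uuid` or `kibana.alert.owner` will not be matched by lookups keyed on the new `kibana.alert.rule.*` names, and nothing in this hunk records how pre-rename data is handled. If, as the `consumer` field-name parameter in the alerting_authorization tests further down suggests, the former owner/consumer field is what the authorization filter keys on, pre-rename documents would drop out of authorized results rather than leak — worth confirming against the index template and any saved queries. A short comment above the new `// Fields pertaining to the alert` line would make the break explicit, e.g. `// Renamed from rule.* and kibana.alert.{owner,consumers,producer}; documents written before the rename are not indexed under these names`.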
@@ -49,8 +42,8 @@ const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const;
 const ALERT_WORKFLOW_STATUS = `${ALERT_NAMESPACE}.workflow_status` as const;
 const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const;
+// Fields pertaining to the rule associated with the alert
 const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const;
-const ALERT_RULE_CONSUMERS = `${ALERT_RULE_NAMESPACE}.consumers` as const;
 const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const;
 const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
 const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
@@ -59,6 +52,7 @@ const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
 const ALERT_RULE_ID = `${ALERT_RULE_NAMESPACE}.id` as const;
 const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
 const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
+const ALERT_RULE_CATEGORY = `${ALERT_RULE_NAMESPACE}.category` as const;
 const ALERT_RULE_NAME = `${ALERT_RULE_NAMESPACE}.name` as const;
 const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
 const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
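Review bot: `ALERT_RULE_CATEGORY` is inserted between `ALERT_RULE_LICENSE` and `ALERT_RULE_NAME` in the second hunk, which breaks the alphabetical order the surrounding `ALERT_RULE_*` constants follow (AUTHOR, CREATED_AT, …, LICENSE, NAME, NOTE); it belongs right after `ALERT_RULE_AUTHOR`. The same applies to the `fields` object and the `export` list on the following lines (hunks at -141 and -200), where `ALERT_RULE_UUID` and `ALERT_RULE_CATEGORY` are appended after the `ALERT_WORKFLOW_*` entries instead of next to the other `ALERT_RULE_*` entries. Keeping the three lists in the same order is what makes a field missing from one of them visible at a glance.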
@@ -75,6 +69,15 @@ const ALERT_RULE_TYPE_ID = `${ALERT_RULE_NAMESPACE}.rule_type_id` as const;
 const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const;
 const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const;
 const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const;
+// the feature instantiating a rule type.
+// Rule created in stack --> alerts
+// Rule created in siem --> siem
+const ALERT_RULE_CONSUMER = `${ALERT_RULE_NAMESPACE}.consumer` as const;
+// the plugin that registered the rule type.
+// Rule type apm.error_rate --> apm
+// Rule type siem.signals --> siem
+const ALERT_RULE_PRODUCER = `${ALERT_RULE_NAMESPACE}.producer` as const;
+const ALERT_RULE_UUID = `${ALERT_RULE_NAMESPACE}.uuid` as const;
 const namespaces = {
 KIBANA_NAMESPACE,
@@ -87,11 +90,6 @@ const fields = {
 ECS_VERSION,
 EVENT_KIND,
 EVENT_ACTION,
- RULE_CATEGORY,
- RULE_CONSUMERS,
- RULE_ID,
- RULE_NAME,
- RULE_UUID,
 TAGS,
 TIMESTAMP,
 ALERT_ACTION_GROUP,
@@ -100,13 +98,11 @@ const fields = {
 ALERT_EVALUATION_THRESHOLD,
 ALERT_EVALUATION_VALUE,
 ALERT_ID,
- ALERT_OWNER,
- ALERT_CONSUMERS,
- ALERT_PRODUCER,
+ ALERT_RULE_CONSUMER,
+ ALERT_RULE_PRODUCER,
 ALERT_REASON,
 ALERT_RISK_SCORE,
 ALERT_RULE_AUTHOR,
- ALERT_RULE_CONSUMERS,
 ALERT_RULE_CREATED_AT,
 ALERT_RULE_CREATED_BY,
 ALERT_RULE_DESCRIPTION,
@@ -141,6 +137,8 @@ const fields = {
 ALERT_WORKFLOW_REASON,
 ALERT_WORKFLOW_STATUS,
 ALERT_WORKFLOW_USER,
+ ALERT_RULE_UUID,
+ ALERT_RULE_CATEGORY,
 SPACE_IDS,
 VERSION,
 };
@@ -154,9 +152,8 @@ export {
 ALERT_ID,
 ALERT_NAMESPACE,
 ALERT_RULE_NAMESPACE,
- ALERT_OWNER,
- ALERT_CONSUMERS,
- ALERT_PRODUCER,
+ ALERT_RULE_CONSUMER,
+ ALERT_RULE_PRODUCER,
 ALERT_REASON,
 ALERT_RISK_SCORE,
 ALERT_STATUS,
@@ -164,7 +161,6 @@ export {
 ALERT_WORKFLOW_STATUS,
 ALERT_WORKFLOW_USER,
 ALERT_RULE_AUTHOR,
- ALERT_RULE_CONSUMERS,
 ALERT_RULE_CREATED_AT,
 ALERT_RULE_CREATED_BY,
 ALERT_RULE_DESCRIPTION,
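Review bot: The comment block above `ALERT_RULE_CONSUMER` explains what the value is (the feature that instantiated the rule type) but not why it matters, and this appears to be the security-relevant field of the set: the alerting_authorization tests later in this diff build their find filter from a `consumer` field name, so if that is the field they resolve to, it is what decides which alerts a user is allowed to see. I would extend the comment to say so, hedged until confirmed: `// NOTE: if the alerting authorization filter keys on this field, any rename here must be mirrored in the authorization field-name config — confirm against x-pack/plugins/alerting/server/authorization`. The same block could also record that `ALERT_RULE_PRODUCER` is informational only and not used for access decisions, if that is the case.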
@@ -200,11 +196,8 @@ export {
 EVENT_ACTION,
 EVENT_KIND,
 KIBANA_NAMESPACE,
- RULE_CATEGORY,
- RULE_CONSUMERS,
- RULE_ID,
- RULE_NAME,
- RULE_UUID,
+ ALERT_RULE_UUID,
+ ALERT_RULE_CATEGORY,
 TAGS,
 TIMESTAMP,
 SPACE_IDS,
diff --git a/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts b/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
index 71ac9e48c7297..6314488af88d7 100644
--- a/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
+++ b/x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts
@@ -1013,14 +1013,14 @@ describe('AlertingAuthorization', () => {
 await alertAuthorization.getFindAuthorizationFilter(AlertingAuthorizationEntity.Rule, {
 type: AlertingAuthorizationFilterType.KQL,
 fieldNames: {
- ruleTypeId: 'path.to.rule.id',
+ ruleTypeId: 'path.to.rule_type_id',
 consumer: 'consumer-field',
 },
 })
 ).filter
 ).toEqual(
 esKuery.fromKueryExpression(
- `((path.to.rule.id:myAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:myOtherAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:mySecondAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)))`
+ `((path.to.rule_type_id:myAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:mySecondAppAlertType and consumer-field:(myApp or myOtherApp or myAppWithSubFeature)))`
 )
 );
 expect(auditLogger.logAuthorizationSuccess).not.toHaveBeenCalled();
diff --git a/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts b/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts
index 5ea15c4818a21..4cb790a5dc818 100644
--- a/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts
+++ b/x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts @@ -37,14 +37,16 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { { type: AlertingAuthorizationFilterType.KQL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', }, }, 'space1' ) ).toEqual( - esKuery.fromKueryExpression(`((path.to.rule.id:myAppAlertType and consumer-field:(myApp)))`) + esKuery.fromKueryExpression( + `((path.to.rule_type_id:myAppAlertType and consumer-field:(myApp)))` + ) ); }); @@ -72,7 +74,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { { type: AlertingAuthorizationFilterType.KQL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', }, }, @@ -80,7 +82,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { ) ).toEqual( esKuery.fromKueryExpression( - `((path.to.rule.id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp)))` + `((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp)))` ) ); }); @@ -144,7 +146,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { { type: AlertingAuthorizationFilterType.KQL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', }, }, 
@@ -152,7 +154,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { ) ).toEqual( esKuery.fromKueryExpression( - `((path.to.rule.id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:mySecondAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))` + `((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:mySecondAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))` ) ); }); @@ -199,7 +201,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { { type: AlertingAuthorizationFilterType.KQL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', spaceIds: 'path.to.spaceIds', }, @@ -208,7 +210,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { ) ).toEqual( esKuery.fromKueryExpression( - `((path.to.rule.id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1) or (path.to.rule.id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1))` + `((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature) and path.to.spaceIds:space1))` ) ); }); 
@@ -255,7 +257,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { { type: AlertingAuthorizationFilterType.KQL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', spaceIds: 'path.to.spaceIds', }, @@ -264,7 +266,7 @@ describe('asKqlFiltersByRuleTypeAndConsumer', () => { ) ).toEqual( esKuery.fromKueryExpression( - `((path.to.rule.id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule.id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))` + `((path.to.rule_type_id:myAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)) or (path.to.rule_type_id:myOtherAppAlertType and consumer-field:(alerts or myApp or myOtherApp or myAppWithSubFeature)))` ) ); }); @@ -293,7 +295,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => { { type: AlertingAuthorizationFilterType.ESDSL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', }, }, @@ -307,7 +309,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => { should: [ { match: { - 'path.to.rule.id': 'myAppAlertType', + 'path.to.rule_type_id': 'myAppAlertType', }, }, ], @@ -355,7 +357,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => { { type: AlertingAuthorizationFilterType.ESDSL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', }, }, @@ -366,7 +368,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => { filter: [ { bool: { - should: [{ match: { 'path.to.rule.id': 'myAppAlertType' } }], + should: [{ match: { 'path.to.rule_type_id': 'myAppAlertType' } }], minimum_should_match: 1, }, }, 
@@ -459,7 +461,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => { { type: AlertingAuthorizationFilterType.ESDSL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', }, }, @@ -473,7 +475,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => { filter: [ { bool: { - should: [{ match: { 'path.to.rule.id': 'myAppAlertType' } }], + should: [{ match: { 'path.to.rule_type_id': 'myAppAlertType' } }], minimum_should_match: 1, }, }, @@ -516,7 +518,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => { filter: [ { bool: { - should: [{ match: { 'path.to.rule.id': 'myOtherAppAlertType' } }], + should: [{ match: { 'path.to.rule_type_id': 'myOtherAppAlertType' } }], minimum_should_match: 1, }, }, @@ -559,7 +561,7 @@ describe('asEsDslFiltersByRuleTypeAndConsumer', () => { filter: [ { bool: { - should: [{ match: { 'path.to.rule.id': 'mySecondAppAlertType' } }], + should: [{ match: { 'path.to.rule_type_id': 'mySecondAppAlertType' } }], minimum_should_match: 1, }, }, @@ -611,7 +613,7 @@ describe('asFiltersBySpaceId', () => { { type: AlertingAuthorizationFilterType.ESDSL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', spaceIds: 'path.to.space.id', }, @@ -629,7 +631,7 @@ describe('asFiltersBySpaceId', () => { { type: AlertingAuthorizationFilterType.KQL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', spaceIds: 'path.to.space.id', }, @@ -645,7 +647,7 @@ describe('asFiltersBySpaceId', () => { { type: AlertingAuthorizationFilterType.ESDSL, fieldNames: { - ruleTypeId: 'path.to.rule.id', + ruleTypeId: 'path.to.rule_type_id', consumer: 'consumer-field', }, }, 
@@ -660,7 +662,7 @@ describe('asFiltersBySpaceId', () => {
 {
 type: AlertingAuthorizationFilterType.ESDSL,
 fieldNames: {
- ruleTypeId: 'path.to.rule.id',
+ ruleTypeId: 'path.to.rule_type_id',
 consumer: 'consumer-field',
 spaceIds: 'path.to.space.id',
 },
diff --git a/x-pack/plugins/apm/public/components/app/error_group_details/Distribution/index.tsx b/x-pack/plugins/apm/public/components/app/error_group_details/Distribution/index.tsx
index 24257bcefa7f1..f969b5802e8b6 100644
--- a/x-pack/plugins/apm/public/components/app/error_group_details/Distribution/index.tsx
+++ b/x-pack/plugins/apm/public/components/app/error_group_details/Distribution/index.tsx
@@ -19,7 +19,7 @@ import {
 import { EuiTitle } from '@elastic/eui';
 import d3 from 'd3';
 import React, { Suspense, useState } from 'react';
-import { RULE_ID } from '@kbn/rule-data-utils/target/technical_field_names';
+import { ALERT_RULE_TYPE_ID } from '@kbn/rule-data-utils/target/technical_field_names';
 import { useApmServiceContext } from '../../../../context/apm_service/use_apm_service_context';
 import { APIReturnType } from '../../../../services/rest/createCallApmApi';
 import { asRelativeDateTimeRange } from '../../../../../common/utils/formatters';
@@ -124,7 +124,7 @@ export function ErrorDistribution({ distribution, title }: Props) {
 />
 {getAlertAnnotations({
 alerts: alerts?.filter(
- (alert) => alert[RULE_ID]?.[0] === AlertType.ErrorCount
+ (alert) => alert[ALERT_RULE_TYPE_ID]?.[0] === AlertType.ErrorCount
 ),
 chartStartTime: buckets[0]?.x0,
 getFormatter,
diff --git a/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.test.tsx b/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.test.tsx
index 81c4af44c90a3..0f09b042a587b 100644
--- a/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.test.tsx
+++ b/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.test.tsx
@@ -8,15 +8,19 @@ import { ALERT_DURATION, ALERT_EVALUATION_THRESHOLD, + ALERT_RULE_TYPE_ID, ALERT_EVALUATION_VALUE, ALERT_ID, - ALERT_PRODUCER, - ALERT_OWNER, + ALERT_RULE_PRODUCER, + ALERT_RULE_CONSUMER, ALERT_SEVERITY_LEVEL, ALERT_START, ALERT_STATUS, ALERT_UUID, SPACE_IDS, + ALERT_RULE_UUID, + ALERT_RULE_NAME, + ALERT_RULE_CATEGORY, } from '@kbn/rule-data-utils'; import { ValuesType } from 'utility-types'; import { EuiTheme } from '../../../../../../../../src/plugins/kibana_react/common'; @@ -34,20 +38,19 @@ const theme = ({ eui: { euiColorDanger, euiColorWarning }, } as unknown) as EuiTheme; const alert: Alert = { - [SPACE_IDS]: ['space-id'], - 'rule.id': ['apm.transaction_duration'], + [ALERT_RULE_TYPE_ID]: ['apm.transaction_duration'], [ALERT_EVALUATION_VALUE]: [2057657.39], 'service.name': ['frontend-rum'], - 'rule.name': ['Latency threshold | frontend-rum'], + [ALERT_RULE_NAME]: ['Latency threshold | frontend-rum'], [ALERT_DURATION]: [62879000], [ALERT_STATUS]: ['open'], [SPACE_IDS]: ['myfakespaceid'], tags: ['apm', 'service.name:frontend-rum'], 'transaction.type': ['page-load'], - [ALERT_PRODUCER]: ['apm'], + [ALERT_RULE_PRODUCER]: ['apm'], [ALERT_UUID]: ['af2ae371-df79-4fca-b0eb-a2dbd9478180'], - [ALERT_OWNER]: ['apm'], - 'rule.uuid': ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'], + [ALERT_RULE_CONSUMER]: ['apm'], + [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'], 'event.action': ['active'], '@timestamp': ['2021-06-01T16:16:05.183Z'], [ALERT_ID]: ['apm.transaction_duration_All'], @@ -55,7 +58,7 @@ const alert: Alert = { [ALERT_EVALUATION_THRESHOLD]: [500000], [ALERT_START]: ['2021-06-01T16:15:02.304Z'], 'event.kind': ['state'], - 'rule.category': ['Latency threshold'], + [ALERT_RULE_CATEGORY]: ['Latency threshold'], }; const chartStartTime = new Date(alert[ALERT_START]![0] as string).getTime(); const getFormatter: ObservabilityRuleTypeRegistry['getFormatter'] = () => () => ({ 
@@ -135,7 +138,7 @@ describe('getAlertAnnotations', () => {
 setSelectedAlertId,
 theme,
 })![0].props.dataValues[0].details
- ).toEqual(alert['rule.name']![0]);
+ ).toEqual(alert[ALERT_RULE_NAME]![0]);
 });
 });
diff --git a/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.tsx b/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.tsx
index fa0725018f783..31a8cbf44ea27 100644
--- a/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.tsx
+++ b/x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.tsx
@@ -17,8 +17,8 @@ import {
 ALERT_SEVERITY_LEVEL,
 ALERT_START,
 ALERT_UUID,
- RULE_ID,
- RULE_NAME,
+ ALERT_RULE_TYPE_ID,
+ ALERT_RULE_NAME,
 } from '@kbn/rule-data-utils/target/technical_field_names';
 import React, { Dispatch, SetStateAction } from 'react';
 import { EuiTheme } from 'src/plugins/kibana_react/common';
@@ -106,10 +106,10 @@ export function getAlertAnnotations({
 const severityLevel = parsed[ALERT_SEVERITY_LEVEL];
 const color = getAlertColor({ severityLevel, theme });
 const header = getAlertHeader({ severityLevel });
- const formatter = getFormatter(parsed[RULE_ID]!);
+ const formatter = getFormatter(parsed[ALERT_RULE_TYPE_ID]!);
 const formatted = {
 link: undefined,
- reason: parsed[RULE_NAME],
+ reason: parsed[ALERT_RULE_NAME],
 ...(formatter?.({
 fields: parsed,
 formatters: { asDuration, asPercent },
diff --git a/x-pack/plugins/apm/public/components/shared/charts/latency_chart/index.tsx b/x-pack/plugins/apm/public/components/shared/charts/latency_chart/index.tsx
index 1a89f070bb5cd..d2df99ba29197 100644
--- a/x-pack/plugins/apm/public/components/shared/charts/latency_chart/index.tsx
+++ b/x-pack/plugins/apm/public/components/shared/charts/latency_chart/index.tsx
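Review bot: `getFormatter(parsed[ALERT_RULE_TYPE_ID]!)` in the getAlertAnnotations hunk keeps a non-null assertion on a value read from indexed alert data; a document without `kibana.alert.rule.rule_type_id` — for instance one written under the old `rule.id` name before this rename — passes `undefined` into `getFormatter` at runtime while the type says string. A guarded form keeps the `reason: parsed[ALERT_RULE_NAME]` fallback working: `const ruleTypeId = parsed[ALERT_RULE_TYPE_ID];` and `const formatter = ruleTypeId ? getFormatter(ruleTypeId) : undefined;`. The same pattern is carried into the RowCellActionsRender and decorateResponse hunks of alerts_table_t_grid_actions.tsx and decorate_response.ts further down (`observabilityRuleTypeRegistry.getFormatter(parsedFields[ALERT_RULE_TYPE_ID]!)`), where `reason: parsedFields[ALERT_RULE_NAME]!` adds a second assertion. getAlertAnnotations' body starts and ends outside the hunk.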
@@ -9,7 +9,7 @@ import { EuiFlexGroup, EuiFlexItem, EuiSelect, EuiTitle } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import React from 'react'; import { useHistory } from 'react-router-dom'; -import { RULE_ID } from '@kbn/rule-data-utils/target/technical_field_names'; +import { ALERT_RULE_TYPE_ID } from '@kbn/rule-data-utils/target/technical_field_names'; import { AlertType } from '../../../../../common/alert_types'; import { useApmServiceContext } from '../../../../context/apm_service/use_apm_service_context'; import { LatencyAggregationType } from '../../../../../common/latency_aggregation_types'; @@ -128,8 +128,10 @@ export function LatencyChart({ height }: Props) { anomalyTimeseries={anomalyTimeseries} alerts={alerts.filter( (alert) => - alert[RULE_ID]?.[0] === AlertType.TransactionDuration || - alert[RULE_ID]?.[0] === AlertType.TransactionDurationAnomaly + alert[ALERT_RULE_TYPE_ID]?.[0] === + AlertType.TransactionDuration || + alert[ALERT_RULE_TYPE_ID]?.[0] === + AlertType.TransactionDurationAnomaly )} /> diff --git a/x-pack/plugins/apm/public/components/shared/charts/latency_chart/latency_chart.stories.tsx b/x-pack/plugins/apm/public/components/shared/charts/latency_chart/latency_chart.stories.tsx index 71d517ad53871..39b7f488d68e6 100644 --- a/x-pack/plugins/apm/public/components/shared/charts/latency_chart/latency_chart.stories.tsx +++ b/x-pack/plugins/apm/public/components/shared/charts/latency_chart/latency_chart.stories.tsx @@ -8,12 +8,17 @@ import { ALERT_DURATION, ALERT_EVALUATION_THRESHOLD, + ALERT_RULE_TYPE_ID, ALERT_EVALUATION_VALUE, ALERT_ID, ALERT_SEVERITY_LEVEL, ALERT_START, ALERT_STATUS, ALERT_UUID, + ALERT_RULE_UUID, + ALERT_RULE_NAME, + ALERT_RULE_CATEGORY, + ALERT_RULE_PRODUCER, } from '@kbn/rule-data-utils'; import { StoryContext } from '@storybook/react'; import React, { ComponentType } from 'react'; 
@@ -120,17 +125,17 @@ Example.args = { alertsResponse: { alerts: [ { - 'rule.id': ['apm.transaction_duration'], + [ALERT_RULE_TYPE_ID]: ['apm.transaction_duration'], [ALERT_EVALUATION_VALUE]: [2001708.19], 'service.name': ['frontend-rum'], - 'rule.name': ['Latency threshold | frontend-rum'], + [ALERT_RULE_NAME]: ['Latency threshold | frontend-rum'], [ALERT_DURATION]: [10000000000], [ALERT_STATUS]: ['open'], tags: ['apm', 'service.name:frontend-rum'], 'transaction.type': ['page-load'], - 'kibana.alert.producer': ['apm'], + [ALERT_RULE_PRODUCER]: ['apm'], [ALERT_UUID]: ['af2ae371-df79-4fca-b0eb-a2dbd9478180'], - 'rule.uuid': ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'], + [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'], 'event.action': ['active'], '@timestamp': ['2021-06-01T20:27:48.833Z'], [ALERT_ID]: ['apm.transaction_duration_All'], @@ -138,21 +143,21 @@ Example.args = { [ALERT_EVALUATION_THRESHOLD]: [500000], [ALERT_START]: ['2021-06-02T04:00:00.000Z'], 'event.kind': ['state'], - 'rule.category': ['Latency threshold'], + [ALERT_RULE_CATEGORY]: ['Latency threshold'], }, { - 'rule.id': ['apm.transaction_duration'], + [ALERT_RULE_TYPE_ID]: ['apm.transaction_duration'], [ALERT_EVALUATION_VALUE]: [2001708.19], 'service.name': ['frontend-rum'], - 'rule.name': ['Latency threshold | frontend-rum'], + [ALERT_RULE_NAME]: ['Latency threshold | frontend-rum'], [ALERT_DURATION]: [10000000000], [ALERT_STATUS]: ['open'], tags: ['apm', 'service.name:frontend-rum'], 'transaction.type': ['page-load'], - 'kibana.alert.producer': ['apm'], + [ALERT_RULE_PRODUCER]: ['apm'], [ALERT_SEVERITY_LEVEL]: ['warning'], [ALERT_UUID]: ['af2ae371-df79-4fca-b0eb-a2dbd9478181'], - 'rule.uuid': ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'], + [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'], 'event.action': ['active'], '@timestamp': ['2021-06-01T20:27:48.833Z'], [ALERT_ID]: ['apm.transaction_duration_All'], 
@@ -160,21 +165,21 @@ Example.args = { [ALERT_EVALUATION_THRESHOLD]: [500000], [ALERT_START]: ['2021-06-02T10:45:00.000Z'], 'event.kind': ['state'], - 'rule.category': ['Latency threshold'], + [ALERT_RULE_CATEGORY]: ['Latency threshold'], }, { - 'rule.id': ['apm.transaction_duration'], + [ALERT_RULE_TYPE_ID]: ['apm.transaction_duration'], [ALERT_EVALUATION_VALUE]: [2001708.19], 'service.name': ['frontend-rum'], - 'rule.name': ['Latency threshold | frontend-rum'], + [ALERT_RULE_NAME]: ['Latency threshold | frontend-rum'], [ALERT_DURATION]: [1000000000], [ALERT_STATUS]: ['open'], tags: ['apm', 'service.name:frontend-rum'], 'transaction.type': ['page-load'], - 'kibana.alert.producer': ['apm'], + [ALERT_RULE_PRODUCER]: ['apm'], [ALERT_SEVERITY_LEVEL]: ['critical'], [ALERT_UUID]: ['af2ae371-df79-4fca-b0eb-a2dbd9478182'], - 'rule.uuid': ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'], + [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'], 'event.action': ['active'], '@timestamp': ['2021-06-01T20:27:48.833Z'], [ALERT_ID]: ['apm.transaction_duration_All'], @@ -182,7 +187,7 @@ Example.args = { [ALERT_EVALUATION_THRESHOLD]: [500000], [ALERT_START]: ['2021-06-02T16:50:00.000Z'], 'event.kind': ['state'], - 'rule.category': ['Latency threshold'], + [ALERT_RULE_CATEGORY]: ['Latency threshold'], }, ], }, diff --git a/x-pack/plugins/apm/public/components/shared/charts/transaction_error_rate_chart/index.tsx b/x-pack/plugins/apm/public/components/shared/charts/transaction_error_rate_chart/index.tsx index 18c765c50fbf7..226f9c095c2c3 100644 --- a/x-pack/plugins/apm/public/components/shared/charts/transaction_error_rate_chart/index.tsx +++ b/x-pack/plugins/apm/public/components/shared/charts/transaction_error_rate_chart/index.tsx 
@@ -8,7 +8,7 @@ import { EuiPanel, EuiTitle } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; import React from 'react'; -import { RULE_ID } from '../../../../../../rule_registry/common/technical_rule_data_field_names'; +import { ALERT_RULE_TYPE_ID } from '../../../../../../rule_registry/common/technical_rule_data_field_names'; import { AlertType } from '../../../../../common/alert_types'; import { APIReturnType } from '../../../../services/rest/createCallApmApi'; import { asPercent } from '../../../../../common/utils/formatters'; @@ -151,7 +151,8 @@ export function TransactionErrorRateChart({ yDomain={{ min: 0, max: 1 }} customTheme={comparisonChartThem} alerts={alerts.filter( - (alert) => alert[RULE_ID]?.[0] === AlertType.TransactionErrorRate + (alert) => + alert[ALERT_RULE_TYPE_ID]?.[0] === AlertType.TransactionErrorRate )} /> diff --git a/x-pack/plugins/observability/public/pages/alerts/alerts_flyout/index.tsx b/x-pack/plugins/observability/public/pages/alerts/alerts_flyout/index.tsx index 53b5300e556c5..7c23aa8582ece 100644 --- a/x-pack/plugins/observability/public/pages/alerts/alerts_flyout/index.tsx +++ b/x-pack/plugins/observability/public/pages/alerts/alerts_flyout/index.tsx @@ -26,8 +26,8 @@ import { ALERT_EVALUATION_VALUE, ALERT_SEVERITY_LEVEL, ALERT_UUID, - RULE_CATEGORY, - RULE_NAME, + ALERT_RULE_CATEGORY, + ALERT_RULE_NAME, } from '@kbn/rule-data-utils/target/technical_field_names'; import moment from 'moment-timezone'; import React, { useMemo } from 'react'; @@ -113,7 +113,7 @@ export function AlertsFlyout({ title: i18n.translate('xpack.observability.alertsFlyout.ruleTypeLabel', { defaultMessage: 'Rule type', }), - description: alertData.fields[RULE_CATEGORY] ?? '-', + description: alertData.fields[ALERT_RULE_CATEGORY] ?? '-', }, ]; @@ -121,7 +121,7 @@ export function AlertsFlyout({ -

{alertData.fields[RULE_NAME]}

+

{alertData.fields[ALERT_RULE_NAME]}

{alertData.reason} diff --git a/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx b/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx index 4bc9c40e6e917..798be42fce5cd 100644 --- a/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx +++ b/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx @@ -16,7 +16,7 @@ import { ALERT_SEVERITY_LEVEL, ALERT_STATUS, ALERT_START, - RULE_NAME, + ALERT_RULE_NAME, } from '@kbn/rule-data-utils/target/technical_field_names'; import type { TimelinesUIStart } from '../../../../timelines/public'; @@ -108,7 +108,7 @@ export const columns: Array< defaultMessage: 'Reason', }), linkField: '*', - id: RULE_NAME, + id: ALERT_RULE_NAME, }, ]; diff --git a/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid_actions.tsx b/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid_actions.tsx index 1f5372c8f2fea..2ba105113fec9 100644 --- a/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid_actions.tsx +++ b/x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid_actions.tsx @@ -14,7 +14,10 @@ import { EuiPopoverTitle, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { RULE_ID, RULE_NAME } from '@kbn/rule-data-utils/target/technical_field_names'; +import { + ALERT_RULE_TYPE_ID, + ALERT_RULE_NAME, +} from '@kbn/rule-data-utils/target/technical_field_names'; import React, { useState } from 'react'; import { format, parse } from 'url'; 
@@ -29,10 +32,10 @@ export function RowCellActionsRender({ data }: ActionProps) {
 const { prepend } = core.http.basePath;
 const dataFieldEs = data.reduce((acc, d) => ({ ...acc, [d.field]: d.value }), {});
 const parsedFields = parseTechnicalFields(dataFieldEs);
- const formatter = observabilityRuleTypeRegistry.getFormatter(parsedFields[RULE_ID]!);
+ const formatter = observabilityRuleTypeRegistry.getFormatter(parsedFields[ALERT_RULE_TYPE_ID]!);
 const formatted = {
 link: undefined,
- reason: parsedFields[RULE_NAME]!,
+ reason: parsedFields[ALERT_RULE_NAME]!,
 ...(formatter?.({ fields: parsedFields, formatters: { asDuration, asPercent } }) ?? {}),
 };
diff --git a/x-pack/plugins/observability/public/pages/alerts/decorate_response.ts b/x-pack/plugins/observability/public/pages/alerts/decorate_response.ts
index e177bea6c6dac..f09a735de97be 100644
--- a/x-pack/plugins/observability/public/pages/alerts/decorate_response.ts
+++ b/x-pack/plugins/observability/public/pages/alerts/decorate_response.ts
@@ -6,8 +6,8 @@
 */
 import {
- RULE_ID,
- RULE_NAME,
+ ALERT_RULE_TYPE_ID,
+ ALERT_RULE_NAME,
 ALERT_STATUS,
 ALERT_START,
 } from '@kbn/rule-data-utils/target/technical_field_names';
@@ -22,10 +22,10 @@ export function decorateResponse(
 ): TopAlert[] {
 return alerts.map((alert) => {
 const parsedFields = parseTechnicalFields(alert);
- const formatter = observabilityRuleTypeRegistry.getFormatter(parsedFields[RULE_ID]!);
+ const formatter = observabilityRuleTypeRegistry.getFormatter(parsedFields[ALERT_RULE_TYPE_ID]!);
 const formatted = {
 link: undefined,
- reason: parsedFields[RULE_NAME]!,
+ reason: parsedFields[ALERT_RULE_NAME]!,
 ...(formatter?.({ fields: parsedFields, formatters: { asDuration, asPercent } }) ?? {}),
 };
diff --git a/x-pack/plugins/observability/public/pages/alerts/example_data.ts b/x-pack/plugins/observability/public/pages/alerts/example_data.ts
index 8bb15682dc619..112932d49311c 100644
--- a/x-pack/plugins/observability/public/pages/alerts/example_data.ts
+++ b/x-pack/plugins/observability/public/pages/alerts/example_data.ts 
@@ -11,49 +11,54 @@ import { ALERT_ID, ALERT_SEVERITY_LEVEL, ALERT_SEVERITY_VALUE, + ALERT_RULE_TYPE_ID, ALERT_START, ALERT_STATUS, ALERT_UUID, + ALERT_RULE_UUID, + ALERT_RULE_NAME, + ALERT_RULE_CATEGORY, + ALERT_RULE_PRODUCER, } from '@kbn/rule-data-utils'; export const apmAlertResponseExample = [ { - 'rule.id': ['apm.error_rate'], + [ALERT_RULE_TYPE_ID]: ['apm.error_rate'], 'service.name': ['opbeans-java'], - 'rule.name': ['Error count threshold | opbeans-java (smith test)'], + [ALERT_RULE_NAME]: ['Error count threshold | opbeans-java (smith test)'], [ALERT_DURATION]: [180057000], [ALERT_STATUS]: ['open'], [ALERT_SEVERITY_LEVEL]: ['warning'], tags: ['apm', 'service.name:opbeans-java'], [ALERT_UUID]: ['0175ec0a-a3b1-4d41-b557-e21c2d024352'], - 'rule.uuid': ['474920d0-93e9-11eb-ac86-0b455460de81'], + [ALERT_RULE_UUID]: ['474920d0-93e9-11eb-ac86-0b455460de81'], 'event.action': ['active'], '@timestamp': ['2021-04-12T13:53:49.550Z'], [ALERT_ID]: ['apm.error_rate_opbeans-java_production'], [ALERT_START]: ['2021-04-12T13:50:49.493Z'], - 'kibana.producer': ['apm'], + [ALERT_RULE_PRODUCER]: ['apm'], 'event.kind': ['state'], - 'rule.category': ['Error count threshold'], + [ALERT_RULE_CATEGORY]: ['Error count threshold'], 'service.environment': ['production'], 'processor.event': ['error'], }, { - 'rule.id': ['apm.error_rate'], + [ALERT_RULE_TYPE_ID]: ['apm.error_rate'], 'service.name': ['opbeans-java'], - 'rule.name': ['Error count threshold | opbeans-java (smith test)'], + [ALERT_RULE_NAME]: ['Error count threshold | opbeans-java (smith test)'], [ALERT_DURATION]: [2419005000], [ALERT_END]: ['2021-04-12T13:49:49.446Z'], [ALERT_STATUS]: ['closed'], tags: ['apm', 'service.name:opbeans-java'], [ALERT_UUID]: ['32b940e1-3809-4c12-8eee-f027cbb385e2'], - 'rule.uuid': ['474920d0-93e9-11eb-ac86-0b455460de81'], + [ALERT_RULE_UUID]: ['474920d0-93e9-11eb-ac86-0b455460de81'], 'event.action': ['close'], '@timestamp': ['2021-04-12T13:49:49.446Z'], [ALERT_ID]: 
['apm.error_rate_opbeans-java_production'], [ALERT_START]: ['2021-04-12T13:09:30.441Z'], - 'kibana.producer': ['apm'], + [ALERT_RULE_PRODUCER]: ['apm'], 'event.kind': ['state'], - 'rule.category': ['Error count threshold'], + [ALERT_RULE_CATEGORY]: ['Error count threshold'], 'service.environment': ['production'], 'processor.event': ['error'], }, @@ -158,7 +163,7 @@ export const dynamicIndexPattern = { readFromDocValues: true, }, { - name: 'kibana.producer', + name: [ALERT_RULE_PRODUCER], type: 'string', esTypes: ['keyword'], searchable: true, @@ -174,7 +179,7 @@ export const dynamicIndexPattern = { readFromDocValues: true, }, { - name: 'rule.category', + name: [ALERT_RULE_CATEGORY], type: 'string', esTypes: ['keyword'], searchable: true, @@ -182,7 +187,7 @@ export const dynamicIndexPattern = { readFromDocValues: true, }, { - name: 'rule.id', + name: [ALERT_RULE_TYPE_ID], type: 'string', esTypes: ['keyword'], searchable: true, @@ -190,7 +195,7 @@ export const dynamicIndexPattern = { readFromDocValues: true, }, { - name: 'rule.name', + name: [ALERT_RULE_NAME], type: 'string', esTypes: ['keyword'], searchable: true, @@ -198,7 +203,7 @@ export const dynamicIndexPattern = { readFromDocValues: true, }, { - name: 'rule.uuid', + name: [ALERT_RULE_UUID], type: 'string', esTypes: ['keyword'], searchable: true, diff --git a/x-pack/plugins/observability/public/pages/alerts/render_cell_value.tsx b/x-pack/plugins/observability/public/pages/alerts/render_cell_value.tsx index cac3240cd2004..560926bf20e87 100644 --- a/x-pack/plugins/observability/public/pages/alerts/render_cell_value.tsx +++ b/x-pack/plugins/observability/public/pages/alerts/render_cell_value.tsx @@ -12,7 +12,7 @@ import { ALERT_SEVERITY_LEVEL, ALERT_STATUS, ALERT_START, - RULE_NAME, + ALERT_RULE_NAME, } from '@kbn/rule-data-utils/target/technical_field_names'; import type { CellValueElementProps, TimelineNonEcsData } from '../../../../timelines/common'; 
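Review bot: In the `dynamicIndexPattern` hunks the field name has turned into an array: `name: [ALERT_RULE_PRODUCER]` evaluates to a one-element array holding the field name, while the neighbouring entries keep `name` as a string; the same slip is in the `rule.category`, `rule.id`, `rule.name` and `rule.uuid` hunks that follow. The bracket form is a computed key and only belongs on the left of a colon, as it is used in the `apmAlertResponseExample` objects above. These lines should read `name: ALERT_RULE_PRODUCER,` and likewise for the other four constants. `dynamicIndexPattern` begins outside the hunks.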
@@ -93,7 +93,7 @@ export const getRenderCellValue = ({ return asDuration(Number(value)); case ALERT_SEVERITY_LEVEL: return ; - case RULE_NAME: + case ALERT_RULE_NAME: const dataFieldEs = data.reduce((acc, d) => ({ ...acc, [d.field]: d.value }), {}); const decoratedAlerts = decorateResponse( [dataFieldEs] ?? [], diff --git a/x-pack/plugins/rule_registry/README.md b/x-pack/plugins/rule_registry/README.md index 16e4b8f3e01e6..ef9a3252c41d7 100644 --- a/x-pack/plugins/rule_registry/README.md +++ b/x-pack/plugins/rule_registry/README.md @@ -11,9 +11,11 @@ It also exposes a rule data client that will create or update the index stream t By default, these indices will be prefixed with `.alerts`. To change this, for instance to support legacy multitenancy, set the following configuration option: ```yaml -xpack.ruleRegistry.index: '.kibana-alerts' +xpack.ruleRegistry.index: 'myAlerts' ``` +The above produces an alerts index prefixed `.alerts-myAlerts`. + To disable writing entirely: ```yaml 
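Review bot: `case ALERT_RULE_NAME:` is followed by a bare `const dataFieldEs = …` declaration, which lives in the switch's shared scope and is what `no-case-declarations` flags; wrapping the case body in braces, `case ALERT_RULE_NAME: {`, keeps the binding local to the case. On the next line `[dataFieldEs] ?? []` can never take the fallback because an array literal is not nullish, so `decorateResponse([dataFieldEs], …)` says the same thing without the dead operand. `getRenderCellValue` begins and ends outside the hunk.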
@@ -120,11 +122,11 @@ The following fields are defined in the technical field component template and s - `event.kind`: signal (for the changeable alert document), state (for the state changes of the alert, e.g. when it opens, recovers, or changes in severity), or metric (individual evaluations that might be related to an alert). - `event.action`: the reason for the event. This might be `open`, `close`, `active`, or `evaluate`. - `tags`: tags attached to the alert. Right now they are copied over from the rule. -- `rule.id`: the identifier of the rule type, e.g. `apm.transaction_duration` -- `rule.uuid`: the saved objects id of the rule. -- `rule.name`: the name of the rule (as specified by the user). -- `rule.category`: the name of the rule type (as defined by the rule type producer) -- `kibana.alert.owner`: the feature which produced the alert. Usually a Kibana feature id like `apm`, `siem`... +- `kibana.alert.rule.rule_type_id`: the identifier of the rule type, e.g. `apm.transaction_duration` +- `kibana.alert.rule.uuid`: the saved objects id of the rule. +- `kibana.alert.rule.name`: the name of the rule (as specified by the user). +- `kibana.alert.rule.category`: the name of the rule type (as defined by the rule type producer) +- `kibana.alert.rule.consumer`: the feature which produced the alert (inherited from the rule producer field). Usually a Kibana feature id like `apm`, `siem`... - `kibana.alert.id`: the id of the alert, that is unique within the context of the rule execution it was created in. E.g., for a rule that monitors latency for all services in all environments, this might be `opbeans-java:production`. - `kibana.alert.uuid`: the unique identifier for the alert during its lifespan. If an alert recovers (or closes), this identifier is re-generated when it is opened again. - `kibana.alert.status`: the status of the alert. Can be `open` or `closed`. 
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts index 11e572260d133..eb8d88cf697b9 100644 --- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts +++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts @@ -14,14 +14,11 @@ export const technicalRuleFieldMap = { Fields.TIMESTAMP, Fields.EVENT_KIND, Fields.EVENT_ACTION, - Fields.RULE_UUID, - Fields.RULE_ID, - Fields.RULE_NAME, - Fields.RULE_CATEGORY, Fields.TAGS ), - [Fields.ALERT_OWNER]: { type: 'keyword', required: true }, - [Fields.ALERT_PRODUCER]: { type: 'keyword' }, + [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true }, + [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true }, + [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword' }, [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true }, [Fields.ALERT_UUID]: { type: 'keyword' }, [Fields.ALERT_ID]: { type: 'keyword' }, @@ -33,11 +30,6 @@ export const technicalRuleFieldMap = { [Fields.ALERT_STATUS]: { type: 'keyword' }, [Fields.ALERT_EVALUATION_THRESHOLD]: { type: 'scaled_float', scaling_factor: 100 }, [Fields.ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100 }, - [Fields.CONSUMERS]: { - type: 'keyword', - array: true, - required: false, - }, [Fields.VERSION]: { type: 'keyword', array: false, @@ -93,9 +85,19 @@ export const technicalRuleFieldMap = { array: false, required: false, }, - [Fields.ALERT_RULE_CONSUMERS]: { + [Fields.ALERT_RULE_CATEGORY]: { type: 'keyword', - array: true, + array: false, + required: false, + }, + [Fields.ALERT_RULE_UUID]: { + type: 'keyword', + array: false, + required: false, + }, + [Fields.ALERT_RULE_ID]: { + type: 'keyword', + array: false, required: false, }, [Fields.ALERT_RULE_CREATED_AT]: { 
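Review bot: `ALERT_RULE_TYPE_ID` and `ALERT_RULE_CONSUMER` are marked `required: true` in the first hunk with nothing saying why; those two fields are what `AlertsClient` reads from `_source` before calling `ensureAuthorized` and what it names in the authorization `fieldNames` filter, so the flag is load-bearing for access control rather than a data-quality nicety. A comment such as `// required: authorization of alert reads/updates keys on rule type id and consumer (see alerts_client.ts)` would keep a later cleanup from relaxing them. In the `@@ -93` hunk the map now carries three identifier fields, `ALERT_RULE_TYPE_ID`, `ALERT_RULE_UUID` and `ALERT_RULE_ID`, and nothing visible in this commit writes `ALERT_RULE_ID` (`getRuleData` fills the other two), so a one-line comment on what it holds, or that it is currently unused, would help. `technicalRuleFieldMap` continues outside the hunks.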
@@ -123,11 +125,6 @@ export const technicalRuleFieldMap = { array: false, required: false, }, - [Fields.ALERT_RULE_ID]: { - type: 'keyword', - array: false, - required: false, - }, [Fields.ALERT_RULE_INTERVAL]: { type: 'keyword', array: false, diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts index 2a7419b20570e..aaceb167b2e51 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts +++ b/x-pack/plugins/rule_registry/server/alert_data_client/alerts_client.ts @@ -29,8 +29,8 @@ import { alertAuditEvent, operationAlertAuditActionMap } from './audit_events'; import { AuditLogger } from '../../../security/server'; import { ALERT_STATUS, - ALERT_OWNER, - RULE_ID, + ALERT_RULE_CONSUMER, + ALERT_RULE_TYPE_ID, SPACE_IDS, } from '../../common/technical_rule_data_field_names'; import { ParsedTechnicalFields } from '../../common/parse_technical_fields'; @@ -40,11 +40,15 @@ type NonNullableProps = Omit }; type AlertType = NonNullableProps< ParsedTechnicalFields, - typeof RULE_ID | typeof ALERT_OWNER | typeof SPACE_IDS + typeof ALERT_RULE_TYPE_ID | typeof ALERT_RULE_CONSUMER | typeof SPACE_IDS >; const isValidAlert = (source?: ParsedTechnicalFields): source is AlertType => { - return source?.[RULE_ID] != null && source?.[ALERT_OWNER] != null && source?.[SPACE_IDS] != null; + return ( + source?.[ALERT_RULE_TYPE_ID] != null && + source?.[ALERT_RULE_CONSUMER] != null && + source?.[SPACE_IDS] != null + ); }; export interface ConstructorOptions { logger: Logger; @@ -121,7 +125,10 @@ export class AlertsClient { _id: string; // this is typed kind of crazy to fit the output of es api response to this _source?: - | { [RULE_ID]?: string | null | undefined; [ALERT_OWNER]?: string | null | undefined } + | { + [ALERT_RULE_TYPE_ID]?: string | null | undefined; + [ALERT_RULE_CONSUMER]?: string | null | undefined; + } | null | undefined; }>, 
@@ -132,16 +139,16 @@ export class AlertsClient { hitIds: [hit._id, ...acc.hitIds], ownersAndRuleTypeIds: [ { - [RULE_ID]: hit?._source?.[RULE_ID], - [ALERT_OWNER]: hit?._source?.[ALERT_OWNER], + [ALERT_RULE_TYPE_ID]: hit?._source?.[ALERT_RULE_TYPE_ID], + [ALERT_RULE_CONSUMER]: hit?._source?.[ALERT_RULE_CONSUMER], }, ], }), { hitIds: [], ownersAndRuleTypeIds: [] } as { hitIds: string[]; ownersAndRuleTypeIds: Array<{ - [RULE_ID]: string | null | undefined; - [ALERT_OWNER]: string | null | undefined; + [ALERT_RULE_TYPE_ID]: string | null | undefined; + [ALERT_RULE_CONSUMER]: string | null | undefined; }>; } ); @@ -150,8 +157,8 @@ export class AlertsClient { return Promise.all( ownersAndRuleTypeIds.map((hit) => { - const alertOwner = hit?.[ALERT_OWNER]; - const ruleId = hit?.[RULE_ID]; + const alertOwner = hit?.[ALERT_RULE_CONSUMER]; + const ruleId = hit?.[ALERT_RULE_TYPE_ID]; if (hit != null && assertString(alertOwner) && assertString(ruleId)) { return this.authorization.ensureAuthorized({ ruleTypeId: ruleId, @@ -322,7 +329,7 @@ export class AlertsClient { AlertingAuthorizationEntity.Alert, { type: AlertingAuthorizationFilterType.ESDSL, - fieldNames: { consumer: ALERT_OWNER, ruleTypeId: RULE_ID }, + fieldNames: { consumer: ALERT_RULE_CONSUMER, ruleTypeId: ALERT_RULE_TYPE_ID }, }, operation ); diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/bulk_update.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/bulk_update.test.ts index 97a19935fa787..a6d42853531d7 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/bulk_update.test.ts +++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/bulk_update.test.ts 
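Review bot: In the `@@ -150` hunk a hit whose `_source` lacks a string `ALERT_RULE_CONSUMER` or `ALERT_RULE_TYPE_ID` fails the `assertString` guard and `ensureAuthorized` is not called for it; the branch taken in that case lies outside the hunk, so unless it throws, such a document proceeds without the authorization check keyed on the very fields the first hunk collects into `ownersAndRuleTypeIds`. A document that cannot be authorized should be rejected explicitly rather than fall through, e.g. `if (hit == null || !assertString(alertOwner) || !assertString(ruleId)) { throw new Error('alert document is missing rule type id or consumer'); }` ahead of the `ensureAuthorized` call. The names `ownersAndRuleTypeIds` and `alertOwner` now hold `ALERT_RULE_CONSUMER` values, so `consumersAndRuleTypeIds` / `alertConsumer` would match the field rename. The enclosing method starts and ends outside the hunks.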
@@ -5,7 +5,12 @@ * 2.0. */ -import { ALERT_OWNER, ALERT_STATUS, SPACE_IDS, RULE_ID } from '@kbn/rule-data-utils'; +import { + ALERT_RULE_CONSUMER, + ALERT_STATUS, + SPACE_IDS, + ALERT_RULE_TYPE_ID, +} from '@kbn/rule-data-utils'; import { AlertsClient, ConstructorOptions } from '../alerts_client'; import { loggingSystemMock } from '../../../../../../src/core/server/mocks'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths @@ -77,8 +82,8 @@ describe('bulkUpdate()', () => { _id: fakeAlertId, _index: indexName, _source: { - [RULE_ID]: 'apm.error_rate', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -134,8 +139,8 @@ describe('bulkUpdate()', () => { _id: fakeAlertId, _index: indexName, _source: { - [RULE_ID]: fakeRuleTypeId, - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: fakeRuleTypeId, + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -180,8 +185,8 @@ describe('bulkUpdate()', () => { _id: successfulAuthzHit, _index: indexName, _source: { - [RULE_ID]: 'apm.error_rate', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -190,8 +195,8 @@ describe('bulkUpdate()', () => { _id: unsuccessfulAuthzHit, _index: indexName, _source: { - [RULE_ID]: fakeRuleTypeId, - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: fakeRuleTypeId, + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -267,8 +272,8 @@ describe('bulkUpdate()', () => { _id: fakeAlertId, _index: '.alerts-observability-apm.alerts', _source: { - [RULE_ID]: 'apm.error_rate', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, 
@@ -327,8 +332,8 @@ describe('bulkUpdate()', () => { _id: fakeAlertId, _index: '.alerts-observability-apm.alerts', _source: { - [RULE_ID]: fakeRuleTypeId, - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: fakeRuleTypeId, + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -388,8 +393,8 @@ describe('bulkUpdate()', () => { _id: successfulAuthzHit, _index: '.alerts-observability-apm.alerts', _source: { - [RULE_ID]: 'apm.error_rate', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -398,8 +403,8 @@ describe('bulkUpdate()', () => { _id: unsuccessfulAuthzHit, _index: '.alerts-observability-apm.alerts', _source: { - [RULE_ID]: fakeRuleTypeId, - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: fakeRuleTypeId, + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts index 651d728b1983c..c8d0d18dfd37e 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts +++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/get.test.ts @@ -5,7 +5,12 @@ * 2.0. */ -import { ALERT_OWNER, ALERT_STATUS, RULE_ID, SPACE_IDS } from '@kbn/rule-data-utils'; +import { + ALERT_RULE_CONSUMER, + ALERT_STATUS, + SPACE_IDS, + ALERT_RULE_TYPE_ID, +} from '@kbn/rule-data-utils'; import { AlertsClient, ConstructorOptions } from '../alerts_client'; import { loggingSystemMock } from '../../../../../../src/core/server/mocks'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths 
@@ -85,9 +90,9 @@ describe('get()', () => { _seq_no: 362, _primary_term: 2, _source: { - 'rule.id': 'apm.error_rate', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', message: 'hello world 1', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: ['test_default_space_id'], }, @@ -100,13 +105,13 @@ describe('get()', () => { const result = await alertsClient.get({ id: '1', index: '.alerts-observability-apm' }); expect(result).toMatchInlineSnapshot(` Object { - "kibana.alert.owner": "apm", + "kibana.alert.rule.consumer": "apm", + "kibana.alert.rule.rule_type_id": "apm.error_rate", "kibana.alert.status": "open", "kibana.space_ids": Array [ "test_default_space_id", ], "message": "hello world 1", - "rule.id": "apm.error_rate", } `); expect(esClientMock.search).toHaveBeenCalledTimes(1); @@ -184,9 +189,9 @@ describe('get()', () => { _seq_no: 362, _primary_term: 2, _source: { - 'rule.id': 'apm.error_rate', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', message: 'hello world 1', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: ['test_default_space_id'], }, @@ -235,8 +240,8 @@ describe('get()', () => { _id: fakeAlertId, _index: indexName, _source: { - [RULE_ID]: fakeRuleTypeId, - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: fakeRuleTypeId, + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -307,9 +312,9 @@ describe('get()', () => { _seq_no: 362, _primary_term: 2, _source: { - 'rule.id': 'apm.error_rate', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', message: 'hello world 1', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: ['test_default_space_id'], }, 
@@ -330,13 +335,13 @@ describe('get()', () => { expect(result).toMatchInlineSnapshot(` Object { - "kibana.alert.owner": "apm", + "kibana.alert.rule.consumer": "apm", + "kibana.alert.rule.rule_type_id": "apm.error_rate", "kibana.alert.status": "open", "kibana.space_ids": Array [ "test_default_space_id", ], "message": "hello world 1", - "rule.id": "apm.error_rate", } `); }); diff --git a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts index 435b6e310ffdf..0aaab20052716 100644 --- a/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts +++ b/x-pack/plugins/rule_registry/server/alert_data_client/tests/update.test.ts @@ -5,7 +5,12 @@ * 2.0. */ -import { ALERT_OWNER, ALERT_STATUS, SPACE_IDS, RULE_ID } from '@kbn/rule-data-utils'; +import { + ALERT_RULE_CONSUMER, + ALERT_STATUS, + SPACE_IDS, + ALERT_RULE_TYPE_ID, +} from '@kbn/rule-data-utils'; import { AlertsClient, ConstructorOptions } from '../alerts_client'; import { loggingSystemMock } from '../../../../../../src/core/server/mocks'; // eslint-disable-next-line @kbn/eslint/no-restricted-paths @@ -82,9 +87,9 @@ describe('update()', () => { _index: '.alerts-observability-apm', _id: 'NoxgpHkBqbdrfX07MqXV', _source: { - [RULE_ID]: 'apm.error_rate', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', message: 'hello world 1', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -168,9 +173,9 @@ describe('update()', () => { _index: '.alerts-observability-apm', _id: 'NoxgpHkBqbdrfX07MqXV', _source: { - 'rule.id': 'apm.error_rate', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', message: 'hello world 1', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, 
@@ -242,8 +247,8 @@ describe('update()', () => { _id: fakeAlertId, _index: indexName, _source: { - [RULE_ID]: fakeRuleTypeId, - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: fakeRuleTypeId, + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -323,9 +328,9 @@ describe('update()', () => { _index: '.alerts-observability-apm', _id: 'NoxgpHkBqbdrfX07MqXV', _source: { - 'rule.id': 'apm.error_rate', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', message: 'hello world 1', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, @@ -383,9 +388,9 @@ describe('update()', () => { _seq_no: 362, _primary_term: 2, _source: { - 'rule.id': 'apm.error_rate', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', message: 'hello world 1', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [SPACE_IDS]: [DEFAULT_SPACE], }, diff --git a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts index 073a48248f89a..372fb09661259 100644 --- a/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts +++ b/x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts @@ -6,13 +6,11 @@ */ import { - ALERT_OWNER, + ALERT_RULE_CONSUMER, ALERT_RULE_RISK_SCORE, - ALERT_RULE_SEVERITY, ALERT_STATUS, - CONSUMERS, ECS_VERSION, - RULE_ID, + ALERT_RULE_TYPE_ID, SPACE_IDS, TIMESTAMP, VERSION, 
@@ -28,14 +26,12 @@ import { requestMock, serverMock } from './__mocks__/server'; const getMockAlert = (): ParsedTechnicalFields => ({ [TIMESTAMP]: '2021-06-21T21:33:05.713Z', [ECS_VERSION]: '1.0.0', - [CONSUMERS]: [], [VERSION]: '7.13.0', - [RULE_ID]: 'apm.error_rate', - [ALERT_OWNER]: 'apm', + [ALERT_RULE_TYPE_ID]: 'apm.error_rate', + [ALERT_RULE_CONSUMER]: 'apm', [ALERT_STATUS]: 'open', [ALERT_RULE_RISK_SCORE]: 20, [SPACE_IDS]: ['fake-space-id'], - [ALERT_RULE_SEVERITY]: 'warning', }); describe('getAlertByIdRoute', () => { diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts index 037efadabd8de..efcc56a1b9511 100644 --- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts +++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts @@ -23,8 +23,8 @@ import { ALERT_STATUS, EVENT_ACTION, EVENT_KIND, - RULE_ID, - ALERT_OWNER, + ALERT_RULE_TYPE_ID, + ALERT_RULE_CONSUMER, SPACE_IDS, } from '../../common/technical_rule_data_field_names'; import { createRuleDataClientMock } from '../rule_data_client/create_rule_data_client_mock'; @@ -131,16 +131,16 @@ describe('createLifecycleExecutor', () => { { fields: { [ALERT_ID]: 'TEST_ALERT_0', - [ALERT_OWNER]: 'CONSUMER', - [RULE_ID]: 'RULE_TYPE_ID', + [ALERT_RULE_CONSUMER]: 'CONSUMER', + [ALERT_RULE_TYPE_ID]: 'RULE_TYPE_ID', labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc }, }, { fields: { [ALERT_ID]: 'TEST_ALERT_1', - [ALERT_OWNER]: 'CONSUMER', - [RULE_ID]: 'RULE_TYPE_ID', + [ALERT_RULE_CONSUMER]: 'CONSUMER', + [ALERT_RULE_TYPE_ID]: 'RULE_TYPE_ID', labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc }, }, 
@@ -229,8 +229,8 @@ describe('createLifecycleExecutor', () => { fields: { '@timestamp': '', [ALERT_ID]: 'TEST_ALERT_0', - [ALERT_OWNER]: 'CONSUMER', - [RULE_ID]: 'RULE_TYPE_ID', + [ALERT_RULE_CONSUMER]: 'CONSUMER', + [ALERT_RULE_TYPE_ID]: 'RULE_TYPE_ID', [SPACE_IDS]: ['fake-space-id'], labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must show up in the written doc }, @@ -239,8 +239,8 @@ describe('createLifecycleExecutor', () => { fields: { '@timestamp': '', [ALERT_ID]: 'TEST_ALERT_1', - [ALERT_OWNER]: 'CONSUMER', - [RULE_ID]: 'RULE_TYPE_ID', + [ALERT_RULE_CONSUMER]: 'CONSUMER', + [ALERT_RULE_TYPE_ID]: 'RULE_TYPE_ID', [SPACE_IDS]: ['fake-space-id'], labels: { LABEL_0_KEY: 'LABEL_0_VALUE' }, // this must not show up in the written doc }, @@ -335,7 +335,7 @@ const createDefaultAlertExecutorOptions = < ActionGroupIds extends string = '' >({ alertId = 'ALERT_ID', - ruleName = 'RULE_NAME', + ruleName = 'ALERT_RULE_NAME', params, state, createdAt = new Date(), diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts index 23ae24cb91bc4..7a00457f2c4e1 100644 --- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts +++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts @@ -29,9 +29,9 @@ import { ALERT_UUID, EVENT_ACTION, EVENT_KIND, - ALERT_OWNER, - RULE_ID, - RULE_UUID, + ALERT_RULE_CONSUMER, + ALERT_RULE_TYPE_ID, + ALERT_RULE_UUID, TIMESTAMP, SPACE_IDS, } from '../../common/technical_rule_data_field_names'; @@ -155,8 +155,8 @@ export const createLifecycleExecutor = ( currentAlerts[id] = { ...fields, [ALERT_ID]: id, - [RULE_ID]: rule.ruleTypeId, - [ALERT_OWNER]: rule.consumer, + [ALERT_RULE_TYPE_ID]: rule.ruleTypeId, + [ALERT_RULE_CONSUMER]: rule.consumer, }; return alertInstanceFactory(id); }, 
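Review bot: In the `@@ -155` hunk of create_lifecycle_executor.ts, `[ALERT_RULE_TYPE_ID]: rule.ruleTypeId` and `[ALERT_RULE_CONSUMER]: rule.consumer` are written after `...fields`, which is what stops executor-supplied `fields` from overriding the two values `AlertsClient` later authorizes on, but nothing says so; the `@@ -229` and `@@ -247` hunks rely on the same ordering. A comment on the first occurrence such as `// set after the spread: rule type id and consumer drive alert authorization and must not be overridable by rule-supplied fields` would protect the ordering from a well-meant reshuffle. `createLifecycleExecutor` continues outside the hunks.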
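Review bot: `ruleName = 'ALERT_RULE_NAME'` in the `@@ -335` hunk of create_lifecycle_executor.test.ts changes a fixture string, not a reference to the renamed constant; the old `'RULE_NAME'` was an arbitrary value and the new one now reads as if it were the field constant. The same search-and-replace reached `mockRuleName` and `text: 'RULE_NAME'` in the security_solution breadcrumbs test further down, a file unrelated to the technical field names. Reverting these string edits, or using a neutral value such as `'TEST_RULE_NAME'`, keeps the rename confined to the constants.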
@@ -197,7 +197,7 @@ export const createLifecycleExecutor = ( filter: [ { term: { - [RULE_UUID]: ruleExecutorData[RULE_UUID], + [ALERT_RULE_UUID]: ruleExecutorData[ALERT_RULE_UUID], }, }, { @@ -229,8 +229,8 @@ export const createLifecycleExecutor = ( alertsDataMap[alertId] = { ...fields, [ALERT_ID]: alertId, - [RULE_ID]: rule.ruleTypeId, - [ALERT_OWNER]: rule.consumer, + [ALERT_RULE_TYPE_ID]: rule.ruleTypeId, + [ALERT_RULE_CONSUMER]: rule.consumer, }; }); } @@ -247,7 +247,7 @@ export const createLifecycleExecutor = ( ...ruleExecutorData, [TIMESTAMP]: timestamp, [EVENT_KIND]: 'signal', - [ALERT_OWNER]: rule.consumer, + [ALERT_RULE_CONSUMER]: rule.consumer, [ALERT_ID]: alertId, } as ParsedTechnicalFields; diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts index c1358da97e95a..3469187122127 100644 --- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts +++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts @@ -6,15 +6,7 @@ */ import { schema } from '@kbn/config-schema'; -import { - ALERT_DURATION, - ALERT_ID, - ALERT_OWNER, - ALERT_PRODUCER, - ALERT_START, - ALERT_STATUS, - ALERT_UUID, -} from '@kbn/rule-data-utils'; +import { ALERT_DURATION, ALERT_STATUS, ALERT_UUID } from '@kbn/rule-data-utils'; import { loggerMock } from '@kbn/logging/target/mocks'; import { castArray, omit, mapValues } from 'lodash'; import { RuleDataClient } from '../rule_data_client'; 
@@ -197,19 +189,19 @@ describe('createLifecycleRuleTypeFactory', () => { "@timestamp": "2021-06-16T09:01:00.000Z", "event.action": "open", "event.kind": "signal", - "${ALERT_DURATION}": 0, - "${ALERT_ID}": "opbeans-java", - "${ALERT_OWNER}": "consumer", - "${ALERT_PRODUCER}": "producer", - "${ALERT_START}": "2021-06-16T09:01:00.000Z", - "${ALERT_STATUS}": "open", + "kibana.alert.duration.us": 0, + "kibana.alert.id": "opbeans-java", + "kibana.alert.rule.category": "ruleTypeName", + "kibana.alert.rule.consumer": "consumer", + "kibana.alert.rule.name": "name", + "kibana.alert.rule.producer": "producer", + "kibana.alert.rule.rule_type_id": "ruleTypeId", + "kibana.alert.rule.uuid": "alertId", + "kibana.alert.start": "2021-06-16T09:01:00.000Z", + "kibana.alert.status": "open", "kibana.space_ids": Array [ "spaceId", ], - "rule.category": "ruleTypeName", - "rule.id": "ruleTypeId", - "rule.name": "name", - "rule.uuid": "alertId", "service.name": "opbeans-java", "tags": Array [ "tags", @@ -219,19 +211,19 @@ describe('createLifecycleRuleTypeFactory', () => { "@timestamp": "2021-06-16T09:01:00.000Z", "event.action": "open", "event.kind": "signal", - "${ALERT_DURATION}": 0, - "${ALERT_ID}": "opbeans-node", - "${ALERT_OWNER}": "consumer", - "${ALERT_PRODUCER}": "producer", - "${ALERT_START}": "2021-06-16T09:01:00.000Z", - "${ALERT_STATUS}": "open", + "kibana.alert.duration.us": 0, + "kibana.alert.id": "opbeans-node", + "kibana.alert.rule.category": "ruleTypeName", + "kibana.alert.rule.consumer": "consumer", + "kibana.alert.rule.name": "name", + "kibana.alert.rule.producer": "producer", + "kibana.alert.rule.rule_type_id": "ruleTypeId", + "kibana.alert.rule.uuid": "alertId", + "kibana.alert.start": "2021-06-16T09:01:00.000Z", + "kibana.alert.status": "open", "kibana.space_ids": Array [ "spaceId", ], - "rule.category": "ruleTypeName", - "rule.id": "ruleTypeId", - "rule.name": "name", - "rule.uuid": "alertId", "service.name": "opbeans-node", "tags": Array [ "tags", 
diff --git a/x-pack/plugins/rule_registry/server/utils/get_rule_executor_data.ts b/x-pack/plugins/rule_registry/server/utils/get_rule_executor_data.ts
index 866eb5f882fe0..13f0b27e85c3b 100644
--- a/x-pack/plugins/rule_registry/server/utils/get_rule_executor_data.ts
+++ b/x-pack/plugins/rule_registry/server/utils/get_rule_executor_data.ts
@@ -7,30 +7,30 @@
 
 import { AlertExecutorOptions } from '../../../alerting/server';
 import {
-  ALERT_PRODUCER,
-  RULE_CATEGORY,
-  RULE_ID,
-  RULE_NAME,
-  RULE_UUID,
+  ALERT_RULE_PRODUCER,
+  ALERT_RULE_CATEGORY,
+  ALERT_RULE_TYPE_ID,
+  ALERT_RULE_NAME,
+  ALERT_RULE_UUID,
   TAGS,
 } from '../../common/technical_rule_data_field_names';
 
 export interface RuleExecutorData {
-  [RULE_CATEGORY]: string;
-  [RULE_ID]: string;
-  [RULE_UUID]: string;
-  [RULE_NAME]: string;
-  [ALERT_PRODUCER]: string;
+  [ALERT_RULE_CATEGORY]: string;
+  [ALERT_RULE_TYPE_ID]: string;
+  [ALERT_RULE_UUID]: string;
+  [ALERT_RULE_NAME]: string;
+  [ALERT_RULE_PRODUCER]: string;
   [TAGS]: string[];
 }
 
 export function getRuleData(options: AlertExecutorOptions) {
   return {
-    [RULE_ID]: options.rule.ruleTypeId,
-    [RULE_UUID]: options.alertId,
-    [RULE_CATEGORY]: options.rule.ruleTypeName,
-    [RULE_NAME]: options.rule.name,
+    [ALERT_RULE_TYPE_ID]: options.rule.ruleTypeId,
+    [ALERT_RULE_UUID]: options.alertId,
+    [ALERT_RULE_CATEGORY]: options.rule.ruleTypeName,
+    [ALERT_RULE_NAME]: options.rule.name,
     [TAGS]: options.tags,
-    [ALERT_PRODUCER]: options.rule.producer,
+    [ALERT_RULE_PRODUCER]: options.rule.producer,
   };
 }
diff --git a/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.test.ts b/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.test.ts
index f415dc287ca35..22916b90c084d 100644
--- a/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.test.ts
+++ b/x-pack/plugins/security_solution/public/common/components/navigation/breadcrumbs/index.test.ts
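Review bot: `getRuleData` has no declared return type even though `RuleExecutorData` is defined directly above to describe exactly this object, so a key dropped or mistyped in one of the two would go unnoticed; `export function getRuleData(options: AlertExecutorOptions): RuleExecutorData {` ties them together. The mapping `[ALERT_RULE_UUID]: options.alertId` also deserves a line, since the README hunk in this commit describes that field as the saved-object id of the rule while the name `alertId` suggests otherwise: `// options.alertId is the rule's saved object id in the alerting framework, hence ALERT_RULE_UUID` — presumably accurate, worth confirming against the alerting types.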
@@ -330,7 +330,7 @@ describe('Navigation Breadcrumbs', () => { test('should return Rules breadcrumbs when supplied rules Details pathname', () => { const mockDetailName = '5a4a0460-d822-11eb-8962-bfd4aff0a9b3'; - const mockRuleName = 'RULE_NAME'; + const mockRuleName = 'ALERT_RULE_NAME'; const breadcrumbs = getBreadcrumbsForRoute( { ...getMockObject('rules', `/rules/id/${mockDetailName}`, undefined), @@ -357,7 +357,7 @@ describe('Navigation Breadcrumbs', () => { test('should return Rules breadcrumbs when supplied rules Edit pathname', () => { const mockDetailName = '5a4a0460-d822-11eb-8962-bfd4aff0a9b3'; - const mockRuleName = 'RULE_NAME'; + const mockRuleName = 'ALERT_RULE_NAME'; const breadcrumbs = getBreadcrumbsForRoute( { ...getMockObject('rules', `/rules/id/${mockDetailName}/edit`, undefined), @@ -376,7 +376,7 @@ describe('Navigation Breadcrumbs', () => { "securitySolution/rules?sourcerer=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-05-16T23:10:43.696Z',fromStr:now-24h,kind:relative,to:'2019-05-17T23:10:43.697Z',toStr:now)),timeline:(linkTo:!(global),timerange:(from:'2019-05-16T23:10:43.696Z',fromStr:now-24h,kind:relative,to:'2019-05-17T23:10:43.697Z',toStr:now)))", }, { - text: 'RULE_NAME', + text: 'ALERT_RULE_NAME', href: `securitySolution/rules/id/${mockDetailName}?sourcerer=()&timerange=(global:(linkTo:!(timeline),timerange:(from:'2019-05-16T23:10:43.696Z',fromStr:now-24h,kind:relative,to:'2019-05-17T23:10:43.697Z',toStr:now)),timeline:(linkTo:!(global),timerange:(from:'2019-05-16T23:10:43.696Z',fromStr:now-24h,kind:relative,to:'2019-05-17T23:10:43.697Z',toStr:now)))`, }, { diff --git a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx index 7ff6f82d40bdc..0519e3f2d4a75 100644 --- a/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx 
+++ b/x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx @@ -8,10 +8,14 @@ import { ALERT_DURATION, ALERT_ID, - ALERT_PRODUCER, + ALERT_RULE_PRODUCER, ALERT_START, ALERT_STATUS, ALERT_UUID, + ALERT_RULE_UUID, + ALERT_RULE_ID, + ALERT_RULE_NAME, + ALERT_RULE_CATEGORY, } from '@kbn/rule-data-utils'; import { defaultColumnHeaderType } from '../../../timelines/components/timeline/body/column_headers/default_headers'; @@ -185,11 +189,11 @@ export const requiredFieldMappingsForActionsRuleRegistry = { 'event.action': 'event.action', 'alert.status': ALERT_STATUS, 'alert.duration.us': ALERT_DURATION, - 'rule.uuid': 'rule.uuid', - 'rule.id': 'rule.id', - 'rule.name': 'rule.name', - 'rule.category': 'rule.category', - producer: ALERT_PRODUCER, + 'rule.uuid': ALERT_RULE_UUID, + 'rule.id': ALERT_RULE_ID, + 'rule.name': ALERT_RULE_NAME, + 'rule.category': ALERT_RULE_CATEGORY, + producer: ALERT_RULE_PRODUCER, tags: 'tags', }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap index 80ae8b9309f1f..9fd3e20f79b43 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap @@ -1583,10 +1583,6 @@ Object { "path": "signal.ancestors.type", "type": "alias", }, - "kibana.alert.consumers": Object { - "type": "constant_keyword", - "value": "siem", - }, "kibana.alert.depth": Object { "path": "signal.depth", "type": "alias", 
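Review bot: In `requiredFieldMappingsForActionsRuleRegistry`, `'rule.id': ALERT_RULE_ID` points the legacy `rule.id` key at `kibana.alert.rule.id`, but everywhere else in this diff the value that used to live in `rule.id` moves to `kibana.alert.rule.rule_type_id`: `getRuleData` writes `options.rule.ruleTypeId` under `ALERT_RULE_TYPE_ID`, and both the lifecycle snapshot and the `rule_registry/alerts` archive replace `rule.id` with `kibana.alert.rule.rule_type_id`. If whatever consumes this mapping expects the rule type id (as the old `'rule.id': 'rule.id'` pairing suggests), this should read `'rule.id': ALERT_RULE_TYPE_ID,` with `ALERT_RULE_TYPE_ID` added to the `@kbn/rule-data-utils` import in the first hunk. If it genuinely wants the rule's own id now, a short comment saying so would stop the next reader from making the same comparison, since `ALERT_RULE_ID` and `ALERT_RULE_TYPE_ID` are easy to conflate.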
@@ -1675,10 +1671,6 @@ Object { "path": "signal.original_time", "type": "alias", }, - "kibana.alert.producer": Object { - "type": "constant_keyword", - "value": "siem", - }, "kibana.alert.risk_score": Object { "path": "signal.rule.risk_score", "type": "alias", @@ -1691,6 +1683,10 @@ Object { "path": "signal.rule.building_block_type", "type": "alias", }, + "kibana.alert.rule.consumer": Object { + "type": "constant_keyword", + "value": "siem", + }, "kibana.alert.rule.created_at": Object { "path": "signal.rule.created_at", "type": "alias", @@ -1751,6 +1747,10 @@ Object { "path": "signal.rule.note", "type": "alias", }, + "kibana.alert.rule.producer": Object { + "type": "constant_keyword", + "value": "siem", + }, "kibana.alert.rule.query": Object { "path": "signal.rule.query", "type": "alias", diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts index 88c549cec5579..3355b0659f284 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts @@ -109,8 +109,8 @@ describe('get_signals_template', () => { const constantKeywordsFound = recursiveConstantKeywordFound('', template); expect(constantKeywordsFound).toEqual([ 'template.mappings.properties.kibana.space_ids', - 'template.mappings.properties.kibana.alert.consumers', - 'template.mappings.properties.kibana.alert.producer', + 'template.mappings.properties.kibana.alert.rule.consumer', + 'template.mappings.properties.kibana.alert.rule.producer', 'template.mappings.properties.kibana.alert.rule.rule_type_id', ]); }); 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index bc41441e1a117..989c73f97997b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -7,8 +7,8 @@ import { SPACE_IDS, - ALERT_CONSUMERS, - ALERT_PRODUCER, + ALERT_RULE_CONSUMER, + ALERT_RULE_PRODUCER, ALERT_RULE_TYPE_ID, } from '@kbn/rule-data-utils'; import signalsMapping from './signals_mapping.json'; @@ -116,11 +116,11 @@ export const getRbacRequiredFields = (spaceId: string) => { type: 'constant_keyword', value: spaceId, }, - [ALERT_CONSUMERS]: { + [ALERT_RULE_CONSUMER]: { type: 'constant_keyword', value: 'siem', }, - [ALERT_PRODUCER]: { + [ALERT_RULE_PRODUCER]: { type: 'constant_keyword', value: 'siem', }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_execution_field_map.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_execution_field_map.ts index 700ce66e2770f..b3c70cd56d9e6 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_execution_field_map.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_execution_field_map.ts 
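Review bot: `getRbacRequiredFields` still hard-codes the literal `'siem'` for `ALERT_RULE_CONSUMER` and `ALERT_RULE_PRODUCER`, while `buildAlert` and the execution-log client in this same diff write `SERVER_APP_ID` into `ALERT_RULE_CONSUMER`. These are `constant_keyword` mappings, which reject documents carrying a value other than the one fixed in the template, so the literal here and the constant used by the writers must never drift; `value: SERVER_APP_ID,` (importing it if it is not already in scope in this file) ties the mapping to the same source of truth as the writers. The function body starts and ends outside this hunk.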
@@ -18,9 +18,6 @@ import { * @deprecated ruleExecutionFieldMap is kept here only as a reference. It will be superseded with EventLog implementation */ export const ruleExecutionFieldMap = { - // [ALERT_OWNER]: { type: 'keyword', required: true }, - // [SPACE_IDS]: { type: 'keyword', array: true, required: true }, - // [RULE_ID]: { type: 'keyword', required: true }, [MESSAGE]: { type: 'keyword' }, [EVENT_SEQUENCE]: { type: 'long' }, [EVENT_END]: { type: 'date' }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts index f5971475e2b16..1c19859eef432 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts @@ -7,12 +7,13 @@ import { estypes } from '@elastic/elasticsearch'; import { - ALERT_OWNER, + ALERT_RULE_CONSUMER, + ALERT_RULE_TYPE_ID, EVENT_ACTION, EVENT_KIND, - RULE_ID, SPACE_IDS, TIMESTAMP, + ALERT_RULE_ID, } from '@kbn/rule-data-utils'; import { once } from 'lodash/fp'; import moment from 'moment'; @@ -95,7 +96,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient { } const filter: estypes.QueryDslQueryContainer[] = [ - { terms: { [RULE_ID]: ruleIds } }, + { terms: { [ALERT_RULE_ID]: ruleIds } }, { terms: { [SPACE_IDS]: [spaceId] } }, ]; @@ -114,7 +115,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient { aggs: { rules: { terms: { - field: RULE_ID, + field: ALERT_RULE_ID, size: ruleIds.length, }, aggs: { 
@@ -147,7 +148,10 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient { bucket.key, bucket.most_recent_logs.hits.hits.map((event) => { const logEntry = parseRuleExecutionLog(event._source); - invariant(logEntry['rule.id'], 'Malformed execution log entry: rule.id field not found'); + invariant( + logEntry[ALERT_RULE_ID] ?? '', + 'Malformed execution log entry: rule.id field not found' + ); const lastFailure = bucket.last_failure.event.hits.hits[0] ? parseRuleExecutionLog(bucket.last_failure.event.hits.hits[0]._source) @@ -179,7 +183,7 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient { ] : undefined; - const alertId = logEntry['rule.id']; + const alertId = logEntry[ALERT_RULE_ID] ?? ''; const statusDate = logEntry[TIMESTAMP]; const lastFailureAt = lastFailure?.[TIMESTAMP]; const lastFailureMessage = lastFailure?.[MESSAGE]; @@ -213,14 +217,6 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient { ); } - // { [x: string]: string | string[] | ExecutionMetricValue; - // [x: number]: string; - // "kibana.space_ids": string[]; - // "event.action": T; - // "event.kind": string; - // "rule.id": string; - // "@timestamp": string; } - public async logExecutionMetric({ ruleId, namespace, @@ -234,9 +230,10 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient { [EVENT_ACTION]: metric, [EVENT_KIND]: 'metric', [getMetricField(metric)]: value, - [RULE_ID]: ruleId, + [ALERT_RULE_ID]: ruleId ?? '', [TIMESTAMP]: new Date().toISOString(), - [ALERT_OWNER]: 'siem', + [ALERT_RULE_CONSUMER]: SERVER_APP_ID, + [ALERT_RULE_TYPE_ID]: SERVER_APP_ID, }, namespace ); 
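Review bot: `logExecutionMetric` now stamps `SERVER_APP_ID` into both `ALERT_RULE_CONSUMER` and `ALERT_RULE_TYPE_ID`, but those are different things: the `rule_registry/alerts` archive in this diff pairs consumer `"siem"` with rule type ids such as `"siem.signals"`, and the timelines search strategy uses `ALERT_RULE_TYPE_ID` as the `ruleTypeId` field of the alerting authorization filter, so if that filter matches registered rule type ids, documents whose rule type id is the app id will presumably never satisfy it — write the actual rule type id or leave the field out. Separately, `ruleId ?? ''` and `logEntry[ALERT_RULE_ID] ?? ''` swap a missing id for an empty string: `invariant` already treats `''` as falsy so the first `?? ''` changes nothing, while indexing `''` as the rule id yields a document the `terms` filter on `ALERT_RULE_ID` can never retrieve; failing early with `invariant(ruleId, 'ruleId is required to log an execution event');` before the write is safer. The invariant message still names `rule.id`; make it `'Malformed execution log entry: kibana.alert.rule.id field not found'`. The same consumer/rule-type pair is written again in the next hunk, and the enclosing method's closing brace lies outside this hunk.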
@@ -256,11 +253,12 @@ export class RuleRegistryLogClient implements IRuleRegistryLogClient { [EVENT_KIND]: 'event', [EVENT_SEQUENCE]: this.sequence++, [MESSAGE]: message, - [RULE_ID]: ruleId, + [ALERT_RULE_ID]: ruleId ?? '', [RULE_STATUS_SEVERITY]: statusSeverityDict[newStatus], [RULE_STATUS]: newStatus, [TIMESTAMP]: new Date().toISOString(), - [ALERT_OWNER]: 'siem', + [ALERT_RULE_CONSUMER]: SERVER_APP_ID, + [ALERT_RULE_TYPE_ID]: SERVER_APP_ID, }, namespace ); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts index f9874478e7a5d..4c59063d39e60 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.test.ts @@ -6,7 +6,7 @@ */ import { - ALERT_OWNER, + ALERT_RULE_CONSUMER, ALERT_RULE_NAMESPACE, ALERT_STATUS, ALERT_WORKFLOW_STATUS, @@ -58,7 +58,7 @@ describe('buildAlert', () => { const expected = { '@timestamp': timestamp, [SPACE_IDS]: [SPACE_ID], - [ALERT_OWNER]: SERVER_APP_ID, + [ALERT_RULE_CONSUMER]: SERVER_APP_ID, [ALERT_ANCESTORS]: [ { id: 'd5e8eb51-a6a0-456d-8a15-4b79bfec3d71', @@ -127,7 +127,7 @@ describe('buildAlert', () => { const expected = { '@timestamp': timestamp, [SPACE_IDS]: [SPACE_ID], - [ALERT_OWNER]: SERVER_APP_ID, + [ALERT_RULE_CONSUMER]: SERVER_APP_ID, [ALERT_ANCESTORS]: [ { id: 'd5e8eb51-a6a0-456d-8a15-4b79bfec3d71', diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts index 641b37cb54bc4..ec667fa50934b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/utils/build_alert.ts @@ -6,7 +6,7 @@ */ import { - ALERT_OWNER, + ALERT_RULE_CONSUMER, ALERT_RULE_NAMESPACE, ALERT_STATUS, ALERT_WORKFLOW_STATUS, @@ -104,7 +104,7 @@ export const buildAlert = ( return ({ '@timestamp': new Date().toISOString(), - [ALERT_OWNER]: SERVER_APP_ID, + [ALERT_RULE_CONSUMER]: SERVER_APP_ID, [SPACE_IDS]: spaceId != null ? [spaceId] : [], [ALERT_ANCESTORS]: ancestors, [ALERT_STATUS]: 'open', diff --git a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts index e419009354b42..5b60443fc6f51 100644 --- a/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts +++ b/x-pack/plugins/timelines/server/search_strategy/timeline/index.ts @@ -5,12 +5,11 @@ * 2.0. */ -import { ALERT_OWNER, RULE_ID, SPACE_IDS } from '@kbn/rule-data-utils'; +import { ALERT_RULE_CONSUMER, ALERT_RULE_TYPE_ID, SPACE_IDS } from '@kbn/rule-data-utils'; import { map, mergeMap, catchError } from 'rxjs/operators'; import { from } from 'rxjs'; import { - // TODO: Undo comment in fix here https://github.com/elastic/kibana/pull/107857 - // isValidFeatureId, + isValidFeatureId, mapConsumerToIndexName, AlertConsumers, } from '@kbn/rule-data-utils/target/alerts_as_data_rbac'; @@ -50,9 +49,7 @@ export const timelineSearchStrategyProvider = { const factoryQueryType = request.factoryQueryType; const entityType = request.entityType; - let alertConsumers = request.alertConsumers; - // TODO: Remove in fix here https://github.com/elastic/kibana/pull/107857 - alertConsumers = undefined; + const alertConsumers = request.alertConsumers; if (factoryQueryType == null) { throw new Error('factoryQueryType is required'); 
@@ -61,9 +58,7 @@ export const timelineSearchStrategyProvider = = timelineFactory[factoryQueryType]; if (alertConsumers != null && entityType != null && entityType === EntityType.ALERTS) { - // TODO: Thist won't be hit since alertConsumers = undefined - // TODO: remove in fix here https://github.com/elastic/kibana/pull/107857 - const allFeatureIdsValid = null; // alertConsumers.every((id) => isValidFeatureId(id)); + const allFeatureIdsValid = alertConsumers.every((id) => isValidFeatureId(id)); if (!allFeatureIdsValid) { throw new Error('An invalid alerts consumer feature id was provided'); @@ -134,7 +129,7 @@ const timelineAlertsSearchStrategy = ({ }) => { // Based on what solution alerts you want to see, figures out what corresponding // index to query (ex: siem --> .alerts-security.alerts) - const indices = alertConsumers.flatMap((consumer) => mapConsumerToIndexName[consumer]); + const indices = alertConsumers.flatMap((consumer) => `${mapConsumerToIndexName[consumer]}*`); const requestWithAlertsIndices = { ...request, defaultIndex: indices, indexName: indices }; // Note: Alerts RBAC are built off of the alerting's authorization class, which @@ -145,8 +140,8 @@ const timelineAlertsSearchStrategy = ({ type: AlertingAuthorizationFilterType.ESDSL, // Not passing in values, these are the paths for these fields fieldNames: { - consumer: ALERT_OWNER, - ruleTypeId: RULE_ID, + consumer: ALERT_RULE_CONSUMER, + ruleTypeId: ALERT_RULE_TYPE_ID, spaceIds: SPACE_IDS, }, }); diff --git a/x-pack/test/apm_api_integration/tests/alerts/rule_registry.ts b/x-pack/test/apm_api_integration/tests/alerts/rule_registry.ts index 8072064b2b1bf..6c83bba99abad 100644 --- a/x-pack/test/apm_api_integration/tests/alerts/rule_registry.ts +++ b/x-pack/test/apm_api_integration/tests/alerts/rule_registry.ts 
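Review bot: `alertConsumers.every((id) => isValidFeatureId(id))` is vacuously true for an empty array, so a request carrying `alertConsumers: []` with `entityType === EntityType.ALERTS` passes the re-enabled check and reaches `timelineAlertsSearchStrategy`, where the `flatMap` produces `indices = []`. Elasticsearch treats a search with no index name as a search over all indices, so unless the underlying search strategy rejects an empty `indexName`/`defaultIndex` (not visible here), the authorization filter built further down is the only thing narrowing that request; reject the empty case explicitly: `if (alertConsumers.length === 0 || !allFeatureIdsValid) { throw new Error('At least one valid alerts consumer feature id is required'); }`. In the `@@ -134` hunk the new trailing `*` on `mapConsumerToIndexName[consumer]` also widens each pattern to every index sharing that prefix; a one-line comment stating why the wildcard is needed would help a later reader judge whether that is intended. Both enclosing functions start outside their hunks.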
@@ -9,15 +9,11 @@ import expect from '@kbn/expect'; import { ALERT_DURATION, ALERT_END, - ALERT_EVALUATION_THRESHOLD, - ALERT_EVALUATION_VALUE, - ALERT_ID, - ALERT_OWNER, - ALERT_PRODUCER, ALERT_START, ALERT_STATUS, ALERT_UUID, EVENT_KIND, + ALERT_RULE_UUID, } from '@kbn/rule-data-utils'; import { merge, omit } from 'lodash'; import { format } from 'url'; @@ -350,7 +346,7 @@ export default function ApiTest({ getService }: FtrProviderContext) { any >; - const exclude = ['@timestamp', ALERT_START, ALERT_UUID, 'rule.uuid']; + const exclude = ['@timestamp', ALERT_START, ALERT_UUID, ALERT_RULE_UUID]; const toCompare = omit(alertEvent, exclude); @@ -362,25 +358,34 @@ export default function ApiTest({ getService }: FtrProviderContext) { "event.kind": Array [ "signal", ], - "${ALERT_DURATION}": Array [ + "kibana.alert.duration.us": Array [ 0, ], - "${ALERT_EVALUATION_THRESHOLD}": Array [ + "kibana.alert.evaluation.threshold": Array [ 30, ], - "${ALERT_EVALUATION_VALUE}": Array [ + "kibana.alert.evaluation.value": Array [ 50, ], - "${ALERT_ID}": Array [ + "kibana.alert.id": Array [ "apm.transaction_error_rate_opbeans-go_request_ENVIRONMENT_NOT_DEFINED", ], - "${ALERT_OWNER}": Array [ + "kibana.alert.rule.category": Array [ + "Transaction error rate threshold", + ], + "kibana.alert.rule.consumer": Array [ "apm", ], - "${ALERT_PRODUCER}": Array [ + "kibana.alert.rule.name": Array [ + "Transaction error rate threshold | opbeans-go", + ], + "kibana.alert.rule.producer": Array [ "apm", ], - "${ALERT_STATUS}": Array [ + "kibana.alert.rule.rule_type_id": Array [ + "apm.transaction_error_rate", + ], + "kibana.alert.status": Array [ "open", ], "kibana.space_ids": Array [ 
@@ -389,15 +394,6 @@ export default function ApiTest({ getService }: FtrProviderContext) { "processor.event": Array [ "transaction", ], - "rule.category": Array [ - "Transaction error rate threshold", - ], - "rule.id": Array [ - "apm.transaction_error_rate", - ], - "rule.name": Array [ - "Transaction error rate threshold | opbeans-go", - ], "service.name": Array [ "opbeans-go", ], @@ -438,25 +434,34 @@ export default function ApiTest({ getService }: FtrProviderContext) { "event.kind": Array [ "signal", ], - "${ALERT_DURATION}": Array [ + "kibana.alert.duration.us": Array [ 0, ], - "${ALERT_EVALUATION_THRESHOLD}": Array [ + "kibana.alert.evaluation.threshold": Array [ 30, ], - "${ALERT_EVALUATION_VALUE}": Array [ + "kibana.alert.evaluation.value": Array [ 50, ], - "${ALERT_ID}": Array [ + "kibana.alert.id": Array [ "apm.transaction_error_rate_opbeans-go_request_ENVIRONMENT_NOT_DEFINED", ], - "${ALERT_OWNER}": Array [ + "kibana.alert.rule.category": Array [ + "Transaction error rate threshold", + ], + "kibana.alert.rule.consumer": Array [ "apm", ], - "${ALERT_PRODUCER}": Array [ + "kibana.alert.rule.name": Array [ + "Transaction error rate threshold | opbeans-go", + ], + "kibana.alert.rule.producer": Array [ "apm", ], - "${ALERT_STATUS}": Array [ + "kibana.alert.rule.rule_type_id": Array [ + "apm.transaction_error_rate", + ], + "kibana.alert.status": Array [ "open", ], "kibana.space_ids": Array [ @@ -465,15 +470,6 @@ export default function ApiTest({ getService }: FtrProviderContext) { "processor.event": Array [ "transaction", ], - "rule.category": Array [ - "Transaction error rate threshold", - ], - "rule.id": Array [ - "apm.transaction_error_rate", - ], - "rule.name": Array [ - "Transaction error rate threshold | opbeans-go", - ], "service.name": Array [ "opbeans-go", ], 
@@ -545,22 +541,31 @@ export default function ApiTest({ getService }: FtrProviderContext) { "event.kind": Array [ "signal", ], - "${ALERT_EVALUATION_THRESHOLD}": Array [ + "kibana.alert.evaluation.threshold": Array [ 30, ], - "${ALERT_EVALUATION_VALUE}": Array [ + "kibana.alert.evaluation.value": Array [ 50, ], - "${ALERT_ID}": Array [ + "kibana.alert.id": Array [ "apm.transaction_error_rate_opbeans-go_request_ENVIRONMENT_NOT_DEFINED", ], - "${ALERT_OWNER}": Array [ + "kibana.alert.rule.category": Array [ + "Transaction error rate threshold", + ], + "kibana.alert.rule.consumer": Array [ "apm", ], - "${ALERT_PRODUCER}": Array [ + "kibana.alert.rule.name": Array [ + "Transaction error rate threshold | opbeans-go", + ], + "kibana.alert.rule.producer": Array [ "apm", ], - "${ALERT_STATUS}": Array [ + "kibana.alert.rule.rule_type_id": Array [ + "apm.transaction_error_rate", + ], + "kibana.alert.status": Array [ "closed", ], "kibana.space_ids": Array [ @@ -569,15 +574,6 @@ export default function ApiTest({ getService }: FtrProviderContext) { "processor.event": Array [ "transaction", ], - "rule.category": Array [ - "Transaction error rate threshold", - ], - "rule.id": Array [ - "apm.transaction_error_rate", - ], - "rule.name": Array [ - "Transaction error rate threshold | opbeans-go", - ], "service.name": Array [ "opbeans-go", ], diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json index 940ebe5321b9d..81ff007903368 100644 --- a/x-pack/test/functional/es_archives/rule_registry/alerts/data.json +++ b/x-pack/test/functional/es_archives/rule_registry/alerts/data.json 
@@ -6,9 +6,9 @@ "source": { "event.kind" : "signal", "@timestamp": "2020-12-16T15:16:18.570Z", - "rule.id": "apm.error_rate", + "kibana.alert.rule.rule_type_id": "apm.error_rate", "message": "hello world 1", - "kibana.alert.owner": "apm", + "kibana.alert.rule.consumer": "apm", "kibana.alert.status": "open", "kibana.space_ids": ["space1", "space2"] } @@ -23,9 +23,9 @@ "source": { "event.kind" : "signal", "@timestamp": "2020-12-16T15:16:18.570Z", - "rule.id": "apm.error_rate", + "kibana.alert.rule.rule_type_id": "apm.error_rate", "message": "hello world 1", - "kibana.alert.owner": "apm", + "kibana.alert.rule.consumer": "apm", "kibana.alert.status": "open", "kibana.space_ids": ["space1"] } @@ -40,9 +40,9 @@ "source": { "event.kind" : "signal", "@timestamp": "2020-12-16T15:16:18.570Z", - "rule.id": "apm.error_rate", + "kibana.alert.rule.rule_type_id": "apm.error_rate", "message": "hello world 1", - "kibana.alert.owner": "apm", + "kibana.alert.rule.consumer": "apm", "kibana.alert.status": "open", "kibana.space_ids": ["space2"] } @@ -57,9 +57,9 @@ "source": { "event.kind" : "signal", "@timestamp": "2020-12-16T15:16:18.570Z", - "rule.id": "siem.signals", + "kibana.alert.rule.rule_type_id": "siem.signals", "message": "hello world security", - "kibana.alert.owner": "siem", + "kibana.alert.rule.consumer": "siem", "kibana.alert.status": "open", "kibana.space_ids": ["space1", "space2"] } @@ -74,9 +74,9 @@ "source": { "event.kind" : "signal", "@timestamp": "2020-12-16T15:16:18.570Z", - "rule.id": "siem.customRule", + "kibana.alert.rule.rule_type_id": "siem.customRule", "message": "hello world security", - "kibana.alert.owner": "siem", + "kibana.alert.rule.consumer": "siem", "kibana.alert.status": "open", "kibana.space_ids": ["space1", "space2"] } 
@@ -90,9 +90,9 @@ "id": "space1securityalert", "source": { "@timestamp": "2020-12-16T15:16:18.570Z", - "rule.id": "siem.signals", + "kibana.alert.rule.rule_type_id": "siem.signals", "message": "hello world security", - "kibana.alert.owner": "siem", + "kibana.alert.rule.consumer": "siem", "kibana.alert.status": "open", "kibana.space_ids": ["space1"] } @@ -106,9 +106,9 @@ "id": "space2securityalert", "source": { "@timestamp": "2020-12-16T15:16:18.570Z", - "rule.id": "siem.signals", + "kibana.alert.rule.rule_type_id": "siem.signals", "message": "hello world security", - "kibana.alert.owner": "siem", + "kibana.alert.rule.consumer": "siem", "kibana.alert.status": "open", "kibana.space_ids": ["space2"] } diff --git a/x-pack/test/functional/es_archives/rule_registry/alerts/mappings.json b/x-pack/test/functional/es_archives/rule_registry/alerts/mappings.json index 74d50ca402e45..943457ad6cd85 100644 --- a/x-pack/test/functional/es_archives/rule_registry/alerts/mappings.json +++ b/x-pack/test/functional/es_archives/rule_registry/alerts/mappings.json @@ -13,7 +13,7 @@ } } }, - "kibana.alert.owner": { + "kibana.alert.rule.consumer": { "type": "keyword", "ignore_above": 256 } @@ -37,7 +37,7 @@ } } }, - "kibana.alert.owner": { + "kibana.alert.rule.consumer": { "type": "keyword", "ignore_above": 256 } diff --git a/x-pack/test/plugin_functional/plugins/timelines_test/public/applications/timelines_test/index.tsx b/x-pack/test/plugin_functional/plugins/timelines_test/public/applications/timelines_test/index.tsx index 317010aca24bd..585470aff23b2 100644 --- a/x-pack/test/plugin_functional/plugins/timelines_test/public/applications/timelines_test/index.tsx +++ b/x-pack/test/plugin_functional/plugins/timelines_test/public/applications/timelines_test/index.tsx 
@@ -38,7 +38,7 @@ export function renderApp( ReactDOM.unmountComponentAtNode(parameters.element); }; } -const ALERT_CONSUMER = [AlertConsumers.SIEM]; +const ALERT_RULE_CONSUMER = [AlertConsumers.SIEM]; const AppRoot = React.memo( ({ @@ -63,7 +63,7 @@ const AppRoot = React.memo( {(timelinesPluginSetup && timelinesPluginSetup.getTGrid && timelinesPluginSetup.getTGrid<'standalone'>({ - alertConsumers: ALERT_CONSUMER, + alertConsumers: ALERT_RULE_CONSUMER, type: 'standalone', columns: [], indexNames: [], diff --git a/x-pack/test/timeline/security_and_spaces/tests/basic/events.ts b/x-pack/test/timeline/security_and_spaces/tests/basic/events.ts index 12f5012b0b08c..67371338a925f 100644 --- a/x-pack/test/timeline/security_and_spaces/tests/basic/events.ts +++ b/x-pack/test/timeline/security_and_spaces/tests/basic/events.ts @@ -7,7 +7,7 @@ import { JsonObject } from '@kbn/utility-types'; import expect from '@kbn/expect'; -import { ALERT_ID, ALERT_OWNER } from '@kbn/rule-data-utils'; +import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils'; import { User } from '../../../../rule_registry/common/lib/authentication/types'; import { TimelineEdges, TimelineNonEcsData } from '../../../../../plugins/timelines/common/'; @@ -74,7 +74,7 @@ export default ({ getService }: FtrProviderContext) => { field: '@timestamp', }, { - field: ALERT_OWNER, + field: ALERT_RULE_CONSUMER, }, { field: ALERT_ID, @@ -84,7 +84,7 @@ export default ({ getService }: FtrProviderContext) => { }, ], factoryQueryType: TimelineEventsQueries.all, - fieldRequested: ['@timestamp', 'message', ALERT_OWNER, ALERT_ID, 'event.kind'], + fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'], fields: [], filterQuery: { bool: { 
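Review bot: Renaming the local `const ALERT_CONSUMER = [AlertConsumers.SIEM]` to `ALERT_RULE_CONSUMER` gives an array of consumer feature ids exactly the name of the `ALERT_RULE_CONSUMER` field-name constant (`kibana.alert.rule.consumer`) that `@kbn/rule-data-utils` exports and that the other test files in this diff import; anyone grepping for uses of the field will land on this unrelated list. Since it is passed as `alertConsumers`, a plural, list-shaped name avoids the collision: `const TEST_ALERT_CONSUMERS = [AlertConsumers.SIEM];` and `alertConsumers: TEST_ALERT_CONSUMERS,`. The old name did not have this problem, so the rename here is a regression in clarity rather than part of the field migration.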
@@ -149,7 +149,9 @@ export default ({ getService }: FtrProviderContext) => { timeline.edges.every((hit: TimelineEdges) => { const data: TimelineNonEcsData[] = hit.node.data; return data.some(({ field, value }) => { - return field === ALERT_OWNER && featureIds.includes((value && value[0]) ?? ''); + return ( + field === ALERT_RULE_CONSUMER && featureIds.includes((value && value[0]) ?? '') + ); }); }) ).to.equal(true); diff --git a/x-pack/test/timeline/security_and_spaces/tests/trial/events.ts b/x-pack/test/timeline/security_and_spaces/tests/trial/events.ts index c51532967cd09..79fd9e6a4fb0b 100644 --- a/x-pack/test/timeline/security_and_spaces/tests/trial/events.ts +++ b/x-pack/test/timeline/security_and_spaces/tests/trial/events.ts @@ -7,7 +7,7 @@ import { JsonObject } from '@kbn/utility-types'; import expect from '@kbn/expect'; -import { ALERT_ID, ALERT_OWNER } from '@kbn/rule-data-utils'; +import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils'; import { User } from '../../../../rule_registry/common/lib/authentication/types'; import { TimelineEdges, TimelineNonEcsData } from '../../../../../plugins/timelines/common/'; @@ -57,7 +57,7 @@ export default ({ getService }: FtrProviderContext) => { field: '@timestamp', }, { - field: ALERT_OWNER, + field: ALERT_RULE_CONSUMER, }, { field: ALERT_ID, @@ -67,7 +67,7 @@ export default ({ getService }: FtrProviderContext) => { }, ], factoryQueryType: TimelineEventsQueries.all, - fieldRequested: ['@timestamp', 'message', ALERT_OWNER, ALERT_ID, 'event.kind'], + fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'], fields: [], filterQuery: { bool: { 
@@ -131,7 +131,9 @@ export default ({ getService }: FtrProviderContext) => { timeline.edges.every((hit: TimelineEdges) => { const data: TimelineNonEcsData[] = hit.node.data; return data.some(({ field, value }) => { - return field === ALERT_OWNER && featureIds.includes((value && value[0]) ?? ''); + return ( + field === ALERT_RULE_CONSUMER && featureIds.includes((value && value[0]) ?? '') + ); }); }) ).to.equal(true); diff --git a/x-pack/test/timeline/security_only/tests/basic/events.ts b/x-pack/test/timeline/security_only/tests/basic/events.ts index 8c118de8f3287..e1ab3c47e1117 100644 --- a/x-pack/test/timeline/security_only/tests/basic/events.ts +++ b/x-pack/test/timeline/security_only/tests/basic/events.ts @@ -6,7 +6,7 @@ */ import { JsonObject } from '@kbn/utility-types'; -import { ALERT_ID, ALERT_OWNER } from '@kbn/rule-data-utils'; +import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils'; import { getSpaceUrlPrefix } from '../../../../rule_registry/common/lib/authentication/spaces'; @@ -40,7 +40,7 @@ export default ({ getService }: FtrProviderContext) => { field: '@timestamp', }, { - field: ALERT_OWNER, + field: ALERT_RULE_CONSUMER, }, { field: ALERT_ID, @@ -50,7 +50,7 @@ export default ({ getService }: FtrProviderContext) => { }, ], factoryQueryType: TimelineEventsQueries.all, - fieldRequested: ['@timestamp', 'message', ALERT_OWNER, ALERT_ID, 'event.kind'], + fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'], fields: [], filterQuery: { bool: { diff --git a/x-pack/test/timeline/security_only/tests/trial/events.ts b/x-pack/test/timeline/security_only/tests/trial/events.ts index 8c118de8f3287..e1ab3c47e1117 100644 --- a/x-pack/test/timeline/security_only/tests/trial/events.ts +++ b/x-pack/test/timeline/security_only/tests/trial/events.ts 
@@ -6,7 +6,7 @@ */ import { JsonObject } from '@kbn/utility-types'; -import { ALERT_ID, ALERT_OWNER } from '@kbn/rule-data-utils'; +import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils'; import { getSpaceUrlPrefix } from '../../../../rule_registry/common/lib/authentication/spaces'; @@ -40,7 +40,7 @@ export default ({ getService }: FtrProviderContext) => { field: '@timestamp', }, { - field: ALERT_OWNER, + field: ALERT_RULE_CONSUMER, }, { field: ALERT_ID, @@ -50,7 +50,7 @@ export default ({ getService }: FtrProviderContext) => { }, ], factoryQueryType: TimelineEventsQueries.all, - fieldRequested: ['@timestamp', 'message', ALERT_OWNER, ALERT_ID, 'event.kind'], + fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'], fields: [], filterQuery: { bool: { diff --git a/x-pack/test/timeline/spaces_only/tests/events.ts b/x-pack/test/timeline/spaces_only/tests/events.ts index 2c2d221129721..3867279fda7f2 100644 --- a/x-pack/test/timeline/spaces_only/tests/events.ts +++ b/x-pack/test/timeline/spaces_only/tests/events.ts @@ -7,7 +7,7 @@ import { JsonObject } from '@kbn/utility-types'; import expect from '@kbn/expect'; -import { ALERT_ID, ALERT_OWNER } from '@kbn/rule-data-utils'; +import { ALERT_ID, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils'; import { FtrProviderContext } from '../../../rule_registry/common/ftr_provider_context'; import { getSpaceUrlPrefix } from '../../../rule_registry/common/lib/authentication/spaces'; @@ -35,7 +35,7 @@ export default ({ getService }: FtrProviderContext) => { field: '@timestamp', }, { - field: ALERT_OWNER, + field: ALERT_RULE_CONSUMER, }, { field: ALERT_ID, @@ -45,7 +45,7 @@ export default ({ getService }: FtrProviderContext) => { }, ], factoryQueryType: TimelineEventsQueries.all, - fieldRequested: ['@timestamp', 'message', ALERT_OWNER, ALERT_ID, 'event.kind'], + fieldRequested: ['@timestamp', 'message', ALERT_RULE_CONSUMER, ALERT_ID, 'event.kind'], fields: [], filterQuery: { bool: {