[ML] Alerts as data integration for Anomaly Detection rule type

packages/kbn-alerts-as-data-utils/src/field_maps/types.ts

@@ -34,6 +34,7 @@ export interface EcsMetadata {
   scaling_factor?: number;
   short: string;
   type: string;
+  properties?: Record<string, { type: string }>;
 }
 
 export interface FieldMap {
@@ -50,5 +51,6 @@ export interface FieldMap {
     path?: string;
     scaling_factor?: number;
     dynamic?: boolean | 'strict';
+    properties?: Record<string, { type: string }>;
   };
 }

packages/kbn-alerts-as-data-utils/src/schemas/create_schema_from_field_map.ts

@@ -198,6 +198,7 @@ const generateSchemaLines = ({
         break;
       case 'float':
       case 'integer':
+      case 'double':
         lineWriter.addLine(`${keyToWrite}: ${getSchemaDefinition('schemaNumber', isArray)},`);
         break;
       case 'boolean':

packages/kbn-alerts-as-data-utils/src/schemas/generated/ml_anomaly_detection_schema.ts

@@ -0,0 +1,120 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+// ---------------------------------- WARNING ----------------------------------
+// this file was generated, and should not be edited by hand
+// ---------------------------------- WARNING ----------------------------------
+import * as rt from 'io-ts';
+import { Either } from 'fp-ts/lib/Either';
+import { AlertSchema } from './alert_schema';
+const ISO_DATE_PATTERN = /^d{4}-d{2}-d{2}Td{2}:d{2}:d{2}.d{3}Z$/;
+export const IsoDateString = new rt.Type<string, string, unknown>(
+  'IsoDateString',
+  rt.string.is,
+  (input, context): Either<rt.Errors, string> => {
+    if (typeof input === 'string' && ISO_DATE_PATTERN.test(input)) {
+      return rt.success(input);
+    } else {
+      return rt.failure(input, context);
+    }
+  },
+  rt.identity
+);
+export type IsoDateStringC = typeof IsoDateString;
+export const schemaDate = IsoDateString;
+export const schemaDateArray = rt.array(IsoDateString);
+export const schemaDateRange = rt.partial({
+  gte: schemaDate,
+  lte: schemaDate,
+});
+export const schemaDateRangeArray = rt.array(schemaDateRange);
+export const schemaUnknown = rt.unknown;
+export const schemaUnknownArray = rt.array(rt.unknown);
+export const schemaString = rt.string;
+export const schemaStringArray = rt.array(schemaString);
+export const schemaNumber = rt.number;
+export const schemaNumberArray = rt.array(schemaNumber);
+export const schemaStringOrNumber = rt.union([schemaString, schemaNumber]);
+export const schemaStringOrNumberArray = rt.array(schemaStringOrNumber);
+export const schemaBoolean = rt.boolean;
+export const schemaBooleanArray = rt.array(schemaBoolean);
+const schemaGeoPointCoords = rt.type({
+  type: schemaString,
+  coordinates: schemaNumberArray,
+});
+const schemaGeoPointString = schemaString;
+const schemaGeoPointLatLon = rt.type({
+  lat: schemaNumber,
+  lon: schemaNumber,
+});
+const schemaGeoPointLocation = rt.type({
+  location: schemaNumberArray,
+});
+const schemaGeoPointLocationString = rt.type({
+  location: schemaString,
+});
+export const schemaGeoPoint = rt.union([
+  schemaGeoPointCoords,
+  schemaGeoPointString,
+  schemaGeoPointLatLon,
+  schemaGeoPointLocation,
+  schemaGeoPointLocationString,
+]);
+export const schemaGeoPointArray = rt.array(schemaGeoPoint);
+// prettier-ignore
+const MlAnomalyDetectionAlertRequired = rt.type({
+  kibana: rt.type({
+    alert: rt.type({
+      job_id: schemaString,
+    }),
+  }),
+});
+const MlAnomalyDetectionAlertOptional = rt.partial({
+  kibana: rt.partial({
+    alert: rt.partial({
+      anomaly_score: schemaNumber,
+      anomaly_timestamp: schemaDate,
+      is_interim: schemaBoolean,
+      top_influencers: rt.array(
+        rt.partial({
+          influencer_field_name: schemaString,
+          influencer_field_value: schemaString,
+          influencer_score: schemaNumber,
+          initial_influencer_score: schemaNumber,
+          is_interim: schemaBoolean,
+          job_id: schemaString,
+          timestamp: schemaDate,
+        })
+      ),
+      top_records: rt.array(
+        rt.partial({
+          actual: schemaNumber,
+          by_field_name: schemaString,
+          by_field_value: schemaString,
+          detector_index: schemaNumber,
+          field_name: schemaString,
+          function: schemaString,
+          initial_record_score: schemaNumber,
+          is_interim: schemaBoolean,
+          job_id: schemaString,
+          over_field_name: schemaString,
+          over_field_value: schemaString,
+          partition_field_name: schemaString,
+          partition_field_value: schemaString,
+          record_score: schemaNumber,
+          timestamp: schemaDate,
+          typical: schemaNumber,
+        })
+      ),
+    }),
+  }),
+});
+
+// prettier-ignore
+export const MlAnomalyDetectionAlertSchema = rt.intersection([MlAnomalyDetectionAlertRequired, MlAnomalyDetectionAlertOptional, AlertSchema]);
+// prettier-ignore
+export type MlAnomalyDetectionAlert = rt.TypeOf<typeof MlAnomalyDetectionAlertSchema>;

packages/kbn-alerts-as-data-utils/src/schemas/index.ts

@@ -13,6 +13,7 @@ import type { ObservabilityMetricsAlert } from './generated/observability_metric
 import type { ObservabilitySloAlert } from './generated/observability_slo_schema';
 import type { ObservabilityUptimeAlert } from './generated/observability_uptime_schema';
 import type { SecurityAlert } from './generated/security_schema';
+import type { MlAnomalyDetectionAlert } from './generated/ml_anomaly_detection_schema';
 
 export * from './create_schema_from_field_map';
 
@@ -24,6 +25,7 @@ export type { ObservabilitySloAlert } from './generated/observability_slo_schema
 export type { ObservabilityUptimeAlert } from './generated/observability_uptime_schema';
 export type { SecurityAlert } from './generated/security_schema';
 export type { StackAlert } from './generated/stack_schema';
+export type { MlAnomalyDetectionAlert } from './generated/ml_anomaly_detection_schema';
 
 export type AADAlert =
   | Alert
@@ -32,4 +34,5 @@ export type AADAlert =
   | ObservabilityMetricsAlert
   | ObservabilitySloAlert
   | ObservabilityUptimeAlert
-  | SecurityAlert;
+  | SecurityAlert
+  | MlAnomalyDetectionAlert;

x-pack/plugins/alerting/common/alert_schema/context_to_schema_name.ts

@@ -9,7 +9,7 @@ import { capitalize } from 'lodash';
 
 export const contextToSchemaName = (context: string) => {
   return `${context
-    .split('.')
+    .split(/[.\-]/)
     .map((part: string) => capitalize(part))
     .join('')}Alert`;
 };

x-pack/plugins/ml/common/types/alerts.ts

@@ -44,6 +44,35 @@ interface BaseAnomalyAlertDoc {
   unique_key: string;
 }
 
+export interface TopRecordAADDoc {
+  job_id: string;
+  record_score: number;
+  initial_record_score: number;
+  timestamp: number;
+  is_interim: boolean;
+  function: string;
+  field_name?: string;
+  by_field_name?: string;
+  by_field_value?: string | number;
+  over_field_name?: string;
+  over_field_value?: string | number;
+  partition_field_name?: string;
+  partition_field_value?: string | number;
+  typical: number[];
+  actual: number[];
+  detector_index: number;
+}
+
+export interface TopInfluencerAADDoc {
+  job_id: string;
+  influencer_score: number;
+  initial_influencer_score: number;
+  is_interim: boolean;
+  timestamp: number;
+  influencer_field_name: string;
+  influencer_field_value: string | number;
+}
+
 export interface RecordAnomalyAlertDoc extends BaseAnomalyAlertDoc {
   result_type: typeof ML_ANOMALY_RESULT_TYPE.RECORD;
   function: string;