[8.19] [AI4DSOC] Change the logic to query the last alert ingested in an integration (#228602)#229767
Merged
PhilippeOberti merged 2 commits intoelastic:8.19from Aug 1, 2025
Merged
Conversation
1 task
Contributor
⏳ Build in-progress, with failures
Failed CI StepsHistory |
logeekal
approved these changes
Jul 29, 2025
…egration (elastic#228602) ## Summary This PR changes the logic used in the AI4DSOC alert summary page integration section to display the last sync value for each integration card displayed at the top of the page In the previous logic we were fetching all dataStreams and use the `last_activity_ms` value to display as the last sync for the integration. We [realized](elastic#220617) that some dataStreams have event not related to ingested alert. For example it could be event mentioning that an error is happening... This meant that the alert summary UI was showing an incorrect last sync value. The new logic leverage a call using ESQL that works as follow: ``` FROM logs-integrationName.alert-default | WHERE event.kind == "alert" | SORT event.ingested DESC | KEEP event.ingested | LIMIT 1 ``` We fetch the information for each integration. We retrieve the last document with `event.kind == 'alert'` then we sort to get the most recent first, select only the `event.ingested` field/value pair and keep only the first document. The value from the `event.ingested` field is then passed to the integration card and displayed for the last sync. The PR also sets up a 30 second interval, to make sure that the values in the integration card last sync section are updated periodically. This will give the user an indication that the rest of the page below (charts and table) might be out of date. https://github.com/user-attachments/assets/b3524777-f994-40dd-90d1-0c757d1ec892 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios elastic#220617 (cherry picked from commit 5729233) # Conflicts: # x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations_last_activity.test.ts
PhilippeOberti
force-pushed
the
backport/8.19/pr-228602
branch
from
1c5ddd7 to
3681375
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto8.19:Questions ?
Please refer to the Backport tool documentation