Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Custom threshold] Save the ECS group by fields at the AAD root level #188241

Merged
merged 2 commits into from
Jul 15, 2024
Merged

[Custom threshold] Save the ECS group by fields at the AAD root level #188241

merged 2 commits into from
Jul 15, 2024

Conversation

maryam-saeidi
Copy link
Member

@maryam-saeidi maryam-saeidi commented Jul 12, 2024
edited
Loading

Related to #183220

Summary

This PR saves the ECS group by fields at the AAD root level.

Group by fields AAD document
image image

🧪 How to test

  • Create a custom threshold rule with multiple groups (both ECS and non-ECS fields)
  • Check the related AAD document; you should be able to see the ECS fields at the root level and not seeing non-ECS fields there
  • Check the same information for the recovered alerts
  • Rules without group by should work as before

@maryam-saeidi maryam-saeidi added release_note:feature Makes this part of the condensed release notes Feature: Custom threshold Observability custom threshold rule type labels Jul 12, 2024
@maryam-saeidi maryam-saeidi self-assigned this Jul 12, 2024
@maryam-saeidi maryam-saeidi requested a review from a team as a code owner July 12, 2024 15:20
@botelastic botelastic bot added ci:project-deploy-observability Create an Observability project Team:obs-ux-management Observability Management User Experience Team labels Jul 12, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

@obltmachine
Copy link

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@maryam-saeidi maryam-saeidi mentioned this pull request Jul 12, 2024
Closed
7 tasks
dominiqueclarke
dominiqueclarke reviewed Jul 12, 2024
View reviewed changes
Copy link
Contributor

@dominiqueclarke dominiqueclarke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My event.action is a different value on the nested field versus the root field

Screenshot 2024-07-12 at 4 56 42 PM Screenshot 2024-07-12 at 4 58 15 PM

@maryam-saeidi
Copy link
Member Author

maryam-saeidi commented Jul 13, 2024
edited
Loading

My event.action is a different value on the nested field versus the root field

@dominiqueclarke Good catch! (I don't know how you found this case; I am glad that we are aware of it now. Thanks!)
I checked bolt-lite, and this field is something that is added by the alerting framework, so it will override the value that we are passing.
Do you think it should be handled differently? I feel like we can first focus on adding the fields that are not shared with the alerting framework and accept not having this field available for now, users can still filter it from kibana.alert.group if they want to. What do you think?

@elasticmachine
Copy link
Contributor

elasticmachine commented Jul 15, 2024
edited
Loading

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

cc @maryam-saeidi

dominiqueclarke
dominiqueclarke approved these changes Jul 15, 2024
View reviewed changes
Copy link
Contributor

@dominiqueclarke dominiqueclarke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@maryam-saeidi maryam-saeidi merged commit 913a80a into elastic:main Jul 15, 2024
23 checks passed
@maryam-saeidi maryam-saeidi deleted the 183220-save-ecs-groups-in-aad-ct branch July 15, 2024 14:01
@kibanamachine kibanamachine added v8.16.0 backport:skip This commit does not require backporting labels Jul 15, 2024
This was referenced Jul 17, 2024
Open
Merged
maryam-saeidi added a commit that referenced this pull request Jul 19, 2024
@maryam-saeidi
[Custom threshold] Fix adding ECS groups multiple times to recovered …
80ea217 
…alert context (#188629)

## Summary

Fix adding ECS group fields to the recovered alert document for the
custom threshold rule; previously
([PR](#188241)), it was added to
the context instead of the root level.

|Before|After|
|---|---|

|![image](https://github.com/user-attachments/assets/4e733454-7a89-4f89-9d0f-9abe396f6437)|![image](https://github.com/user-attachments/assets/8c043966-8a59-451d-99e8-1267dd08569e)|

The ECS group by fields should be in AAD for all alerts:
|Active|Recovered|No data|
|---|---|---|

|![image](https://github.com/user-attachments/assets/68181106-df92-4b1d-be0c-3471c28d2207)|![image](https://github.com/user-attachments/assets/0bc3b38b-f1f6-4e05-b565-7b7a1a6896f5)|![image](https://github.com/user-attachments/assets/f6950b3f-bc47-48b1-ad8d-3a8ecabc8bd8)|
@jasonrhodes jasonrhodes mentioned this pull request Aug 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dominiqueclarke dominiqueclarke dominiqueclarke approved these changes

Assignees

@maryam-saeidi maryam-saeidi

Labels
backport:skip This commit does not require backporting ci:project-deploy-observability Create an Observability project Feature: Custom threshold Observability custom threshold rule type release_note:feature Makes this part of the condensed release notes Team:obs-ux-management Observability Management User Experience Team v8.16.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@maryam-saeidi @elasticmachine @obltmachine @dominiqueclarke @kibanamachine