Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Response Ops][Alerting] Appendable payload fields #169631

Closed
darnautov opened this issue Oct 24, 2023 · 4 comments · Fixed by #174919
Closed

[Response Ops][Alerting] Appendable payload fields #169631

darnautov opened this issue Oct 24, 2023 · 4 comments · Fixed by #174919
Assignees
@darnautov
Labels
discuss Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.13.0

Comments

@darnautov
Copy link
Contributor

In Anomaly Detection alerting rule we have only one active alert per rule, as we use anomaly job ID as an alert name. Alert instance is created when the rule matched the condition and remains active if consecutive buckets also satisfy the criteria. With alerts-as-data integration we're able to examine the duration of alerts, which helps in identifying whether an adjustment to the lookback interval is needed.

image

But we can't keep track of the anomaly score change during the alert duration, as kibana.alert.anomaly_score contains only the latest score before alert is recovered. The user can receive alerts based on interim results, and score can also adjust after the normalization process.
Therefore, it would be beneficial to have the capability to append values to an ADD field, enabling us to preserve changes in the anomaly score over time. This would provide a more comprehensive view of which scores have kept alerts active, compared to the latest results visible in the Anomaly Explorer.
@darnautov darnautov added discuss Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry labels Oct 24, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@ymao1 ymao1 moved this from Awaiting Triage to Todo in AppEx: ResponseOps - Execution & Connectors Oct 26, 2023
@ymao1 ymao1 moved this from Todo to Awaiting Triage in AppEx: ResponseOps - Execution & Connectors Oct 26, 2023
@pmuellr
Copy link
Member

pmuellr commented Oct 26, 2023

We discussed in triage that sending the current alert "doc" into the rule is probably the way we would go. The rule can then modify the existing data or replace completely (which is the only option today).

@mikecote mikecote moved this from Awaiting Triage to Todo in AppEx: ResponseOps - Execution & Connectors Nov 2, 2023
@mikecote
Copy link
Contributor

mikecote commented Nov 2, 2023

@darnautov if the team comes up with a technical approach, would this be a PR you're willing to do? (with our guidance). Not sure what the level of priority is for ML, but this could help unblock you.

@peteharverson
Copy link
Contributor

As discussed with @mikecote and @darnautov , we're happy to work on this - it will allow an enhancement to the work in progress for 8.12, to indicate how the anomaly score changes over the duration of the alert. We'll add it to the tentative plan for 8.13.

@darnautov darnautov mentioned this issue Jan 16, 2024
Merged
3 tasks
darnautov added a commit that referenced this issue Jan 25, 2024
@darnautov
[Response Ops][Alerting] Provide the latest alert payload on reportin…
d497e4b 
…g an existing alert (#174919)

## Summary

Closes #169631 

- Updates the `report` method of the `AlertsClient` to optionally return
the latest alert payload for reported alert instance
- Updates the `kibana.alert.anomaly_score` field to an array type to
preserve an anomaly score history

### Checklist

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
CoenWarmer pushed a commit to CoenWarmer/kibana that referenced this issue Feb 15, 2024
@darnautov @CoenWarmer
[Response Ops][Alerting] Provide the latest alert payload on reportin…
51c242e 
…g an existing alert (elastic#174919)

## Summary

Closes elastic#169631 

- Updates the `report` method of the `AlertsClient` to optionally return
the latest alert payload for reported alert instance
- Updates the `kibana.alert.anomaly_score` field to an array type to
preserve an anomaly score history

### Checklist

- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@darnautov darnautov

Labels
discuss Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.13.0
Projects
No open projects
AppEx: ResponseOps - Execution & Connectors
Status: Done
Milestone
No milestone
5 participants
@pmuellr @mikecote @darnautov @peteharverson @elasticmachine