Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ResponseOps] move alert UUID generation from rule registry to alerting framework #142874

Closed
pmuellr opened this issue Oct 6, 2022 · 1 comment · Fixed by #143489
Closed

[ResponseOps] move alert UUID generation from rule registry to alerting framework #142874

pmuellr opened this issue Oct 6, 2022 · 1 comment · Fixed by #143489
Assignees
@pmuellr
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@pmuellr
Copy link
Member

pmuellr commented Oct 6, 2022

Currently the Rule Registry generates a unique UUID for every alert, which will be reused when the same alert with the same id is active during the next execution. When the alert recovers, and becomes active again, with the same alert id, a new UUID will be generated.

This functionality needs to be moved into the alerting framework itself, so it can manage the UUIDs. Instead of the Rule Registry generating the UUID, we'll make it available via the alert functions from the alert factory.

This is a blocker to implement flapping alert detection in alerting, as per current design, alerts that are flapping will reuse the same UUID even after they recover. Only after the alert is no long flapping will the UUID stop being used. Because the alerting framework determines flapping state, and because the rule registry operates as a "wrapper" over the existing alert executors it's used with, the easiest way to deal with this is to have the alerting framework generate the UUID.

Additional advantage - assuming we write these UUIDs into the event log, we'll be able to "join" over this field in searches over the event log and AAD indices combined.

Another advantage is that we'll save some space. The rule registry currently "wraps" a rule's task state to maintain the alert id / uuid relationship. Below is an example of what the task state looks like for a rule with one alert.

The Rule Registry takes the task state returned by a rule, set's it to be the value of the wrapped property, and then adds trackedAlerts which contains the id / uuid mapping. The other top-level properties are maintained by the alerting framework. And you can see that alertInstances contains everything in trackedAlerts but the alert UUID. So, we should be able to remove this wrapped wrapping completely, once we add the alert UUID to ... state? meta? not sure where.

That implies either a migration, or having code that can read both the old wrapped style or new unwrapped style (and presumably always write the new style). But we typically handle these with migrations.

{
  "alertTypeState": {
    "wrapped": {
      "groups": [ "some-thing, metricbeat" ],
      "groupBy": [ "fields.eks_cluster_name", "agent.type" ],
      "filterQuery": ""
    },
    "trackedAlerts": {
      "some-thing, metricbeat": {
        "alertId": "some-thing, metricbeat",
        "alertUuid": "5cee8f86-5d0b-4d4a-92f7-a3c731b7ecc3",
        "started": "2022-03-11T20:46:24.170Z"
      },
    }
  },
  "alertInstances": {
    "some-thing, metricbeat": {
      "state": {
        "start": "2022-03-11T20:46:24.383Z",
        "duration": 16913558599000000
      },
      "meta": {
        "lastScheduledActions": {
          "group": "metrics.threshold.fired",
          "date": "2022-03-11T20:46:24.390Z"
        }
      }
    },
  },
  "previousStartedAt": "2022-09-23T14:59:02.346Z"
}
@pmuellr pmuellr added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework labels Oct 6, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@pmuellr pmuellr mentioned this issue Oct 6, 2022
Open
10 tasks
@mikecote mikecote moved this from Awaiting Triage to Todo in AppEx: ResponseOps - Execution & Connectors Oct 6, 2022
@pmuellr pmuellr self-assigned this Oct 6, 2022
@mikecote mikecote moved this from Todo to In Progress in AppEx: ResponseOps - Execution & Connectors Oct 17, 2022
@pmuellr pmuellr mentioned this issue Oct 18, 2022
Merged
3 tasks
pmuellr added a commit to pmuellr/kibana that referenced this issue Nov 9, 2022
@pmuellr
[ResponseOps] move alert UUID generation from rule registry to alerti…
08868bd 
…ng framework

resolves elastic#142874
@mikecote mikecote moved this from In Progress to Blocked / On hold in AppEx: ResponseOps - Execution & Connectors Jan 23, 2023
@ymao1 ymao1 mentioned this issue Jan 26, 2023
Closed
@mikecote mikecote moved this from Blocked / On hold to In Progress in AppEx: ResponseOps - Execution & Connectors Feb 2, 2023
pmuellr added a commit that referenced this issue Apr 3, 2023
@pmuellr
[ResponseOps] move alert UUID generation from rule registry to the al…
cd727fa 
…erting framework (#143489)

resolves #142874

The alerting framework now generates an alert UUID for every alert it
creates. The UUID will be reused for alerts which continue to be active
on subsequent runs, until the alert recovers. When the same alert (alert
instance id) becomes active again, a new UUID will be generated. These
UUIDs then identify a "span" of events for a single alert.

The rule registry plugin was already adding these UUIDs to it's own
alerts-as-data indices, and that code has now been changed to make use
of the new UUID the alerting framework generates.

- adds property in the rule task state
`alertInstances[alertInstanceId].meta.uuid`; this is where the alert
UUID is persisted across runs
- adds a new `Alert` method getUuid(): string` that can be used by rule
executors to obtain the UUID of the alert they just retrieved from the
factory; the rule registry uses this to get the UUID generated by the
alerting framework
- for the event log, adds the property `kibana.alert.uuid` to
`*-instance` event log events; this is the same field the rule registry
writes into the alerts-as-data indices
- various changes to tests to accommodate new UUID data / methods
- migrates the UUID previous stored with lifecycle alerts in the alert
state, via the rule registry *INTO* the new `meta.uuid` field in the
existing alert state.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pmuellr pmuellr

Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
No open projects
AppEx: ResponseOps - Execution & Connectors
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[ResponseOps] move alert UUID generation from rule registry to the alerting framework pmuellr/kibana
2 participants
@pmuellr @elasticmachine