From f93b190d4cf3ff4da22903677324344959d327ea Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Fri, 28 May 2021 13:53:29 -0400 Subject: [PATCH 1/7] Adding new fields to event log mapping --- .../plugins/event_log/generated/mappings.json | 26 ++++++++++++++++--- x-pack/plugins/event_log/generated/schemas.ts | 10 ++++++- x-pack/plugins/event_log/scripts/mappings.js | 26 ++++++++++++++++--- 3 files changed, 55 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/event_log/generated/mappings.json b/x-pack/plugins/event_log/generated/mappings.json index f2515d0a6a8fb5..127d15d263e115 100644 --- a/x-pack/plugins/event_log/generated/mappings.json +++ b/x-pack/plugins/event_log/generated/mappings.json @@ -239,15 +239,35 @@ }, "alerting": { "properties": { - "instance_id": { + "action_group_id": { "type": "keyword", "ignore_above": 1024 }, - "action_group_id": { + "action_subgroup": { "type": "keyword", "ignore_above": 1024 }, - "action_subgroup": { + "instance_id": { + "type": "keyword", + "ignore_above": 1024 + }, + "primary_saved_object": { + "properties": { + "id": { + "type": "keyword", + "ignore_above": 1024 + }, + "type": { + "type": "keyword", + "ignore_above": 1024 + }, + "namespace": { + "type": "keyword", + "ignore_above": 1024 + } + } + }, + "rule_type_id": { "type": "keyword", "ignore_above": 1024 }, diff --git a/x-pack/plugins/event_log/generated/schemas.ts b/x-pack/plugins/event_log/generated/schemas.ts index 31d8b7201cfc61..812d65edf1b63e 100644 --- a/x-pack/plugins/event_log/generated/schemas.ts +++ b/x-pack/plugins/event_log/generated/schemas.ts 
@@ -103,9 +103,17 @@ export const EventSchema = schema.maybe( server_uuid: ecsString(), alerting: schema.maybe( schema.object({ - instance_id: ecsString(), action_group_id: ecsString(), action_subgroup: ecsString(), + instance_id: ecsString(), + primary_saved_object: schema.maybe( + schema.object({ + id: ecsString(), + type: ecsString(), + namespace: ecsString(), + }) + ), + rule_type_id: ecsString(), status: ecsString(), }) ), diff --git a/x-pack/plugins/event_log/scripts/mappings.js b/x-pack/plugins/event_log/scripts/mappings.js index a7e5f4ae6cb1e7..805692ec6222cc 100644 --- a/x-pack/plugins/event_log/scripts/mappings.js +++ b/x-pack/plugins/event_log/scripts/mappings.js @@ -20,15 +20,35 @@ exports.EcsCustomPropertyMappings = { // alerting specific fields alerting: { properties: { - instance_id: { + action_group_id: { type: 'keyword', ignore_above: 1024, }, - action_group_id: { + action_subgroup: { type: 'keyword', ignore_above: 1024, }, - action_subgroup: { + instance_id: { + type: 'keyword', + ignore_above: 1024, + }, + primary_saved_object: { + properties: { + id: { + type: 'keyword', + ignore_above: 1024, + }, + type: { + type: 'keyword', + ignore_above: 1024, + }, + namespace: { + type: 'keyword', + ignore_above: 1024, + }, + }, + }, + rule_type_id: { type: 'keyword', ignore_above: 1024, }, From 9fc0b8f7dd62787ce056746ad9e2041a67d13734 Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Fri, 28 May 2021 14:34:45 -0400 Subject: [PATCH 2/7] Populating new event log fields when executing rules and actions --- .../actions/server/lib/action_executor.ts | 7 + .../create_execution_handler.test.ts | 5 + .../task_runner/create_execution_handler.ts | 8 +- .../server/task_runner/task_runner.test.ts | 132 ++++++++++++++++++ .../server/task_runner/task_runner.ts | 45 +++++- .../tests/actions/execute.ts | 6 + .../spaces_only/tests/alerting/event_log.ts | 20 ++- 7 files changed, 218 insertions(+), 5 deletions(-) 
diff --git a/x-pack/plugins/actions/server/lib/action_executor.ts b/x-pack/plugins/actions/server/lib/action_executor.ts index b08985e516f84f..976541025fb2f1 100644 --- a/x-pack/plugins/actions/server/lib/action_executor.ts +++ b/x-pack/plugins/actions/server/lib/action_executor.ts @@ -124,6 +124,13 @@ export class ActionExecutor { const event: IEvent = { event: { action: EVENT_LOG_ACTIONS.execute }, kibana: { + alerting: { + primary_saved_object: { + id: actionId, + type: 'action', + ...namespace, + }, + }, saved_objects: [ { rel: SAVED_OBJECT_REL_PRIMARY, diff --git a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts index 120ab6de296dd8..5ed57deca12a57 100644 --- a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts +++ b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts @@ -160,6 +160,11 @@ test('enqueues execution per selected action', async () => { "action_group_id": "default", "action_subgroup": undefined, "instance_id": "2", + "primary_saved_object": Object { + "id": "1", + "type": "alert", + }, + "rule_type_id": "test", }, "saved_objects": Array [ Object { diff --git a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts index 2ecf5404856954..a2ad43d4cccf33 100644 --- a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts +++ b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts 
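Review bot: In the action_executor.ts hunk the connector's identity is now written twice in one event literal, once as `kibana.alerting.primary_saved_object` and once as the `saved_objects` entry carrying `rel: SAVED_OBJECT_REL_PRIMARY`, and nothing ties the two copies together. A consumer of the event log then has two fields that can disagree after a later edit to either one. I would build the value once, `const primary = { type: 'action', id: actionId, ...namespace };`, and use `primary_saved_object: primary` and `{ rel: SAVED_OBJECT_REL_PRIMARY, ...primary }`. The same duplication appears in the create_execution_handler.ts and task_runner.ts hunks of this patch. The event literal continues outside the hunk.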
@@ -176,9 +176,15 @@ export function createExecutionHandler< event: { action: EVENT_LOG_ACTIONS.executeAction }, kibana: { alerting: { - instance_id: alertInstanceId, action_group_id: actionGroup, action_subgroup: actionSubgroup, + instance_id: alertInstanceId, + primary_saved_object: { + id: alertId, + type: 'alert', + ...namespace, + }, + rule_type_id: alertType.id, }, saved_objects: [ { rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', id: alertId, ...namespace }, diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts index 9c5ef25e5dfa0c..a346b2f2c8f717 100644 --- a/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts +++ b/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts @@ -270,6 +270,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "ok", }, "saved_objects": Array [ @@ -378,6 +384,12 @@ describe('Task Runner', () => { action_group_id: 'default', action_subgroup: 'subDefault', instance_id: '1', + primary_saved_object: { + id: '1', + namespace: undefined, + type: 'alert', + }, + rule_type_id: 'test', }, saved_objects: [ { @@ -399,6 +411,12 @@ describe('Task Runner', () => { instance_id: '1', action_group_id: 'default', action_subgroup: 'subDefault', + primary_saved_object: { + id: '1', + namespace: undefined, + type: 'alert', + }, + rule_type_id: 'test', }, saved_objects: [ { @@ -421,6 +439,12 @@ describe('Task Runner', () => { instance_id: '1', action_group_id: 'default', action_subgroup: 'subDefault', + primary_saved_object: { + id: '1', + namespace: undefined, + type: 'alert', + }, + rule_type_id: 'test', }, saved_objects: [ { 
@@ -447,6 +471,12 @@ describe('Task Runner', () => { }, kibana: { alerting: { + primary_saved_object: { + id: '1', + namespace: undefined, + type: 'alert', + }, + rule_type_id: 'test', status: 'active', }, saved_objects: [ @@ -524,6 +554,12 @@ describe('Task Runner', () => { alerting: { action_group_id: 'default', instance_id: '1', + primary_saved_object: { + id: '1', + namespace: undefined, + type: 'alert', + }, + rule_type_id: 'test', }, saved_objects: [ { @@ -544,6 +580,12 @@ describe('Task Runner', () => { alerting: { instance_id: '1', action_group_id: 'default', + primary_saved_object: { + id: '1', + namespace: undefined, + type: 'alert', + }, + rule_type_id: 'test', }, saved_objects: [ { @@ -564,6 +606,12 @@ describe('Task Runner', () => { }, kibana: { alerting: { + primary_saved_object: { + id: '1', + namespace: undefined, + type: 'alert', + }, + rule_type_id: 'test', status: 'active', }, saved_objects: [ @@ -695,6 +743,12 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "1", + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -717,6 +771,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "active", }, "saved_objects": Array [ @@ -924,6 +984,12 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "1", + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", }, "saved_objects": Array [ Object { 
@@ -946,6 +1012,12 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "1", + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -969,6 +1041,12 @@ describe('Task Runner', () => { "action_group_id": "default", "action_subgroup": undefined, "instance_id": "1", + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -996,6 +1074,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "active", }, "saved_objects": Array [ @@ -1379,6 +1463,12 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "2", + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -1401,6 +1491,12 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "1", + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -1423,6 +1519,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "active", }, "saved_objects": Array [ @@ -1633,6 +1735,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ 
@@ -1692,6 +1800,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ @@ -1759,6 +1873,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ @@ -1826,6 +1946,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ @@ -1892,6 +2018,12 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { + "primary_saved_object": Object { + "id": "1", + "namespace": undefined, + "type": "alert", + }, + "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.ts index 043f30ddca3712..06660c17ce1ed5 100644 --- a/x-pack/plugins/alerting/server/task_runner/task_runner.ts +++ b/x-pack/plugins/alerting/server/task_runner/task_runner.ts @@ -331,6 +331,7 @@ export class TaskRunner< alertId, alertLabel, namespace, + ruleTypeId: alert.alertTypeId, }); if (!muteAll) { @@ -488,6 +489,14 @@ export class TaskRunner< '@timestamp': runDate, event: { action: EVENT_LOG_ACTIONS.execute }, kibana: { + alerting: { + primary_saved_object: { + id: alertId, + type: 'alert', + namespace, + }, + rule_type_id: this.alertType.id, + }, saved_objects: [ { rel: SAVED_OBJECT_REL_PRIMARY, 
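Review bot: The two task_runner.ts hunks take the rule type from different places: the instance events are given `ruleTypeId: alert.alertTypeId` at `@@ -331,6 +331,7 @@`, while the `execute` event at `@@ -488,6 +489,14 @@` writes `rule_type_id: this.alertType.id`. The two are presumably equal at run time, but nothing in the diff establishes that, and anyone filtering the event log on `kibana.alerting.rule_type_id` expects every event of one run to carry the same value. Assuming `this.alertType` is in scope in the first hunk as it is in the second, I would pass `ruleTypeId: this.alertType.id` there so the field has a single source. Both enclosing methods start and end outside the hunks.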
@@ -598,6 +607,7 @@ interface GenerateNewAndRecoveredInstanceEventsParams< alertId: string; alertLabel: string; namespace: string | undefined; + ruleTypeId: string; } function generateNewAndRecoveredInstanceEvents< @@ -611,6 +621,7 @@ function generateNewAndRecoveredInstanceEvents< currentAlertInstances, originalAlertInstances, recoveredAlertInstances, + ruleTypeId, } = params; const originalAlertInstanceIds = Object.keys(originalAlertInstances); const currentAlertInstanceIds = Object.keys(currentAlertInstances); @@ -621,14 +632,28 @@ function generateNewAndRecoveredInstanceEvents< const { group: actionGroup, subgroup: actionSubgroup } = recoveredAlertInstances[id].getLastScheduledActions() ?? {}; const message = `${params.alertLabel} instance '${id}' has recovered`; - logInstanceEvent(id, EVENT_LOG_ACTIONS.recoveredInstance, message, actionGroup, actionSubgroup); + logInstanceEvent( + id, + EVENT_LOG_ACTIONS.recoveredInstance, + message, + ruleTypeId, + actionGroup, + actionSubgroup + ); } for (const id of newIds) { const { actionGroup, subgroup: actionSubgroup } = currentAlertInstances[id].getScheduledActionOptions() ?? {}; const message = `${params.alertLabel} created new instance: '${id}'`; - logInstanceEvent(id, EVENT_LOG_ACTIONS.newInstance, message, actionGroup, actionSubgroup); + logInstanceEvent( + id, + EVENT_LOG_ACTIONS.newInstance, + message, + ruleTypeId, + actionGroup, + actionSubgroup + ); } for (const id of currentAlertInstanceIds) { 
@@ -639,13 +664,21 @@ function generateNewAndRecoveredInstanceEvents< ? `actionGroup(subgroup): '${actionGroup}(${actionSubgroup})'` : `actionGroup: '${actionGroup}'` }`; - logInstanceEvent(id, EVENT_LOG_ACTIONS.activeInstance, message, actionGroup, actionSubgroup); + logInstanceEvent( + id, + EVENT_LOG_ACTIONS.activeInstance, + message, + ruleTypeId, + actionGroup, + actionSubgroup + ); } function logInstanceEvent( instanceId: string, action: string, message: string, + ruleId: string, group?: string, subgroup?: string ) { @@ -658,6 +691,12 @@ function generateNewAndRecoveredInstanceEvents< instance_id: instanceId, ...(group ? { action_group_id: group } : {}), ...(subgroup ? { action_subgroup: subgroup } : {}), + primary_saved_object: { + id: alertId, + type: 'alert', + namespace, + }, + rule_type_id: ruleId, }, saved_objects: [ { diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts b/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts index 03ae0e6daf9333..3c4a266c645441 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts @@ -544,6 +544,12 @@ export default function ({ getService }: FtrProviderContext) { expect(event?.event?.outcome).to.equal(outcome); + expect(event?.kibana?.alerting?.primary_saved_object).to.eql({ + type: 'action', + id: connectorId, + namespace: spaceId, + }); + expect(event?.kibana?.saved_objects).to.eql([ { rel: 'primary', diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts index 5d54fe3d2b1f78..1aae5a9188b88c 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts 
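Review bot: `logInstanceEvent` names its new fourth parameter `ruleId`, but all three call sites pass `ruleTypeId` and the value is written to `rule_type_id`; in this same event the rule's id is `alertId` (it goes to `primary_saved_object.id`), so the name invites passing the wrong value later. The helper appears to read `alertId` and `namespace` from the enclosing `generateNewAndRecoveredInstanceEvents` scope already, so it could read `ruleTypeId` the same way and write `rule_type_id: ruleTypeId,`, which also avoids inserting a required positional argument ahead of the optional `group` and `subgroup`. If the parameter stays, rename it to `ruleTypeId: string,`. The helper's body ends outside the hunk.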
@@ -127,6 +127,7 @@ export default function eventLogTests({ getService }: FtrProviderContext) { switch (event?.event?.action) { case 'execute': validateEvent(event, { + ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], outcome: 'success', @@ -136,6 +137,7 @@ export default function eventLogTests({ getService }: FtrProviderContext) { break; case 'execute-action': validateEvent(event, { + ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, savedObjects: [ { type: 'alert', id: alertId, rel: 'primary' }, @@ -163,6 +165,7 @@ export default function eventLogTests({ getService }: FtrProviderContext) { function validateInstanceEvent(event: IValidatedEvent, subMessage: string) { validateEvent(event, { + ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], message: `test.patternFiring:${alertId}: 'abc' ${subMessage}`, @@ -259,6 +262,7 @@ export default function eventLogTests({ getService }: FtrProviderContext) { switch (event?.event?.action) { case 'execute': validateEvent(event, { + ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], outcome: 'success', @@ -271,6 +275,7 @@ export default function eventLogTests({ getService }: FtrProviderContext) { [firstSubgroup, secondSubgroup].includes(event?.kibana?.alerting?.action_subgroup!) ).to.be(true); validateEvent(event, { + ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, savedObjects: [ { type: 'alert', id: alertId, rel: 'primary' }, 
@@ -304,6 +309,7 @@ export default function eventLogTests({ getService }: FtrProviderContext) { function validateInstanceEvent(event: IValidatedEvent, subMessage: string) { validateEvent(event, { + ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], message: `test.patternFiring:${alertId}: 'abc' ${subMessage}`, @@ -344,6 +350,7 @@ export default function eventLogTests({ getService }: FtrProviderContext) { expect(event).to.be.ok(); validateEvent(event, { + ruleTypeId: 'test.throw', spaceId: Spaces.space1.id, savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], outcome: 'failure', @@ -367,6 +374,7 @@ interface ValidateEventLogParams { savedObjects: SavedObject[]; outcome?: string; message: string; + ruleTypeId: string; errorMessage?: string; status?: string; actionGroupId?: string; @@ -376,7 +384,7 @@ interface ValidateEventLogParams { export function validateEvent(event: IValidatedEvent, params: ValidateEventLogParams): void { const { spaceId, savedObjects, outcome, message, errorMessage } = params; - const { status, actionGroupId, instanceId, reason } = params; + const { status, actionGroupId, instanceId, reason, ruleTypeId } = params; if (status) { expect(event?.kibana?.alerting?.status).to.be(status); @@ -416,6 +424,16 @@ export function validateEvent(event: IValidatedEvent, params: ValidateEventLogPa expect(event?.event?.outcome).to.equal(outcome); + expect(event?.kibana?.alerting?.rule_type_id).to.be(ruleTypeId); + + const primarySavedObject = savedObjects.find((obj) => obj.rel === 'primary'); + if (primarySavedObject) { + expect(event?.kibana?.alerting?.primary_saved_object).to.eql({ + id: primarySavedObject.id, + type: primarySavedObject.type, + }); + } + for (const savedObject of savedObjects) { expect( isSavedObjectInEvent(event, spaceId, savedObject.type, savedObject.id, savedObject.rel) From 31c439f09257a460505b325c2fdaa904717539cf Mon Sep 17 00:00:00 2001 
From: Ying Mao Date: Fri, 28 May 2021 16:14:49 -0400 Subject: [PATCH 3/7] Fixing functional tests --- .../security_and_spaces/tests/alerting/event_log.ts | 1 + .../spaces_only/tests/alerting/event_log.ts | 1 + 2 files changed, 2 insertions(+) diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/event_log.ts b/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/event_log.ts index 825ade55cb4b05..377002e18ff428 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/event_log.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/event_log.ts @@ -74,6 +74,7 @@ export default function eventLogTests({ getService }: FtrProviderContext) { expect(event).to.be.ok(); validateEvent(event, { + ruleTypeId: 'test.noop', spaceId, savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], outcome: 'failure', diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts index 1aae5a9188b88c..1134c92dd8a34c 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts @@ -430,6 +430,7 @@ export function validateEvent(event: IValidatedEvent, params: ValidateEventLogPa if (primarySavedObject) { expect(event?.kibana?.alerting?.primary_saved_object).to.eql({ id: primarySavedObject.id, + namespace: spaceId, type: primarySavedObject.type, }); } From f99ecd08c2067bce07c611034a3bda9819503eb1 Mon Sep 17 00:00:00 2001 
From: Ying Mao Date: Wed, 2 Jun 2021 09:26:26 -0400 Subject: [PATCH 4/7] Adding actionTypeId --- x-pack/plugins/actions/server/lib/action_executor.ts | 1 + x-pack/plugins/event_log/generated/mappings.json | 4 ++++ x-pack/plugins/event_log/generated/schemas.ts | 1 + x-pack/plugins/event_log/scripts/mappings.js | 4 ++++ .../security_and_spaces/tests/actions/execute.ts | 5 ++++- .../spaces_only/tests/actions/execute.ts | 12 +++++++++++- 6 files changed, 25 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/actions/server/lib/action_executor.ts b/x-pack/plugins/actions/server/lib/action_executor.ts index 976541025fb2f1..ad194e79b524ad 100644 --- a/x-pack/plugins/actions/server/lib/action_executor.ts +++ b/x-pack/plugins/actions/server/lib/action_executor.ts @@ -125,6 +125,7 @@ export class ActionExecutor { event: { action: EVENT_LOG_ACTIONS.execute }, kibana: { alerting: { + action_type_id: actionTypeId, primary_saved_object: { id: actionId, type: 'action', diff --git a/x-pack/plugins/event_log/generated/mappings.json b/x-pack/plugins/event_log/generated/mappings.json index 127d15d263e115..631b8386d62d9e 100644 --- a/x-pack/plugins/event_log/generated/mappings.json +++ b/x-pack/plugins/event_log/generated/mappings.json @@ -247,6 +247,10 @@ "type": "keyword", "ignore_above": 1024 }, + "action_type_id": { + "type": "keyword", + "ignore_above": 1024 + }, "instance_id": { "type": "keyword", "ignore_above": 1024 diff --git a/x-pack/plugins/event_log/generated/schemas.ts b/x-pack/plugins/event_log/generated/schemas.ts index 812d65edf1b63e..7d3ed022f62c68 100644 --- a/x-pack/plugins/event_log/generated/schemas.ts +++ b/x-pack/plugins/event_log/generated/schemas.ts @@ -105,6 +105,7 @@ export const EventSchema = schema.maybe( schema.object({ action_group_id: ecsString(), action_subgroup: ecsString(), + action_type_id: ecsString(), instance_id: ecsString(), primary_saved_object: schema.maybe( schema.object({ 
diff --git a/x-pack/plugins/event_log/scripts/mappings.js b/x-pack/plugins/event_log/scripts/mappings.js index 805692ec6222cc..be24c702334b56 100644 --- a/x-pack/plugins/event_log/scripts/mappings.js +++ b/x-pack/plugins/event_log/scripts/mappings.js @@ -28,6 +28,10 @@ exports.EcsCustomPropertyMappings = { type: 'keyword', ignore_above: 1024, }, + action_type_id: { + type: 'keyword', + ignore_above: 1024, + }, instance_id: { type: 'keyword', ignore_above: 1024, diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts b/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts index 3c4a266c645441..77e98f7a7083e8 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts @@ -119,6 +119,7 @@ export default function ({ getService }: FtrProviderContext) { spaceId: space.id, connectorId: createdAction.id, outcome: 'success', + actionTypeId: 'test.index-record', message: `action executed: test.index-record:${createdAction.id}: My action`, }); break; @@ -502,13 +503,14 @@ export default function ({ getService }: FtrProviderContext) { interface ValidateEventLogParams { spaceId: string; connectorId: string; + actionTypeId: string; outcome: string; message: string; errorMessage?: string; } async function validateEventLog(params: ValidateEventLogParams): Promise { - const { spaceId, connectorId, outcome, message, errorMessage } = params; + const { spaceId, connectorId, actionTypeId, outcome, message, errorMessage } = params; const events: IValidatedEvent[] = await retry.try(async () => { return await getEventLog({ 
@@ -544,6 +546,7 @@ export default function ({ getService }: FtrProviderContext) { expect(event?.event?.outcome).to.equal(outcome); + expect(event?.kibana?.alerting?.action_type_id).to.equal(actionTypeId); expect(event?.kibana?.alerting?.primary_saved_object).to.eql({ type: 'action', id: connectorId, diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/actions/execute.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/actions/execute.ts index fbdde2104dd615..08474b46d0e3ca 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/actions/execute.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/actions/execute.ts @@ -97,6 +97,7 @@ export default function ({ getService }: FtrProviderContext) { await validateEventLog({ spaceId: Spaces.space1.id, actionId: createdAction.id, + actionTypeId: 'test.index-record', outcome: 'success', message: `action executed: test.index-record:${createdAction.id}: My action`, }); @@ -138,6 +139,7 @@ export default function ({ getService }: FtrProviderContext) { await validateEventLog({ spaceId: Spaces.space1.id, actionId: createdAction.id, + actionTypeId: 'test.failing', outcome: 'failure', message: `action execution failure: test.failing:${createdAction.id}: failing action`, errorMessage: `an error occurred while running the action executor: expected failure for .kibana-alerting-test-data actions-failure-1:space1`, @@ -330,13 +332,14 @@ export default function ({ getService }: FtrProviderContext) { interface ValidateEventLogParams { spaceId: string; actionId: string; + actionTypeId: string; outcome: string; message: string; errorMessage?: string; } async function validateEventLog(params: ValidateEventLogParams): Promise { - const { spaceId, actionId, outcome, message, errorMessage } = params; + const { spaceId, actionId, actionTypeId, outcome, message, errorMessage } = params; const events: IValidatedEvent[] = await retry.try(async () => { return await getEventLog({ 
@@ -371,6 +374,13 @@ export default function ({ getService }: FtrProviderContext) { expect(event?.event?.outcome).to.equal(outcome); + expect(event?.kibana?.alerting?.action_type_id).to.equal(actionTypeId); + expect(event?.kibana?.alerting?.primary_saved_object).to.eql({ + type: 'action', + id: actionId, + namespace: 'space1', + }); + expect(event?.kibana?.saved_objects).to.eql([ { rel: 'primary', From 3b8b3faf3f248a87b4eb0d4d50449b08ff72808f Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Wed, 2 Jun 2021 13:19:59 -0400 Subject: [PATCH 5/7] Putting type ids into saved object array --- .../actions/server/lib/action_executor.ts | 9 +- .../create_execution_handler.test.ts | 7 +- .../task_runner/create_execution_handler.ts | 16 +- .../server/task_runner/task_runner.test.ts | 156 +++--------------- .../server/task_runner/task_runner.ts | 16 +- .../plugins/event_log/generated/mappings.json | 34 +--- x-pack/plugins/event_log/generated/schemas.ts | 12 +- x-pack/plugins/event_log/scripts/mappings.js | 34 +--- .../tests/actions/execute.ts | 8 +- .../tests/alerting/event_log.ts | 3 +- .../spaces_only/tests/actions/execute.ts | 8 +- .../spaces_only/tests/alerting/event_log.ts | 48 +++--- 12 files changed, 75 insertions(+), 276 deletions(-) diff --git a/x-pack/plugins/actions/server/lib/action_executor.ts b/x-pack/plugins/actions/server/lib/action_executor.ts index ad194e79b524ad..e74f3a27efe701 100644 --- a/x-pack/plugins/actions/server/lib/action_executor.ts +++ b/x-pack/plugins/actions/server/lib/action_executor.ts @@ -124,19 +124,12 @@ export class ActionExecutor { const event: IEvent = { event: { action: EVENT_LOG_ACTIONS.execute }, kibana: { - alerting: { - action_type_id: actionTypeId, - primary_saved_object: { - id: actionId, - type: 'action', - ...namespace, - }, - }, saved_objects: [ { rel: SAVED_OBJECT_REL_PRIMARY, type: 'action', id: actionId, + type_id: actionTypeId, ...namespace, }, ], 
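Review bot: In the spaces_only/tests/actions/execute.ts hunk at `@@ -371,6 +374,13 @@` the new assertion hard-codes `namespace: 'space1'`, although `validateEventLog` destructures `spaceId` from its params in the preceding hunk of the same file. The security_and_spaces copy of this check compares against `namespace: spaceId`; writing `namespace: spaceId,` here as well keeps the helper checking the space the caller asked about rather than a literal. The rest of `validateEventLog` lies outside the hunk.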
diff --git a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts index 2c163172b50cb4..5ab25fbfa39e7a 100644 --- a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts +++ b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts @@ -160,21 +160,18 @@ test('enqueues execution per selected action', async () => { "action_group_id": "default", "action_subgroup": undefined, "instance_id": "2", - "primary_saved_object": Object { - "id": "1", - "type": "alert", - }, - "rule_type_id": "test", }, "saved_objects": Array [ Object { "id": "1", "rel": "primary", "type": "alert", + "type_id": "test", }, Object { "id": "1", "type": "action", + "type_id": "test", }, ], }, diff --git a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts index e5cea34c3c9fc6..ef93179bdaba16 100644 --- a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts +++ b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts @@ -177,19 +177,19 @@ export function createExecutionHandler< event: { action: EVENT_LOG_ACTIONS.executeAction }, kibana: { alerting: { + instance_id: alertInstanceId, action_group_id: actionGroup, action_subgroup: actionSubgroup, - instance_id: alertInstanceId, - primary_saved_object: { - id: alertId, + }, + saved_objects: [ + { + rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', + id: alertId, + type_id: alertType.id, ...namespace, }, - rule_type_id: alertType.id, - }, - saved_objects: [ - { rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', id: alertId, ...namespace }, - { type: 'action', id: action.id, ...namespace }, + { type: 'action', id: action.id, type_id: action.actionTypeId, ...namespace }, ], }, }; 
diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts index a346b2f2c8f717..c157765afb3590 100644 --- a/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts +++ b/x-pack/plugins/alerting/server/task_runner/task_runner.test.ts @@ -270,12 +270,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "ok", }, "saved_objects": Array [ @@ -284,6 +278,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -384,12 +379,6 @@ describe('Task Runner', () => { action_group_id: 'default', action_subgroup: 'subDefault', instance_id: '1', - primary_saved_object: { - id: '1', - namespace: undefined, - type: 'alert', - }, - rule_type_id: 'test', }, saved_objects: [ { @@ -397,6 +386,7 @@ describe('Task Runner', () => { namespace: undefined, rel: 'primary', type: 'alert', + type_id: 'test', }, ], }, @@ -411,12 +401,6 @@ describe('Task Runner', () => { instance_id: '1', action_group_id: 'default', action_subgroup: 'subDefault', - primary_saved_object: { - id: '1', - namespace: undefined, - type: 'alert', - }, - rule_type_id: 'test', }, saved_objects: [ { @@ -424,6 +408,7 @@ describe('Task Runner', () => { namespace: undefined, rel: 'primary', type: 'alert', + type_id: 'test', }, ], }, @@ -439,12 +424,6 @@ describe('Task Runner', () => { instance_id: '1', action_group_id: 'default', action_subgroup: 'subDefault', - primary_saved_object: { - id: '1', - namespace: undefined, - type: 'alert', - }, - rule_type_id: 'test', }, saved_objects: [ { @@ -452,11 +431,13 @@ describe('Task Runner', () => { namespace: undefined, rel: 'primary', type: 'alert', + type_id: 'test', }, { id: '1', namespace: undefined, type: 'action', + type_id: 'action', }, ], }, 
@@ -471,12 +452,6 @@ describe('Task Runner', () => { }, kibana: { alerting: { - primary_saved_object: { - id: '1', - namespace: undefined, - type: 'alert', - }, - rule_type_id: 'test', status: 'active', }, saved_objects: [ @@ -485,6 +460,7 @@ describe('Task Runner', () => { namespace: undefined, rel: 'primary', type: 'alert', + type_id: 'test', }, ], }, @@ -554,12 +530,6 @@ describe('Task Runner', () => { alerting: { action_group_id: 'default', instance_id: '1', - primary_saved_object: { - id: '1', - namespace: undefined, - type: 'alert', - }, - rule_type_id: 'test', }, saved_objects: [ { @@ -567,6 +537,7 @@ describe('Task Runner', () => { namespace: undefined, rel: 'primary', type: 'alert', + type_id: 'test', }, ], }, @@ -580,12 +551,6 @@ describe('Task Runner', () => { alerting: { instance_id: '1', action_group_id: 'default', - primary_saved_object: { - id: '1', - namespace: undefined, - type: 'alert', - }, - rule_type_id: 'test', }, saved_objects: [ { @@ -593,6 +558,7 @@ describe('Task Runner', () => { namespace: undefined, rel: 'primary', type: 'alert', + type_id: 'test', }, ], }, @@ -606,12 +572,6 @@ describe('Task Runner', () => { }, kibana: { alerting: { - primary_saved_object: { - id: '1', - namespace: undefined, - type: 'alert', - }, - rule_type_id: 'test', status: 'active', }, saved_objects: [ @@ -620,6 +580,7 @@ describe('Task Runner', () => { namespace: undefined, rel: 'primary', type: 'alert', + type_id: 'test', }, ], }, @@ -743,12 +704,6 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "1", - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -756,6 +711,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, 
@@ -771,12 +727,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "active", }, "saved_objects": Array [ @@ -785,6 +735,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -984,12 +935,6 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "1", - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -997,6 +942,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1012,12 +958,6 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "1", - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -1025,6 +965,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1041,12 +982,6 @@ describe('Task Runner', () => { "action_group_id": "default", "action_subgroup": undefined, "instance_id": "1", - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -1054,11 +989,13 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, Object { "id": "1", "namespace": undefined, "type": "action", + "type_id": "action", }, ], }, 
@@ -1074,12 +1011,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "active", }, "saved_objects": Array [ @@ -1088,6 +1019,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1463,12 +1395,6 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "2", - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -1476,6 +1402,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1491,12 +1418,6 @@ describe('Task Runner', () => { "alerting": Object { "action_group_id": "default", "instance_id": "1", - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", }, "saved_objects": Array [ Object { @@ -1504,6 +1425,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1519,12 +1441,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "active", }, "saved_objects": Array [ @@ -1533,6 +1449,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1735,12 +1652,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ 
@@ -1749,6 +1660,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1800,12 +1712,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ @@ -1814,6 +1720,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1873,12 +1780,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ @@ -1887,6 +1788,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -1946,12 +1848,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ @@ -1960,6 +1856,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, @@ -2018,12 +1915,6 @@ describe('Task Runner', () => { }, "kibana": Object { "alerting": Object { - "primary_saved_object": Object { - "id": "1", - "namespace": undefined, - "type": "alert", - }, - "rule_type_id": "test", "status": "error", }, "saved_objects": Array [ @@ -2032,6 +1923,7 @@ describe('Task Runner', () => { "namespace": undefined, "rel": "primary", "type": "alert", + "type_id": "test", }, ], }, diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.ts index 06660c17ce1ed5..7f25e38c57c97c 100644 
--- a/x-pack/plugins/alerting/server/task_runner/task_runner.ts +++ b/x-pack/plugins/alerting/server/task_runner/task_runner.ts @@ -489,19 +489,12 @@ export class TaskRunner< '@timestamp': runDate, event: { action: EVENT_LOG_ACTIONS.execute }, kibana: { - alerting: { - primary_saved_object: { - id: alertId, - type: 'alert', - namespace, - }, - rule_type_id: this.alertType.id, - }, saved_objects: [ { rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', id: alertId, + type_id: this.alertType.id, namespace, }, ], @@ -691,18 +684,13 @@ function generateNewAndRecoveredInstanceEvents< instance_id: instanceId, ...(group ? { action_group_id: group } : {}), ...(subgroup ? { action_subgroup: subgroup } : {}), - primary_saved_object: { - id: alertId, - type: 'alert', - namespace, - }, - rule_type_id: ruleId, }, saved_objects: [ { rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', id: alertId, + type_id: ruleId, namespace, }, ], diff --git a/x-pack/plugins/event_log/generated/mappings.json b/x-pack/plugins/event_log/generated/mappings.json index 631b8386d62d9e..da04db1086aa89 100644 --- a/x-pack/plugins/event_log/generated/mappings.json +++ b/x-pack/plugins/event_log/generated/mappings.json @@ -239,39 +239,15 @@ }, "alerting": { "properties": { - "action_group_id": { - "type": "keyword", - "ignore_above": 1024 - }, - "action_subgroup": { - "type": "keyword", - "ignore_above": 1024 - }, - "action_type_id": { + "instance_id": { "type": "keyword", "ignore_above": 1024 }, - "instance_id": { + "action_group_id": { "type": "keyword", "ignore_above": 1024 }, - "primary_saved_object": { - "properties": { - "id": { - "type": "keyword", - "ignore_above": 1024 - }, - "type": { - "type": "keyword", - "ignore_above": 1024 - }, - "namespace": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "rule_type_id": { + "action_subgroup": { "type": "keyword", "ignore_above": 1024 }, 
@@ -299,6 +275,10 @@ "type": { "type": "keyword", "ignore_above": 1024 + }, + "type_id": { + "type": "keyword", + "ignore_above": 1024 } } } diff --git a/x-pack/plugins/event_log/generated/schemas.ts b/x-pack/plugins/event_log/generated/schemas.ts index 7d3ed022f62c68..a13b304e8adab0 100644 --- a/x-pack/plugins/event_log/generated/schemas.ts +++ b/x-pack/plugins/event_log/generated/schemas.ts @@ -103,18 +103,9 @@ export const EventSchema = schema.maybe( server_uuid: ecsString(), alerting: schema.maybe( schema.object({ + instance_id: ecsString(), action_group_id: ecsString(), action_subgroup: ecsString(), - action_type_id: ecsString(), - instance_id: ecsString(), - primary_saved_object: schema.maybe( - schema.object({ - id: ecsString(), - type: ecsString(), - namespace: ecsString(), - }) - ), - rule_type_id: ecsString(), status: ecsString(), }) ), @@ -125,6 +116,7 @@ export const EventSchema = schema.maybe( namespace: ecsString(), id: ecsString(), type: ecsString(), + type_id: ecsString(), }) ) ), diff --git a/x-pack/plugins/event_log/scripts/mappings.js b/x-pack/plugins/event_log/scripts/mappings.js index be24c702334b56..f2020e76b46baa 100644 --- a/x-pack/plugins/event_log/scripts/mappings.js +++ b/x-pack/plugins/event_log/scripts/mappings.js @@ -20,39 +20,15 @@ exports.EcsCustomPropertyMappings = { // alerting specific fields alerting: { properties: { - action_group_id: { - type: 'keyword', - ignore_above: 1024, - }, - action_subgroup: { - type: 'keyword', - ignore_above: 1024, - }, - action_type_id: { + instance_id: { type: 'keyword', ignore_above: 1024, }, - instance_id: { + action_group_id: { type: 'keyword', ignore_above: 1024, }, - primary_saved_object: { - properties: { - id: { - type: 'keyword', - ignore_above: 1024, - }, - type: { - type: 'keyword', - ignore_above: 1024, - }, - namespace: { - type: 'keyword', - ignore_above: 1024, - }, - }, - }, - rule_type_id: { + action_subgroup: { type: 'keyword', ignore_above: 1024, }, 
@@ -84,6 +60,10 @@ exports.EcsCustomPropertyMappings = { type: 'keyword', ignore_above: 1024, }, + type_id: { + type: 'keyword', + ignore_above: 1024, + }, }, }, }, diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts b/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts index 77e98f7a7083e8..f7d7c1df8fd46b 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/execute.ts @@ -546,18 +546,12 @@ export default function ({ getService }: FtrProviderContext) { expect(event?.event?.outcome).to.equal(outcome); - expect(event?.kibana?.alerting?.action_type_id).to.equal(actionTypeId); - expect(event?.kibana?.alerting?.primary_saved_object).to.eql({ - type: 'action', - id: connectorId, - namespace: spaceId, - }); - expect(event?.kibana?.saved_objects).to.eql([ { rel: 'primary', type: 'action', id: connectorId, + type_id: actionTypeId, namespace: spaceId, }, ]); diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/event_log.ts b/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/event_log.ts index 377002e18ff428..d5e55a66ecf086 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/event_log.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/event_log.ts @@ -74,9 +74,8 @@ export default function eventLogTests({ getService }: FtrProviderContext) { expect(event).to.be.ok(); validateEvent(event, { - ruleTypeId: 'test.noop', spaceId, - savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], + savedObjects: [{ type: 'alert', id: alertId, rel: 'primary', type_id: 'test.noop' }], outcome: 'failure', message: `test.noop:${alertId}: execution failed`, errorMessage: 'Unable to decrypt attribute "apiKey"', 
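Review bot: The `type_id` entry added in hunk `@@ -84,6 +60,10 @@` of `x-pack/plugins/event_log/scripts/mappings.js` has no comment saying what the field holds, although the file comments its other groups (`// alerting specific fields`). Judging by the writers in this patch, it carries the rule type id for `alert` objects (`alertType.id`) and the connector type id for `action` objects (`action.actionTypeId`). A one-line comment above the entry, such as `// type_id: rule type id (alert) or connector type id (action) of the saved object`, would keep that meaning clear for anyone filtering the event log by type. The enclosing mapping object starts and ends outside the hunk, so the exact nesting should be confirmed against the full file.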
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/actions/execute.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/actions/execute.ts index 08474b46d0e3ca..147b6abfb88d14 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/actions/execute.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/actions/execute.ts @@ -374,19 +374,13 @@ export default function ({ getService }: FtrProviderContext) { expect(event?.event?.outcome).to.equal(outcome); - expect(event?.kibana?.alerting?.action_type_id).to.equal(actionTypeId); - expect(event?.kibana?.alerting?.primary_saved_object).to.eql({ - type: 'action', - id: actionId, - namespace: 'space1', - }); - expect(event?.kibana?.saved_objects).to.eql([ { rel: 'primary', type: 'action', id: actionId, namespace: 'space1', + type_id: actionTypeId, }, ]); diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts index 1134c92dd8a34c..40c0fe398bc57e 100644 --- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts +++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/event_log.ts @@ -127,9 +127,10 @@ export default function eventLogTests({ getService }: FtrProviderContext) { switch (event?.event?.action) { case 'execute': validateEvent(event, { - ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, - savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], + savedObjects: [ + { type: 'alert', id: alertId, rel: 'primary', type_id: 'test.patternFiring' }, + ], outcome: 'success', message: `alert executed: test.patternFiring:${alertId}: 'abc'`, status: executeStatuses[executeCount++], 
@@ -137,11 +138,10 @@ export default function eventLogTests({ getService }: FtrProviderContext) { break; case 'execute-action': validateEvent(event, { - ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, savedObjects: [ - { type: 'alert', id: alertId, rel: 'primary' }, - { type: 'action', id: createdAction.id }, + { type: 'alert', id: alertId, rel: 'primary', type_id: 'test.patternFiring' }, + { type: 'action', id: createdAction.id, type_id: 'test.noop' }, ], message: `alert: test.patternFiring:${alertId}: 'abc' instanceId: 'instance' scheduled actionGroup: 'default' action: test.noop:${createdAction.id}`, instanceId: 'instance', @@ -165,9 +165,10 @@ export default function eventLogTests({ getService }: FtrProviderContext) { function validateInstanceEvent(event: IValidatedEvent, subMessage: string) { validateEvent(event, { - ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, - savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], + savedObjects: [ + { type: 'alert', id: alertId, rel: 'primary', type_id: 'test.patternFiring' }, + ], message: `test.patternFiring:${alertId}: 'abc' ${subMessage}`, instanceId: 'instance', actionGroupId: 'default', @@ -262,9 +263,10 @@ export default function eventLogTests({ getService }: FtrProviderContext) { switch (event?.event?.action) { case 'execute': validateEvent(event, { - ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, - savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], + savedObjects: [ + { type: 'alert', id: alertId, rel: 'primary', type_id: 'test.patternFiring' }, + ], outcome: 'success', message: `alert executed: test.patternFiring:${alertId}: 'abc'`, status: executeStatuses[executeCount++], 
@@ -275,11 +277,10 @@ export default function eventLogTests({ getService }: FtrProviderContext) { [firstSubgroup, secondSubgroup].includes(event?.kibana?.alerting?.action_subgroup!) ).to.be(true); validateEvent(event, { - ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, savedObjects: [ - { type: 'alert', id: alertId, rel: 'primary' }, - { type: 'action', id: createdAction.id }, + { type: 'alert', id: alertId, rel: 'primary', type_id: 'test.patternFiring' }, + { type: 'action', id: createdAction.id, type_id: 'test.noop' }, ], message: `alert: test.patternFiring:${alertId}: 'abc' instanceId: 'instance' scheduled actionGroup(subgroup): 'default(${event?.kibana?.alerting?.action_subgroup})' action: test.noop:${createdAction.id}`, instanceId: 'instance', @@ -309,9 +310,10 @@ export default function eventLogTests({ getService }: FtrProviderContext) { function validateInstanceEvent(event: IValidatedEvent, subMessage: string) { validateEvent(event, { - ruleTypeId: 'test.patternFiring', spaceId: Spaces.space1.id, - savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], + savedObjects: [ + { type: 'alert', id: alertId, rel: 'primary', type_id: 'test.patternFiring' }, + ], message: `test.patternFiring:${alertId}: 'abc' ${subMessage}`, instanceId: 'instance', actionGroupId: 'default', @@ -350,9 +352,8 @@ export default function eventLogTests({ getService }: FtrProviderContext) { expect(event).to.be.ok(); validateEvent(event, { - ruleTypeId: 'test.throw', spaceId: Spaces.space1.id, - savedObjects: [{ type: 'alert', id: alertId, rel: 'primary' }], + savedObjects: [{ type: 'alert', id: alertId, rel: 'primary', type_id: 'test.throw' }], outcome: 'failure', message: `alert execution failure: test.throw:${alertId}: 'abc'`, errorMessage: 'this alert is intended to fail', @@ -367,6 +368,7 @@ interface SavedObject { type: string; id: string; rel?: string; + type_id: string; } interface ValidateEventLogParams { 
@@ -374,7 +376,6 @@ interface ValidateEventLogParams { savedObjects: SavedObject[]; outcome?: string; message: string; - ruleTypeId: string; errorMessage?: string; status?: string; actionGroupId?: string; @@ -384,7 +385,7 @@ interface ValidateEventLogParams { export function validateEvent(event: IValidatedEvent, params: ValidateEventLogParams): void { const { spaceId, savedObjects, outcome, message, errorMessage } = params; - const { status, actionGroupId, instanceId, reason, ruleTypeId } = params; + const { status, actionGroupId, instanceId, reason } = params; if (status) { expect(event?.kibana?.alerting?.status).to.be(status); @@ -424,17 +425,6 @@ export function validateEvent(event: IValidatedEvent, params: ValidateEventLogPa expect(event?.event?.outcome).to.equal(outcome); - expect(event?.kibana?.alerting?.rule_type_id).to.be(ruleTypeId); - - const primarySavedObject = savedObjects.find((obj) => obj.rel === 'primary'); - if (primarySavedObject) { - expect(event?.kibana?.alerting?.primary_saved_object).to.eql({ - id: primarySavedObject.id, - namespace: spaceId, - type: primarySavedObject.type, - }); - } - for (const savedObject of savedObjects) { expect( isSavedObjectInEvent(event, spaceId, savedObject.type, savedObject.id, savedObject.rel) From 323de9d506a6b72965dc15955523a95677a52002 Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Wed, 2 Jun 2021 15:28:58 -0400 Subject: [PATCH 6/7] Fixing functional tests --- .../security_and_spaces/tests/alerting/alerts.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/alerts.ts b/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/alerts.ts index 24799888ac5b23..4aa6ed830059e7 100644 --- a/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/alerts.ts +++ b/x-pack/test/alerting_api_integration/security_and_spaces/tests/alerting/alerts.ts 
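Review bot: In `validateEvent` (hunk `@@ -424,17 +425,6 @@` of `spaces_only/tests/alerting/event_log.ts`) the `rule_type_id` assertion is removed, but the loop that remains still calls `isSavedObjectInEvent(event, spaceId, savedObject.type, savedObject.id, savedObject.rel)` without `savedObject.type_id`. As far as the hunk shows, the `type_id` values that every caller now passes (including the `security_and_spaces` `event_log.ts` call with `type_id: 'test.noop'`) are never compared with the logged event, so an event written without `type_id`, or with the wrong one, would still pass. Because the event log is what operators query to attribute executions to a rule or connector type, the check is worth keeping: either pass `savedObject.type_id` into `isSavedObjectInEvent` and compare it there, or assert on the matching `event?.kibana?.saved_objects` entry directly. Both the helper's definition and the rest of the loop lie outside the hunk, so confirm the helper does not already cover this.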
@@ -214,6 +214,7 @@ instanceStateValue: true await validateEventLog({ spaceId: space.id, alertId, + ruleTypeId: 'test.always-firing', outcome: 'success', message: `alert executed: test.always-firing:${alertId}: 'abc'`, }); @@ -1244,13 +1245,14 @@ instanceStateValue: true interface ValidateEventLogParams { spaceId: string; alertId: string; + ruleTypeId: string; outcome: string; message: string; errorMessage?: string; } async function validateEventLog(params: ValidateEventLogParams): Promise { - const { spaceId, alertId, outcome, message, errorMessage } = params; + const { spaceId, alertId, ruleTypeId, outcome, message, errorMessage } = params; const events: IValidatedEvent[] = await retry.try(async () => { return await getEventLog({ @@ -1291,6 +1293,7 @@ instanceStateValue: true type: 'alert', id: alertId, namespace: spaceId, + type_id: ruleTypeId, }, ]); From 4031aeaab748cac7654caa00bb50043248ed4ec4 Mon Sep 17 00:00:00 2001 From: Ying Mao Date: Fri, 4 Jun 2021 08:39:43 -0400 Subject: [PATCH 7/7] Cleanup --- .../server/task_runner/task_runner.ts | 30 +++---------------- 1 file changed, 4 insertions(+), 26 deletions(-) diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.ts index 7f25e38c57c97c..fd82b38b493d79 100644 --- a/x-pack/plugins/alerting/server/task_runner/task_runner.ts +++ b/x-pack/plugins/alerting/server/task_runner/task_runner.ts 
@@ -625,28 +625,14 @@ function generateNewAndRecoveredInstanceEvents< const { group: actionGroup, subgroup: actionSubgroup } = recoveredAlertInstances[id].getLastScheduledActions() ?? {}; const message = `${params.alertLabel} instance '${id}' has recovered`; - logInstanceEvent( - id, - EVENT_LOG_ACTIONS.recoveredInstance, - message, - ruleTypeId, - actionGroup, - actionSubgroup - ); + logInstanceEvent(id, EVENT_LOG_ACTIONS.recoveredInstance, message, actionGroup, actionSubgroup); } for (const id of newIds) { const { actionGroup, subgroup: actionSubgroup } = currentAlertInstances[id].getScheduledActionOptions() ?? {}; const message = `${params.alertLabel} created new instance: '${id}'`; - logInstanceEvent( - id, - EVENT_LOG_ACTIONS.newInstance, - message, - ruleTypeId, - actionGroup, - actionSubgroup - ); + logInstanceEvent(id, EVENT_LOG_ACTIONS.newInstance, message, actionGroup, actionSubgroup); } for (const id of currentAlertInstanceIds) { @@ -657,21 +643,13 @@ function generateNewAndRecoveredInstanceEvents< ? `actionGroup(subgroup): '${actionGroup}(${actionSubgroup})'` : `actionGroup: '${actionGroup}'` }`; - logInstanceEvent( - id, - EVENT_LOG_ACTIONS.activeInstance, - message, - ruleTypeId, - actionGroup, - actionSubgroup - ); + logInstanceEvent(id, EVENT_LOG_ACTIONS.activeInstance, message, actionGroup, actionSubgroup); } function logInstanceEvent( instanceId: string, action: string, message: string, - ruleId: string, group?: string, subgroup?: string ) { @@ -690,7 +668,7 @@ function generateNewAndRecoveredInstanceEvents< rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', id: alertId, - type_id: ruleId, + type_id: ruleTypeId, namespace, }, ],