
[Response Ops][Alerting] Migrate installation of preview resources to framework alerts-as-data #152490

ymao1 opened this issue Mar 1, 2023 · 2 comments · Fixed by #152849
Labels
Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments


ymao1 commented Mar 1, 2023

Security Solution currently uses the rule registry to install preview indices for detection rules. These are a set of indices that use the same mappings as normal alert indices, but they use a different ILM policy that deletes the preview data within a day. As part of framework alerts as data, we'd like to migrate all resource installation out of the rule registry and into the alerting plugin, so we either need to provide a specific way to install preview indices for any rule type or generic functions that can be called to install custom resources.

@ymao1 ymao1 added Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry labels Mar 1, 2023
elasticmachine commented Mar 1, 2023

Pinging @elastic/response-ops (Team:ResponseOps)


mikecote commented Mar 6, 2023

> As part of framework alerts as data, we'd like to migrate all resource installation out of the rule registry and into the alerting plugin so we either need to provide a specific way to install preview indices for any rule types or generic functions that can be called to install custom resources.

@ymao1 and I spoke on this last week. It feels like going the path of having generic functions would be best, and it would allow us to defer how the framework would do previews/simulations for all.

@ymao1 ymao1 moved this from In Progress to In Review in AppEx: ResponseOps - Execution & Connectors Mar 10, 2023
ymao1 added a commit that referenced this issue Mar 20, 2023
…ation (#152849)

Resolves #152490

## Summary

This PR refactors the resource installation methods in `AlertsService`
to be reusable library functions. It exports them from the alerting
plugin and changes the rule registry resource installer to use them as
well.

## To Verify
1. Run this branch with `enableFrameworkAlerts: true`. Verify that we
can create a detection rule in the default space & a different space and
generate a rule preview. The logs should show that the rule registry
creates the resources for the preview indices and for indices in the
non-default space.
2. Verify that when running this branch on rule registry rules from
`main` or a previous version, the rules continue to run successfully.

Co-authored-by: Kibana Machine <[email protected]>