[RAC][Alerting][Security Solution] Adds Rule Execution UUID (#113058)

## Summary Resolves: #110135 This PR is for introducing a new UUID (`kibana.alert.rule.execution.uuid` as defined in the AAD schema) for identifying individual rule executions. This id is introduced as a `private readonly` member of the [alerting server task_manager](https:/elastic/kibana/blob/a993668663dd4fc25d3336e2d474101ed8d1b74d/x-pack/plugins/alerting/server/task_runner/task_runner.ts#L123), and plumbed through the `executionHandler` and to all appropriate alert event and event-log touch points. For persistence when writing alerts within the RuleRegistry, `kibana.alert.rule.execution.uuid` is plumbed through [`getCommonAlertFields()`](https:/elastic/kibana/blob/c81341c325edcb0eaca1dab2521b2a86fea18389/x-pack/plugins/rule_registry/server/utils/get_common_alert_fields.ts#L52) so it is grouped with like fields and is picked up by both the [`createPersistenceRuleTypeWrapper`](https:/elastic/kibana/blob/c81341c325edcb0eaca1dab2521b2a86fea18389/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts#L38) used by Security Solution, and [`createLifecycleExecutor`](https:/elastic/kibana/blob/d152ca5b6bf7f56fcba1d1d8c2cfee5404a821de/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts#L157) used by Observability rules. Additionally on the Security Solution side, `kibana.alert.rule.execution.uuid` was plumbed through the `RuleExecutionLog` so that all events written to the event-log will now include this id so individual rule status events/metrics can be correlated with specific rule executions. No UI facing changes were made, however `kibana.alert.rule.execution.uuid` is now available within the Alerts Table FieldBrowser, and can be toggled and viewed alongside alerts: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/149594433-b16e369b-adf4-4ae3-b6e9-98189b214d51.png" /> </p> As visible when exploring `event-log` in Discover: <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/149595237-155d25d7-8324-4981-9ec2-faf0af8e7bd7.png" /> </p> ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - Will need to sync with Doc folks on updates here. - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
elastic · Jan 21, 2022 · 48693d1 · 48693d1
1 parent 735948d
commit 48693d1
Show file tree

Hide file tree

Showing 34 changed files with 716 additions and 12 deletions.
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -47,6 +47,7 @@ const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const;
 const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
 const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
 const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const;
+const ALERT_RULE_EXECUTION_UUID = `${ALERT_RULE_NAMESPACE}.execution.uuid` as const;
 const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
 const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
 const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
@@ -103,6 +104,7 @@ const fields = {
  ALERT_RULE_CREATED_BY,
  ALERT_RULE_DESCRIPTION,
  ALERT_RULE_ENABLED,
+ ALERT_RULE_EXECUTION_UUID,
  ALERT_RULE_FROM,
  ALERT_RULE_INTERVAL,
  ALERT_RULE_LICENSE,
@@ -156,6 +158,7 @@ export {
  ALERT_RULE_CREATED_BY,
  ALERT_RULE_DESCRIPTION,
  ALERT_RULE_ENABLED,
+ ALERT_RULE_EXECUTION_UUID,
  ALERT_RULE_FROM,
  ALERT_RULE_INTERVAL,
  ALERT_RULE_LICENSE,

diff --git a/x-pack/plugins/alerting/server/lib/create_alert_event_log_record_object.test.ts b/x-pack/plugins/alerting/server/lib/create_alert_event_log_record_object.test.ts
@@ -25,6 +25,7 @@ describe('createAlertEventLogRecordObject', () => {
  test('created alert event "execute-start"', async () => {
  expect(
  createAlertEventLogRecordObject({
+ executionId: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
  ruleId: '1',
  ruleType,
  action: 'execute-start',
@@ -50,6 +51,13 @@ describe('createAlertEventLogRecordObject', () => {
  kind: 'alert',
  },
  kibana: {
+ alert: {
+ rule: {
+ execution: {
+ uuid: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
+ },
+ },
+ },
  saved_objects: [
  {
  id: '1',
@@ -76,6 +84,7 @@ describe('createAlertEventLogRecordObject', () => {
  test('created alert event "recovered-instance"', async () => {
  expect(
  createAlertEventLogRecordObject({
+ executionId: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
  ruleId: '1',
  ruleName: 'test name',
  ruleType,
@@ -109,6 +118,13 @@ describe('createAlertEventLogRecordObject', () => {
  start: '1970-01-01T00:00:00.000Z',
  },
  kibana: {
+ alert: {
+ rule: {
+ execution: {
+ uuid: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
+ },
+ },
+ },
  alerting: {
  action_group_id: 'group 1',
  action_subgroup: 'subgroup value',
@@ -138,6 +154,7 @@ describe('createAlertEventLogRecordObject', () => {
  test('created alert event "execute-action"', async () => {
  expect(
  createAlertEventLogRecordObject({
+ executionId: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
  ruleId: '1',
  ruleName: 'test name',
  ruleType,
@@ -176,6 +193,13 @@ describe('createAlertEventLogRecordObject', () => {
  start: '1970-01-01T00:00:00.000Z',
  },
  kibana: {
+ alert: {
+ rule: {
+ execution: {
+ uuid: '7a7065d7-6e8b-4aae-8d20-c93613dec9fb',
+ },
+ },
+ },
  alerting: {
  action_group_id: 'group 1',
  action_subgroup: 'subgroup value',

diff --git a/x-pack/plugins/alerting/server/lib/create_alert_event_log_record_object.ts b/x-pack/plugins/alerting/server/lib/create_alert_event_log_record_object.ts
@@ -12,6 +12,7 @@ import { UntypedNormalizedRuleType } from '../rule_type_registry';
 export type Event = Exclude<IEvent, undefined>;
 
 interface CreateAlertEventLogRecordParams {
+ executionId?: string;
  ruleId: string;
  ruleType: UntypedNormalizedRuleType;
  action: string;
@@ -36,7 +37,18 @@ interface CreateAlertEventLogRecordParams {
 }
 
 export function createAlertEventLogRecordObject(params: CreateAlertEventLogRecordParams): Event {
- const { ruleType, action, state, message, task, ruleId, group, subgroup, namespace } = params;
+ const {
+ executionId,
+ ruleType,
+ action,
+ state,
+ message,
+ task,
+ ruleId,
+ group,
+ subgroup,
+ namespace,
+ } = params;
  const alerting =
  params.instanceId || group || subgroup
  ? {
@@ -59,6 +71,17 @@ export function createAlertEventLogRecordObject(params: CreateAlertEventLogRecor
  },
  kibana: {
  ...(alerting ? alerting : {}),
+ ...(executionId
+ ? {
+ alert: {
+ rule: {
+ execution: {
+ uuid: executionId,
+ },
+ },
+ },
+ }
+ : {}),
  saved_objects: params.savedObjects.map((so) => ({
  ...(so.relation ? { rel: so.relation } : {}),
  type: so.type,

diff --git a/x-pack/plugins/alerting/server/rules_client/tests/disable.test.ts b/x-pack/plugins/alerting/server/rules_client/tests/disable.test.ts
@@ -21,6 +21,10 @@ import { getBeforeSetup, setGlobalDate } from './lib';
 import { eventLoggerMock } from '../../../../event_log/server/event_logger.mock';
 import { TaskStatus } from '../../../../task_manager/server';
 
+jest.mock('uuid', () => ({
+ v4: () => '5f6aa57d-3e22-484e-bae8-cbed868f4d28',
+}));
+
 const taskManager = taskManagerMock.createStart();
 const ruleTypeRegistry = ruleTypeRegistryMock.create();
 const unsecuredSavedObjectsClient = savedObjectsClientMock.create();

diff --git a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts
@@ -73,6 +73,7 @@ const createExecutionHandlerParams: jest.Mocked<
  spaceId: 'test1',
  ruleId: '1',
  ruleName: 'name-of-alert',
+ executionId: '5f6aa57d-3e22-484e-bae8-cbed868f4d28',
  tags: ['tag-A', 'tag-B'],
  apiKey: 'MTIzOmFiYw==',
  kibanaBaseUrl: 'http://localhost:5601',
@@ -173,6 +174,13 @@ test('enqueues execution per selected action', async () => {
  "kind": "alert",
  },
  "kibana": Object {
+ "alert": Object {
+ "rule": Object {
+ "execution": Object {
+ "uuid": "5f6aa57d-3e22-484e-bae8-cbed868f4d28",
+ },
+ },
+ },
  "alerting": Object {
  "action_group_id": "default",
  "instance_id": "2",

diff --git a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts
@@ -36,6 +36,7 @@ export interface CreateExecutionHandlerOptions<
 > {
  ruleId: string;
  ruleName: string;
+ executionId: string;
  tags?: string[];
  actionsPlugin: ActionsPluginStartContract;
  actions: AlertAction[];
@@ -83,6 +84,7 @@ export function createExecutionHandler<
  logger,
  ruleId,
  ruleName,
+ executionId,
  tags,
  actionsPlugin,
  actions: ruleActions,
@@ -206,6 +208,7 @@ export function createExecutionHandler<
  ruleId,
  ruleType: ruleType as UntypedNormalizedRuleType,
  action: EVENT_LOG_ACTIONS.executeAction,
+ executionId,
  instanceId: alertId,
  group: actionGroup,
  subgroup: actionSubgroup,