Adding autoRecoverAlerts flag to rule type to determine whether recov…

…ery alerts should be calculated and alerts stored in task state. Hacking 1h throttle to 5m for testing
elastic · Dec 14, 2022 · 526f376 · 526f376
1 parent 81b1a67
commit 526f376
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 11 deletions.
diff --git a/x-pack/plugins/alerting/server/lib/process_alerts.ts b/x-pack/plugins/alerting/server/lib/process_alerts.ts
@@ -20,6 +20,7 @@ interface ProcessAlertsOpts<
   previouslyRecoveredAlerts: Record<string, Alert<State, Context>>;
   hasReachedAlertLimit: boolean;
   alertLimit: number;
+  autoRecoverAlerts: boolean;
   // flag used to determine whether or not we want to push the flapping state on to the flappingHistory array
   setFlapping: boolean;
 }
@@ -47,6 +48,7 @@ export function processAlerts<
   previouslyRecoveredAlerts,
   hasReachedAlertLimit,
   alertLimit,
+  autoRecoverAlerts,
   setFlapping,
 }: ProcessAlertsOpts<State, Context>): ProcessAlertsResult<
   State,
@@ -62,7 +64,13 @@ export function processAlerts<
         alertLimit,
         setFlapping
       )
-    : processAlertsHelper(alerts, existingAlerts, previouslyRecoveredAlerts, setFlapping);
+    : processAlertsHelper(
+        alerts,
+        existingAlerts,
+        previouslyRecoveredAlerts,
+        autoRecoverAlerts,
+        setFlapping
+      );
 }
 
 function processAlertsHelper<
@@ -74,6 +82,7 @@ function processAlertsHelper<
   alerts: Record<string, Alert<State, Context>>,
   existingAlerts: Record<string, Alert<State, Context>>,
   previouslyRecoveredAlerts: Record<string, Alert<State, Context>>,
+  autoRecoverAlerts: boolean,
   setFlapping: boolean
 ): ProcessAlertsResult<State, Context, ActionGroupIds, RecoveryActionGroupId> {
   const existingAlertIds = new Set(Object.keys(existingAlerts));
@@ -123,7 +132,7 @@ function processAlertsHelper<
             updateAlertFlappingHistory(activeAlerts[id], false);
           }
         }
-      } else if (existingAlertIds.has(id)) {
+      } else if (existingAlertIds.has(id) && autoRecoverAlerts) {
         recoveredAlerts[id] = alerts[id];
         currentRecoveredAlerts[id] = alerts[id];
 

diff --git a/x-pack/plugins/alerting/server/plugin.ts b/x-pack/plugins/alerting/server/plugin.ts
@@ -335,6 +335,8 @@ export class AlertingPlugin {
         ruleType.cancelAlertsOnRuleTimeout =
           ruleType.cancelAlertsOnRuleTimeout ?? this.config.cancelAlertsOnRuleTimeout;
         ruleType.doesSetRecoveryContext = ruleType.doesSetRecoveryContext ?? false;
+        ruleType.autoRecoverAlerts =
+          ruleType.autoRecoverAlerts === undefined ? true : ruleType.autoRecoverAlerts;
         ruleTypeRegistry.register(ruleType);
       },
       getSecurityHealth: async () => {

diff --git a/x-pack/plugins/alerting/server/task_runner/task_runner.ts b/x-pack/plugins/alerting/server/task_runner/task_runner.ts
@@ -49,6 +49,7 @@ import {
   RuleTypeState,
   parseDuration,
   WithoutReservedActionGroups,
+  RawAlertInstance,
 } from '../../common';
 import { NormalizedRuleType, UntypedNormalizedRuleType } from '../rule_type_registry';
 import { getEsErrorMessage } from '../lib/errors';
@@ -415,6 +416,8 @@ export class TaskRunner<
           previouslyRecoveredAlerts: originalRecoveredAlerts,
           hasReachedAlertLimit,
           alertLimit: this.maxAlerts,
+          autoRecoverAlerts:
+            this.ruleType.autoRecoverAlerts !== undefined ? this.ruleType.autoRecoverAlerts : true,
           setFlapping: true,
         });
 
@@ -479,12 +482,20 @@ export class TaskRunner<
       }
     });
 
-    const { alertsToReturn, recoveredAlertsToReturn } = determineAlertsToReturn<
-      State,
-      Context,
-      ActionGroupIds,
-      RecoveryActionGroupId
-    >(activeAlerts, recoveredAlerts);
+    let alertsToReturn: Record<string, RawAlertInstance> = {};
+    let recoveredAlertsToReturn: Record<string, RawAlertInstance> = {};
+
+    // Only serialize alerts into task state if we're auto-recovering, otherwise
+    // we don't need to keep this information around.
+    if (this.ruleType.autoRecoverAlerts) {
+      const { alertsToReturn: alerts, recoveredAlertsToReturn: recovered } =
+        determineAlertsToReturn<State, Context, ActionGroupIds, RecoveryActionGroupId>(
+          activeAlerts,
+          recoveredAlerts
+        );
+      alertsToReturn = alerts;
+      recoveredAlertsToReturn = recovered;
+    }
 
     return {
       metrics: ruleRunMetricsStore.getMetrics(),

diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts
@@ -196,6 +196,12 @@ export interface RuleType<
   cancelAlertsOnRuleTimeout?: boolean;
   doesSetRecoveryContext?: boolean;
   getSummarizedAlerts?: GetSummarizedAlertsFn;
+
+  /**
+   * Determines whether framework should
+   * automatically make recovery determination. Defaults to true.
+   */
+  autoRecoverAlerts?: boolean;
 }
 export type UntypedRuleType = RuleType<
   RuleTypeParams,

diff --git a/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts b/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts
@@ -137,6 +137,7 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper
                     };
                   })
                   .filter((_, idx) => response.body.items[idx].create?.status === 201);
+                console.log(`persistence alerts ${createdAlerts.length}`);
 
                 createdAlerts.forEach((alert) =>
                   options.services.alertFactory.create(alert._id).scheduleActions('default', {})

diff --git a/.../security_solution/server/lib/detection_engine/rule_management/logic/crud/update_rules.ts b/.../security_solution/server/lib/detection_engine/rule_management/logic/crud/update_rules.ts
@@ -87,7 +87,7 @@ export const updateRules = async ({
               frequency: {
                 summary: throttle !== null,
                 notifyWhen,
-                throttle,
+                throttle: throttle === '1h' ? '5m' : throttle,
               },
             };
           })

diff --git a/...ity_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts b/...ity_solution/server/lib/detection_engine/rule_management/normalization/rule_converters.ts
@@ -476,7 +476,7 @@ export const convertPatchAPIToInternalSchema = (
             frequency: {
               summary: throttle !== null,
               notifyWhen,
-              throttle,
+              throttle: throttle === '1h' ? '5m' : throttle,
             },
           };
         })
@@ -546,7 +546,7 @@ export const convertCreateAPIToInternalSchema = (
           frequency: {
             summary: throttle !== null,
             notifyWhen,
-            throttle,
+            throttle: throttle === '1h' ? '5m' : throttle,
           },
         };
       }) ?? [],

diff --git a/...rity_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts b/...rity_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
@@ -54,6 +54,7 @@ export const createSecurityRuleTypeWrapper: CreateSecurityRuleTypeWrapper =
         injectReferences: (params, savedObjectReferences) =>
           injectReferences({ logger, params, savedObjectReferences }),
       },
+      autoRecoverAlerts: false,
       async executor(options) {
         agent.setTransactionName(`${options.rule.ruleTypeId} execution`);
         return withSecuritySpan('securityRuleTypeExecutor', async () => {