[ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mapp…

…ings and populate it (#141309) * [ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mappings and populate it * Fixing snapshots to match new reality * Removing the lte (end of range) for active alerts. * Fixing expected resutls for mapping test * fixing tests * updating readme * Fixing field name in README Co-authored-by: Faisal Kanout <[email protected]>
elastic · Oct 4, 2022 · 71aebb7 · 71aebb7
1 parent 77eb802
commit 71aebb7
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 1 deletion.
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -34,6 +34,7 @@ const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
 const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
 const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
 const ALERT_START = `${ALERT_NAMESPACE}.start` as const;
+const ALERT_TIME_RANGE = `${ALERT_NAMESPACE}.time_range` as const;
 const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const;
 const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const;
 const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
@@ -126,6 +127,7 @@ const fields = {
   ALERT_RULE_UPDATED_BY,
   ALERT_RULE_VERSION,
   ALERT_START,
+  ALERT_TIME_RANGE,
   ALERT_SEVERITY,
   ALERT_STATUS,
   ALERT_SYSTEM_STATUS,
@@ -183,6 +185,7 @@ export {
   ALERT_RULE_VERSION,
   ALERT_SEVERITY,
   ALERT_START,
+  ALERT_TIME_RANGE,
   ALERT_SYSTEM_STATUS,
   ALERT_UUID,
   ECS_VERSION,

diff --git a/x-pack/plugins/rule_registry/README.md b/x-pack/plugins/rule_registry/README.md
@@ -143,6 +143,7 @@ The following fields are defined in the technical field component template and s
 - `kibana.alert.ancestors`: the array of ancestors (if any) for the alert.
 - `kibana.alert.depth`: the depth of the alert in the ancestral tree (default 0).
 - `kibana.alert.building_block_type`: the building block type of the alert (default undefined).
+- `kibana.alert.time_range`: the time range of an alert. (default undefined).
 
 # Alerts as data
 

diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@@ -198,6 +198,10 @@ it('matches snapshot', () => {
         "required": false,
         "type": "keyword",
       },
+      "kibana.alert.time_range": Object {
+        "format": "epoch_millis||strict_date_optional_time",
+        "type": "date_range",
+      },
       "kibana.alert.uuid": Object {
         "required": true,
         "type": "keyword",

diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -25,6 +25,10 @@ export const technicalRuleFieldMap = {
   [Fields.ALERT_UUID]: { type: 'keyword', required: true },
   [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
   [Fields.ALERT_START]: { type: 'date' },
+  [Fields.ALERT_TIME_RANGE]: {
+    type: 'date_range',
+    format: 'epoch_millis||strict_date_optional_time',
+  },
   [Fields.ALERT_END]: { type: 'date' },
   [Fields.ALERT_DURATION]: { type: 'long' },
   [Fields.ALERT_SEVERITY]: { type: 'keyword' },

diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts
@@ -22,6 +22,7 @@ import {
 import { ParsedExperimentalFields } from '../../common/parse_experimental_fields';
 import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 import {
+  ALERT_TIME_RANGE,
   ALERT_DURATION,
   ALERT_END,
   ALERT_INSTANCE_ID,
@@ -235,7 +236,12 @@ export const createLifecycleExecutor =
           ...commonRuleFields,
           ...currentAlertData,
           [ALERT_DURATION]: (options.startedAt.getTime() - new Date(started).getTime()) * 1000,
-
+          [ALERT_TIME_RANGE]: isRecovered
+            ? {
+                gte: started,
+                lte: commonRuleFields[TIMESTAMP],
+              }
+            : { gte: started },
           [ALERT_INSTANCE_ID]: alertId,
           [ALERT_START]: started,
           [ALERT_UUID]: alertUuid,

diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
@@ -12,6 +12,7 @@ import {
   ALERT_STATUS_ACTIVE,
   ALERT_STATUS_RECOVERED,
   ALERT_UUID,
+  ALERT_TIME_RANGE,
 } from '@kbn/rule-data-utils';
 import { loggerMock } from '@kbn/logging-mocks';
 import { castArray, omit } from 'lodash';
@@ -245,6 +246,9 @@ describe('createLifecycleRuleTypeFactory', () => {
               "kibana.alert.rule.uuid": "alertId",
               "kibana.alert.start": "2021-06-16T09:01:00.000Z",
               "kibana.alert.status": "active",
+              "kibana.alert.time_range": Object {
+                "gte": "2021-06-16T09:01:00.000Z",
+              },
               "kibana.alert.workflow_status": "open",
               "kibana.space_ids": Array [
                 "spaceId",
@@ -273,6 +277,9 @@ describe('createLifecycleRuleTypeFactory', () => {
               "kibana.alert.rule.uuid": "alertId",
               "kibana.alert.start": "2021-06-16T09:01:00.000Z",
               "kibana.alert.status": "active",
+              "kibana.alert.time_range": Object {
+                "gte": "2021-06-16T09:01:00.000Z",
+              },
               "kibana.alert.workflow_status": "open",
               "kibana.space_ids": Array [
                 "spaceId",
@@ -443,6 +450,10 @@ describe('createLifecycleRuleTypeFactory', () => {
 
         expect(opbeansNodeAlertDoc['event.action']).toBe('close');
         expect(opbeansNodeAlertDoc[ALERT_STATUS]).toBe(ALERT_STATUS_RECOVERED);
+        expect(opbeansNodeAlertDoc[ALERT_TIME_RANGE]).toEqual({
+          gte: '2021-06-16T09:01:00.000Z',
+          lte: '2021-06-16T09:02:00.000Z',
+        });
       });
     });
   });