diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
index e6b6494e68a56..672c25d4e8fab 100644
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -34,6 +34,7 @@ const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
 const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
 const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
 const ALERT_START = `${ALERT_NAMESPACE}.start` as const;
+const ALERT_TIME_RANGE = `${ALERT_NAMESPACE}.time_range` as const;
 const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const;
 const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const;
 const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
@@ -126,6 +127,7 @@ const fields = {
 ALERT_RULE_UPDATED_BY,
 ALERT_RULE_VERSION,
 ALERT_START,
+ ALERT_TIME_RANGE,
 ALERT_SEVERITY,
 ALERT_STATUS,
 ALERT_SYSTEM_STATUS,
@@ -183,6 +185,7 @@ export {
 ALERT_RULE_VERSION,
 ALERT_SEVERITY,
 ALERT_START,
+ ALERT_TIME_RANGE,
 ALERT_SYSTEM_STATUS,
 ALERT_UUID,
 ECS_VERSION,
diff --git a/x-pack/plugins/rule_registry/README.md b/x-pack/plugins/rule_registry/README.md
index 6ca34fc9ece18..e0d79482e29f7 100644
--- a/x-pack/plugins/rule_registry/README.md
+++ b/x-pack/plugins/rule_registry/README.md
@@ -143,6 +143,7 @@ The following fields are defined in the technical field component template and s
 - `kibana.alert.ancestors`: the array of ancestors (if any) for the alert.
 - `kibana.alert.depth`: the depth of the alert in the ancestral tree (default 0).
 - `kibana.alert.building_block_type`: the building block type of the alert (default undefined).
+- `kibana.alert.time_range`: the time range of an alert. (default undefined).
 # Alerts as data
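Review bot: `ALERT_TIME_RANGE` is inserted between `ALERT_START` and `ALERT_STATUS` in the `@@ -34` hunk, which breaks the alphabetical order the surrounding constants follow; the same happens in the `export {` hunk (`@@ -183`, placed before `ALERT_SYSTEM_STATUS`), in the import hunk of create_lifecycle_executor.ts (placed before `ALERT_DURATION`) and in the import hunk of create_lifecycle_rule_type.test.ts (placed after `ALERT_UUID`). Moving the new name after `ALERT_SYSTEM_STATUS` in the constant block and export list, and into sorted position in the two import lists, keeps these long lists grep-friendly and reduces merge conflicts. The constant, the `fields` object entry and the export are otherwise consistent with each other.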
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
index 06f00d9b6e6f8..32406f7a87fca 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@@ -198,6 +198,10 @@ it('matches snapshot', () => {
 "required": false,
 "type": "keyword",
 },
+ "kibana.alert.time_range": Object {
+ "format": "epoch_millis||strict_date_optional_time",
+ "type": "date_range",
+ },
 "kibana.alert.uuid": Object {
 "required": true,
 "type": "keyword",
diff --git a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
index ba1703b8be5da..2233f2d977010 100644
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@@ -25,6 +25,10 @@ export const technicalRuleFieldMap = {
 [Fields.ALERT_UUID]: { type: 'keyword', required: true },
 [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
 [Fields.ALERT_START]: { type: 'date' },
+ [Fields.ALERT_TIME_RANGE]: {
+ type: 'date_range',
+ format: 'epoch_millis||strict_date_optional_time',
+ },
 [Fields.ALERT_END]: { type: 'date' },
 [Fields.ALERT_DURATION]: { type: 'long' },
 [Fields.ALERT_SEVERITY]: { type: 'keyword' },
diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts
index da68ef3c4c7b6..160e06d03e92a 100644
--- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts
+++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts
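Review bot: The new `date_range` entry in the technical_rule_field_map.ts hunk carries no comment on how its two bounds are populated, and since the lifecycle executor writes only `gte` for active alerts, a reader of the field map cannot tell that a missing upper bound is the normal state of a live alert rather than a data error. Suggest a comment above `[Fields.ALERT_TIME_RANGE]`: `// Open-ended (gte only) while the alert is active; lte is filled with the recovery timestamp once it recovers.` The `format` value accepts the ISO strings the executor stores, as the test snapshots in create_lifecycle_rule_type.test.ts show, so the mapping itself looks right; the `technicalRuleFieldMap` object continues outside the hunk.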
@@ -22,6 +22,7 @@ import {
 import { ParsedExperimentalFields } from '../../common/parse_experimental_fields';
 import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 import {
+ ALERT_TIME_RANGE,
 ALERT_DURATION,
 ALERT_END,
 ALERT_INSTANCE_ID,
@@ -235,7 +236,12 @@ export const createLifecycleExecutor =
 ...commonRuleFields,
 ...currentAlertData,
 [ALERT_DURATION]: (options.startedAt.getTime() - new Date(started).getTime()) * 1000,
-
+[ALERT_TIME_RANGE]: isRecovered
+ ? {
+ gte: started,
+ lte: commonRuleFields[TIMESTAMP],
+ }
+ : { gte: started },
 [ALERT_INSTANCE_ID]: alertId,
 [ALERT_START]: started,
 [ALERT_UUID]: alertUuid,
diff --git a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
index 6a3660494d181..acb12645cbaed 100644
--- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
+++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
@@ -12,6 +12,7 @@ import {
 ALERT_STATUS_ACTIVE,
 ALERT_STATUS_RECOVERED,
 ALERT_UUID,
+ ALERT_TIME_RANGE,
 } from '@kbn/rule-data-utils';
 import { loggerMock } from '@kbn/logging-mocks';
 import { castArray, omit } from 'lodash';
@@ -245,6 +246,9 @@ describe('createLifecycleRuleTypeFactory', () => {
 "kibana.alert.rule.uuid": "alertId",
 "kibana.alert.start": "2021-06-16T09:01:00.000Z",
 "kibana.alert.status": "active",
+ "kibana.alert.time_range": Object {
+ "gte": "2021-06-16T09:01:00.000Z",
+ },
 "kibana.alert.workflow_status": "open",
 "kibana.space_ids": Array [
 "spaceId",
@@ -273,6 +277,9 @@ describe('createLifecycleRuleTypeFactory', () => {
 "kibana.alert.rule.uuid": "alertId",
 "kibana.alert.start": "2021-06-16T09:01:00.000Z",
 "kibana.alert.status": "active",
+ "kibana.alert.time_range": Object {
+ "gte": "2021-06-16T09:01:00.000Z",
+ },
 "kibana.alert.workflow_status": "open",
 "kibana.space_ids": Array [
 "spaceId",
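Review bot: In the `@@ -235` hunk of create_lifecycle_executor.ts the recovered branch closes the range with `commonRuleFields[TIMESTAMP]`, while `ALERT_DURATION` on the line just above is computed from `options.startedAt`; unless `commonRuleFields[TIMESTAMP]` is derived from that same `startedAt` (not visible in this hunk), a recovered alert's stored range end and its duration can disagree, and the same holds for whatever populates `ALERT_END`. Deriving `lte` from the same source as the duration, or at least asserting their equality in the test, would pin that invariant. `TIMESTAMP` is not among the names added in the `@@ -22` import hunk, so it presumably is already in scope in this file; worth confirming. The conditional also deserves a comment, e.g. `// Active alerts get an open-ended range (gte only); recovery closes it with the recovered document's timestamp.` The enclosing `createLifecycleExecutor` body begins and ends outside the hunk.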
@@ -443,6 +450,10 @@ describe('createLifecycleRuleTypeFactory', () => {
 expect(opbeansNodeAlertDoc['event.action']).toBe('close');
 expect(opbeansNodeAlertDoc[ALERT_STATUS]).toBe(ALERT_STATUS_RECOVERED);
+ expect(opbeansNodeAlertDoc[ALERT_TIME_RANGE]).toEqual({
+ gte: '2021-06-16T09:01:00.000Z',
+ lte: '2021-06-16T09:02:00.000Z',
+ });
 });
 });
 });
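Review bot: The new assertion pins `lte` to the literal `'2021-06-16T09:02:00.000Z'` but does not relate it to the other recovery fields on the same document, so a regression that closes the range with a different timestamp than the one stored as the alert's end would still pass as long as the fixture literals line up. Assuming `ALERT_END` is written for recovered alerts, as the executor's import of it suggests, adding `expect(opbeansNodeAlertDoc[ALERT_TIME_RANGE].lte).toBe(opbeansNodeAlertDoc[ALERT_END]);` (importing `ALERT_END` from `@kbn/rule-data-utils` if this test does not already) would tie the two together. The active-alert case is covered only by the snapshots in the `@@ -245` and `@@ -273` hunks, which show `gte` alone; an explicit check that `lte` is absent for active alerts would complete the pair. The enclosing `describe` and `it` blocks begin outside the hunk.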