[Response Ops] Onboard metric threshold rule type to use framework al…

…erts as data (#166664)

Resolves #164220

## Summary

Removes the lifecycle executor wrapper around the metric threshold rule
type executor so that this rule type is using the framework alerts
client to write alerts as data documents.

### Response ops changes
- Passing in task `startedAt` date to the alerts client. Lifecycle
executor rules use this standardized timestamp for the `@timestamp`
field of the AaD doc, as well as for the start and end time of an alert

### Metric threshold rule changes
- Switch to using the alerts client in the executor to report alerts and
to get recovered alert information.

---------

Co-authored-by: Kibana Machine <[email protected]>

packages/kbn-alerts-as-data-utils/src/schemas/create_schema_from_field_map.ts

@@ -150,7 +150,7 @@ const generateSchemaLines = ({
         break;
       case 'object':
       case 'nested':
-        if (!isEnabled) {
+        if (!isEnabled || !isArray) {
           lineWriter.addLine(`${keyToWrite}: ${getSchemaDefinition('schemaUnknown', isArray)},`);
         } else if (isArray && null != fieldMap.properties) {
           lineWriter.addLineAndIndent(`${keyToWrite}: rt.array(`);

packages/kbn-alerts-as-data-utils/src/schemas/generated/ecs_schema.ts

@@ -152,6 +152,7 @@ const EcsOptional = rt.partial({
   'container.image.hash.all': schemaStringArray,
   'container.image.name': schemaString,
   'container.image.tag': schemaStringArray,
+  'container.labels': schemaUnknown,
   'container.memory.usage': schemaStringOrNumber,
   'container.name': schemaString,
   'container.network.egress.bytes': schemaStringOrNumber,
@@ -307,6 +308,7 @@ const EcsOptional = rt.partial({
   'faas.execution': schemaString,
   'faas.id': schemaString,
   'faas.name': schemaString,
+  'faas.trigger': schemaUnknown,
   'faas.version': schemaString,
   'file.accessed': schemaDate,
   'file.attributes': schemaStringArray,
@@ -471,26 +473,30 @@ const EcsOptional = rt.partial({
   'http.response.mime_type': schemaString,
   'http.response.status_code': schemaStringOrNumber,
   'http.version': schemaString,
+  labels: schemaUnknown,
   'log.file.path': schemaString,
   'log.level': schemaString,
   'log.logger': schemaString,
   'log.origin.file.line': schemaStringOrNumber,
   'log.origin.file.name': schemaString,
   'log.origin.function': schemaString,
+  'log.syslog': schemaUnknown,
   message: schemaString,
   'network.application': schemaString,
   'network.bytes': schemaStringOrNumber,
   'network.community_id': schemaString,
   'network.direction': schemaString,
   'network.forwarded_ip': schemaString,
   'network.iana_number': schemaString,
+  'network.inner': schemaUnknown,
   'network.name': schemaString,
   'network.packets': schemaStringOrNumber,
   'network.protocol': schemaString,
   'network.transport': schemaString,
   'network.type': schemaString,
   'network.vlan.id': schemaString,
   'network.vlan.name': schemaString,
+  'observer.egress': schemaUnknown,
   'observer.geo.city_name': schemaString,
   'observer.geo.continent_code': schemaString,
   'observer.geo.continent_name': schemaString,
@@ -503,6 +509,7 @@ const EcsOptional = rt.partial({
   'observer.geo.region_name': schemaString,
   'observer.geo.timezone': schemaString,
   'observer.hostname': schemaString,
+  'observer.ingress': schemaUnknown,
   'observer.ip': schemaStringArray,
   'observer.mac': schemaStringArray,
   'observer.name': schemaString,
@@ -628,6 +635,7 @@ const EcsOptional = rt.partial({
   'process.entry_leader.start': schemaDate,
   'process.entry_leader.supplemental_groups.id': schemaString,
   'process.entry_leader.supplemental_groups.name': schemaString,
+  'process.entry_leader.tty': schemaUnknown,
   'process.entry_leader.user.id': schemaString,
   'process.entry_leader.user.name': schemaString,
   'process.entry_leader.working_directory': schemaString,
@@ -656,6 +664,7 @@ const EcsOptional = rt.partial({
   'process.group_leader.start': schemaDate,
   'process.group_leader.supplemental_groups.id': schemaString,
   'process.group_leader.supplemental_groups.name': schemaString,
+  'process.group_leader.tty': schemaUnknown,
   'process.group_leader.user.id': schemaString,
   'process.group_leader.user.name': schemaString,
   'process.group_leader.working_directory': schemaString,
@@ -667,6 +676,7 @@ const EcsOptional = rt.partial({
   'process.hash.ssdeep': schemaString,
   'process.hash.tlsh': schemaString,
   'process.interactive': schemaBoolean,
+  'process.io': schemaUnknown,
   'process.name': schemaString,
   'process.parent.args': schemaStringArray,
   'process.parent.args_count': schemaStringOrNumber,
@@ -757,6 +767,7 @@ const EcsOptional = rt.partial({
   'process.parent.thread.id': schemaStringOrNumber,
   'process.parent.thread.name': schemaString,
   'process.parent.title': schemaString,
+  'process.parent.tty': schemaUnknown,
   'process.parent.uptime': schemaStringOrNumber,
   'process.parent.user.id': schemaString,
   'process.parent.user.name': schemaString,
@@ -810,6 +821,7 @@ const EcsOptional = rt.partial({
   'process.session_leader.start': schemaDate,
   'process.session_leader.supplemental_groups.id': schemaString,
   'process.session_leader.supplemental_groups.name': schemaString,
+  'process.session_leader.tty': schemaUnknown,
   'process.session_leader.user.id': schemaString,
   'process.session_leader.user.name': schemaString,
   'process.session_leader.working_directory': schemaString,
@@ -819,6 +831,7 @@ const EcsOptional = rt.partial({
   'process.thread.id': schemaStringOrNumber,
   'process.thread.name': schemaString,
   'process.title': schemaString,
+  'process.tty': schemaUnknown,
   'process.uptime': schemaStringOrNumber,
   'process.user.id': schemaString,
   'process.user.name': schemaString,
@@ -951,6 +964,7 @@ const EcsOptional = rt.partial({
   tags: schemaStringArray,
   'threat.enrichments': rt.array(
     rt.partial({
+      indicator: schemaUnknown,
       'matched.atomic': schemaString,
       'matched.field': schemaString,
       'matched.id': schemaString,

packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_apm_schema.ts

@@ -73,6 +73,7 @@ const ObservabilityApmAlertOptional = rt.partial({
   'agent.name': schemaString,
   'error.grouping_key': schemaString,
   'error.grouping_name': schemaString,
+  'kibana.alert.context': schemaUnknown,
   'kibana.alert.evaluation.threshold': schemaStringOrNumber,
   'kibana.alert.evaluation.value': schemaStringOrNumber,
   'kibana.alert.evaluation.values': schemaStringOrNumberArray,
@@ -82,6 +83,7 @@ const ObservabilityApmAlertOptional = rt.partial({
       value: schemaString,
     })
   ),
+  labels: schemaUnknown,
   'processor.event': schemaString,
   'service.environment': schemaString,
   'service.language.name': schemaString,

packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_logs_schema.ts

@@ -71,6 +71,7 @@ export const schemaGeoPointArray = rt.array(schemaGeoPoint);
 const ObservabilityLogsAlertRequired = rt.type({
 });
 const ObservabilityLogsAlertOptional = rt.partial({
+  'kibana.alert.context': schemaUnknown,
   'kibana.alert.evaluation.threshold': schemaStringOrNumber,
   'kibana.alert.evaluation.value': schemaStringOrNumber,
   'kibana.alert.evaluation.values': schemaStringOrNumberArray,

packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_metrics_schema.ts

@@ -71,6 +71,7 @@ export const schemaGeoPointArray = rt.array(schemaGeoPoint);
 const ObservabilityMetricsAlertRequired = rt.type({
 });
 const ObservabilityMetricsAlertOptional = rt.partial({
+  'kibana.alert.context': schemaUnknown,
   'kibana.alert.evaluation.threshold': schemaStringOrNumber,
   'kibana.alert.evaluation.value': schemaStringOrNumber,
   'kibana.alert.evaluation.values': schemaStringOrNumberArray,

packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_slo_schema.ts

@@ -70,6 +70,7 @@ export const schemaGeoPointArray = rt.array(schemaGeoPoint);
 const ObservabilitySloAlertRequired = rt.type({
 });
 const ObservabilitySloAlertOptional = rt.partial({
+  'kibana.alert.context': schemaUnknown,
   'kibana.alert.evaluation.threshold': schemaStringOrNumber,
   'kibana.alert.evaluation.value': schemaStringOrNumber,
   'kibana.alert.evaluation.values': schemaStringOrNumberArray,

packages/kbn-alerts-as-data-utils/src/schemas/generated/observability_uptime_schema.ts

@@ -74,6 +74,7 @@ const ObservabilityUptimeAlertOptional = rt.partial({
   'anomaly.bucket_span.minutes': schemaString,
   'anomaly.start': schemaDate,
   'error.message': schemaString,
+  'kibana.alert.context': schemaUnknown,
   'kibana.alert.evaluation.threshold': schemaStringOrNumber,
   'kibana.alert.evaluation.value': schemaStringOrNumber,
   'kibana.alert.evaluation.values': schemaStringOrNumberArray,

packages/kbn-alerts-as-data-utils/src/schemas/generated/security_schema.ts

@@ -182,6 +182,7 @@ const SecurityAlertOptional = rt.partial({
   'kibana.alert.suppression.terms.field': schemaStringArray,
   'kibana.alert.suppression.terms.value': schemaStringArray,
   'kibana.alert.system_status': schemaString,
+  'kibana.alert.threshold_result.cardinality': schemaUnknown,
   'kibana.alert.threshold_result.count': schemaStringOrNumber,
   'kibana.alert.threshold_result.from': schemaDate,
   'kibana.alert.threshold_result.terms': rt.array(