[Rule Registry][RAC] Rename kibana.alert.id to kibana.alert.instance.…

…id (#110528)

* Rename kibana.alert.id to kibana.alert.instance.id

* Update test snapshot

* Fix test

* One more fix

packages/kbn-rule-data-utils/src/technical_field_names.ts

@@ -28,7 +28,7 @@ const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const;
 const ALERT_END = `${ALERT_NAMESPACE}.end` as const;
 const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
 const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
-const ALERT_ID = `${ALERT_NAMESPACE}.id` as const;
+const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const;
 const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
 const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
 const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
@@ -94,7 +94,7 @@ const fields = {
   ALERT_END,
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_PRODUCER,
   ALERT_REASON,
@@ -143,7 +143,7 @@ export {
   ALERT_END,
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_NAMESPACE,
   ALERT_RULE_NAMESPACE,
   ALERT_RULE_CONSUMER,

x-pack/plugins/apm/public/components/shared/charts/helper/get_alert_annotations.test.tsx

@@ -10,7 +10,7 @@ import {
   ALERT_EVALUATION_THRESHOLD,
   ALERT_RULE_TYPE_ID,
   ALERT_EVALUATION_VALUE,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_RULE_PRODUCER,
   ALERT_RULE_CONSUMER,
   ALERT_SEVERITY,
@@ -54,7 +54,7 @@ const alert: Alert = {
   [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
   'event.action': ['active'],
   '@timestamp': ['2021-06-01T16:16:05.183Z'],
-  [ALERT_ID]: ['apm.transaction_duration_All'],
+  [ALERT_INSTANCE_ID]: ['apm.transaction_duration_All'],
   'processor.event': ['transaction'],
   [ALERT_EVALUATION_THRESHOLD]: [500000],
   [ALERT_START]: ['2021-06-01T16:15:02.304Z'],

x-pack/plugins/apm/public/components/shared/charts/latency_chart/latency_chart.stories.tsx

@@ -10,7 +10,7 @@ import {
   ALERT_EVALUATION_THRESHOLD,
   ALERT_RULE_TYPE_ID,
   ALERT_EVALUATION_VALUE,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_SEVERITY,
   ALERT_START,
   ALERT_STATUS,
@@ -142,7 +142,7 @@ Example.args = {
         [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
         'event.action': ['active'],
         '@timestamp': ['2021-06-01T20:27:48.833Z'],
-        [ALERT_ID]: ['apm.transaction_duration_All'],
+        [ALERT_INSTANCE_ID]: ['apm.transaction_duration_All'],
         'processor.event': ['transaction'],
         [ALERT_EVALUATION_THRESHOLD]: [500000],
         [ALERT_START]: ['2021-06-02T04:00:00.000Z'],
@@ -164,7 +164,7 @@ Example.args = {
         [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
         'event.action': ['active'],
         '@timestamp': ['2021-06-01T20:27:48.833Z'],
-        [ALERT_ID]: ['apm.transaction_duration_All'],
+        [ALERT_INSTANCE_ID]: ['apm.transaction_duration_All'],
         'processor.event': ['transaction'],
         [ALERT_EVALUATION_THRESHOLD]: [500000],
         [ALERT_START]: ['2021-06-02T10:45:00.000Z'],
@@ -186,7 +186,7 @@ Example.args = {
         [ALERT_RULE_UUID]: ['82e0ee40-c2f4-11eb-9a42-a9da66a1722f'],
         'event.action': ['active'],
         '@timestamp': ['2021-06-01T20:27:48.833Z'],
-        [ALERT_ID]: ['apm.transaction_duration_All'],
+        [ALERT_INSTANCE_ID]: ['apm.transaction_duration_All'],
         'processor.event': ['transaction'],
         [ALERT_EVALUATION_THRESHOLD]: [500000],
         [ALERT_START]: ['2021-06-02T16:50:00.000Z'],

x-pack/plugins/observability/public/pages/alerts/example_data.ts

@@ -8,7 +8,7 @@
 import {
   ALERT_DURATION,
   ALERT_END,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_SEVERITY,
   ALERT_RULE_TYPE_ID,
   ALERT_START,
@@ -35,7 +35,7 @@ export const apmAlertResponseExample = [
     [ALERT_RULE_UUID]: ['474920d0-93e9-11eb-ac86-0b455460de81'],
     'event.action': ['active'],
     '@timestamp': ['2021-04-12T13:53:49.550Z'],
-    [ALERT_ID]: ['apm.error_rate_opbeans-java_production'],
+    [ALERT_INSTANCE_ID]: ['apm.error_rate_opbeans-java_production'],
     [ALERT_START]: ['2021-04-12T13:50:49.493Z'],
     [ALERT_RULE_PRODUCER]: ['apm'],
     'event.kind': ['state'],
@@ -55,7 +55,7 @@ export const apmAlertResponseExample = [
     [ALERT_RULE_UUID]: ['474920d0-93e9-11eb-ac86-0b455460de81'],
     'event.action': ['close'],
     '@timestamp': ['2021-04-12T13:49:49.446Z'],
-    [ALERT_ID]: ['apm.error_rate_opbeans-java_production'],
+    [ALERT_INSTANCE_ID]: ['apm.error_rate_opbeans-java_production'],
     [ALERT_START]: ['2021-04-12T13:09:30.441Z'],
     [ALERT_RULE_PRODUCER]: ['apm'],
     'event.kind': ['state'],
@@ -116,7 +116,7 @@ export const dynamicIndexPattern = {
       readFromDocValues: true,
     },
     {
-      name: ALERT_ID,
+      name: ALERT_INSTANCE_ID,
       type: 'string',
       esTypes: ['keyword'],
       searchable: true,

x-pack/plugins/rule_registry/README.md

@@ -130,7 +130,7 @@ The following fields are defined in the technical field component template and s
 - `kibana.alert.rule.name`: the name of the rule (as specified by the user).
 - `kibana.alert.rule.category`: the name of the rule type (as defined by the rule type producer)
 - `kibana.alert.rule.consumer`: the feature which produced the alert (inherited from the rule producer field). Usually a Kibana feature id like `apm`, `siem`...
-- `kibana.alert.id`: the id of the alert, that is unique within the context of the rule execution it was created in. E.g., for a rule that monitors latency for all services in all environments, this might be `opbeans-java:production`.
+- `kibana.alert.instance.id`: the id of the alert instance, that is unique within the context of the rule execution it was created in. E.g., for a rule that monitors latency for all services in all environments, this might be `opbeans-java:production`.
 - `kibana.alert.uuid`: the unique identifier for the alert during its lifespan. If an alert recovers (or closes), this identifier is re-generated when it is opened again.
 - `kibana.alert.status`: the status of the alert. Can be `active` or `recovered`.
 - `kibana.alert.start`: the ISO timestamp of the time at which the alert started.

x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts

@@ -21,7 +21,7 @@ export const technicalRuleFieldMap = {
   [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword', required: true },
   [Fields.SPACE_IDS]: { type: 'keyword', array: true, required: true },
   [Fields.ALERT_UUID]: { type: 'keyword', required: true },
-  [Fields.ALERT_ID]: { type: 'keyword', required: true },
+  [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
   [Fields.ALERT_START]: { type: 'date' },
   [Fields.ALERT_END]: { type: 'date' },
   [Fields.ALERT_DURATION]: { type: 'long' },

x-pack/plugins/rule_registry/server/routes/get_alert_by_id.test.ts

@@ -6,7 +6,7 @@
  */
 
 import {
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_NAME,
@@ -30,7 +30,7 @@ import { getReadRequest } from './__mocks__/request_responses';
 import { requestMock, serverMock } from './__mocks__/server';
 
 const getMockAlert = (): ParsedTechnicalFields => ({
-  [ALERT_ID]: 'fake-alert-id',
+  [ALERT_INSTANCE_ID]: 'fake-alert-id',
   [ALERT_RULE_CATEGORY]: 'apm.error_rate',
   [ALERT_RULE_CONSUMER]: 'apm',
   [ALERT_RULE_NAME]: 'Check error rate',

x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.test.ts

@@ -7,7 +7,7 @@
 
 import { loggerMock } from '@kbn/logging/mocks';
 import {
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_NAME,
@@ -91,14 +91,14 @@ describe('createLifecycleExecutor', () => {
           // alert documents
           { index: { _id: expect.any(String) } },
           expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_0',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
             [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
             [EVENT_ACTION]: 'open',
             [EVENT_KIND]: 'signal',
           }),
           { index: { _id: expect.any(String) } },
           expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_1',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
             [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
             [EVENT_ACTION]: 'open',
             [EVENT_KIND]: 'signal',
@@ -128,7 +128,7 @@ describe('createLifecycleExecutor', () => {
           {
             fields: {
               '@timestamp': '',
-              [ALERT_ID]: 'TEST_ALERT_0',
+              [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
               [ALERT_UUID]: 'ALERT_0_UUID',
               [ALERT_RULE_CATEGORY]: 'RULE_TYPE_NAME',
               [ALERT_RULE_CONSUMER]: 'CONSUMER',
@@ -145,7 +145,7 @@ describe('createLifecycleExecutor', () => {
           {
             fields: {
               '@timestamp': '',
-              [ALERT_ID]: 'TEST_ALERT_1',
+              [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
               [ALERT_UUID]: 'ALERT_1_UUID',
               [ALERT_RULE_CATEGORY]: 'RULE_TYPE_NAME',
               [ALERT_RULE_CONSUMER]: 'CONSUMER',
@@ -206,7 +206,7 @@ describe('createLifecycleExecutor', () => {
           // alert document
           { index: { _id: 'TEST_ALERT_0_UUID' } },
           expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_0',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
             [ALERT_WORKFLOW_STATUS]: 'closed',
             [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
             labels: { LABEL_0_KEY: 'LABEL_0_VALUE' },
@@ -216,7 +216,7 @@ describe('createLifecycleExecutor', () => {
           }),
           { index: { _id: 'TEST_ALERT_1_UUID' } },
           expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_1',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
             [ALERT_WORKFLOW_STATUS]: 'open',
             [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
 
@@ -248,7 +248,7 @@ describe('createLifecycleExecutor', () => {
           {
             fields: {
               '@timestamp': '',
-              [ALERT_ID]: 'TEST_ALERT_0',
+              [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
               [ALERT_UUID]: 'ALERT_0_UUID',
               [ALERT_RULE_CATEGORY]: 'RULE_TYPE_NAME',
               [ALERT_RULE_CONSUMER]: 'CONSUMER',
@@ -264,7 +264,7 @@ describe('createLifecycleExecutor', () => {
           {
             fields: {
               '@timestamp': '',
-              [ALERT_ID]: 'TEST_ALERT_1',
+              [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
               [ALERT_UUID]: 'ALERT_1_UUID',
               [ALERT_RULE_CATEGORY]: 'RULE_TYPE_NAME',
               [ALERT_RULE_CONSUMER]: 'CONSUMER',
@@ -321,15 +321,15 @@ describe('createLifecycleExecutor', () => {
           // alert document
           { index: { _id: 'TEST_ALERT_0_UUID' } },
           expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_0',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_0',
             [ALERT_STATUS]: ALERT_STATUS_RECOVERED,
             labels: { LABEL_0_KEY: 'LABEL_0_VALUE' },
             [EVENT_ACTION]: 'close',
             [EVENT_KIND]: 'signal',
           }),
           { index: { _id: 'TEST_ALERT_1_UUID' } },
           expect.objectContaining({
-            [ALERT_ID]: 'TEST_ALERT_1',
+            [ALERT_INSTANCE_ID]: 'TEST_ALERT_1',
             [ALERT_STATUS]: ALERT_STATUS_ACTIVE,
             [EVENT_ACTION]: 'active',
             [EVENT_KIND]: 'signal',

x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts

@@ -22,7 +22,7 @@ import { ParsedTechnicalFields, parseTechnicalFields } from '../../common/parse_
 import {
   ALERT_DURATION,
   ALERT_END,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_RULE_UUID,
   ALERT_START,
   ALERT_STATUS,
@@ -228,7 +228,7 @@ export const createLifecycleExecutor = (
 
     hits.hits.forEach((hit) => {
       const fields = parseTechnicalFields(hit.fields);
-      const alertId = fields[ALERT_ID];
+      const alertId = fields[ALERT_INSTANCE_ID];
       alertsDataMap[alertId] = {
         ...commonRuleFields,
         ...fields,
@@ -255,7 +255,7 @@ export const createLifecycleExecutor = (
       ...alertData,
       ...commonRuleFields,
       [ALERT_DURATION]: (options.startedAt.getTime() - new Date(started).getTime()) * 1000,
-      [ALERT_ID]: alertId,
+      [ALERT_INSTANCE_ID]: alertId,
       [ALERT_START]: started,
       [ALERT_STATUS]: isActive ? ALERT_STATUS_ACTIVE : ALERT_STATUS_RECOVERED,
       [ALERT_WORKFLOW_STATUS]: alertData[ALERT_WORKFLOW_STATUS] ?? 'open',
@@ -281,7 +281,7 @@ export const createLifecycleExecutor = (
     eventsToIndex
       .filter((event) => event[ALERT_STATUS] !== 'closed')
       .map((event) => {
-        const alertId = event[ALERT_ID]!;
+        const alertId = event[ALERT_INSTANCE_ID]!;
         const alertUuid = event[ALERT_UUID]!;
         const started = new Date(event[ALERT_START]!).toISOString();
         return [alertId, { alertId, alertUuid, started }];

x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts

@@ -198,7 +198,7 @@ describe('createLifecycleRuleTypeFactory', () => {
               "event.action": "open",
               "event.kind": "signal",
               "kibana.alert.duration.us": 0,
-              "kibana.alert.id": "opbeans-java",
+              "kibana.alert.instance.id": "opbeans-java",
               "kibana.alert.rule.category": "ruleTypeName",
               "kibana.alert.rule.consumer": "consumer",
               "kibana.alert.rule.name": "name",
@@ -222,7 +222,7 @@ describe('createLifecycleRuleTypeFactory', () => {
               "event.action": "open",
               "event.kind": "signal",
               "kibana.alert.duration.us": 0,
-              "kibana.alert.id": "opbeans-node",
+              "kibana.alert.instance.id": "opbeans-node",
               "kibana.alert.rule.category": "ruleTypeName",
               "kibana.alert.rule.consumer": "consumer",
               "kibana.alert.rule.name": "name",

x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_factory.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { ALERT_ID, VERSION } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID, VERSION } from '@kbn/rule-data-utils';
 import { getCommonAlertFields } from './get_common_alert_fields';
 import { CreatePersistenceRuleTypeFactory } from './persistence_types';
 
@@ -31,7 +31,7 @@ export const createPersistenceRuleTypeFactory: CreatePersistenceRuleTypeFactory
                 body: alerts.flatMap((event) => [
                   { index: {} },
                   {
-                    [ALERT_ID]: event.id,
+                    [ALERT_INSTANCE_ID]: event.id,
                     [VERSION]: ruleDataClient.kibanaVersion,
                     ...commonRuleFields,
                     ...event.fields,

x-pack/plugins/rule_registry/server/utils/get_common_alert_fields.ts

@@ -9,7 +9,7 @@ import { Values } from '@kbn/utility-types';
 import { AlertExecutorOptions } from '../../../alerting/server';
 import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 import {
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_UUID,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
@@ -35,7 +35,7 @@ const commonAlertFieldNames = [
 ];
 export type CommonAlertFieldName = Values<typeof commonAlertFieldNames>;
 
-const commonAlertIdFieldNames = [ALERT_ID, ALERT_UUID];
+const commonAlertIdFieldNames = [ALERT_INSTANCE_ID, ALERT_UUID];
 export type CommonAlertIdFieldName = Values<typeof commonAlertIdFieldNames>;
 
 export type CommonAlertFields = Pick<ParsedTechnicalFields, CommonAlertFieldName>;

x-pack/plugins/rule_registry/server/utils/rule_executor_test_utils.ts

@@ -24,7 +24,7 @@ export const createDefaultAlertExecutorOptions = <
   InstanceContext extends AlertInstanceContext = {},
   ActionGroupIds extends string = ''
 >({
-  alertId = 'ALERT_ID',
+  alertId = 'ALERT_INSTANCE_ID',
   ruleName = 'ALERT_RULE_NAME',
   params,
   state,

x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx

@@ -7,7 +7,7 @@
 
 import {
   ALERT_DURATION,
-  ALERT_ID,
+  ALERT_INSTANCE_ID,
   ALERT_RULE_PRODUCER,
   ALERT_START,
   ALERT_WORKFLOW_STATUS,
@@ -275,7 +275,7 @@ export const buildShowBuildingBlockFilterRuleRegistry = (
 
 export const requiredFieldMappingsForActionsRuleRegistry = {
   '@timestamp': '@timestamp',
-  'alert.id': ALERT_ID,
+  'alert.instance.id': ALERT_INSTANCE_ID,
   'event.kind': 'event.kind',
   'alert.start': ALERT_START,
   'alert.uuid': ALERT_UUID,

x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts

@@ -12,7 +12,7 @@ import uuidv5 from 'uuid/v5';
 import dateMath from '@elastic/datemath';
 import type { estypes } from '@elastic/elasticsearch';
 import { ApiResponse, Context } from '@elastic/elasticsearch/lib/Transport';
-import { ALERT_ID } from '@kbn/rule-data-utils';
+import { ALERT_INSTANCE_ID } from '@kbn/rule-data-utils';
 import type { ListArray, ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-types';
 import { MAX_EXCEPTION_LIST_SIZE } from '@kbn/securitysolution-list-constants';
 import { hasLargeValueList } from '@kbn/securitysolution-list-utils';
@@ -987,7 +987,7 @@ export const isWrappedSignalHit = (event: SimpleHit): event is WrappedSignalHit
 };
 
 export const isWrappedRACAlert = (event: SimpleHit): event is WrappedRACAlert => {
-  return (event as WrappedRACAlert)?._source?.[ALERT_ID] != null;
+  return (event as WrappedRACAlert)?._source?.[ALERT_INSTANCE_ID] != null;
 };
 
 export const getField = <T extends SearchTypes>(event: SimpleHit, field: string): T | undefined => {