[RAC][Rule Registry] Rule registry executors skip writing AAD when execution is cancelled #113804

Closed
ymao1 opened this issue Oct 4, 2021 · 5 comments · Fixed by #114518
Labels
estimate:small Small Estimated Level of Effort Feature:Observability RAC Feature:RAC label obsolete Team:Observability Team label for Observability Team (for things that are handled across all of observability) Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete

Comments

@ymao1
Contributor

ymao1 commented Oct 4, 2021

As part of this investigation, we have identified improvements in the way the alerting framework can respond to being cancelled. With this issue, we are planning to (configurably) skip scheduling actions for rules that have been cancelled due to task timeout. With this issue, we are planning to pass a helper function executionIsCancelled() that allows executors to check whether or not they should continue execution.

In order to be consistent with these framework changes, the rule registry executors should be checking whether or not rule execution is cancelled before writing AAD, otherwise this will lead to inconsistencies. For example, the rule registry could continue to write out AAD documents while the rule execution status is in error with reason timeout and no notifications are sent.

@botelastic botelastic bot added the needs-team Issues missing a team label label Oct 4, 2021
@ymao1
Contributor Author

ymao1 commented Oct 4, 2021

It looks like there are currently two rule registry executor types: lifecycle_rule_type and persistence_rule_type.

Inside the lifecycle_rule_type, we could add a check to this existing check:

```ts
if (allEventsToIndex.length > 0 && ruleDataClient.isWriteEnabled()) {
  logger.debug(`Preparing to index ${allEventsToIndex.length} alerts.`);
  await ruleDataClient.getWriter().bulk({
    body: allEventsToIndex.flatMap(({ event, indexName }) => [
      indexName
        ? { index: { _id: event[ALERT_UUID]!, _index: indexName, require_alias: false } }
        : { index: { _id: event[ALERT_UUID]! } },
      event,
    ]),
  });
}
```

to ensure !executionIsCancelled() AND rule type is not skipping actions

Inside the persistence_rule_type, we could add a check to this existing check:

```ts
if (ruleDataClient.isWriteEnabled() && numAlerts) {
  const commonRuleFields = getCommonAlertFields(options);
  const response = await ruleDataClient.getWriter().bulk({
    body: alerts.flatMap((alert) => [
      { index: {} },
      {
        [ALERT_INSTANCE_ID]: alert.id,
        [VERSION]: ruleDataClient.kibanaVersion,
        ...commonRuleFields,
        ...alert.fields,
      },
    ]),
    refresh,
  });
  return response;
} else {
```
@ymao1
Contributor Author

ymao1 commented Oct 4, 2021

Blocked by #113459 and #113462

@ymao1 ymao1 added Feature:RAC label obsolete Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Theme: rac label obsolete labels Oct 4, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Oct 4, 2021
@ymao1 ymao1 added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 4, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ymao1 ymao1 added Feature:Observability RAC Team:Observability Team label for Observability Team (for things that are handled across all of observability) labels Oct 4, 2021
@gmmorris gmmorris added the estimate:small Small Estimated Level of Effort label Oct 6, 2021
@gmmorris
Contributor

gmmorris commented Oct 6, 2021

Blocked on #113804

@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022