Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Cases] Bulk add alerts to a case #128875

Closed
5 tasks done
cnasikas opened this issue Mar 30, 2022 · 2 comments
Closed
5 tasks done

[Cases] Bulk add alerts to a case #128875

cnasikas opened this issue Mar 30, 2022 · 2 comments
Assignees
@cnasikas
Labels
Feature:Cases Cases feature Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.3.0

Comments

@cnasikas
Copy link
Member

cnasikas commented Mar 30, 2022
edited by academo
Loading

Summary

At the moment of writing, users can attach one alert to a case per time. This limits users and can be a usability hurdle when users want to attach multiple alerts at once.

Architecture

Each attachment is saved as a saved object record on the cases-comments saved object. Each attachment has a type. The type alert is for alert attachments. The schema of the attachment is:

alertId: string[] | string;
index: string[] | string;
rule: { id: string, name: string }

Cases provide two hooks for attaching attachments to a case. Both of them accept an array of attachments. With the current schema, alert attachments are grouped by rule so the consumer of the hooks should group the alerts by rule and create one attachment for each group. For example:

const attachments = groupByRule(selectedAlerts);
cases.hooks.getUseCasesAddToExistingCaseModal({
    attachments,
  });

An internal bulk creates API will be created so one call will be made to create the attachments.

UI

A single event in the comment list (user action) will be created for each bulk action. The user can click on the <number> alerts text and view the alerts on the alert's table.

Screenshot 2022-03-30 at 3 23 11 PM

Reference: https://github.com/elastic/stack-design-team/issues/90#issuecomment-953167079

Limits

Circuit breakers should be put in place to ensure performance. Specifically, one for how many alerts can a user attach with a single action and one for how many alerts a user can attach to a case in total. The first limit is to ensure that not many alert ids and indexes will be saved on the same saved object. The second limit is to ensure that the list of the activity in the single case page view will not grow a lot. Having a load more button on the activity timeline could allow for this limit to be relaxed.

We decided with @kobelb to limit users to 1K alerts per case and per action and relaxed it if needed in the future.

Current user flow

alerts.mp4

Tasks

Related issues
@cnasikas cnasikas self-assigned this Mar 30, 2022
@cnasikas cnasikas added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Cases Cases feature v8.3.0 labels Mar 30, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops-cases (Feature:Cases)

@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@nastasha-solomon nastasha-solomon mentioned this issue Jun 2, 2022
Closed
This was referenced Jun 7, 2022
Closed
Closed
@lcawl lcawl mentioned this issue Jun 16, 2022
Closed
15 tasks
@cnasikas cnasikas mentioned this issue Jul 19, 2022
Closed
@lcawl lcawl mentioned this issue Jul 20, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cnasikas cnasikas

Labels
Feature:Cases Cases feature Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.3.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cnasikas @elasticmachine