[ResponseOps][Connectors] Opsgenie Connector

[jonathan-buttner]

Summary

This issue describes the work for the MVP Opsgenie connector.

Users would like to push Kibana alerts to Opsgenie. To facilitate this we will create an external integration.

Related issue: #56403

Requirements

• A user can create an alert within Opsgenie when an alert is triggered within the Kibana alerting framework
• A user can close an alert within Opsgenie when an alert is recovered within the Kibana alerting framework

The MVP does not include creating incidents from Cases.

License

• The Opsgenie connector will be available to users with platinum level

Limitations

• The connector will only support closing alerts within Opsgenie when an alert is recovered. It will not support closing the alert when a user directly closes an alert (for example closing a Security alert).

Design

In the current actions framework design, a user will need to create two separate actions to manage creating and closing Opsgenie alerts. The work for this connector will include investigating how to make it easier for users to setup the action to close the alert within Opsgenie when the alert recovers within Kibana.

Deduplication

Opsgenie provides the alias key to provide alert deduplication (their docs). The connector will expose this field and default it to the mustache template {{rule.id}}:{{alert.id}}. The same key will be used to close an alert. Opsgenie guarantees that only one alert can be open with a single alias. If another Kibana alert is generate that would create another Opsgenie alert with the same alias, Opsgenie will increase a counter within the existing alert.

Opsgenie requires that the alias be no more than 512 characters. It is possible (but unlikely) that {{rule.id}}:{{alert.id}} can result in a value longer than the Opsgenie limit. If the resulting alias would be greater than 512 characters, the connector will hash the value using sha256 and use the result as the alias instead.

Implementation

We use multiple phases to implement the functionality for the connector. This section will outline the functionality that will be built within each phase. The goal is to complete phases 1-3.

Phase 1 - Completed

• The backend implementation for creating and closing alerts ([ResponseOps][Stack Connectors] Opsgenie backend #142164)
  • The backend will have support for the following fields
    • Creating an alert: alias, description, responders, visibleTo, actions, tags, details, entity, source, priority, user, and note Opsgenie create alert docs
    • Closing an alert: user, source, note Opsgenie close alert docs
• The frontend implementation for creating and closing alerts ([ResponseOps][Stack Connectors] Opsgenie connector UI #142411)
  • Two separate actions must be used for creating and closing
  • Only the message, description, and alias fields will be supported for creating an alert
  • Only the alias and note fields will be included in the form for closing an alert

Phase 2 (#143480)

• Include support for the remain Opsgenie fields for creating and closing alerts
• If the run when is trigger/create then default the action's value to create and hide the field for selecting the action
• If the run when is recover then default the action's value to close and hide the field for selecting the action
• When going through the testing form, the action's field will be shown so the create and close action can be tested
• Add a component that allows the user to select the field they are interested in rather than adding all the fields by default
  • We didn't have time to implement this, instead we added most of the simple fields in a More options section that is initially hidden. For the complex fields, users can leverage the JSON editor to create them

Phase 3

• Add a button to automatically add the recover action within the create alert action
• Add a default value to the description field when creating an alert
  • A link back to the alert/rule/detection ([ResponseOps][Rules] Adding rule.url variable #145035)
  • A link back to the rule in the specific solution ([ResponseOps][Actions] Add rule callback for each rule type #145190)
  • A link back to the query/filter/threshold - (Not sure if this is feasible)

Open questions

• What license level is required for access to this connector? platinum

Leverage Opsgenie Integration

Opsgenie has an integration marketplace, we need to investigate what support an Elastic integration would provide. Depending on the level of effort to create the integration it could be included in the MVP.

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[shanisagiv1]

Thanks @jonathan-buttner for the summary. LGTM it's aligned with everything we've discussed. You can remove the open question, I see you mention it in the Req section ;) Thanks!

[pmuellr]

If the resulting alias would be greater than 512 characters, the connector will hash the value using sha256 and use the result as the alias instead.

This sounds good, and just saw a demo of it. One thought would be to prefix the sha'd strings with sha- or such, so we'll hopefully be able to recognize this is a sha'd dedup id, and not something the user passed directly or via context vars.