
[RAM][Security Solution][Alerts] Support the ability to trigger a rule action per alert generated #153611

Closed
peluja1012 opened this issue Mar 23, 2023 · 3 comments · Fixed by #155384
Assignees
Labels
  • 8.8 candidate
  • enhancement (New value added to drive a business result)
  • Feature:Rule Actions (Security Solution Detection Rule Actions area)
  • Team:Detection Alerts (Security Detection Alerts Area Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Theme: correlation (Security Solution Advanced Correlation Theme)

Comments

@peluja1012

Describe the feature:
As a user, I would like the ability to trigger a rule action (i.e. email, Slack, Jira, etc.) per alert generated. Currently, a single rule action is triggered for the group of alerts that were fired during the specified action frequency (i.e. rule execution, hourly, daily).

When configuring rule action frequency, the user should have a few options:

  • Summary of alerts
    • Per rule run
    • Custom Frequency
      • Every X hours/days/weeks
  • For each alert
    • Per rule run

Proposed Design
Design Link


@peluja1012 peluja1012 added enhancement New value added to drive a business result Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Actions Security Solution Detection Rule Actions area Team:Detection Alerts Security Detection Alerts Area Team Theme: correlation Security Solution Advanced Correlation Theme 8.8 candidate labels Mar 23, 2023
@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@e40pud e40pud moved this from Awaiting Triage to Todo in AppEx: ResponseOps - Rules & Alerts Management Apr 6, 2023
@e40pud e40pud changed the title [Security Solution] Support the ability to trigger a rule action per alert generated [RAM][Security Solution][Alerts] Support the ability to trigger a rule action per alert generated Apr 6, 2023
@e40pud

e40pud commented Apr 15, 2023

@e40pud e40pud moved this from Todo to In Progress in AppEx: ResponseOps - Rules & Alerts Management Apr 20, 2023
e40pud added a commit to e40pud/kibana that referenced this issue Apr 20, 2023
e40pud added a commit that referenced this issue Apr 23, 2023
…ecurity solution rule page (#154990)

## Summary

[Main ticket](#151916)
This PR is dependent on [these
changes](#153101)

These changes cover the next two tickets:
- [RAM][SECURITYSOLUTION][ALERTS] - Integrate per-action frequency field
in security solution APIs #154532
- [RAM][SECURITYSOLUTION][ALERTS] - Integrate per-action frequency UI in
security solution #154534

With this PR we will integrate per-action `frequency` field which
already works within alert framework and will update security solution
UI to incorporate the possibility to select "summary" vs "for each
alert" type of actions.



![](https://user-images.githubusercontent.com/616158/227377473-f34a330e-81ce-42b4-af1b-e6e302c6319d.png)


## NOTES:
- There will be no more "Perform no actions" option which mutes all the
actions of the rule. For back compatibility, we need to show that rule
is muted in the UI cc @peluja1012 @ARWNightingale
- The ability to generate per-alert action will be done as part of
#153611


## Technical Notes:
Here is an overview of the conversions and transformations that we are
going to do as part of these changes, for devs who are going to review.

On rule **create**/**read**/**update**/**patch**:
- We are always going to set rule level `throttle` to `undefined` from now on
- If each action has `frequency` attribute set, then we just use those
values
- If actions do not have `frequency` attribute set (or for some reason
there is a mix of actions with some of them having `frequency` attribute
and some not), then we transform rule level `throttle` into `frequency`
and set it for each action in the rule

On rule **bulk editing**:
- We are always going to set rule level `throttle` to `undefined`
- If each action has `frequency` attribute set, then we just use those
values
- If actions do not have `frequency` attribute set, then we transform
rule level `throttle` into `frequency` and set it for each action in the
rule
- If user passed only `throttle` attribute with empty actions (`actions
= []`), this will only remove all actions from the rule

This will bring breaking changes which we agreed on with the Advanced
Correlation Group
cc @XavierM @vitaliidm @peluja1012 


### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Kibana Machine <[email protected]>
Co-authored-by: Maxim Palenov <[email protected]>
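The throttle-to-frequency normalisation described in the Technical Notes above (both the create/read/update/patch rules and the bulk-edit rules), written out as an added TypeScript example. This is illustration code, not Kibana's own implementation: the `RuleActionFrequency` shape, the `notifyWhen` values, the throttle strings `'rule'`, `'no_actions'` and the `<number><unit>` interval form, and the `muted` flag used to surface the legacy "Perform no actions" case are all assumptions modelled on the text.

```typescript
// Added example (not Kibana code) of normalising a rule's legacy rule-level
// `throttle` into a per-action `frequency`, as described in the commit notes.
// Type shapes and throttle string values below are assumptions.

type NotifyWhen = 'onActiveAlert' | 'onThrottleInterval';

interface RuleActionFrequency {
  summary: boolean;        // true = one summary notification, false = one per alert
  notifyWhen: NotifyWhen;  // when the action fires
  throttle: string | null; // interval such as '1h' when notifyWhen is 'onThrottleInterval'
}

interface RuleAction {
  id: string;
  actionTypeId: string;
  params: Record<string, unknown>;
  frequency?: RuleActionFrequency; // per-action frequency (may be absent on legacy rules)
}

interface RuleActionsInput {
  throttle?: string | null; // legacy rule-level throttle: 'rule', '1h', 'no_actions', ...
  actions: RuleAction[];
}

interface NormalizedRuleActions {
  throttle: undefined;   // rule-level throttle is always cleared after normalisation
  actions: RuleAction[]; // every action now carries a frequency
  muted: boolean;        // legacy 'no_actions' (assumption) is shown as a muted rule
}

const NO_ACTIONS = 'no_actions'; // assumed legacy value for "Perform no actions"
const PER_RULE_RUN = 'rule';     // assumed legacy value for "Per rule run"
const INTERVAL_RE = /^\d+[smhd]$/; // assumed custom-frequency form, e.g. '12h', '2d'

// Map one legacy rule-level throttle value to a summary-style per-action frequency.
function throttleToFrequency(throttle: string | null | undefined): RuleActionFrequency {
  if (throttle == null || throttle === PER_RULE_RUN || throttle === NO_ACTIONS) {
    // Per rule run: a summary on every execution that produced alerts.
    return { summary: true, notifyWhen: 'onActiveAlert', throttle: null };
  }
  if (!INTERVAL_RE.test(throttle)) {
    throw new Error(`unsupported throttle value: ${throttle}`);
  }
  // Custom frequency: a summary at most once per interval.
  return { summary: true, notifyWhen: 'onThrottleInterval', throttle };
}

// Apply the rules from the commit notes:
//  - rule-level throttle is always set to undefined;
//  - if every action already has a frequency, keep them as-is;
//  - otherwise (none, or a mix) derive a frequency from the rule-level throttle
//    and set it on every action;
//  - a throttle with `actions: []` simply yields no actions (bulk-edit case).
function normalizeRuleActions(input: RuleActionsInput): NormalizedRuleActions {
  const { throttle, actions } = input;
  const allHaveFrequency =
    actions.length > 0 && actions.every((a) => a.frequency !== undefined);
  const normalizedActions = allHaveFrequency
    ? actions
    : actions.map((a) => ({ ...a, frequency: throttleToFrequency(throttle) }));
  return {
    throttle: undefined,
    actions: normalizedActions,
    muted: throttle === NO_ACTIONS,
  };
}

// Constructed sample: a legacy hourly rule with one Slack action and no per-action frequency.
const sampleRule: RuleActionsInput = {
  throttle: '1h',
  actions: [{ id: 'slack-1', actionTypeId: '.slack', params: { message: 'alerts' } }],
};
console.log(JSON.stringify(normalizeRuleActions(sampleRule), null, 2));
```

The mixed case (some actions with `frequency`, some without) deliberately overwrites all actions from the rule-level throttle rather than only filling in the missing ones, because that is what the notes above specify; a reviewer checking the real implementation would want to confirm that choice is intended, since it silently discards any per-alert (`summary: false`) frequency a user had already set on one action.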
@e40pud e40pud moved this from In Progress to In Review in AppEx: ResponseOps - Rules & Alerts Management Apr 23, 2023
e40pud added a commit that referenced this issue Apr 26, 2023
…e action per alert generated (#153611) (#155384)

## Summary

These changes enable triggering of "per-alert" actions.

Closes #153611

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Kibana Machine <[email protected]>
Co-authored-by: Ying <[email protected]>
Co-authored-by: Xavier Mouligneau <[email protected]>
jloleysens added a commit to jloleysens/kibana that referenced this issue Apr 26, 2023
* main: (1294 commits)
  [SecuritySolution] Refactor security packages (elastic#155365)
  [Discover] Show "Temporary" badge for ad-hoc data views in Alerts flyout (elastic#155717)
  [RAM] Conditional actions feedback on pr review (elastic#155804)
  [Files] Adds bulk delete method (elastic#155628)
  [Lens] Use proper way to generate absolute short URL (elastic#155512)
  [Guided onboarding] Use Kibana features to grant access (elastic#155065)
  [Index Management] Fix duped mock (elastic#155844)
  [Lens] Enhance visualization modifier popup with layer palette (elastic#155280)
  Fix flaky combobox tests on role management screen (elastic#155711)
  [Infrastructure UI] Create InventoryViewsService and InventoryViewsClient (elastic#155126)
  [Fleet] always create agent upload write indices (elastic#155729)
  [Fleet] [Cloud Security Posture] Add CloudFormation agent install method (elastic#155045)
  Add tech preview label for search applications (elastic#155649)
  [ML] AIOps: Stabilize flaky functional tests. (elastic#155710)
  [ES UI Shared] Migrate JsonEditor to monaco (elastic#155610)
  [Security Solution] Fixes security_solution storybooks always rendering in a flyout (elastic#155814)
  [Synthetics] Make error popover disappear `onMouseLeave` of metric item card (elastic#155800)
  Remove Exploratory View components from Observability (elastic#155629)
  [Discover] Remove redundant "Filter was added" toast (elastic#155645)
  [RAM][Security Solution][Alerts] Support the ability to trigger a rule action per alert generated (elastic#153611) (elastic#155384)
  ...
3 participants