-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RAM][Security Solution][Alerts] Support the ability to trigger a rule action per alert generated #153611
Labels
8.8 candidate
enhancement
New value added to drive a business result
Feature:Rule Actions
Security Solution Detection Rule Actions area
Team:Detection Alerts
Security Detection Alerts Area Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Theme: correlation
Security Solution Advanced Correlation Theme
Comments
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Here are the two POC which enable per-alert actions: |
e40pud
added a commit
to e40pud/kibana
that referenced
this issue
Apr 20, 2023
…e action per alert generated (elastic#153611)
1 task
e40pud
added a commit
that referenced
this issue
Apr 23, 2023
…ecurity solution rule page (#154990) ## Summary [Main ticket](#151916) This PR dependant on [these changes](#153101) These changes cover next two tickets: - [RAM][SECURITYSOLUTION][ALERTS] - Integrate per-action frequency field in security solution APIs #154532 - [RAM][SECURITYSOLUTION][ALERTS] - Integrate per-action frequency UI in security solution #154534 With this PR we will integrate per-action `frequency` field which already works within alert framework and will update security solution UI to incorporate the possibility to select "summary" vs "for each alert" type of actions. ![](https://user-images.githubusercontent.com/616158/227377473-f34a330e-81ce-42b4-af1b-e6e302c6319d.png) ## NOTES: - There will be no more "Perform no actions" option which mutes all the actions of the rule. For back compatibility, we need to show that rule is muted in the UI cc @peluja1012 @ARWNightingale - The ability to generate per-alert action will be done as part of #153611 ## Technical Notes: Here are the overview of the conversions and transformations that we are going to do as part of these changes for devs who are going to review. On rule **create**/**read**/**update**/**patch**: - We always gonna set rule level `throttle` to `undefined` from now on - If each action has `frequency` attribute set, then we just use those values - If actions do not have `frequency` attribute set (or for some reason there is a mix of actions with some of them having `frequency` attribute and some not), then we transform rule level `throttle` into `frequency` and set it for each action in the rule On rule **bulk editing**: - We always gonna set rule level `throttle` to `undefined` - If each action has `frequency` attribute set, then we just use those values - If actions do not have `frequency` attribute set, then we transform rule level `throttle` into `frequency` and set it for each action in the rule - If user passed only `throttle` attribute with empty actions (`actions = []`), this will only remove all actions from the rule This will bring breaking changes which we agreed on with the Advanced Correlation Group cc @XavierM @vitaliidm @peluja1012 ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Maxim Palenov <[email protected]>
e40pud
added a commit
that referenced
this issue
Apr 26, 2023
…e action per alert generated (#153611) (#155384) ## Summary These changes enable triggering of "per-alert" actions. Closes #153611 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Ying <[email protected]> Co-authored-by: Xavier Mouligneau <[email protected]>
jloleysens
added a commit
to jloleysens/kibana
that referenced
this issue
Apr 26, 2023
* main: (1294 commits) [SecuritySolution] Refactor security packages (elastic#155365) [Discover] Show "Temporary" badge for ad-hoc data views in Alerts flyout (elastic#155717) [RAM] Conditional actions feedback on pr review (elastic#155804) [Files] Adds bulk delete method (elastic#155628) [Lens] Use proper way to generate absolute short URL (elastic#155512) [Guided onboarding] Use Kibana features to grant access (elastic#155065) [Index Management] Fix duped mock (elastic#155844) [Lens] Enhance visualization modifier popup with layer palette (elastic#155280) Fix flaky combobox tests on role management screen (elastic#155711) [Infrastructure UI] Create InventoryViewsService and InventoryViewsClient (elastic#155126) [Fleet] always create agent upload write indices (elastic#155729) [Fleet] [Cloud Security Posture] Add CloudFormation agent install method (elastic#155045) Add tech preview label for search applications (elastic#155649) [ML] AIOps: Stabilize flaky functional tests. (elastic#155710) [ES UI Shared] Migrate JsonEditor to monaco (elastic#155610) [Security Solution] Fixes security_solution storybooks always rendering in a flyout (elastic#155814) [Synthetics] Make error popover disappear `onMouseLeave` of metric item card (elastic#155800) Remove Exploratory View components from Observability (elastic#155629) [Discover] Remove redundant "Filter was added" toast (elastic#155645) [RAM][Security Solution][Alerts] Support the ability to trigger a rule action per alert generated (elastic#153611) (elastic#155384) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
8.8 candidate
enhancement
New value added to drive a business result
Feature:Rule Actions
Security Solution Detection Rule Actions area
Team:Detection Alerts
Security Detection Alerts Area Team
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Theme: correlation
Security Solution Advanced Correlation Theme
Describe the feature:
As a user, I would like the ability to trigger a rule action (i.e email, slack, jira, etc) per alert generated. Currently, a single rule action is triggered for the group of alerts that were fired during the specified action frequency (i.e rule execution, hourly, daily).
When configuring rule action frequency, the user should have a few options:
Proposed Design
Design Link
The text was updated successfully, but these errors were encountered: