[Response Ops][Alerting] Should we send summary notifications when there are no alerts to report #155708
Comments
Pinging @elastic/response-ops (Team:ResponseOps)
IINM we discussed this when we developed the summary feature and decided to send notifications for summary alerts on a custom interval.
I think we should change it because summary and conditional actions are around notification fatigue and we want to avoid too many notifications for our users.
@shanisagiv1 and I had a discussion around this and we think it will be better to not send any notification if we do NOT find any alerts.
…6421) Resolves: #155708

Currently we always trigger summary actions on custom interval even if there are no alerts to report. This PR changes this behaviour to skip summary actions when there are no alerts.

## To verify
Create a Security Rule with a summary action that is on custom interval (`Summary of alerts` -> `Custom Frequency`)
Add an alerts filter to filter out all the alerts (e.g. by using host name that doesn't exist)
Expect the summary action not to be triggered.
#156421) (#156617)

# Backport

This will backport the following commits from `main` to `8.8`:
- [Don't trigger summary actions when there are no alerts to report (#156421)](#156421)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Ersin Erdal <[email protected]>
The alerting framework started supporting summary actions in 8.8 and detection rules have migrated to using framework alert summaries with this PR. We noticed a discrepancy in behavior between the two summary features when there are no alerts to report. The framework summary will trigger a notification in this case (where the action message would indicate there are 0 alerts to report) while the detection rule summary would skip notifications.
Should we be matching the previous detection rule summary behavior?
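The two behaviours compared in this issue, modelled as an added example (not Kibana's code): a custom-interval summary action is evaluated against the alerts that pass its alerts filter, and a `skipWhenEmpty` switch selects between the framework behaviour before #156421 (notify with "0 alerts") and the fix (skip). All type names, fields, the `skipWhenEmpty` switch and the simplified field/value alerts filter are assumptions, not the alerting framework's API.

```typescript
// Added example, not Kibana's code. Type names, fields and the
// `skipWhenEmpty` switch are assumptions, not the alerting framework's API.
type AlertStatus = 'new' | 'ongoing' | 'recovered';

interface Alert {
  id: string;
  status: AlertStatus;
  fields: Record<string, string>; // e.g. { 'host.name': 'web-01' }
}

interface SummaryAction {
  id: string;
  summary: boolean;                   // "Summary of alerts"
  notifyWhen: 'onActiveAlert' | 'onThrottleInterval'; // latter = "Custom Frequency"
  throttleMs: number;                 // length of the custom interval
  alertsFilter?: { field: string; value: string }; // simplified alerts filter
}

interface Decision {
  fire: boolean;
  reason: string;
  counts: Record<AlertStatus, number>;
}

function countByStatus(alerts: Alert[]): Record<AlertStatus, number> {
  const counts: Record<AlertStatus, number> = { new: 0, ongoing: 0, recovered: 0 };
  for (const a of alerts) counts[a.status] += 1;
  return counts;
}

// skipWhenEmpty=false reproduces the behaviour before #156421 (a "0 alerts"
// notification on every interval); true reproduces the fix.
function decideSummaryAction(
  action: SummaryAction, alerts: Alert[], nowMs: number,
  lastFiredMs: number | undefined, skipWhenEmpty: boolean,
): Decision {
  if (!action.summary || action.notifyWhen !== 'onThrottleInterval') {
    return { fire: false, reason: 'not a custom-interval summary action', counts: countByStatus([]) };
  }
  if (lastFiredMs !== undefined && nowMs - lastFiredMs < action.throttleMs) {
    return { fire: false, reason: 'custom interval has not elapsed yet', counts: countByStatus([]) };
  }
  const f = action.alertsFilter; // alerts filter is applied first, as in the repro steps
  const matched = f ? alerts.filter((a) => a.fields[f.field] === f.value) : alerts;
  const counts = countByStatus(matched);
  if (matched.length === 0 && skipWhenEmpty) {
    return { fire: false, reason: 'no alerts to report, summary skipped', counts };
  }
  return { fire: true, reason: `summary of ${matched.length} alert(s)`, counts };
}
```

With a filter on a host name that does not exist (the issue's repro step), the pre-fix path still fires a "0 alerts" notification every interval while the fixed path skips it; the per-status counts are what a summary message would report.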