Add flapping state object and interface in AAD index and Event Log

packages/kbn-rule-data-utils/src/technical_field_names.ts

@@ -30,6 +30,7 @@ const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const;
 const ALERT_END = `${ALERT_NAMESPACE}.end` as const;
 const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
 const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
+const ALERT_FLAPPING = `${ALERT_NAMESPACE}.flapping` as const;
 const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const;
 const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
 const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
@@ -115,6 +116,7 @@ const fields = {
   ALERT_END,
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
+  ALERT_FLAPPING,
   ALERT_INSTANCE_ID,
   ALERT_RULE_CONSUMER,
   ALERT_RULE_PRODUCER,
@@ -176,6 +178,7 @@ export {
   ALERT_END,
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
+  ALERT_FLAPPING,
   ALERT_INSTANCE_ID,
   ALERT_NAMESPACE,
   ALERT_RULE_NAMESPACE,

x-pack/plugins/alerting/common/alert_summary.ts

@@ -36,4 +36,5 @@ export interface AlertStatus {
   muted: boolean;
   actionGroupId?: string;
   activeStartDate?: string;
+  flapping: boolean;
 }

x-pack/plugins/alerting/server/lib/alert_summary_from_event_log.test.ts

@@ -122,12 +122,14 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": true,
             "status": "OK",
           },
           "alert-2": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": true,
             "status": "OK",
           },
@@ -232,6 +234,7 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": false,
             "status": "OK",
           },
@@ -272,6 +275,7 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": false,
             "status": "OK",
           },
@@ -311,6 +315,7 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": false,
             "status": "OK",
           },
@@ -351,6 +356,7 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": "action group A",
             "activeStartDate": "2020-06-18T00:00:00.000Z",
+            "flapping": false,
             "muted": false,
             "status": "Active",
           },
@@ -391,6 +397,7 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": undefined,
             "activeStartDate": "2020-06-18T00:00:00.000Z",
+            "flapping": false,
             "muted": false,
             "status": "Active",
           },
@@ -431,6 +438,7 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": "action group B",
             "activeStartDate": "2020-06-18T00:00:00.000Z",
+            "flapping": false,
             "muted": false,
             "status": "Active",
           },
@@ -469,6 +477,7 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": "action group A",
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": false,
             "status": "Active",
           },
@@ -511,12 +520,14 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": "action group A",
             "activeStartDate": "2020-06-18T00:00:00.000Z",
+            "flapping": false,
             "muted": true,
             "status": "Active",
           },
           "alert-2": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": true,
             "status": "OK",
           },
@@ -566,12 +577,14 @@ describe('alertSummaryFromEventLog', () => {
           "alert-1": Object {
             "actionGroupId": "action group B",
             "activeStartDate": "2020-06-18T00:00:00.000Z",
+            "flapping": false,
             "muted": false,
             "status": "Active",
           },
           "alert-2": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": false,
             "status": "OK",
           },
@@ -584,6 +597,43 @@ describe('alertSummaryFromEventLog', () => {
     testExecutionDurations(eventsFactory.getExecutionDurations(), executionDuration);
   });
 
+  test('rule with currently active alert, flapping', async () => {
+    const rule = createRule({});
+    const eventsFactory = new EventsFactory();
+    const events = eventsFactory
+      .addExecute()
+      .addActiveAlert('alert-1', 'action group A', true)
+      .getEvents();
+
+    const executionEvents = eventsFactory.getEvents();
+
+    const summary: AlertSummary = alertSummaryFromEventLog({
+      rule,
+      events,
+      executionEvents,
+      dateStart,
+      dateEnd,
+    });
+    const { lastRun, status, alerts, executionDuration } = summary;
+    expect({ lastRun, status, alerts }).toMatchInlineSnapshot(`
+      Object {
+        "alerts": Object {
+          "alert-1": Object {
+            "actionGroupId": "action group A",
+            "activeStartDate": undefined,
+            "flapping": true,
+            "muted": false,
+            "status": "Active",
+          },
+        },
+        "lastRun": "2020-06-18T00:00:00.000Z",
+        "status": "Active",
+      }
+    `);
+
+    testExecutionDurations(eventsFactory.getExecutionDurations(), executionDuration);
+  });
+
   const testExecutionDurations = (
     actualDurations: Record<string, number>,
     executionDuration?: {
@@ -642,7 +692,11 @@ export class EventsFactory {
     return this;
   }
 
-  addActiveAlert(alertId: string, actionGroupId: string | undefined): EventsFactory {
+  addActiveAlert(
+    alertId: string,
+    actionGroupId: string | undefined,
+    flapping = false
+  ): EventsFactory {
     const kibanaAlerting = actionGroupId
       ? { instance_id: alertId, action_group_id: actionGroupId }
       : { instance_id: alertId };
@@ -652,7 +706,7 @@ export class EventsFactory {
         provider: EVENT_LOG_PROVIDER,
         action: EVENT_LOG_ACTIONS.activeInstance,
       },
-      kibana: { alerting: kibanaAlerting },
+      kibana: { alerting: kibanaAlerting, alert: { flapping } },
     });
     return this;
   }

x-pack/plugins/alerting/server/lib/alert_summary_from_event_log.ts

@@ -80,6 +80,11 @@ export function alertSummaryFromEventLog(params: AlertSummaryFromEventLogParams)
     if (alertId === undefined) continue;
 
     const status = getAlertStatus(alerts, alertId);
+
+    if (event?.kibana?.alert?.flapping) {
+      status.flapping = true;
+    }
+
     switch (action) {
       case EVENT_LOG_ACTIONS.newInstance:
         status.activeStartDate = timeStamp;
@@ -152,6 +157,7 @@ function getAlertStatus(alerts: Map<string, AlertStatus>, alertId: string): Aler
     muted: false,
     actionGroupId: undefined,
     activeStartDate: undefined,
+    flapping: false,
   };
   alerts.set(alertId, status);
   return status;

x-pack/plugins/alerting/server/lib/alerting_event_logger/alerting_event_logger.test.ts

@@ -66,6 +66,7 @@ const alert = {
     end: '2020-01-01T03:00:00.000Z',
     duration: '2343252346',
   },
+  flapping: false,
 };
 
 const action = {

x-pack/plugins/alerting/server/lib/alerting_event_logger/alerting_event_logger.ts

@@ -48,6 +48,7 @@ interface AlertOpts {
   message: string;
   group?: string;
   state?: AlertInstanceState;
+  flapping: boolean;
 }
 
 interface ActionOpts {
@@ -247,6 +248,7 @@ export function createAlertRecord(context: RuleContextOpts, alert: AlertOpts) {
       },
     ],
     ruleName: context.ruleName,
+    flapping: alert.flapping,
   });
 }
 

x-pack/plugins/alerting/server/lib/create_alert_event_log_record_object.ts

@@ -35,6 +35,7 @@ interface CreateAlertEventLogRecordParams {
     typeId: string;
     relation?: string;
   }>;
+  flapping?: boolean;
 }
 
 export function createAlertEventLogRecordObject(params: CreateAlertEventLogRecordParams): Event {
@@ -50,6 +51,7 @@ export function createAlertEventLogRecordObject(params: CreateAlertEventLogRecor
     namespace,
     consumer,
     spaceId,
+    flapping,
   } = params;
   const alerting =
     params.instanceId || group
@@ -72,6 +74,7 @@ export function createAlertEventLogRecordObject(params: CreateAlertEventLogRecor
     },
     kibana: {
       alert: {
+        ...(flapping !== undefined ? { flapping } : {}),
         rule: {
           rule_type_id: ruleType.id,
           ...(consumer ? { consumer } : {}),

x-pack/plugins/alerting/server/rules_client/tests/get_alert_summary.test.ts

@@ -128,7 +128,7 @@ describe('getAlertSummary()', () => {
       .advanceTime(10000)
       .addExecute()
       .addRecoveredAlert('alert-previously-active')
-      .addActiveAlert('alert-currently-active', 'action group A')
+      .addActiveAlert('alert-currently-active', 'action group A', true)
       .getEvents();
     const eventsResult = {
       ...AlertSummaryFindEventsResult,
@@ -157,18 +157,21 @@ describe('getAlertSummary()', () => {
           "alert-currently-active": Object {
             "actionGroupId": "action group A",
             "activeStartDate": "2019-02-12T21:01:22.479Z",
+            "flapping": true,
             "muted": false,
             "status": "Active",
           },
           "alert-muted-no-activity": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": true,
             "status": "OK",
           },
           "alert-previously-active": Object {
             "actionGroupId": undefined,
             "activeStartDate": undefined,
+            "flapping": false,
             "muted": false,
             "status": "OK",
           },

x-pack/plugins/alerting/server/task_runner/fixtures.ts

@@ -198,6 +198,7 @@ export const generateAlertOpts = ({ action, group, state, id }: GeneratorParams
     message,
     state,
     ...(group ? { group } : {}),
+    flapping: false,
   };
 };
 

x-pack/plugins/alerting/server/task_runner/log_alerts.test.ts

@@ -158,48 +158,56 @@ describe('logAlerts', () => {
       id: '7',
       message: "test-rule-type-id:123: 'test rule' alert '7' has recovered",
       state: {},
+      flapping: false,
     });
     expect(alertingEventLogger.logAlert).toHaveBeenNthCalledWith(2, {
       action: 'recovered-instance',
       id: '8',
       message: "test-rule-type-id:123: 'test rule' alert '8' has recovered",
       state: {},
+      flapping: false,
     });
     expect(alertingEventLogger.logAlert).toHaveBeenNthCalledWith(3, {
       action: 'recovered-instance',
       id: '9',
       message: "test-rule-type-id:123: 'test rule' alert '9' has recovered",
       state: {},
+      flapping: false,
     });
     expect(alertingEventLogger.logAlert).toHaveBeenNthCalledWith(4, {
       action: 'recovered-instance',
       id: '10',
       message: "test-rule-type-id:123: 'test rule' alert '10' has recovered",
       state: {},
+      flapping: false,
     });
     expect(alertingEventLogger.logAlert).toHaveBeenNthCalledWith(5, {
       action: 'new-instance',
       id: '4',
       message: "test-rule-type-id:123: 'test rule' created new alert: '4'",
       state: {},
+      flapping: false,
     });
     expect(alertingEventLogger.logAlert).toHaveBeenNthCalledWith(6, {
       action: 'active-instance',
       id: '1',
       message: "test-rule-type-id:123: 'test rule' active alert: '1' in actionGroup: 'undefined'",
       state: {},
+      flapping: false,
     });
     expect(alertingEventLogger.logAlert).toHaveBeenNthCalledWith(7, {
       action: 'active-instance',
       id: '2',
       message: "test-rule-type-id:123: 'test rule' active alert: '2' in actionGroup: 'undefined'",
       state: {},
+      flapping: false,
     });
     expect(alertingEventLogger.logAlert).toHaveBeenNthCalledWith(8, {
       action: 'active-instance',
       id: '4',
       message: "test-rule-type-id:123: 'test rule' active alert: '4' in actionGroup: 'undefined'",
       state: {},
+      flapping: false,
     });
   });
 

x-pack/plugins/alerting/server/task_runner/log_alerts.ts

@@ -102,6 +102,7 @@ export function logAlerts<
         group: actionGroup,
         message,
         state,
+        flapping: false,
       });
     }
 
@@ -115,6 +116,7 @@ export function logAlerts<
         group: actionGroup,
         message,
         state,
+        flapping: false,
       });
     }
 
@@ -128,6 +130,7 @@ export function logAlerts<
         group: actionGroup,
         message,
         state,
+        flapping: false,
       });
     }
   }

x-pack/plugins/event_log/generated/mappings.json

@@ -276,6 +276,9 @@
                 },
                 "alert": {
                     "properties": {
+                        "flapping": {
+                            "type": "boolean"
+                        },
                         "rule": {
                             "properties": {
                                 "consumer": {