[POC] [Response Ops] Onboard detection rules to use alerting framework summaries.

x-pack/plugins/alerting/common/rule.ts

@@ -197,6 +197,25 @@ export interface AlertsHealth {
   };
 }
 
+export interface SummarizedAlertsWithAll {
+  new: {
+    count: number;
+    data: unknown[];
+  };
+  ongoing: {
+    count: number;
+    data: unknown[];
+  };
+  recovered: {
+    count: number;
+    data: unknown[];
+  };
+  all: {
+    count: number;
+    data: unknown[];
+  };
+}
+
 export interface ActionVariable {
   name: string;
   description: string;

x-pack/plugins/alerting/server/task_runner/execution_handler.ts

@@ -14,7 +14,7 @@ import { ExecuteOptions as EnqueueExecutionOptions } from '@kbn/actions-plugin/s
 import { ActionsClient } from '@kbn/actions-plugin/server/actions_client';
 import { chunk } from 'lodash';
 import { AlertingEventLogger } from '../lib/alerting_event_logger/alerting_event_logger';
-import { parseDuration, RawRule, ThrottledActions } from '../types';
+import { GetRuleUrlFnOpts, parseDuration, RawRule, ThrottledActions } from '../types';
 import { RuleRunMetricsStore } from '../lib/rule_run_metrics_store';
 import { injectActionParams } from './inject_action_params';
 import { ExecutionHandlerOptions, RuleTaskInstance } from './types';
@@ -201,7 +201,7 @@ export class ExecutionHandler<
           if (isSummaryActionPerRuleRun(action) && !this.hasAlerts(alerts)) {
             continue;
           }
-          const summarizedAlerts = await this.getSummarizedAlerts({
+          const { startMs, endMs, summarizedAlerts } = await this.getSummarizedAlerts({
             action,
             spaceId,
             ruleId,
@@ -222,7 +222,13 @@ export class ExecutionHandler<
                 actionsPlugin,
                 actionTypeId,
                 kibanaBaseUrl: this.taskRunnerContext.kibanaBaseUrl,
-                ruleUrl: this.buildRuleUrl(spaceId),
+                ruleUrl: this.buildRuleUrl({
+                  id: ruleId,
+                  spaceId,
+                  params: this.rule.params,
+                  startMs,
+                  endMs,
+                }),
               }),
             }),
           };
@@ -270,7 +276,11 @@ export class ExecutionHandler<
                 kibanaBaseUrl: this.taskRunnerContext.kibanaBaseUrl,
                 alertParams: this.rule.params,
                 actionParams: action.params,
-                ruleUrl: this.buildRuleUrl(spaceId),
+                ruleUrl: this.buildRuleUrl({
+                  id: ruleId,
+                  spaceId,
+                  params: this.rule.params,
+                }),
                 flapping: executableAlert.getFlapping(),
               }),
             }),
@@ -404,7 +414,24 @@ export class ExecutionHandler<
     return alert.getScheduledActionOptions()?.actionGroup || this.ruleType.recoveryActionGroup.id;
   }
 
-  private buildRuleUrl(spaceId: string): string | undefined {
+  private buildRuleUrl({
+    id,
+    params,
+    spaceId,
+    startMs,
+    endMs,
+  }: GetRuleUrlFnOpts<Params>): string | undefined {
+    // Use the rule type's getRuleUrl callback if defined
+    // This does not necessarily require `kibanaBaseUrl` to be defined
+    const ruleTypeUrl = this.ruleType.getRuleUrl
+      ? this.ruleType?.getRuleUrl({ id, params, spaceId, startMs, endMs })
+      : null;
+
+    if (ruleTypeUrl) {
+      return ruleTypeUrl;
+    }
+
+    // Fallback to generic rule urle
     if (!this.taskRunnerContext.kibanaBaseUrl) {
       return;
     }
@@ -546,13 +573,35 @@ export class ExecutionHandler<
     const alerts = await this.ruleType.getSummarizedAlerts!(options);
 
     const total = alerts.new.count + alerts.ongoing.count + alerts.recovered.count;
-    return {
+    const summarizedAlerts = {
       ...alerts,
       all: {
         count: total,
         data: [...alerts.new.data, ...alerts.ongoing.data, ...alerts.recovered.data],
       },
     };
+
+    if (summarizedAlerts.all.count > 0) {
+      // get the time bounds for this alert array
+      const timestampMillis: number[] = summarizedAlerts.all.data
+        .map((alert: unknown) => {
+          const timestamp = (alert as { '@timestamp': string })['@timestamp'];
+          if (timestamp) {
+            return new Date(timestamp).valueOf();
+          }
+          return null;
+        })
+        .filter((timeInMillis: number | null) => null != timeInMillis)
+        .sort() as number[];
+
+      return {
+        startMs: timestampMillis[0],
+        endMs: timestampMillis[timestampMillis.length - 1],
+        summarizedAlerts,
+      };
+    }
+
+    return { summarizedAlerts };
   }
 
   private async actionRunOrAddToBulk({

x-pack/plugins/alerting/server/task_runner/transform_action_params.ts

@@ -12,6 +12,7 @@ import {
   AlertInstanceContext,
   RuleTypeParams,
   SanitizedRule,
+  SummarizedAlertsWithAll,
 } from '../types';
 
 interface TransformActionParamsOptions {
@@ -35,25 +36,6 @@ interface TransformActionParamsOptions {
   flapping: boolean;
 }
 
-interface SummarizedAlertsWithAll {
-  new: {
-    count: number;
-    data: unknown[];
-  };
-  ongoing: {
-    count: number;
-    data: unknown[];
-  };
-  recovered: {
-    count: number;
-    data: unknown[];
-  };
-  all: {
-    count: number;
-    data: unknown[];
-  };
-}
-
 export function transformActionParams({
   actionsPlugin,
   alertId,
@@ -140,6 +122,15 @@ export function transformSummaryActionParams({
   const variables = {
     kibanaBaseUrl,
     date: new Date().toISOString(),
+    // For backwards compatibility with security solutions rules
+    context: {
+      alerts: alerts.new.data,
+      results_link: ruleUrl,
+      rule: rule.params,
+    },
+    state: {
+      signals_count: alerts.new.count,
+    },
     rule: {
       params: rule.params,
       id: rule.id,

x-pack/plugins/alerting/server/types.ts

@@ -167,6 +167,16 @@ export interface IRuleTypeAlerts {
   fieldMap: FieldMap;
 }
 
+export interface GetRuleUrlFnOpts<Params extends RuleTypeParams> {
+  id: string;
+  params: Params;
+  spaceId: string;
+  startMs?: number;
+  endMs?: number;
+}
+export type GetRuleUrlFn<Params extends RuleTypeParams> = (
+  opts: GetRuleUrlFnOpts<Params>
+) => string | null;
 export interface RuleType<
   Params extends RuleTypeParams = never,
   ExtractedParams extends RuleTypeParams = never,
@@ -212,6 +222,8 @@ export interface RuleType<
   cancelAlertsOnRuleTimeout?: boolean;
   doesSetRecoveryContext?: boolean;
   getSummarizedAlerts?: GetSummarizedAlertsFn;
+  getRuleUrl?: GetRuleUrlFn<Params>;
+
   alerts?: IRuleTypeAlerts;
   /**
    * Determines whether framework should

x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.ts

@@ -56,7 +56,7 @@ const mapAlertsToBulkCreate = <T>(alerts: Array<{ _id: string; _source: T }>) =>
 };
 
 export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper =
-  ({ logger, ruleDataClient }) =>
+  ({ logger, ruleDataClient, formatAlert }) =>
   (type) => {
     return {
       ...type,
@@ -160,17 +160,23 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper
                   return { createdAlerts: [], errors: {}, alertsWereTruncated };
                 }
 
+                const createdAlerts = augmentedAlerts
+                  .map((alert, idx) => {
+                    const responseItem = response.body.items[idx].create;
+                    return {
+                      _id: responseItem?._id ?? '',
+                      _index: responseItem?._index ?? '',
+                      ...alert._source,
+                    };
+                  })
+                  .filter((_, idx) => response.body.items[idx].create?.status === 201);
+
+                createdAlerts.forEach((alert) =>
+                  options.services.alertFactory.create(alert._id).scheduleActions('default', {})
+                );
+
                 return {
-                  createdAlerts: augmentedAlerts
-                    .map((alert, idx) => {
-                      const responseItem = response.body.items[idx].create;
-                      return {
-                        _id: responseItem?._id ?? '',
-                        _index: responseItem?._index ?? '',
-                        ...alert._source,
-                      };
-                    })
-                    .filter((_, idx) => response.body.items[idx].create?.status === 201),
+                  createdAlerts,
                   errors: errorAggregator(response.body, [409]),
                   alertsWereTruncated,
                 };
@@ -356,6 +362,7 @@ export const createPersistenceRuleTypeWrapper: CreatePersistenceRuleTypeWrapper
         ruleDataClient,
         useNamespace: true,
         isLifecycleAlert: false,
+        formatAlert,
       })(),
     };
   };

x-pack/plugins/rule_registry/server/utils/persistence_types.ts

@@ -90,6 +90,7 @@ export type PersistenceAlertType<
 export type CreatePersistenceRuleTypeWrapper = (options: {
   ruleDataClient: IRuleDataClient;
   logger: Logger;
+  formatAlert?: (alert: unknown) => unknown;
 }) => <
   TParams extends RuleTypeParams,
   TState extends RuleTypeState,

x-pack/plugins/security_solution/server/lib/detection_engine/rule_actions_legacy/logic/notifications/schedule_notification_actions.ts

@@ -50,16 +50,18 @@ export const normalizeAlertForNotificationActions = (alert: DetectionAlert) => {
  * the equivalent "legacy" alert context so that pre-8.0 actions will continue to work.
  */
 export const formatAlertsForNotificationActions = (alerts: unknown[]): unknown[] => {
-  return alerts.map((alert) => {
-    if (isDetectionAlert(alert)) {
-      const normalizedAlert = normalizeAlertForNotificationActions(alert);
-      return {
-        ...expandDottedObject(convertToLegacyAlert(normalizedAlert)),
-        ...expandDottedObject(normalizedAlert),
-      };
-    }
-    return alert;
-  });
+  return alerts.map((alert) => formatAlertForNotificationActions(alert));
+};
+
+export const formatAlertForNotificationActions = (alert: unknown): unknown => {
+  if (isDetectionAlert(alert)) {
+    const normalizedAlert = normalizeAlertForNotificationActions(alert);
+    return {
+      ...expandDottedObject(convertToLegacyAlert(normalizedAlert)),
+      ...expandDottedObject(normalizedAlert),
+    };
+  }
+  return alert;
 };
 
 interface ScheduleNotificationActions {

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/crud/update_rules.ts

@@ -76,9 +76,27 @@ export const updateRules = async ({
       ...typeSpecificParams,
     },
     schedule: { interval: ruleUpdate.interval ?? '5m' },
-    actions: ruleUpdate.actions != null ? ruleUpdate.actions.map(transformRuleToAlertAction) : [],
-    throttle: transformToAlertThrottle(ruleUpdate.throttle),
-    notifyWhen: transformToNotifyWhen(ruleUpdate.throttle),
+    actions:
+      ruleUpdate.actions != null
+        ? ruleUpdate.actions?.map((action) => {
+            const alertAction = transformRuleToAlertAction(action);
+            const notifyWhen = transformToNotifyWhen(ruleUpdate.throttle);
+            let throttle = transformToAlertThrottle(ruleUpdate.throttle);
+
+            // Uses the schedule interval as throttle when the throttle interval is null
+            if (!throttle && notifyWhen === 'onActiveAlert') {
+              throttle = ruleUpdate.interval ?? '5m';
+            }
+            return {
+              ...alertAction,
+              frequency: {
+                summary: true,
+                notifyWhen: 'onThrottleInterval',
+                throttle: throttle === '1h' ? '5m' : throttle,
+              },
+            };
+          })
+        : [],
   };
 
   const update = await rulesClient.update({

x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/rule_actions/legacy_action_migration.ts

@@ -169,6 +169,11 @@ export const getUpdatedActionsParams = ({
           ...resOfAction,
           id: actionReference[actionRef].id,
           actionTypeId,
+          frequency: {
+            summary: true,
+            notifyWhen: transformToNotifyWhen(ruleThrottle) ?? 'onThrottleInterval',
+            throttle: transformToAlertThrottle(ruleThrottle),
+          },
         },
       ];
     }, []),