[Response Ops][Actions] Keep track of action execution source and show in connector exec log #152030
Conversation
…ce type in action task params. Writing source to event log
ymao1
changed the title
| @@ -45,6 +45,10 @@ | |||
| "relatedSavedObjects": { | |||
| "enabled": false, | |||
| "type": "object" | |||
| }, | |||
| "source": { | |||
There was a problem hiding this comment.
Adding source field but not indexing it because we don't need to query on it. Also not adding a migration because this is not a required field.
There was a problem hiding this comment.
Do you really need to add it explicitly to the mappings then?
There was a problem hiding this comment.
I thought we had dynamic: strict for saved object mappings so we had to identify all the fields even if we didn't need to map them? If that's not the case, I am happy to remove!
There was a problem hiding this comment.
We're using dynamic:strict at the root level, but you can add dynamic: false at the top level of your type's mapping to override it. I thought it was already the case for response ops types tbh.
There was a problem hiding this comment.
It looks like that is the case for the cases SO type but not for action, action_task_params or alert SO types. Is that the preferred method? I can add it to action_task_params in this PR and create a separate PR for the other SO types if so
There was a problem hiding this comment.
I think check w/ @XavierM - he's been working on fine-tuning the mappings for dynamic false; he probably has a feel whether we should do these adhoc or wait and do them all at once.
We did recently just add a dynamic: false to an "inner" struct in the rule SO, and I posted some comments on it. https://github.com/elastic/kibana/pull/148038/files#r1091213922
There was a problem hiding this comment.
he probably has a feel whether we should do these adhoc or wait and do them all at once
Doing it in another PR works for me, as long as we make sure this new field is in the radar of the other PR/PR author.
I'll approve to unblock and will let you figure out how/when you want to do the field removal.
There was a problem hiding this comment.
Discussed with Xavier and I will add dynamic:false to the action_task_params mappings in this PR, he will make note of the new source field in his PR: #152857 which will also set dynamic:false for the other Response Ops SO types.
| @@ -9,6 +9,5 @@ export const EVENT_LOG_PROVIDER = 'actions'; | |||
| export const EVENT_LOG_ACTIONS = { | |||
| execute: 'execute', | |||
| executeStart: 'execute-start', | |||
| executeViaHttp: 'execute-via-http', | |||
There was a problem hiding this comment.
Typically different event log actions means a different document is written out (we write out separate docs for execute and execute-start. In this case, it doesn't seem to make sense to write out a different doc for execute-via-http and it made more sense to store the source in the execute doc. This value was unused anyway, so I removed it.
…to actions/execution-source
ymao1
added
Feature:Actions
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
@lcawl What do you think would be more user friendly text to show in the UI instead of |
I think that depends on who we think will make use of this information. If it's for debugging purposes only and is hidden by default, then it's less important to clarify their meanings. If, however, we want users to make sense of them, IMO we can keep the keywords but add a legend to explain their meanings (i.e. akin to what you've put in the PR summary). This legend/explanation could exist in a tooltip or popover on that column. If you choose to go that route, I can help with the text. |
Thanks @lcawl! With that feedback, I will leave it as is but lowercase the word so it doesn't sound like it's shouting at you. |
ymao1
force-pushed
the
actions/execution-source
branch
from
2d6b8a4 to
91209de
Compare
|
@elasticmachine merge upstream |
| @@ -7,19 +7,17 @@ | |||
|
|
|||
| import { v4 as uuidv4 } from 'uuid'; | |||
| import { pick } from 'lodash'; | |||
| import { pipe } from 'fp-ts/lib/pipeable'; | |||
| import { map, fromNullable, getOrElse } from 'fp-ts/lib/Option'; | |||
| @@ -95,6 +96,7 @@ export default function ({ getService }: FtrProviderContext) { | |||
| outcome: 'success', | |||
| message: `action executed: test.index-record:${createdAction.id}: My action`, | |||
| startMessage: `action started: test.index-record:${createdAction.id}: My action`, | |||
| source: ActionExecutionSourceType.HTTP_REQUEST, | |||
There was a problem hiding this comment.
Doesn't seem like we have explicit tests for notification? I imagine there must be a cases FT to test changing assignees that presumably would check to make sure the notification was attempted. That we could add an event log check to. If not, feels like we should open an issue to add one, unless it's super-simple to do in this PR.
There was a problem hiding this comment.
I looked up the PR for notifications and there's a comment in the description that there were no integration tests: #144391
I did not add integration tests due to the complexity of simulating an email server. I added unit test coverage. If integration test coverage is needed we can add the tests on another PR.
I can create a followup issue for it.
There was a problem hiding this comment.
Ya, please do, and reference that PR. I think we have a fairly simple way of simulating an email server, maybe it's not appropriate for this behavior though.
There was a problem hiding this comment.
Created issue here: #152950
…to actions/execution-source
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
Async chunks
Public APIs missing exports
Unknown metric groupsAPI count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @ymao1 |
…w in connector exec log (elastic#152030) Resolves elastic#143984 ## Summary This PR persists an execution source field to the action event log `execute` document which indicates the source of the action. Currently, we have 3 sources of action execution: * `http_request` - these are executions triggered from the `_execute` route in the actions API. This is used by the test connector functionality in the UI but could also be used directly via curl command. We do not differentiate between the two. * `notification` - these are executions triggered by the notifications service. currently, this only occurs when a case is assigned to a user. * `saved_object` - these are executions triggered by another saved object, like the `alert` saved object. Cases also triggers action execution in `x-pack/plugins/cases/server/client/cases/push.ts`. The source will be saved as the type of the saved object that triggered the action After persisting the source, we also updated the connector exec log to show the source in a new column (hidden by default). <img width="1710" alt="Screenshot 2023-03-01 at 4 12 35 PM" src="https://user-images.githubusercontent.com/13104637/222266192-2877ad2b-0309-408e-ad44-ec37ef597afb.png"> ## To Verify 1. Create a connector and run it via the Test Connector tab 2. Create a rule that will fire an action using the connector and let it run 3. Create a case an assign it to a user (other than yourself) 4. Go to the connector exec log view, add the "Source" column and see that it is populated. You can also inspect the event log docs for `provider: "actions"` and see that `kibana.action.execution.source` is populated. --------- Co-authored-by: kibanamachine <[email protected]>
Resolves #143984
Summary
This PR persists an execution source field to the action event log
executedocument which indicates the source of the action. Currently, we have 3 sources of action execution:http_request- these are executions triggered from the_executeroute in the actions API. This is used by the test connector functionality in the UI but could also be used directly via curl command. We do not differentiate between the two.notification- these are executions triggered by the notifications service. currently, this only occurs when a case is assigned to a user.saved_object- these are executions triggered by another saved object, like thealertsaved object. Cases also triggers action execution inx-pack/plugins/cases/server/client/cases/push.ts. The source will be saved as the type of the saved object that triggered the actionAfter persisting the source, we also updated the connector exec log to show the source in a new column (hidden by default).
To Verify
provider: "actions"and see thatkibana.action.execution.sourceis populated.