Alert summaries and conditional actions

[nastasha-solomon]

Description

In 8.8, users could specify how often alert notifications were to third-party systems (e.g., Slack, JIRA, email, etc.). The action frequency configuration applied to all actions that were added to the rule.

In 8.8, users can set notification frequency on a per-action basis. Now, they have more control over specifying how often actions send notifications about alerts.

On top of more control over action notification frequency, users can choose to be notified on a per alert basis or with alert summaries:

• Per alert basis: You'll receive a notification for each alert that's generated.
• Alert summaries: You'll receive a single notification on the interval schedule that you choose and the notification will summarize multiple alerts.

From here, you can define additional conditions that must be met for the connector to send a notification:

• if alert matches a query: Notifications are only sent if alerts match the conditions of the KQL query that the user writes. Note that this query searches alert documents in the rule's specified index.
• if alert is generated during timeframe: Notifications are only sent if alerts are generated within the specified timeframe.

Related:

• META - [RAM][SECURITYSOLUTION][ALERTS] - Integrate Alert summary inside of security solution rule page kibana#151916: Main meta for implementing this feature in the Security app
• [RAM][SECURITYSOLUTION][ALERTS] - Update action form UI to fit security solution needs kibana#154531 and [RAM][SECURITYSOLUTION][ALERTS] - Integrate per-action frequency UI in security solution kibana#154534: Adds UI options for sending notifications per-action or as alert summaries.
• [RAM][SECURITYSOLUTION][ALERTS] - Integrate per-action frequency field in security solution APIs kibana#154532: Adding support for the new per-action frequency field in Security rule API.
• [DOCS] Alert summaries kibana#150655: Example docs issue that shows how this feature was doc'd in the Observability docs.

Questions

• What new fields/parameters will be added to/changed in the following APIs:
  • Create rule | actions schema
  • Update rule | actions schema
  • Bulk rule actions | actions schema

Required doc updates

• Make the following changes to the Set up alert notifications (optional) section:
  • Add new mandatory and optional configuration options.
  • Refresh screenshots: available-action-types.png and selected-action-type.png
• Make the following changes to the Alert notification placeholders section:
  • Explain that variables will differ based on the action frequency that's selected.
  • Point users towards the Action frequency: Summary of alerts section for a list of Summary of alerts variables that they can use.
• Update docs for notification placeholder fields. Notes for organization are here:
  • Create a section for placeholder fields that are only available when users choose the per-alert option.
  • Create a section for fields that are available if users choose either the per alert option or the alert summary option.
  • Add in the Alert.flapping field to the section that details placeholder fields available for the per alert option. (Verifying this with Zhenia)
• Note that after a user upgrades to 8.8, actions on rules will have their own frequency. In 8.7 and earlier, action frequency was set on a rule-level, meaning users would set action frequency once and that configuration would apply to all actions added to the rule:
  • Upgrade Elastic Security | Upgrade from a 7.x version: Create a new section detailing what will happen to "old" rules.
  • Manage detection rules | Modify existing rule settings: Expand the notes for the Add rule actions bullet under step 2.
• Rule API docs updates will be tracked in a separate doc issue: Add a note that in 8.8 rule's APIs (create, update, bulk, get, find) won't return throttle in a response payload #3257

Notes

• The two notification options were described in the Kibana Actions docs. Might be able to reference those docs or re-use the content when explaining this feature in the Security docs.
• When users import rules with actions created in 8.7, actions are automatically set to run on a per-alert frequency.
• @e40pud to create a doc issue for the rule API doc updates.

[lcawl]

Since the conditional actions feature is only available to rules in the Security app, IMO it makes sense to add it only in the Security 8.8 highlights. If you agree, here's what's proposed for the release blog:

Conditional Actions

When you create a rule, you define conditions that must be met for an alert to occur. Now you can also add conditions that affect the actions associated with an alert. For example, you might choose to send notifications only if the alert is received between defined hours.