[Detection Engine] Threshold rule alert suppression docs #4315
Labels: Docset: ESS (Issues that apply to docs in the Stack release), Docset: Serverless (Issues for Serverless Security), Feature: Rules, Team: Detection Engine, v8.12.0
joepeeples added the Docset: Serverless and Docset: ESS labels on Dec 1, 2023.
vitaliidm added a commit to elastic/kibana that referenced this issue on Dec 4, 2023:

…shold rule (#171423)

## Summary

- addresses milestone 1 of the elastic/security-team#7773 epic
- adds alert suppression capabilities to the threshold rule type
- to enable alert suppression for the threshold rule type, use the experimental feature flag `alertSuppressionForThresholdRuleEnabled` in kibana.yml:

  ```
  xpack.securitySolution.enableExperimental:
    - alertSuppressionForThresholdRuleEnabled
  ```

- similarly to the query rule, a Platinum license is required

### UI

A few changes in comparison with custom query alert suppression:

1. Suppress-by fields removed, since suppression is performed on the Threshold Group By fields.
2. Instead, we show a checkbox so the user can opt in to alert suppression (either by the selected threshold fields or without any).
3. Only the time interval radio button is available; suppression per rule execution is disabled (the threshold rule itself 'suppresses' by grouping during rule execution).

Demo video shows suppression on interval when users select threshold group-by fields and when they do not:
https://github.com/elastic/kibana/assets/92328789/7dc476ad-0d0f-4e40-8042-d4dd552759d9

Screenshots:
- Suppression is enabled, threshold fields selected: https://github.com/elastic/kibana/assets/92328789/c654a7b2-6f70-4a04-8a85-48b2a2445014
- Suppression is not enabled, threshold fields selected: https://github.com/elastic/kibana/assets/92328789/1cd4145f-df17-4b41-954b-c64de9eac0ff
- Suppression is not enabled, threshold fields not selected: https://github.com/elastic/kibana/assets/92328789/8b64a65b-4abd-4334-a1a5-e2b00fe7d8a5

### Checklist

- [x] Functional changes are hidden behind a feature flag: `alertSuppressionForThresholdRuleEnabled`
- [x] Functional changes are covered with a test plan and automated tests. Test plan in progress (cc @vgomez-el); unit/FTR/Cypress tests added to cover the alert suppression functionality.
- [x] Stability of new and changed tests is verified using the [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner): [FTR ESS & Serverless tests](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4057), [Cypress ESS](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4058), [Cypress Serverless](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4059)
- [ ] Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless.
- [x] Mapping changes are accompanied by a technical design document. It can be a GitHub issue or an RFC explaining the changes. The design document is shared with and approved by the appropriate teams and individual stakeholders. The existing AlertSuppression schema field is used for the Threshold rule, similarly to Query, but only the `duration` field is applicable and required.
- [x] Functional changes are communicated to the Docs team. A ticket or PR is opened in https://github.com/elastic/security-docs. The following information is included: any feature flags used, affected environments (Serverless, ESS, or both). elastic/security-docs#4315

Co-authored-by: kibanamachine <[email protected]>
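The suppression behaviour that commit message describes (the threshold rule already collapses events by its group-by fields within one execution, so suppression is offered only per time interval across executions) as an added Python model. This is illustration written for this page, not Kibana's code or anything from the linked PR. The fixed window anchored at the first alert's start time, the sample failed-logon events, and the bookkeeping names `terms`, `start`, `end` and `docs_count` are assumptions chosen for the example; they are not taken from the Kibana implementation or this issue.

```python
"""Simplified model of threshold-rule alert suppression (added illustration,
not Kibana's code). A threshold rule collapses source events by its group-by
fields within one execution; suppression "per time interval" then folds a
later hit on the same group into the alert opened inside the window instead
of opening a new one. The window anchored at the first alert's start and the
field names (terms/start/end/docs_count) are modelling assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ThresholdRule:
    group_by: tuple[str, ...]                  # threshold group-by fields; () = none
    threshold: int                             # minimum hits per group per execution
    suppression_duration: Optional[timedelta]  # None = suppression disabled


@dataclass
class Alert:
    terms: dict          # group-by field -> value ({} when ungrouped)
    start: datetime      # execution that opened the alert
    end: datetime        # last execution folded into it
    docs_count: int      # source events accounted for by this alert
    suppressed: int = 0  # later executions folded into this alert


def group_key(event: dict, fields: tuple[str, ...]) -> tuple:
    """Key an event by the group-by fields; a missing field becomes None."""
    return tuple(event.get(f) for f in fields)


def run_execution(rule: ThresholdRule, events: list[dict], now: datetime,
                  alerts: list[Alert]) -> list[Alert]:
    """Run the rule once at `now`; append newly opened alerts to `alerts`
    and return them. With suppression on, a group whose alert was opened
    less than suppression_duration ago is folded into that alert."""
    counts = Counter(group_key(e, rule.group_by) for e in events)
    opened: list[Alert] = []
    for key, count in counts.items():
        if count < rule.threshold:
            continue  # below threshold: grouping alone already "suppressed" it
        terms = dict(zip(rule.group_by, key))
        if rule.suppression_duration is not None:
            target = next((a for a in alerts if a.terms == terms
                           and now - a.start < rule.suppression_duration), None)
            if target is not None:  # inside the window: update, do not re-alert
                target.end = now
                target.docs_count += count
                target.suppressed += 1
                continue
        opened.append(Alert(terms=terms, start=now, end=now, docs_count=count))
    alerts.extend(opened)
    return opened


def simulate(rule: ThresholdRule,
             executions: list[tuple[datetime, list[dict]]]) -> list[Alert]:
    """Run consecutive executions; return every alert that was opened."""
    alerts: list[Alert] = []
    for now, events in executions:
        run_execution(rule, events, now, alerts)
    return alerts


# Constructed sample input: failed logons per source IP over three executions.
T0 = datetime(2023, 11, 27, 16, 0, tzinfo=timezone.utc)


def hits(ip: str, n: int) -> list[dict]:
    return [{"source.ip": ip, "event.action": "logon-failed"} for _ in range(n)]


EXECUTIONS = [
    (T0, hits("10.0.0.1", 3) + hits("10.0.0.2", 2)),
    (T0 + timedelta(minutes=5), hits("10.0.0.1", 4) + hits("10.0.0.2", 3)),
    (T0 + timedelta(minutes=90), hits("10.0.0.1", 3)),
]


def grouped_with_suppression() -> list[Alert]:
    """Group by source.ip, threshold 3, 1 hour window: 3 alerts."""
    return simulate(ThresholdRule(("source.ip",), 3, timedelta(hours=1)), EXECUTIONS)


def grouped_without_suppression() -> list[Alert]:
    """Same rule, suppression off: every execution alerts on its own: 4 alerts."""
    return simulate(ThresholdRule(("source.ip",), 3, None), EXECUTIONS)


def ungrouped_with_suppression() -> list[Alert]:
    """No group-by fields: one group per execution, 2 hour window: 1 alert."""
    return simulate(ThresholdRule((), 3, timedelta(hours=2)), EXECUTIONS)


if __name__ == "__main__":
    for fn in (grouped_with_suppression, grouped_without_suppression,
               ungrouped_with_suppression):
        alerts = fn()
        print(f"{fn.__name__}: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  {a.terms} docs={a.docs_count} suppressed={a.suppressed}")
```

Run it as a script to see the three cases side by side. The point to take from the third case is the one the commit message makes about the UI: with no threshold group-by fields selected there is exactly one group, so "suppress per time interval" collapses every threshold-crossing execution inside the window into a single alert, which is why the per-execution option is not offered for this rule type.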
joepeeples changed the title from "[Detection Engine] Add documentation update for threshold rule alert suppression" to "[Detection Engine] Threshold rule alert suppression" on Dec 7, 2023.
joepeeples changed the title from "[Detection Engine] Threshold rule alert suppression" to "[Detection Engine] Threshold rule alert suppression docs" on Dec 7, 2023.
vitaliidm added a commit to elastic/kibana that referenced this issue on Dec 21, 2023:

…sion feature flag (#173762)

## Summary

- removes the threshold alert suppression experimental feature flag introduced in #171423
- docs [issue](elastic/security-docs#4315) for reference
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue on Dec 21, 2023:

…sion feature flag (elastic#173762)

## Summary

- removes the threshold alert suppression experimental feature flag introduced in elastic#171423
- docs [issue](elastic/security-docs#4315) for reference

(cherry picked from commit f1deae8)
kibanamachine added a commit to elastic/kibana that referenced this issue on Dec 21, 2023:

…suppression feature flag (#173762) (#173851)

# Backport

This will backport the following commits from `main` to `8.12`:

- [[Security Solution][Detection Engine] removes threshold alert suppression feature flag (#173762)](#173762)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Vitalii Dmyterko <[email protected]>
Description

A few changes in comparison with the custom query alert suppression UI behaviour.

Demo video shows suppression on interval when users select threshold group-by fields and when they do not: Screen.Recording.2023-11-27.at.16.54.52.mov

Screenshots:
- Suppression is enabled, threshold fields selected
- Suppression is not enabled, threshold fields selected
- Suppression is not enabled, threshold fields not selected

Before the doc is published, the feature is hidden behind the `alertSuppressionForThresholdRuleEnabled` flag. Available for ESS with a Platinum license, and for Serverless with Essentials.

Acceptance Test Criteria

Docs PRs

Tasks