elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.67k stars 8.23k forks source link

Future of alerts-as-data #140403

Open kobelb opened 2 years ago

kobelb commented 2 years ago

Goals

Changes

1) All alert indices have the same mappings

2) All alerts will be written to the same "datastream"

3) All alerts authorization will be the same

Implementation

Scope

The following phases are focused on stabilizing and standardizing the alert mappings and "datastreams", which will allow the Alerting framework to persist all alerts-as-data documents and enable us to build framework level features that take advantage of these alerts. These phases can be delivered in the short term. A longer term parallel effort will be ongoing to create a unified authorization model for all alerts.

As a result, not all of the changes from the will be implemented with the following phases. Notably, the following short-comings will be present:

Even with these short-comings, these changes will greatly improve the maintainability of alerting features for the response ops and solution teams while allowing us to create additional framework features that work with and benefit from alerts-as-data.

Phases

Future of alerts-as-data phases@2x (5)

Phase 1 - Standardize default alert fields (https://github.com/elastic/kibana/issues/140090)

Summary

The goal of this phase is to standardize the default list of alert fields in preparation for the future phases. All ECS fields will be part of the default alert fields. As a result, this effort will be solely concerned with standardized the use of the ECS fields and standardizing the kibana.* fields. It will require a collaborative effort between the response ops team and the solution teams to come to agreement on the full list of fields that will by default be included in alert documents. In phase 3A, these default alert fields will be supplemented by user-defined custom fields. The output of this phase will be a full schema for the alerts.

We do not anticipate this effort significantly impacting existing consumers of the alerts-as-data indices. However, some due diligence and investigation will be required to ensure that any changes do not require additional mitigations.

Phase 2 - Framework persists alerts-as-data documents

Summary

Currently, alerting rule implementations must explicitly use the rule_registry plugin to write alerts-as-data documents in addition to returning the legacy alert instances to the alerting framework to trigger actions. This puts a significant unnecessary burden on alerting rule implementers and has led to only some alerting rules creating alerts-as-data documents. This phase will be focused on making it so that all alerting rule implementations will write alerts-as-data documents in a uniform manner while taking advantage of the standardized alert fields defined in phase 1.

The alerting framework will create a new .alerts-default index on startup with the standardized fields created in phase 1. This will allow all alerting rule implementations to return alerts with the standardized fields to the framework, which will then be persisted to the .alerts-default index automatically. Additionally, facilities will be put in place to allow non-standardized alerts to be returned that will be written to an explicit index. This will allow security detection alerts to continue to be written to the existing .alerts-security.alerts-{spaceId} indices while the unified alert authorization project is ongoing and there are still dependencies on the non-standardized "datastream" naming scheme.

1. Special considerations may need to be made to maintain security solution's custom action triggering logic 2. Until we resolve authorization discrepancies we won't be able to list all alerts in the same table at the same time

Phase 3a - User-defined custom alert fields

Summary

To facilitate pivoting and second-order analytics on the generated alerts, we will be adding a UI and HTTP API to allow users to specify ECS-complaint custom mapped alert fields. These custom fields will behave identically to the standardized default alert fields and will be searchable and sortable. Additional analysis will be required to determine the restrictions that must be put in place on the custom alert fields to minimize the conflicts these custom fields may have with future default fields.

1. There's the potential for these custom fields to only work with the standardized alert indices, or also with the non-standardized alert indices. This decision is being delayed until a later time to allow us to make a more educated decision.

Phase 3b - All alerting rule actions have access to alerts

Summary

Currently, only a few alerting rules expose the alerts-as-data to their alerting rule actions, and they are forced to do so by adding a custom context.alerts action variable. This creates an inconsistent and frustrating experience for our end users. Now that alerting rules are all returning their alerts to the framework with the alerts-as-data fields, these alerts can be exposed to all alerting rule actions by adding either an alert or alerts action variable.

1. There's the potential for the alert action variables to only work with the standardized alert, or also with the non-standardized alerts. This decision is being delayed until a later time to allow us to make a more educated decision.

elasticmachine commented 2 years ago

Pinging @elastic/response-ops (Team:ResponseOps)

ymao1 commented 2 years ago

Issues for Phase 2: