elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Action templates support #187828

Open shanisagiv1 opened 4 months ago

shanisagiv1 commented 4 months ago

Goal: Allow users to streamline the rule and action definition by allowing reuse of existing action templates with rich context. This also improves the visibility and understanding of an alert when triggering to 3rd parties.

Problem: Today, most users struggle with the available context variables and the supported functions to manage the alert fields, and hence most actions are pretty limited to the common fields. In addition, most customers manage between 20-100 rules but use only 1-2 connectors, which means they have to copy and paste the action context again and again manually, or do manual adjustments to all rules when something should change in the action body (e.g.: adding a field to email).

User stories:

Requirements:

elasticmachine commented 4 months ago

Pinging @elastic/response-ops (Team:ResponseOps)

shanisagiv1 commented 4 months ago

An open question - should we use the "action group/run when" as part of the template setup? Since this field is coupled to the rule type and not to the action, it's probably better to set up a template without that. But then there is a question: how to support a bulk action? E.g.: as a user I want to apply "Slack Template for Active alerts" to all 13 rules with Slack actions when the action group is "active" (probably I should have a different template for the recovered state). But what should the user input in the bulk action? Select 13 rules --> apply template "Slack Active rules" --> select the action group = Active --> save?

Also, how do we manage errors when users try to save templates when the action doesn't exist?

@cnasikas

cnasikas commented 3 months ago

Hey! What do you think instead of having one template for each action group to have one template for each connector type but inside the template you can specify how you want the fields to be populated for each action group? This will reduce the amount of templates a user has to create and maintain.

> As a user, I'd like to be able to override an existing template and save it as a new template, or without saving it, and it will be applied just to the particular action without the ability to reuse it in other actions/rules.

Could you elaborate more on this? I am not sure I get it.

> Preview capability will be a huge improvement to the current experience when allowing users to preview the context (by generating random alerts to show the values).

This would be awesome but technically it is not straightforward. I would suggest leaving it for phase 2 until we figure out how to do it. I remember @ymao1 did something similar in her ON-Week.

> select 13 rules --> apply template "Slack Active rules" --> select the action group = Active --> save?

If in a template I can specify the message for each available action group, then when I apply the template to the selected rules it will automatically set the fields for each action without the user bothering about it. Wdyt?

shanisagiv1 commented 3 months ago

That's a good idea Christos, but the problem is that the action group is per rule type, so we should kind of support all the combinations as part of the template, which might be weird (Active, New, Query matched, etc. all mean the same, right?). Let's discuss the alternatives.

cnasikas commented 3 months ago

> that's a good idea Christos, but the problem is that the action group is per Rule type

But the template would be per rule type, correct?

> so we should kind of support all the combinations as part of the template which might be weird (Active, New, Query matched, etc.. all means the same right).. lets discuss the alternatives

The action could have its configuration inside the template and can be optional. It will reduce the burden of having to configure multiple templates for the same rule type.
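To make the proposal in this thread concrete, here is an added sketch (not Kibana code, and not any API the issue defines) of a template that is scoped to one connector type, carries optional per-action-group params, and is applied in bulk to a set of rules. The `ActionTemplate`, `applyTemplate` and `runSample` names, the field layout, and the sample rules are all hypothetical. It also shows one way to answer the two open questions above: actions whose group has no entry in the template are left untouched rather than failing, and an action that references a connector id that no longer exists is reported as an error instead of being silently rewritten.

```typescript
// Hypothetical data model for "one template per connector type, with optional
// per-action-group params". Added illustration, not Kibana's alerting API.

type ActionGroupId = string; // rule-type specific, e.g. "active", "recovered"

interface RuleAction {
  id: string;                       // connector id referenced by the action
  actionTypeId: string;             // connector type, e.g. ".slack"
  group: ActionGroupId;             // the "run when" action group
  params: Record<string, unknown>;  // connector-specific body (message, subject, ...)
}

interface Rule {
  id: string;
  ruleTypeId: string;
  actions: RuleAction[];
}

interface ActionTemplate {
  name: string;
  actionTypeId: string;
  // Optional per-group params; groups that are absent are not changed.
  paramsByGroup: Record<ActionGroupId, Record<string, unknown>>;
}

interface ApplyResult {
  updated: number;   // actions whose params were replaced from the template
  skipped: number;   // other connector type, or no entry for the action group
  errors: string[];  // actions that could not be updated, with the reason
}

// Applies the template to every matching action across the given rules.
// existingConnectorIds stands in for a lookup against saved connectors.
export function applyTemplate(
  rules: Rule[],
  template: ActionTemplate,
  existingConnectorIds: Set<string>,
): ApplyResult {
  const result: ApplyResult = { updated: 0, skipped: 0, errors: [] };
  for (const rule of rules) {
    for (const action of rule.actions) {
      if (action.actionTypeId !== template.actionTypeId) {
        result.skipped++;
        continue;
      }
      if (!existingConnectorIds.has(action.id)) {
        // Surface the problem per action rather than aborting the whole bulk apply.
        result.errors.push(`rule ${rule.id}: connector ${action.id} does not exist`);
        continue;
      }
      const params = template.paramsByGroup[action.group];
      if (params === undefined) {
        result.skipped++; // template is optional per action group
        continue;
      }
      action.params = { ...params }; // copy so the template stays immutable
      result.updated++;
    }
  }
  return result;
}

// Constructed sample: two rules, one Slack template, one stale connector id.
export function runSample(): { result: ApplyResult; rules: Rule[] } {
  const rules: Rule[] = [
    {
      id: 'rule-1', ruleTypeId: 'metrics.threshold',
      actions: [
        { id: 'slack-1', actionTypeId: '.slack', group: 'active', params: {} },
        { id: 'slack-1', actionTypeId: '.slack', group: 'recovered', params: {} },
      ],
    },
    {
      id: 'rule-2', ruleTypeId: 'es-query',
      actions: [
        { id: 'email-1', actionTypeId: '.email', group: 'active', params: {} },
        { id: 'slack-1', actionTypeId: '.slack', group: 'query matched', params: {} },
        { id: 'slack-gone', actionTypeId: '.slack', group: 'active', params: {} },
      ],
    },
  ];
  const slackTemplate: ActionTemplate = {
    name: 'Slack default',
    actionTypeId: '.slack',
    paramsByGroup: {
      active: { message: 'Alert {{rule.name}} is active' },       // constructed text
      recovered: { message: 'Alert {{rule.name}} has recovered' }, // constructed text
    },
  };
  const result = applyTemplate(rules, slackTemplate, new Set(['slack-1', 'email-1']));
  return { result, rules };
}
```

Because the template is keyed by action group but every group is optional, the user in the bulk flow only picks the rules and the template; the "run when" group of each existing action decides which entry is used, which is the behaviour Christos describes.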