Open marshallmain opened 1 week ago
Pinging @elastic/security-detection-engine (Team:Detection Engine)
A possible way to do this is to extend the set of properties we include in the alert id. Currently, for non-agg queries we include id, index, version, ruleId, spaceId.

By using utilities from the `@kbn/esql-ast` package, I believe we would be able to extract the `mv_expand` field and retrieve its value from the processed result row. Then we can include it as a key-value object in the id generator. This would allow us to generate a unique alert id per each "expanded" value.

One corner case we should keep in mind: the user might drop or rename the "expanded" field. In this case we might resort to removing all identical values from the result rows and using the remaining values in id generation.
The `MV_EXPAND` command is in preview and was added to ES|QL for 8.11 (https://www.elastic.co/guide/en/elasticsearch/reference/8.15/esql-commands.html#esql-mv_expand). This command takes a multi-valued column and produces a separate row in the results for each value. As a consequence, the results can have multiple rows with the same `_id` and `_index` values but the DE rule logic will only create an alert for one of these rows due to deduplication. We should investigate what the correct handling is in this scenario.