* [RAC][Observability] remove severity fields from mapping keep only ALERT_SEVERITY
* temporarily remove severity value occurences
* remove ALERT_SEVERITY_VALUE occurences, this value is not being read and shown in the Observability alerts table
* remove duplicate ALERT_SEVERITY identifier
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Holy moly.
What is happening in this PR? 🤷🏽♀️ Let's break it down:
- Added a package `@kbn/alerts` - another one?! ...yes
- This is meant to add shared hooks and components around alerts as data
- `useGetUserAlertsPermissions` - accepts the Kibana capabilities object and returns whether the user has `read` and `crud` alerts privileges
- `AlertsFeatureNoPermissions` - component displayed when user does not have alerts privileges
- UI changes for user with NO alerts privileges
- `Alerts` tab hidden in security solution side navigation
- `Alerts` tab hidden in rule details page
- UI changes for user with alerts READ ONLY privileges
- alerts checkboxes hidden in alerts table
- alerts bulk actions hidden in alerts table
### Summary
### Fields used moving forward
`kibana.alert.rule.consumer` will refer to the context in which a rule instance is created. Rules created in:
- stack --> `alerts`
- security solution --> `siem`
- apm --> `apm`
`kibana.alert.rule.producer` will refer to the plugin that registered a rule type. Rules registered in:
- stack --> `alerts`
- security solution --> `siem`
- apm --> `apm`
So an `apm.error_rate` rule created in stack will have:
- consumer: `alerts` and producer: `apm`
An `apm.error_rate` rule created in apm will have:
- consumer: `apm` and producer: `apm`
`kibana.alert.rule.rule_type_id` will refer to a rule's rule type id. Examples:
- `apm.error_rate`
- `siem.signals`
- `siem.threshold`
Also renamed the following because `rule.*` fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields.
`rule.name` --> `kibana.alert.rule.name` will refer to the rule's name.
`rule.category` --> `kibana.alert.rule.category` will refer to the rule's category.
`rule.id` --> `kibana.alert.rule.uuid` will refer to the rule's uuid.
* [build_ts_refs] improve caches, allow building a subset of projects
* cleanup project def script and update refs in type check script
* rename browser_bazel config to avoid kebab-case
* remove execInProjects() helper
* list references for tsconfig.types.json for api-extractor workload
* disable composite features of tsconfig.types.json for api-extractor
* set declaration: true to avoid weird debug error
* fix jest tests
Co-authored-by: spalger <spalger@users.noreply.github.com>
* Add aliases mapping signal fields to alerts as data fields
* Add aliases mapping alerts as data fields to signal fields
* Replace siem signals templates per space and add AAD index aliases to siem signals indices
* Remove first version of new mapping json file
* Convert existing legacy siem-signals templates to new ES templates
* Catch 404 if siem signals templates were already updated
* Enhance error message when index exists but is not write index for alias
* Check if alias write index exists before creating new write index
* More robust write target creation logic
* Add RBAC required fields for AAD to siem signals indices
* Fix index name in index mapping update
* Throw errors if bulk retry fails or existing indices are not writeable
* Add new template to routes even without experimental rule registry flag enabled
* Check template version before updating template
* First pass at modifying routes to handle inserting field aliases
* Always insert field aliases when create_index_route is called
* Update snapshot test
* Remove template update logic from plugin setup
* Use aliases_version field to detect if aliases need update
* Fix bugs
* oops update snapshot
* Use internal user for PUT alias to fix perms issue
* Update comment
* Disable new resource creation if ruleRegistryEnabled
* Only attempt to add aliases if siem-signals index already exists
* Fix types, add aliases to aad indices, use package field names
* Undo adding aliases to AAD indices
* Remove unused import
* Update test and snapshot oops
* Filter out kibana.* fields from generated signals
* Update cypress test to account for new fields in table
* Properly handle space ids with dashes in them
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* incremental changes
* No more type errors
* Type guards
* Begin adding tests
* Flatten
* Reduce scope of branch
* Remove extraneous argument to filter_duplicate_signals
* injects bulkCreate and wrapHits to individual rule executors
* WIP create_security_rule_type_factory based on Marshall's work in #d3076ca54526ea0e61a9a99e1c1bce854806977e
* removes ruleStatusService from old rule executors, fixes executor unit tests
* fixes rebase
* Rename reference_rules to rule_types
* Fix type errors
* Fix type errors in base security rule factory
* Additional improvements to types and interfaces
* More type alignment
* Fix remaining type errors in query rule
* Add validation / inject lists plugin
* Formatting
* Improvements to typing
* Static typing on executors
* cleanup
* Hook up params for query/threshold rules... includes exceptionsList and daterange tuple
* Scaffolding for wrapHits and bulkCreate
* Add error handling / status reporting
* Fixup alert type state
* Begin threshold
* Begin work on threshold state
* Organize rule types
* Export base security rule types
* Fixup lifecycle static typing
* WrapHits / bulk changes
* Field mappings (partial)
* whoops
* Remove redundant params
* More flexibile implementation of bulkCreateFactory
* Add mappings
* Finish query rule
* Revert "Remove redundant params"
This reverts commit 87aff9c810.
* Revert "whoops"
This reverts commit a7771bd392.
* Fixup return types
* Use alertWithPersistence
* Fix import
* End-to-end rule mostly working
* Fix bulkCreate
* Bug fixes
* Bug fixes and mapping changes
* Fix indexing
* cleanup
* Fix type errors
* Test fixes
* Fix query tests
* cleanup / rename kibana.rac to kibana
* Remove eql/threshold (for now)
* Move technical fields to package
* Add indexAlias and buildRuleMessageFactory
* imports
* type errors
* Change 'kibana.rac.*' to 'kibana.*'
* Fix lifecycle tests
* Single alert instance
* fix import
* Fix type error
* Fix more type errors
* Fix query rule type test
* revert to previous ts-expect-error
* type errors again
* types / linting
* General readability improvements
* Add invariant function from Dmitrii's branch
* Use invariant and constants
* Improvements to field mappings
* More test failure fixes
* Add refresh param for bulk create
* Update more field refs
* Actually use refresh param
* cleanup
* test fixes
* changes to rule creation script
* Fix created signals count
* Use ruleId
* Updates to bulk indexing
* Mapping updates
* Cannot use 'strict' for dynamic setting
Co-authored-by: Marshall Main <marshall.main@elastic.co>
Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* kind of working solution... need to fix types.. would be great if all of this could go in the authorization class but I don't think we have access to the spaceids when we generate the kibana security action strings?
* update mapping type as array:true for space_ids field, fixes types, updates jest tests, adds integration tests
* undo changes in alerting authz class
* update snapshot for apm api integration test for rules writing alerts
* fix apm integration tests
* omit version and sequence from expected outcome
* re-add space id after this code was moved in master
* add another default space id to test
* fixes bug to remove duplicate spaceids
* add space ids filter to elasticsearch query, updates detection role
* update snapshot
* update type docs for alerts client
* remove dead code
* fix type error
* renames space ids field on alert documents from kibana.rac.alert.space_ids to kibana.space_ids
* fixes kb-rule-data-utils package
* update snapshots
* remove references to kibana.rac.alert.space_ids and replace with kibana.space_ids in rule registry integration tests and apm integration tests
* fix apm functional test snapshots
* undo index name changes I made in apm integration test configs
* update typedocs references to upstream, not local repo
This package was migrated to bazel, but the legacy style script commands
still exist in `package.json`. This removes these scripts to avoid
incorrectly building the package.
An MVP of the RBAC work required for the "alerts as data" effort. An example of the existing implementation for alerts would be that of the security solution. The security solution stores its alerts generated from rules in a single data index - .siem-signals. In order to gain or restrict access to alerts, users do so by following the Elasticsearch privilege architecture. A user would need to go into the Kibana role access UI and give explicit read/write/manage permissions for the index itself.
Kibana as a whole is moving away from this model and instead having all user interactions run through the Kibana privilege model. When solutions use saved objects, this authentication layer is abstracted away for them. Because we have chosen to use data indices for alerts, we cannot rely on this abstracted out layer that saved objects provide - we need to provide our own RBAC! Instead of giving users explicit permission to an alerts index, users are instead given access to features. They don't need to know anything about indices, that work we do under the covers now.
Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
Co-authored-by: Yara Tercero <yara.tercero@elastic.co>