[ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mappings and populate it (#141309)

* [ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mappings and populate it * Fixing snapshots to match new reality * Removing the lte (end of range) for active alerts. * Fixing expected resutls for mapping test * fixing tests * updating readme * Fixing field name in README Co-authored-by: Faisal Kanout <faisal.kanout@elastic.co>
2025-04-23 17:28:26 -04:00 · 2022-10-04 13:53:59 -06:00 · 2022-10-04 13:53:59 -06:00 · 71aebb7024
commit 71aebb7024
parent 77eb8029c8
6 changed files with 30 additions and 1 deletions
--- a/packages/kbn-rule-data-utils/src/technical_field_names.ts
+++ b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@ -34,6 +34,7 @@ const ALERT_REASON = `${ALERT_NAMESPACE}.reason` as const;
 const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
 const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
 const ALERT_START = `${ALERT_NAMESPACE}.start` as const;
+const ALERT_TIME_RANGE = `${ALERT_NAMESPACE}.time_range` as const;
 const ALERT_STATUS = `${ALERT_NAMESPACE}.status` as const;
 const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const;
 const ALERT_UUID = `${ALERT_NAMESPACE}.uuid` as const;
@ -126,6 +127,7 @@ const fields = {
  ALERT_RULE_UPDATED_BY,
  ALERT_RULE_VERSION,
  ALERT_START,
+  ALERT_TIME_RANGE,
  ALERT_SEVERITY,
  ALERT_STATUS,
  ALERT_SYSTEM_STATUS,
@ -183,6 +185,7 @@ export {
  ALERT_RULE_VERSION,
  ALERT_SEVERITY,
  ALERT_START,
+  ALERT_TIME_RANGE,
  ALERT_SYSTEM_STATUS,
  ALERT_UUID,
  ECS_VERSION,
--- a/x-pack/plugins/rule_registry/README.md
+++ b/x-pack/plugins/rule_registry/README.md
@ -143,6 +143,7 @@ The following fields are defined in the technical field component template and s
 - `kibana.alert.ancestors`: the array of ancestors (if any) for the alert.
 - `kibana.alert.depth`: the depth of the alert in the ancestral tree (default 0).
 - `kibana.alert.building_block_type`: the building block type of the alert (default undefined).
+- `kibana.alert.time_range`: the time range of an alert. (default undefined).

 # Alerts as data

--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.test.ts
@ -198,6 +198,10 @@ it('matches snapshot', () => {
        "required": false,
        "type": "keyword",
      },
+      "kibana.alert.time_range": Object {
+        "format": "epoch_millis||strict_date_optional_time",
+        "type": "date_range",
+      },
      "kibana.alert.uuid": Object {
        "required": true,
        "type": "keyword",
--- a/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
+++ b/x-pack/plugins/rule_registry/common/assets/field_maps/technical_rule_field_map.ts
@ -25,6 +25,10 @@ export const technicalRuleFieldMap = {
  [Fields.ALERT_UUID]: { type: 'keyword', required: true },
  [Fields.ALERT_INSTANCE_ID]: { type: 'keyword', required: true },
  [Fields.ALERT_START]: { type: 'date' },
+  [Fields.ALERT_TIME_RANGE]: {
+    type: 'date_range',
+    format: 'epoch_millis||strict_date_optional_time',
+  },
  [Fields.ALERT_END]: { type: 'date' },
  [Fields.ALERT_DURATION]: { type: 'long' },
  [Fields.ALERT_SEVERITY]: { type: 'keyword' },
--- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts
+++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts
@ -22,6 +22,7 @@ import {
 import { ParsedExperimentalFields } from '../../common/parse_experimental_fields';
 import { ParsedTechnicalFields } from '../../common/parse_technical_fields';
 import {
+  ALERT_TIME_RANGE,
  ALERT_DURATION,
  ALERT_END,
  ALERT_INSTANCE_ID,
@ -235,7 +236,12 @@ export const createLifecycleExecutor =
          ...commonRuleFields,
          ...currentAlertData,
          [ALERT_DURATION]: (options.startedAt.getTime() - new Date(started).getTime()) * 1000,
-
+          [ALERT_TIME_RANGE]: isRecovered
+            ? {
+                gte: started,
+                lte: commonRuleFields[TIMESTAMP],
+              }
+            : { gte: started },
          [ALERT_INSTANCE_ID]: alertId,
          [ALERT_START]: started,
          [ALERT_UUID]: alertUuid,
--- a/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
+++ b/x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
@ -12,6 +12,7 @@ import {
  ALERT_STATUS_ACTIVE,
  ALERT_STATUS_RECOVERED,
  ALERT_UUID,
+  ALERT_TIME_RANGE,
 } from '@kbn/rule-data-utils';
 import { loggerMock } from '@kbn/logging-mocks';
 import { castArray, omit } from 'lodash';
@ -245,6 +246,9 @@ describe('createLifecycleRuleTypeFactory', () => {
              "kibana.alert.rule.uuid": "alertId",
              "kibana.alert.start": "2021-06-16T09:01:00.000Z",
              "kibana.alert.status": "active",
+              "kibana.alert.time_range": Object {
+                "gte": "2021-06-16T09:01:00.000Z",
+              },
              "kibana.alert.workflow_status": "open",
              "kibana.space_ids": Array [
                "spaceId",
@ -273,6 +277,9 @@ describe('createLifecycleRuleTypeFactory', () => {
              "kibana.alert.rule.uuid": "alertId",
              "kibana.alert.start": "2021-06-16T09:01:00.000Z",
              "kibana.alert.status": "active",
+              "kibana.alert.time_range": Object {
+                "gte": "2021-06-16T09:01:00.000Z",
+              },
              "kibana.alert.workflow_status": "open",
              "kibana.space_ids": Array [
                "spaceId",
@ -443,6 +450,10 @@ describe('createLifecycleRuleTypeFactory', () => {

        expect(opbeansNodeAlertDoc['event.action']).toBe('close');
        expect(opbeansNodeAlertDoc[ALERT_STATUS]).toBe(ALERT_STATUS_RECOVERED);
+        expect(opbeansNodeAlertDoc[ALERT_TIME_RANGE]).toEqual({
+          gte: '2021-06-16T09:01:00.000Z',
+          lte: '2021-06-16T09:02:00.000Z',
+        });
      });
    });
  });