[Response Ops][Maintenance Window] Fix MW bug where rules that generate multiple alerts only has 1 alert that gets muted (#190935)

## Summary Issue: https://github.com/elastic/kibana/issues/190750 Fix a bug with maintenance window where only 1 alert from a rule that generates multiple alerts has the maintenance window ID associated. The fix was to remove a `size` field (not sure why that was there). To verify: 1. Create an active maintenance window with conditional filter 2. Create a rule that matches the maintenance window filter and let it generate multiple alerts (I use ES query rule on the task_manager index with runAt as timefield. Then use groupBy on the runAt field.). 3. Assert that all of the alerts generated have the maintenance window ID associated with it ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-24 17:59:23 -04:00 · 2024-08-26 17:28:38 -07:00 · 2024-08-26 17:28:38 -07:00 · d0319c6555
commit d0319c6555
parent c361abd78c
4 changed files with 71 additions and 4 deletions
--- a/x-pack/plugins/alerting/server/alerts_client/lib/get_summarized_alerts_query.ts
+++ b/x-pack/plugins/alerting/server/alerts_client/lib/get_summarized_alerts_query.ts
@ -324,7 +324,6 @@ export const getQueryByScopedQueries = ({
      aggs: {
        alertId: {
          top_hits: {
-            size: 1,
            _source: {
              includes: [ALERT_UUID],
            },
--- a/x-pack/test/alerting_api_integration/common/plugins/alerts/server/rule_types.ts
+++ b/x-pack/test/alerting_api_integration/common/plugins/alerts/server/rule_types.ts
@ -917,7 +917,7 @@ function getAlwaysFiringAlertAsDataRuleType(
    validate: {
      params: paramsSchema,
    },
-    category: 'kibana',
+    category: 'management',
    producer: 'alertsFixture',
    defaultActionGroupId: 'default',
    minimumLicenseRequired: 'basic',
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group3/maintenance_window_scoped_query.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group3/maintenance_window_scoped_query.ts
@ -8,7 +8,7 @@
 import expect from '@kbn/expect';
 import type { Alert } from '@kbn/alerts-as-data-utils';
 import { ALERT_MAINTENANCE_WINDOW_IDS } from '@kbn/rule-data-utils';
-import { ObjectRemover } from '../../../../common/lib';
+import { getTestRuleData, getUrlPrefix, ObjectRemover } from '../../../../common/lib';
 import { FtrProviderContext } from '../../../../common/ftr_provider_context';
 import {
  createRule,
@ -18,6 +18,7 @@ import {
  expectNoActionsFired,
  runSoon,
 } from './test_helpers';
+import { Spaces } from '../../../scenarios';

 const alertAsDataIndex = '.internal.alerts-test.patternfiring.alerts-default-000001';

@ -177,5 +178,72 @@ export default function maintenanceWindowScopedQueryTests({ getService }: FtrPro
        getService,
      });
    });
+
+    it('should associate alerts for rules that generate multiple alerts', async () => {
+      await createMaintenanceWindow({
+        supertest,
+        objectRemover,
+        overwrites: {
+          scoped_query: {
+            kql: 'kibana.alert.rule.tags: "test"',
+            filters: [],
+          },
+          category_ids: ['management'],
+        },
+      });
+
+      // Create action and rule
+      const action = await await createAction({
+        supertest,
+        objectRemover,
+      });
+
+      const { body: rule } = await supertestWithoutAuth
+        .post(`${getUrlPrefix(Spaces.space1.id)}/api/alerting/rule`)
+        .set('kbn-xsrf', 'foo')
+        .send(
+          getTestRuleData({
+            name: 'test-rule',
+            rule_type_id: 'test.always-firing-alert-as-data',
+            schedule: { interval: '24h' },
+            tags: ['test'],
+            throttle: undefined,
+            notify_when: 'onActiveAlert',
+            params: {
+              index: alertAsDataIndex,
+              reference: 'test',
+            },
+            actions: [
+              {
+                id: action.id,
+                group: 'default',
+                params: {},
+              },
+              {
+                id: action.id,
+                group: 'recovered',
+                params: {},
+              },
+            ],
+          })
+        )
+        .expect(200);
+
+      objectRemover.add(Spaces.space1.id, rule.id, 'rule', 'alerting');
+
+      // Run the first time - active
+      await getRuleEvents({
+        id: rule.id,
+        activeInstance: 2,
+        retry,
+        getService,
+      });
+
+      await expectNoActionsFired({
+        id: rule.id,
+        supertest,
+        retry,
+      });
+    });
  });
 }
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group3/test_helpers.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group3/test_helpers.ts
@ -22,7 +22,7 @@ export const createRule = async ({
  overwrites,
 }: {
  actionId: string;
-  pattern: { instance: boolean[] };
+  pattern?: { instance: boolean[] };
  supertest: SuperTestAgent;
  objectRemover: ObjectRemover;
  overwrites?: any;