[Response Ops][Alerting] Update common component template generation for framework alerts as data

packages/kbn-rule-data-utils/index.ts

@@ -7,6 +7,7 @@
  */
 
 export * from './src/default_alerts_as_data';
+export * from './src/legacy_alerts_as_data';
 export * from './src/technical_field_names';
 export * from './src/alerts_as_data_rbac';
 export * from './src/alerts_as_data_severity';

packages/kbn-rule-data-utils/src/default_alerts_as_data.ts

@@ -8,6 +8,9 @@
 
 import { ValuesType } from 'utility-types';
 
+const TIMESTAMP = '@timestamp' as const;
+
+// namespaces
 const KIBANA_NAMESPACE = 'kibana' as const;
 const ALERT_NAMESPACE = `${KIBANA_NAMESPACE}.alert` as const;
 const ALERT_RULE_NAMESPACE = `${ALERT_NAMESPACE}.rule` as const;
@@ -21,6 +24,9 @@ const VERSION = `${KIBANA_NAMESPACE}.version` as const;
 // kibana.alert.action_group - framework action group ID for this alert
 const ALERT_ACTION_GROUP = `${ALERT_NAMESPACE}.action_group` as const;
 
+// kibana.alert.case_ids - array of cases associated with the alert
+const ALERT_CASE_IDS = `${ALERT_NAMESPACE}.case_ids` as const;
+
 // kibana.alert.duration.us - alert duration in nanoseconds - updated each execution
 // that the alert is active
 const ALERT_DURATION = `${ALERT_NAMESPACE}.duration.us` as const;
@@ -31,8 +37,11 @@ const ALERT_END = `${ALERT_NAMESPACE}.end` as const;
 // kibana.alert.flapping - whether the alert is currently in a flapping state
 const ALERT_FLAPPING = `${ALERT_NAMESPACE}.flapping` as const;
 
-// kibana.alert.id - alert ID, also known as alert instance ID
-const ALERT_ID = `${ALERT_NAMESPACE}.id` as const;
+// kibana.alert.flapping_history - whether the alert is currently in a flapping state
+const ALERT_FLAPPING_HISTORY = `${ALERT_NAMESPACE}.flapping_history` as const;
+
+// kibana.alert.instance.id - alert ID, also known as alert instance ID
+const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const;
 
 // kibana.alert.last_detected - timestamp when the alert was last seen
 const ALERT_LAST_DETECTED = `${ALERT_NAMESPACE}.last_detected` as const;
@@ -90,10 +99,12 @@ const namespaces = {
 
 const fields = {
   ALERT_ACTION_GROUP,
+  ALERT_CASE_IDS,
   ALERT_DURATION,
   ALERT_END,
   ALERT_FLAPPING,
-  ALERT_ID,
+  ALERT_FLAPPING_HISTORY,
+  ALERT_INSTANCE_ID,
   ALERT_LAST_DETECTED,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
@@ -111,15 +122,24 @@ const fields = {
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
   SPACE_IDS,
+  TIMESTAMP,
   VERSION,
 };
 
 export {
+  // namespaces
+  ALERT_NAMESPACE,
+  ALERT_RULE_NAMESPACE,
+  KIBANA_NAMESPACE,
+
+  // fields
   ALERT_ACTION_GROUP,
+  ALERT_CASE_IDS,
   ALERT_DURATION,
   ALERT_END,
   ALERT_FLAPPING,
-  ALERT_ID,
+  ALERT_FLAPPING_HISTORY,
+  ALERT_INSTANCE_ID,
   ALERT_LAST_DETECTED,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
@@ -137,10 +157,8 @@ export {
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
   SPACE_IDS,
+  TIMESTAMP,
   VERSION,
-  ALERT_NAMESPACE,
-  ALERT_RULE_NAMESPACE,
-  KIBANA_NAMESPACE,
 };
 
 export type DefaultAlertFieldName = ValuesType<typeof fields & typeof namespaces>;

packages/kbn-rule-data-utils/src/legacy_alerts_as_data.ts

@@ -0,0 +1,84 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { ALERT_NAMESPACE, ALERT_RULE_NAMESPACE } from './default_alerts_as_data';
+
+const ECS_VERSION = 'ecs.version' as const;
+const EVENT_ACTION = 'event.action' as const;
+const EVENT_KIND = 'event.kind' as const;
+const TAGS = 'tags' as const;
+
+// These are the fields that are in the rule registry technical component template
+// that are NOT in the framework alerts as data common component template
+
+// We will maintain a legacy component template that can be used by legacy
+// rule registry rules with these fields.
+const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
+const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const;
+const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const;
+const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
+const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
+const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const;
+const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
+const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
+const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
+const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
+const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
+const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
+const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
+const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
+const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
+const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const;
+const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const;
+const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const;
+const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
+const ALERT_SUPPRESSION_META = `${ALERT_NAMESPACE}.suppression` as const;
+const ALERT_SUPPRESSION_TERMS = `${ALERT_SUPPRESSION_META}.terms` as const;
+const ALERT_SUPPRESSION_FIELD = `${ALERT_SUPPRESSION_TERMS}.field` as const;
+const ALERT_SUPPRESSION_VALUE = `${ALERT_SUPPRESSION_TERMS}.value` as const;
+const ALERT_SUPPRESSION_START = `${ALERT_SUPPRESSION_META}.start` as const;
+const ALERT_SUPPRESSION_END = `${ALERT_SUPPRESSION_META}.end` as const;
+const ALERT_SUPPRESSION_DOCS_COUNT = `${ALERT_SUPPRESSION_META}.docs_count` as const;
+const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const;
+const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const;
+const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const;
+
+export {
+  ALERT_RISK_SCORE,
+  ALERT_RULE_AUTHOR,
+  ALERT_RULE_CREATED_AT,
+  ALERT_RULE_CREATED_BY,
+  ALERT_RULE_DESCRIPTION,
+  ALERT_RULE_ENABLED,
+  ALERT_RULE_FROM,
+  ALERT_RULE_INTERVAL,
+  ALERT_RULE_LICENSE,
+  ALERT_RULE_NOTE,
+  ALERT_RULE_REFERENCES,
+  ALERT_RULE_RULE_ID,
+  ALERT_RULE_RULE_NAME_OVERRIDE,
+  ALERT_RULE_TO,
+  ALERT_RULE_TYPE,
+  ALERT_RULE_UPDATED_AT,
+  ALERT_RULE_UPDATED_BY,
+  ALERT_RULE_VERSION,
+  ALERT_SEVERITY,
+  ALERT_SUPPRESSION_DOCS_COUNT,
+  ALERT_SUPPRESSION_END,
+  ALERT_SUPPRESSION_FIELD,
+  ALERT_SUPPRESSION_START,
+  ALERT_SUPPRESSION_TERMS,
+  ALERT_SUPPRESSION_VALUE,
+  ALERT_SYSTEM_STATUS,
+  ALERT_WORKFLOW_REASON,
+  ALERT_WORKFLOW_USER,
+  ECS_VERSION,
+  EVENT_ACTION,
+  EVENT_KIND,
+  TAGS,
+};

packages/kbn-rule-data-utils/src/technical_field_names.ts

@@ -8,11 +8,15 @@
 
 import { ValuesType } from 'utility-types';
 import {
+  ALERT_NAMESPACE,
+  ALERT_RULE_NAMESPACE,
   KIBANA_NAMESPACE,
   ALERT_ACTION_GROUP,
+  ALERT_CASE_IDS,
   ALERT_DURATION,
   ALERT_END,
   ALERT_FLAPPING,
+  ALERT_INSTANCE_ID,
   ALERT_REASON,
   ALERT_RULE_CATEGORY,
   ALERT_RULE_CONSUMER,
@@ -29,61 +33,61 @@ import {
   ALERT_UUID,
   ALERT_WORKFLOW_STATUS,
   SPACE_IDS,
+  TIMESTAMP,
   VERSION,
-  ALERT_NAMESPACE,
-  ALERT_RULE_NAMESPACE,
 } from './default_alerts_as_data';
 
+import {
+  ALERT_RISK_SCORE,
+  ALERT_RULE_AUTHOR,
+  ALERT_RULE_CREATED_AT,
+  ALERT_RULE_CREATED_BY,
+  ALERT_RULE_DESCRIPTION,
+  ALERT_RULE_ENABLED,
+  ALERT_RULE_FROM,
+  ALERT_RULE_INTERVAL,
+  ALERT_RULE_LICENSE,
+  ALERT_RULE_NOTE,
+  ALERT_RULE_REFERENCES,
+  ALERT_RULE_RULE_ID,
+  ALERT_RULE_RULE_NAME_OVERRIDE,
+  ALERT_RULE_TO,
+  ALERT_RULE_TYPE,
+  ALERT_RULE_UPDATED_AT,
+  ALERT_RULE_UPDATED_BY,
+  ALERT_RULE_VERSION,
+  ALERT_SEVERITY,
+  ALERT_SUPPRESSION_DOCS_COUNT,
+  ALERT_SUPPRESSION_END,
+  ALERT_SUPPRESSION_FIELD,
+  ALERT_SUPPRESSION_START,
+  ALERT_SUPPRESSION_TERMS,
+  ALERT_SUPPRESSION_VALUE,
+  ALERT_SYSTEM_STATUS,
+  ALERT_WORKFLOW_REASON,
+  ALERT_WORKFLOW_USER,
+  ECS_VERSION,
+  EVENT_ACTION,
+  EVENT_KIND,
+  TAGS,
+} from './legacy_alerts_as_data';
+
+// The following fields were identified as technical field names but were not defined in the
+// rule registry technical component template. We will leave these here for backwards
+// compatibility but these consts should be moved to the plugin that uses them
+
 const ALERT_RULE_THREAT_NAMESPACE = `${ALERT_RULE_NAMESPACE}.threat` as const;
 
-const ECS_VERSION = 'ecs.version' as const;
-const EVENT_ACTION = 'event.action' as const;
-const EVENT_KIND = 'event.kind' as const;
 const EVENT_MODULE = 'event.module' as const;
-const TAGS = 'tags' as const;
-const TIMESTAMP = '@timestamp' as const;
 
 // Fields pertaining to the alert
 const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const;
 const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
 const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
-const ALERT_INSTANCE_ID = `${ALERT_NAMESPACE}.instance.id` as const;
-const ALERT_RISK_SCORE = `${ALERT_NAMESPACE}.risk_score` as const;
-const ALERT_SEVERITY = `${ALERT_NAMESPACE}.severity` as const;
-const ALERT_SYSTEM_STATUS = `${ALERT_NAMESPACE}.system_status` as const;
-const ALERT_WORKFLOW_REASON = `${ALERT_NAMESPACE}.workflow_reason` as const;
-const ALERT_WORKFLOW_USER = `${ALERT_NAMESPACE}.workflow_user` as const;
-const ALERT_SUPPRESSION_META = `${ALERT_NAMESPACE}.suppression` as const;
-const ALERT_SUPPRESSION_TERMS = `${ALERT_SUPPRESSION_META}.terms` as const;
-const ALERT_SUPPRESSION_FIELD = `${ALERT_SUPPRESSION_TERMS}.field` as const;
-const ALERT_SUPPRESSION_VALUE = `${ALERT_SUPPRESSION_TERMS}.value` as const;
-const ALERT_SUPPRESSION_START = `${ALERT_SUPPRESSION_META}.start` as const;
-const ALERT_SUPPRESSION_END = `${ALERT_SUPPRESSION_META}.end` as const;
-const ALERT_SUPPRESSION_DOCS_COUNT = `${ALERT_SUPPRESSION_META}.docs_count` as const;
-
-// Fields pertaining to the cases associated with the alert
-const ALERT_CASE_IDS = `${ALERT_NAMESPACE}.case_ids` as const;
 
 // Fields pertaining to the rule associated with the alert
-const ALERT_RULE_AUTHOR = `${ALERT_RULE_NAMESPACE}.author` as const;
-const ALERT_RULE_CREATED_AT = `${ALERT_RULE_NAMESPACE}.created_at` as const;
-const ALERT_RULE_CREATED_BY = `${ALERT_RULE_NAMESPACE}.created_by` as const;
-const ALERT_RULE_DESCRIPTION = `${ALERT_RULE_NAMESPACE}.description` as const;
-const ALERT_RULE_ENABLED = `${ALERT_RULE_NAMESPACE}.enabled` as const;
 const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const;
-const ALERT_RULE_FROM = `${ALERT_RULE_NAMESPACE}.from` as const;
-const ALERT_RULE_INTERVAL = `${ALERT_RULE_NAMESPACE}.interval` as const;
-const ALERT_RULE_LICENSE = `${ALERT_RULE_NAMESPACE}.license` as const;
 const ALERT_RULE_NAMESPACE_FIELD = `${ALERT_RULE_NAMESPACE}.namespace` as const;
-const ALERT_RULE_NOTE = `${ALERT_RULE_NAMESPACE}.note` as const;
-const ALERT_RULE_REFERENCES = `${ALERT_RULE_NAMESPACE}.references` as const;
-const ALERT_RULE_RULE_ID = `${ALERT_RULE_NAMESPACE}.rule_id` as const;
-const ALERT_RULE_RULE_NAME_OVERRIDE = `${ALERT_RULE_NAMESPACE}.rule_name_override` as const;
-const ALERT_RULE_TO = `${ALERT_RULE_NAMESPACE}.to` as const;
-const ALERT_RULE_TYPE = `${ALERT_RULE_NAMESPACE}.type` as const;
-const ALERT_RULE_UPDATED_AT = `${ALERT_RULE_NAMESPACE}.updated_at` as const;
-const ALERT_RULE_UPDATED_BY = `${ALERT_RULE_NAMESPACE}.updated_by` as const;
-const ALERT_RULE_VERSION = `${ALERT_RULE_NAMESPACE}.version` as const;
 
 // Fields pertaining to the threat tactic associated with the rule
 const ALERT_THREAT_FRAMEWORK = `${ALERT_RULE_THREAT_NAMESPACE}.framework` as const;
@@ -186,36 +190,8 @@ export {
   ALERT_BUILDING_BLOCK_TYPE,
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
-  ALERT_INSTANCE_ID,
-  ALERT_RISK_SCORE,
-  ALERT_WORKFLOW_REASON,
-  ALERT_WORKFLOW_USER,
-  ALERT_CASE_IDS,
-  ALERT_RULE_AUTHOR,
-  ALERT_RULE_CREATED_AT,
-  ALERT_RULE_CREATED_BY,
-  ALERT_RULE_DESCRIPTION,
-  ALERT_RULE_ENABLED,
   ALERT_RULE_EXCEPTIONS_LIST,
-  ALERT_RULE_FROM,
-  ALERT_RULE_INTERVAL,
-  ALERT_RULE_LICENSE,
   ALERT_RULE_NAMESPACE_FIELD,
-  ALERT_RULE_NOTE,
-  ALERT_RULE_REFERENCES,
-  ALERT_RULE_RULE_ID,
-  ALERT_RULE_RULE_NAME_OVERRIDE,
-  ALERT_RULE_TO,
-  ALERT_RULE_TYPE,
-  ALERT_RULE_UPDATED_AT,
-  ALERT_RULE_UPDATED_BY,
-  ALERT_RULE_VERSION,
-  ALERT_SEVERITY,
-  ALERT_SYSTEM_STATUS,
-  ECS_VERSION,
-  EVENT_ACTION,
-  EVENT_KIND,
-  EVENT_MODULE,
   ALERT_THREAT_FRAMEWORK,
   ALERT_THREAT_TACTIC_ID,
   ALERT_THREAT_TACTIC_NAME,
@@ -226,14 +202,7 @@ export {
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_ID,
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_NAME,
   ALERT_THREAT_TECHNIQUE_SUBTECHNIQUE_REFERENCE,
-  ALERT_SUPPRESSION_TERMS,
-  ALERT_SUPPRESSION_FIELD,
-  ALERT_SUPPRESSION_VALUE,
-  ALERT_SUPPRESSION_START,
-  ALERT_SUPPRESSION_END,
-  ALERT_SUPPRESSION_DOCS_COUNT,
-  TAGS,
-  TIMESTAMP,
+  EVENT_MODULE,
 };
 
 export type TechnicalRuleDataFieldName = ValuesType<typeof fields & typeof namespaces>;