[Event Log] Populated rule.* ECS fields for alert events. (#101132)

* [Event Log] Populated rule.* ECS fields for alert events. * added mappings * changed the params passing * fixed tests * fixed type checks * used kibanaVersion for version event rule * fixed typos * fixed tests * fixed tests * fixed tests * fixed tests * fixed jest tests * removed references * removed not populated fields * fixed tests * fixed tests * fixed tests
elastic · Jun 10, 2021 · e55a93c · e55a93c
1 parent befd30f
commit e55a93c
Show file tree

Hide file tree

Showing 10 changed files with 696 additions and 37 deletions.
diff --git a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts
@@ -67,7 +67,7 @@ const createExecutionHandlerParams: jest.Mocked<
   >
 > = {
   actionsPlugin: mockActionsPlugin,
-  spaceId: 'default',
+  spaceId: 'test1',
   alertId: '1',
   alertName: 'name-of-alert',
   tags: ['tag-A', 'tag-B'],
@@ -130,7 +130,7 @@ test('enqueues execution per selected action', async () => {
         "apiKey": "MTIzOmFiYw==",
         "id": "1",
         "params": Object {
-          "alertVal": "My 1 name-of-alert default tag-A,tag-B 2 goes here",
+          "alertVal": "My 1 name-of-alert test1 tag-A,tag-B 2 goes here",
           "contextVal": "My  goes here",
           "foo": true,
           "stateVal": "My  goes here",
@@ -142,7 +142,7 @@ test('enqueues execution per selected action', async () => {
           },
           "type": "SAVED_OBJECT",
         },
-        "spaceId": "default",
+        "spaceId": "test1",
       },
     ]
   `);
@@ -154,6 +154,10 @@ test('enqueues execution per selected action', async () => {
         Object {
           "event": Object {
             "action": "execute-action",
+            "category": Array [
+              "alerts",
+            ],
+            "kind": "alert",
           },
           "kibana": Object {
             "alerting": Object {
@@ -164,29 +168,39 @@ test('enqueues execution per selected action', async () => {
             "saved_objects": Array [
               Object {
                 "id": "1",
+                "namespace": "test1",
                 "rel": "primary",
                 "type": "alert",
                 "type_id": "test",
               },
               Object {
                 "id": "1",
+                "namespace": "test1",
                 "type": "action",
                 "type_id": "test",
               },
             ],
           },
           "message": "alert: test:1: 'name-of-alert' instanceId: '2' scheduled actionGroup: 'default' action: test:1",
+          "rule": Object {
+            "category": "test",
+            "id": "1",
+            "license": "basic",
+            "name": "name-of-alert",
+            "namespace": "test1",
+            "ruleset": "alerts",
+          },
         },
       ],
     ]
   `);
 
   expect(jest.requireMock('./inject_action_params').injectActionParams).toHaveBeenCalledWith({
     ruleId: '1',
-    spaceId: 'default',
+    spaceId: 'test1',
     actionTypeId: 'test',
     actionParams: {
-      alertVal: 'My 1 name-of-alert default tag-A,tag-B 2 goes here',
+      alertVal: 'My 1 name-of-alert test1 tag-A,tag-B 2 goes here',
       contextVal: 'My  goes here',
       foo: true,
       stateVal: 'My  goes here',
@@ -233,7 +247,7 @@ test(`doesn't call actionsPlugin.execute for disabled actionTypes`, async () =>
       id: '1',
       type: 'alert',
     }),
-    spaceId: 'default',
+    spaceId: 'test1',
     apiKey: createExecutionHandlerParams.apiKey,
   });
 });
@@ -308,7 +322,7 @@ test('context attribute gets parameterized', async () => {
         "apiKey": "MTIzOmFiYw==",
         "id": "1",
         "params": Object {
-          "alertVal": "My 1 name-of-alert default tag-A,tag-B 2 goes here",
+          "alertVal": "My 1 name-of-alert test1 tag-A,tag-B 2 goes here",
           "contextVal": "My context-val goes here",
           "foo": true,
           "stateVal": "My  goes here",
@@ -320,7 +334,7 @@ test('context attribute gets parameterized', async () => {
           },
           "type": "SAVED_OBJECT",
         },
-        "spaceId": "default",
+        "spaceId": "test1",
       },
     ]
   `);
@@ -341,7 +355,7 @@ test('state attribute gets parameterized', async () => {
         "apiKey": "MTIzOmFiYw==",
         "id": "1",
         "params": Object {
-          "alertVal": "My 1 name-of-alert default tag-A,tag-B 2 goes here",
+          "alertVal": "My 1 name-of-alert test1 tag-A,tag-B 2 goes here",
           "contextVal": "My  goes here",
           "foo": true,
           "stateVal": "My state-val goes here",
@@ -353,7 +367,7 @@ test('state attribute gets parameterized', async () => {
           },
           "type": "SAVED_OBJECT",
         },
-        "spaceId": "default",
+        "spaceId": "test1",
       },
     ]
   `);

diff --git a/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts b/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts
@@ -174,7 +174,11 @@ export function createExecutionHandler<
       const namespace = spaceId === 'default' ? {} : { namespace: spaceId };
 
       const event: IEvent = {
-        event: { action: EVENT_LOG_ACTIONS.executeAction },
+        event: {
+          action: EVENT_LOG_ACTIONS.executeAction,
+          kind: 'alert',
+          category: [alertType.producer],
+        },
         kibana: {
           alerting: {
             instance_id: alertInstanceId,
@@ -192,6 +196,14 @@ export function createExecutionHandler<
             { type: 'action', id: action.id, type_id: action.actionTypeId, ...namespace },
           ],
         },
+        rule: {
+          id: alertId,
+          license: alertType.minimumLicenseRequired,
+          category: alertType.id,
+          ruleset: alertType.producer,
+          ...namespace,
+          name: alertName,
+        },
       };
 
       event.message = `alert: ${alertLabel} instanceId: '${alertInstanceId}' scheduled ${