Additional context for log threshold rule (#148503)

## Summary

Resolves #146348

- Adds new context variables for count and ratio alerts in Log threshold
rule
- Indexes new context variables to AAD
- Adds new context variables to recovered count and ratio alerts

The context variables are added based on group by and filter used when
creating the rule.

When the prefix of `group by` or filter (`WITH` condition) includes one
of the following, contextual attributes for that entity are added.

- `cloud`
- `host`
- `orchestrator`
- `container`
- `labels`
- `tags`

Following fields are excluded from the context: `*.cpu`, `*.network`,
`*.disk`, `*.memory`

In case of ratio alerts without `group by`, the prefix from numerator
query is considered to add contextual attributes. In both count and
ratio alerts, only positive criteria is used from filter (with `is` or
`matches` condition) for adding contextual attributes.

### Manual Testing
1. Create different Log threshold rules (Count, Ratio, With group by,
Without group by)
2. Configure action template with `{{context}}`
3. Observe additional context to be included in alert notification
4. Let alerts be recovered
5. Observe additional context to be included in recovery notification
6. Observe additional context fields are indexed in AAD

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <[email protected]>

Author: benakansara

x-pack/plugins/infra/common/alerting/logs/log_threshold/types.ts

@@ -270,12 +270,26 @@ const chartPreviewHistogramBucket = rt.type({
   doc_count: rt.number,
 });
 
+const AdditionalContext = rt.type({
+  hits: rt.type({
+    hits: rt.array(
+      rt.type({
+        fields: rt.record(rt.string, rt.array(rt.unknown)),
+      })
+    ),
+  }),
+});
+
 const ChartPreviewBucketsRT = rt.partial({
   histogramBuckets: rt.type({
     buckets: rt.array(chartPreviewHistogramBucket),
   }),
 });
 
+const additionalContextRT = rt.partial({
+  additionalContext: AdditionalContext,
+});
+
 // ES query responses //
 const hitsRT = rt.type({
   total: rt.type({
@@ -299,7 +313,7 @@ export const UngroupedSearchQueryResponseRT = rt.intersection([
       hits: hitsRT,
     }),
     rt.partial({
-      aggregations: ChartPreviewBucketsRT,
+      aggregations: rt.intersection([ChartPreviewBucketsRT, additionalContextRT]),
     }),
   ]),
 ]);
@@ -320,6 +334,7 @@ export const UnoptimizedGroupedSearchQueryResponseRT = rt.intersection([
                   doc_count: rt.number,
                 }),
                 ChartPreviewBucketsRT,
+                additionalContextRT,
               ]),
             })
           ),
@@ -341,7 +356,9 @@ export const OptimizedGroupedSearchQueryResponseRT = rt.intersection([
     aggregations: rt.type({
       groups: rt.intersection([
         rt.type({
-          buckets: rt.array(rt.intersection([bucketFieldsRT, ChartPreviewBucketsRT])),
+          buckets: rt.array(
+            rt.intersection([bucketFieldsRT, ChartPreviewBucketsRT, additionalContextRT])
+          ),
         }),
         afterKeyRT,
       ]),

x-pack/plugins/infra/server/lib/alerting/common/utils.ts

@@ -12,9 +12,13 @@ import type { ElasticsearchClient, IBasePath } from '@kbn/core/server';
 import { addSpaceIdToPath } from '@kbn/spaces-plugin/common';
 import { ObservabilityConfig } from '@kbn/observability-plugin/server';
 import { ALERT_RULE_PARAMETERS, TIMESTAMP } from '@kbn/rule-data-utils';
-import { parseTechnicalFields } from '@kbn/rule-registry-plugin/common/parse_technical_fields';
+import {
+  ParsedTechnicalFields,
+  parseTechnicalFields,
+} from '@kbn/rule-registry-plugin/common/parse_technical_fields';
 import { ES_FIELD_TYPES } from '@kbn/field-types';
 import { set } from '@kbn/safer-lodash-set';
+import { ParsedExperimentalFields } from '@kbn/rule-registry-plugin/common/parse_experimental_fields';
 import { LINK_TO_METRICS_EXPLORER } from '../../../../common/alerting/metrics';
 import { getInventoryViewInAppUrl } from '../../../../common/alerting/metrics/alert_link';
 import {
@@ -237,18 +241,17 @@ export const flattenAdditionalContext = (
 };
 
 export const getContextForRecoveredAlerts = (
-  alertHits: AdditionalContext[] | undefined | null
+  alertHitSource: Partial<ParsedTechnicalFields & ParsedExperimentalFields> | undefined | null
 ): AdditionalContext => {
-  const alertHitsSource =
-    alertHits && alertHits.length > 0 ? unflattenObject(alertHits[0]._source) : undefined;
+  const alert = alertHitSource ? unflattenObject(alertHitSource) : undefined;
 
   return {
-    cloud: alertHitsSource?.[ALERT_CONTEXT_CLOUD],
-    host: alertHitsSource?.[ALERT_CONTEXT_HOST],
-    orchestrator: alertHitsSource?.[ALERT_CONTEXT_ORCHESTRATOR],
-    container: alertHitsSource?.[ALERT_CONTEXT_CONTAINER],
-    labels: alertHitsSource?.[ALERT_CONTEXT_LABELS],
-    tags: alertHitsSource?.[ALERT_CONTEXT_TAGS],
+    cloud: alert?.[ALERT_CONTEXT_CLOUD],
+    host: alert?.[ALERT_CONTEXT_HOST],
+    orchestrator: alert?.[ALERT_CONTEXT_ORCHESTRATOR],
+    container: alert?.[ALERT_CONTEXT_CONTAINER],
+    labels: alert?.[ALERT_CONTEXT_LABELS],
+    tags: alert?.[ALERT_CONTEXT_TAGS],
   };
 };
 

x-pack/plugins/infra/server/lib/alerting/log_threshold/log_threshold_executor.test.ts

@@ -6,8 +6,8 @@
  */
 
 import {
-  getPositiveComparators,
-  getNegativeComparators,
+  positiveComparators,
+  negativeComparators,
   queryMappings,
   buildFiltersFromCriteria,
   getUngroupedESQuery,
@@ -155,15 +155,15 @@ const runtimeMappings: estypes.MappingRuntimeFields = {
 describe('Log threshold executor', () => {
   describe('Comparators', () => {
     test('Correctly categorises positive comparators', () => {
-      expect(getPositiveComparators().length).toBe(7);
+      expect(positiveComparators.length).toBe(7);
     });
 
     test('Correctly categorises negative comparators', () => {
-      expect(getNegativeComparators().length).toBe(3);
+      expect(negativeComparators.length).toBe(3);
     });
 
     test('There is a query mapping for every comparator', () => {
-      const comparators = [...getPositiveComparators(), ...getNegativeComparators()];
+      const comparators = [...positiveComparators, ...negativeComparators];
       expect(Object.keys(queryMappings).length).toBe(comparators.length);
     });
   });
@@ -220,6 +220,7 @@ describe('Log threshold executor', () => {
           ignore_unavailable: true,
           body: {
             track_total_hits: true,
+            aggregations: {},
             query: {
               bool: {
                 filter: [
@@ -290,6 +291,15 @@ describe('Log threshold executor', () => {
               },
               aggregations: {
                 groups: {
+                  aggregations: {
+                    additionalContext: {
+                      top_hits: {
+                        _source: false,
+                        fields: ['host.*'],
+                        size: 1,
+                      },
+                    },
+                  },
                   composite: {
                     size: 2000,
                     sources: [
@@ -390,6 +400,15 @@ describe('Log threshold executor', () => {
                           must_not: [...expectedNegativeFilterClauses],
                         },
                       },
+                      aggregations: {
+                        additionalContext: {
+                          top_hits: {
+                            _source: false,
+                            fields: ['host.*'],
+                            size: 1,
+                          },
+                        },
+                      },
                     },
                   },
                 },
@@ -548,6 +567,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 10,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-1'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
           {
@@ -558,6 +588,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 2,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-2'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
           {
@@ -568,6 +609,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 20,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-3'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
         ] as GroupedSearchQueryResponse['aggregations']['groups']['buckets'];
@@ -594,6 +646,9 @@ describe('Log threshold executor', () => {
               isRatio: false,
               reason:
                 '10 log entries in the last 5 mins for i-am-a-host-name-1, i-am-a-dataset-1. Alert when > 5.',
+              host: {
+                name: 'i-am-a-host-name-1',
+              },
             },
           },
         ]);
@@ -617,6 +672,9 @@ describe('Log threshold executor', () => {
               isRatio: false,
               reason:
                 '20 log entries in the last 5 mins for i-am-a-host-name-3, i-am-a-dataset-3. Alert when > 5.',
+              host: {
+                name: 'i-am-a-host-name-3',
+              },
             },
           },
         ]);
@@ -644,6 +702,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 10,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-1'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
           {
@@ -654,6 +723,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 2,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-2'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
           {
@@ -664,6 +744,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 20,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-3'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
         ] as GroupedSearchQueryResponse['aggregations']['groups']['buckets'];
@@ -696,6 +787,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 10,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-1'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
           {
@@ -706,6 +808,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 2,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-2'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
           {
@@ -716,6 +829,17 @@ describe('Log threshold executor', () => {
             doc_count: 100,
             filtered_results: {
               doc_count: 20,
+              additionalContext: {
+                hits: {
+                  hits: [
+                    {
+                      fields: {
+                        'host.name': ['i-am-a-host-name-3'],
+                      },
+                    },
+                  ],
+                },
+              },
             },
           },
         ] as GroupedSearchQueryResponse['aggregations']['groups']['buckets'];