[RAM] Adds revision to alerts schema

[spong]

Summary

Follow up from #147398, which adds revision to the alerts schema so the rule's current revision is included when creating alerts.

In Security Solution:

In Observability:

Note: this was originally a branched off #147398, so the large commit list is resulting from there as Github doesn't seem to re-write after after a rebase w/ main and a force push.

Checklist

Delete any items that are not applicable to this PR.

• Documentation was added for features that require explanation or tutorials
  • Base docs to be added for [RAM] Adds auto-incrementing revision field to rules #147398
• Unit or functional tests were updated or added to match the most common scenarios

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[mohamedhamed-ahmed]

LGTM, on behalf of Obs Infra UI team

[CoenWarmer]

AO Changes LGTM!

[XavierM]

It looks like o11y (@simianhacker) is ok to add this new field on the alert index and response ops is ok with it. I am still wondering the use case/feature for adding revision in the alert index. Can you give me some light? @paulewing

thinking a little bit more about it, I will know that this alert has been detected with this rule revisions and we might be able to explain the reason of why this happen or not thanks to our detection engineer that are updating our pre-package rules. All good!

[spong]

It looks like o11y (@simianhacker) is ok to add this new field on the alert index and response ops is ok with it. ~I am still wondering the use case/feature for adding revision in the alert index. Can you give me some light? @paulewing ~

thinking a little bit more about it, I will know that this alert has been detected with this rule revisions and we might be able to explain the reason of why this happen or not thanks to our detection engineer that are updating our pre-package rules. All good!

Yeah, the traceability through the system enables some nice opportunities like:

• Surfacing all alerts/executions (event-log PR coming... :) for a given revision. e.g. perhaps there was a bad rule configuration and the user needs to identify those alerts and the time window they need to re-evaluate
• Comparing perf & effectiveness between subsequent revisions of the same rule
• Clarity in debugging rule executions not resulting in alerts (on the event-log side), being able to trace back to the actual query from a specific rule revision, etc

Obviously more of this power comes when storing (or at least writing to the audit log) user rule revision changes, but this is a start and will be helpful in support scenarios from the get-go.

[dplumlee]

alerts area files lgtm!

[banderror]

Perfect, thank you @spong!

I tested it locally and reviewed the diff. Everything LGTM. The only super minor issue I noticed is this unknown field in the alert details flyout:

I thought maybe the alerts index mappings were not updated, but after checking them I found the revision field in the technical component template and in the concrete alerts index. In the end, I fixed this by reloading the page, so this feels like something related to caching fields data. We can probably safely ignore this.

[yctercero]

security-solution-platform codeowners review - LGTM!

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 095e1e8

Failed CI Steps

• Security Solution Tests #4
• Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution

Test Failures

• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution / Detection rules, bulk edit of rule actions Restricted action privileges User with no privileges can't add rule actions
• [job] [logs] Security Solution Tests #4 / Row renderers Selected renderer can be disabled and enabled

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/rule-data-utils	98	99	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
apm	3.8MB	3.8MB	+42.0B
observability	1.1MB	1.1MB	+42.0B
securitySolution	15.8MB	15.8MB	+451.0B
triggersActionsUi	1.4MB	1.4MB	+42.0B
total			+577.0B

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id	before	after	diff
ruleRegistry	13	14	+1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
apm	32.0KB	32.0KB	+55.0B
observability	89.1KB	89.2KB	+55.0B
triggersActionsUi	83.6KB	83.7KB	+55.0B
total			+165.0B

Unknown metric groups

API count

id	before	after	diff
@kbn/rule-data-utils	101	102	+1

ESLint disabled line counts

id	before	after	diff
securitySolution	433	436	+3

Total ESLint disabled count

id	before	after	diff
securitySolution	513	516	+3

History

• 💔 Build #116269 failed 510b108
• 💔 Build #116254 failed 20ce86c
• 💔 Build #116206 failed b7c544f
• 💔 Build #116115 failed 52013c4
• 💔 Build #115860 failed 1fc9861

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @spong