Allow usage of saved object references in alerts

[timroes]

When storing alerts at the moment there is no way (as far as I could tell) for the alert type (implementation) to make use of saved object references if the alert itself needs to reference other saved objects.

As an example the discover alert will serialize a search source and thus have a reference onto an index pattern saved object stored inside the alert. If this is not properly put into the saved object references when storing, this would break sharing between spaces (and other security related efforts) again. As soon as you'd share an index pattern now with another space its id will be changed and all existing alerts on that index pattern would be broken, since they reference a now non existing id.

Thus an alert need to be able to emit SavedObjectReferences besides it's params when saving and needs to get the parameters and saved object references back for injection in all places the alert is "loaded"/"used" again (like the executor).

This is blocking building any alerts that would make use/reference any other saved object (like index pattern).

cc @legrego

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[mikecote]

Relates to: #85173

[mikecote]

Another use case from @spong (#85173)

In discussing ways to resolve data integrity issues between Detection Rules and Exception Lists the best path forward seems to be leveraging the existing Saved Object References array, however this isn't currently exposed to those building on top of Alerting SO's. As a workaround, we've been storing our references within AlertParams, which is not searchable, and makes linking back to Rules slow (table scan) unless a back-reference is stored.

[mikecote]

Another feature that may require the usage of references is the import/export of alerts (#50266). We may need to link alerts to another saved object to properly support import/export functionality (ex: creating new ids on import).

[pmuellr]

Thinking through what we need here. If we just wanted to extend the existing APIs, it would be something like this:

• ability to pass SO refs on create and update
• ability to return SO refs on get and find

There's a bit of a collision in that we currently already use SO refs for actions. So we'll need to make sure that when we create the names of the SO refs for the actions, they don't collide with whatever names are being passed for the new SO refs params. We have a simplistic scheme for it now where the name is action_${index of action in actions list}, but I think we'll have to do better. UUID, perhaps?

Or we could say if you are going to add SO refs, you should follow a pattern of using a unique prefix, and action_ is already taken.

I'm wondering if we will have any issues with multiple clients trying to manage these. I guess given the current requirements, we'll have Discover (and other Kibana apps) adding SO refs, and also RAC and Security adding SO refs. Will this get cumbersome for clients to search for and update the SO refs they are interested in? Could one client inadvertently delete an SO ref another client needs?

And I wonder if we should expose the current action SO refs in the same fashion. I think not, but then we'll have a weird disconnect that looking at the SO refs in the alert objects at the client level won't show the actions, but they are actually there in the raw SO's.

Also wondering if this is something we'd expose at the API client level but not the HTTP level. At least the create/update - I suspect returning them on get/find is fine for HTTP. Keeping them out of the HTTP API means less of chance of a customer accidentally deleting critical SO refs.

[mikecote]

Also wondering if this is something we'd expose at the API client level but not the HTTP level. At least the create/update - I suspect returning them on get/find is fine for HTTP. Keeping them out of the HTTP API means less of chance of a customer accidentally deleting critical SO refs.

Yeah, in theory, the alert type will know how to extract the references from the params object and we could get away without changing out APIs.

There's a bit of a collision in that we currently already use SO refs for actions.

Since we have control over this, we could catch the collision between the rule type / API-provided references and our "reserved" reference names and return an error.

[spong]

Thinking through what we need here. If we just wanted to extend the existing APIs, it would be something like this:

• ability to pass SO refs on create and update
• ability to return SO refs on get and find

The above implementation sounds good to me @pmuellr, with the note that we could also add items to the references array during an SO migration as well (covering the case here #85173 where we would move over the exceptions reference from a dedicated field when migrating the security rule type).

@mikecote and I spoke about this earlier today with regards to being able to use the SO Management UI to export Security Rules and all associated Exceptions and Value lists. We're planning to do the rule migration in 7.14-7.15, and so having these changes for 7.15 if possible would be ideal.