[ResponseOps][Alerting] Alerting v2: Director

[cnasikas]

Summary

Note

Dear reviewers. This PR is getting merged into a feature branch. Only the ResponseOps review is needed it at the moment. We will request for your review when we open the feature branch PR to be merged on main.

This PR implements the Director component of the alerting v2 core engine. The Director is an asynchronous state engine responsible for deriving alert state transitions (e.g., Pending → Active) from the immutable stream of raw alert events.

Architecture

Strategy Pattern

To ensure the Director remains agnostic of specific business logic, we implemented the Strategy Pattern. The Director facilitates the data flow, while an ITransitionStrategy defines the actual state machine logic. This allows us to support different transition behaviors, based on rule configuration or alert event type, without modifying the core service. It may seem overengineering at the moment, but I think it will help us in the long run. At the moment, only one strategy is supported, the BasicTransitionStrategy, which moves the states like inactive -> pending -> active -> recovering -> inactive based on a) the status of the alert event and the latest episode status if exist.

Episode Lifecycle Management

The state is calculated as:

• Inactive + Breached → Pending: A new alert has started, but must wait in Pending before becoming Active.
• Pending + Recoverde → Inactive: The condition cleared before it could become Active.
• Active + Recovered → Recovering: An active alert has stopped breaching and enters the recovery phase.
• Recovering + Breached → Active: An alert that was recovering has breached again.

The episode ID is preserved across pending, active, and recovering states. A new episode ID is generated only when transitioning from inactive to a non-inactive state (a new episode starts).

Important

Calculating the states based on counts or timeframes will be implemented on the next PR to avoid growing the size of the PR and make reviewing the fundamentals of the director easier. Same for streaming the ESQL results to the director and to the datastream.

flowchart LR
    subgraph Lifecycle["Episode Lifecycle"]
        direction LR
        
        INACTIVE((INACTIVE))
        PENDING((PENDING))
        ACTIVE((ACTIVE))
        RECOVERING((RECOVERING))
        
        INACTIVE -->|"breached<br/>New Episode ID"| PENDING
        PENDING -->|breached| ACTIVE
        ACTIVE -->|recovered| RECOVERING
        RECOVERING -->|recovered| INACTIVE
        
        RECOVERING -->|"breached<br/>"| ACTIVE
        PENDING -->|"recovered<br/>Episode Ends"| INACTIVE
    end

    style INACTIVE fill:#9e9e9e,color:#fff
    style PENDING fill:#ffc107,color:#000
    style ACTIVE fill:#f44336,color:#fff
    style RECOVERING fill:#ff9800,color:#000

Loading

Example

Alert events

Row	@timestamp	Status	Episode status	Episode ID
1	10:00	breached	pending	uuid-1
2	10:05	breached	active	uuid-1
3	10:10	recovered	recovering	uuid-1
4	10:15	recovered	recovered	uuid-1
5	10:20	breached	pending	uuid-2

Out of scope

• Changed state transitions based on counts or timeframes.
• Streaming of ES|QL results

Testing

1. Create a rule that fires breach events.

2. Maturation:

   • Verify that the alert event documents have the correct episode status, alert event status, and the episode ID on each run.

Recovering is not possible to be tested atm as we need the rule executor to produce these alert events.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

• Unit or functional tests were updated or added to match the most common scenarios

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[Copilot]

Pull request overview

This PR introduces the alerting v2 “Director” component and rewires the alerting pipeline to compute and persist episode-aware alert states using ES|QL directly via the Elasticsearch client instead of the Kibana search strategy.

Changes:

• Refactors QueryService and related consumers to use esClient.esql.query with scoped/internal variants, updating ES|QL-related types and helpers.
• Introduces the Director service plus transition strategies to derive episode state (inactive → pending → active → recovering → inactive) and integrates it into the rule execution steps, including a new storage step.
• Updates alert event mappings and schemas to use a nested episode object, and adjusts alert event building, actions client queries, and fixtures accordingly.

Reviewed changes

Copilot reviewed 36 out of 36 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
x-pack/platform/plugins/shared/alerting_v2/tsconfig.json	Removes obsolete @kbn/search-types reference now that search strategy is no longer used.
x-pack/platform/plugins/shared/alerting_v2/server/setup/bind_services.ts	Binds new QueryService tokens, Director service, and transition strategy to the DI container.
x-pack/platform/plugins/shared/alerting_v2/server/setup/bind_rule_executor.ts	Wires new DirectorStep and StoreAlertEventsStep into the rule execution pipeline.
x-pack/platform/plugins/shared/alerting_v2/server/resources/alert_events.ts	Changes alert event mapping/schema to a nested episode object and renames episode-related enums/types.
x-pack/platform/plugins/shared/alerting_v2/server/lib/test_utils.ts	Switches to DeeplyMockedApi<ElasticsearchClient> and removes the now-unused search client helper.
x-pack/platform/plugins/shared/alerting_v2/server/lib/services/storage_service/storage_service.ts	Simplifies bulk indexing to always use create operations and adjusts error extraction accordingly.
x-pack/platform/plugins/shared/alerting_v2/server/lib/services/query_service/tokens.ts	Adds DI tokens for scoped and internal QueryService flavors.
x-pack/platform/plugins/shared/alerting_v2/server/lib/services/query_service/query_service.ts	Reimplements QueryService on top of esClient.esql.query and adapts logging and types to the ES client.
x-pack/platform/plugins/shared/alerting_v2/server/lib/services/query_service/query_service.test.ts	Updates tests to use the ES client mock and validate the new QueryService behavior.
x-pack/platform/plugins/shared/alerting_v2/server/lib/services/query_service/query_service.mock.ts	Provides a factory that creates a QueryService backed by a mocked ES client and logger.
x-pack/platform/plugins/shared/alerting_v2/server/lib/services/query_service/query_response_to_records.ts	Adjusts the helper to accept EsqlQueryResponse instead of the old search response type.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/types.ts	Updates pipeline state to use EsqlQueryResponse and store plain AlertEvent[].
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/type_guards.ts	Replaces specific type guards with a generic hasState helper for pipeline state.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/test_utils.ts	Updates ES
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/steps/wait_for_resources_step.ts	Adds structured logging around waiting for shared resources.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/steps/validate_rule_step.ts	Uses the new generic state guard and adds detailed debug logging.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/steps/store_alert_events.ts.ts	Adds a step that writes the computed alert events to the alert events data stream.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/steps/fetch_rule_step.ts	Adds debug logging for rule fetch success/failure and rule-deleted handling.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/steps/execute_rule_query_step.ts	Switches to the scoped QueryService token and enriches logging and row-count reporting.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/steps/execute_rule_query_step.test.ts	Adapts tests to the ES client-based query execution and new logging.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/steps/director_step.ts	Introduces a pipeline step that delegates alert events to the Director and replaces them with enriched events.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/steps/create_alert_events_step.ts	Stops writing to storage directly and instead returns constructed AlertEvent[] into pipeline state.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/get_query_payload.ts	Migrates query payload building to EsqlQueryRequest types and adapts parameter handling.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/build_alert_events.ts	Returns plain AlertEvent documents with updated types and removes deterministic _id handling.
x-pack/platform/plugins/shared/alerting_v2/server/lib/rule_executor/build_alert_events.test.ts	Adjusts tests to new return shape and ES
x-pack/platform/plugins/shared/alerting_v2/server/lib/director/strategies/types.ts	Defines the strategy interface and transition context for episode state transitions.
x-pack/platform/plugins/shared/alerting_v2/server/lib/director/strategies/strategy_resolver.ts	Adds a resolver that registers and returns the default transition strategy.
x-pack/platform/plugins/shared/alerting_v2/server/lib/director/strategies/strategy_resolver.test.ts	Tests that the resolver correctly registers and returns the basic strategy.
x-pack/platform/plugins/shared/alerting_v2/server/lib/director/strategies/basic_strategy.ts	Implements the basic state machine for episode transitions based on alert event status.
x-pack/platform/plugins/shared/alerting_v2/server/lib/director/strategies/basic_strategy.test.ts	Tests all main state transitions and defensive fallbacks for the basic strategy.
x-pack/platform/plugins/shared/alerting_v2/server/lib/director/queries.ts	Adds an ES
x-pack/platform/plugins/shared/alerting_v2/server/lib/director/director.ts	Implements the Director service that queries previous state and computes new episode IDs/statuses.
x-pack/platform/plugins/shared/alerting_v2/server/lib/director/director.test.ts	Provides comprehensive tests for Director state/eisode transitions and error propagation.
x-pack/platform/plugins/shared/alerting_v2/server/lib/alert_actions_client/fixtures/query_responses.ts	Updates fixtures to use EsqlQueryResponse types.
x-pack/platform/plugins/shared/alerting_v2/server/lib/alert_actions_client/alert_actions_client.ts	Adapts alert actions ES
x-pack/platform/plugins/shared/alerting_v2/server/lib/alert_actions_client/alert_actions_client.test.ts	Updates alert actions tests to use the ES client–backed QueryService mock and new fixtures.

[darnautov]

LGTM overall! Left some minor suggestions.
And a question regarding the hashes: we discussed the approach of using ES pipelines for that. Did you get a chance to experiment with it?

[darnautov]

I wonder if we should disallow unsupported states and throw an error instead?

[cnasikas]

Not sure, tbh. Do we consider it a rule failure or a graceful error due to malformed data? @mikecote Any opinion on this?

[mikecote]

Assuming a new episode, and preferably logging the issue, make sense to me.

[darnautov]

I'd add a comment here from the PR description with the reasoning behind the transition strategy and resolver

[cnasikas]

I added a README in 13b4572.

[darnautov]

?

Suggested change

	resolve(): ITransitionStrategy {
	getDefaultStrategy(): ITransitionStrategy {

[cnasikas]

Do you mind if I go with getStrategy because very soon it will be configurable, and you can get any strategy based on some criteria?

[darnautov]

Should we call factory or a registry?

[cnasikas]

Ok! I will go with the factory word.

[cnasikas]

LGTM overall! Left some minor suggestions. And a question regarding the hashes: we discussed the approach of using ES pipelines for that. Did you get a chance to experiment with it?

Not yet. We can put it as a work item for later.

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: b143474

Failed CI Steps

• Jest Integration Tests #1
• Jest Integration Tests #1
• FTR Configs #3
• FTR Configs #3
• FTR Configs #5
• FTR Configs #5
• FTR Configs #13
• FTR Configs #13
• FTR Configs #24
• FTR Configs #24
• FTR Configs #26
• FTR Configs #26
• FTR Configs #33
• FTR Configs #33
• FTR Configs #34
• FTR Configs #34
• FTR Configs #35
• FTR Configs #35
• FTR Configs #39
• FTR Configs #39
• FTR Configs #47
• FTR Configs #47
• FTR Configs #48
• FTR Configs #48
• FTR Configs #59
• FTR Configs #59
• FTR Configs #62
• FTR Configs #62
• FTR Configs #76
• FTR Configs #76
• FTR Configs #80
• FTR Configs #80
• FTR Configs #86
• FTR Configs #86
• FTR Configs #88
• FTR Configs #92
• FTR Configs #92
• FTR Configs #93
• FTR Configs #93
• FTR Configs #98
• FTR Configs #98
• FTR Configs #115
• FTR Configs #115
• FTR Configs #127
• FTR Configs #127
• Post-Build

Test Failures

• [job] [logs] FTR Configs #115 / Advanced Settings security feature controls no advanced_settings privileges does not show Management navlink
• [job] [logs] FTR Configs #115 / Advanced Settings security feature controls no advanced_settings privileges does not show Management navlink
• [job] [logs] FTR Configs #88 / Agent Builder converse Conversation Error Handling shows error message when there is an error and allows user to retry
• [job] [logs] FTR Configs #92 / API Keys app feature controls security global dashboard read with manage_security should render the "Security" section with API Keys
• [job] [logs] FTR Configs #92 / API Keys app feature controls security global dashboard read with manage_security should render the "Security" section with API Keys
• [job] [logs] FTR Configs #93 / apis alerting_v2 Create Alert Action API should return 204 for ack action and write action document
• [job] [logs] FTR Configs #93 / apis alerting_v2 Create Alert Action API should return 204 for ack action and write action document
• [job] [logs] FTR Configs #98 / Canvas Canvas app security feature controls global canvas read-only privileges shows canvas navlink
• [job] [logs] FTR Configs #98 / Canvas Canvas app security feature controls global canvas read-only privileges shows canvas navlink
• [job] [logs] FTR Configs #39 / Cross Cluster Replication app feature controls security global dashboard read with ccr_user "Data" section with CCR should render
• [job] [logs] FTR Configs #39 / Cross Cluster Replication app feature controls security global dashboard read with ccr_user "Data" section with CCR should render
• [job] [logs] FTR Configs #127 / dashboard feature controls dashboard feature controls security global dashboard read-only privileges shows dashboard navlink
• [job] [logs] FTR Configs #127 / dashboard feature controls dashboard feature controls security global dashboard read-only privileges shows dashboard navlink
• [job] [logs] FTR Configs #26 / Data Views feature controls security no data views privileges does not show Management navlink
• [job] [logs] FTR Configs #26 / Data Views feature controls security no data views privileges does not show Management navlink
• [job] [logs] FTR Configs #5 / Dev Tools feature controls security global dev_tools all privileges shows Dev Tools navlink
• [job] [logs] FTR Configs #5 / Dev Tools feature controls security global dev_tools all privileges shows Dev Tools navlink
• [job] [logs] FTR Configs #35 / discover - group 2 feature controls discover feature controls security global discover read-only privileges shows discover navlink
• [job] [logs] FTR Configs #35 / discover - group 2 feature controls discover feature controls security global discover read-only privileges shows discover navlink
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when some episodes already have fire-events should only dispatch the new events
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when some episodes already have fire-events should only dispatch the new events
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when there are alert events without prior fire-events should dispatch all unique episodes
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when there are alert events without prior fire-events should dispatch all unique episodes
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when there are no alert events should not dispatch any episodes
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when there are no alert events should not dispatch any episodes
• [job] [logs] FTR Configs #86 / graph app feature controls security global graph all privileges shows graph navlink
• [job] [logs] FTR Configs #86 / graph app feature controls security global graph all privileges shows graph navlink
• [job] [logs] FTR Configs #13 / Index Lifecycle Management app feature controls security global dashboard read with manage_ilm "Data" section with ILM should render
• [job] [logs] FTR Configs #13 / Index Lifecycle Management app feature controls security global dashboard read with manage_ilm "Data" section with ILM should render
• [job] [logs] FTR Configs #62 / Index Management app feature controls security global dashboard read with index_management_user "Data" section with index management should render
• [job] [logs] FTR Configs #62 / Index Management app feature controls security global dashboard read with index_management_user "Data" section with index management should render
• [job] [logs] FTR Configs #80 / Ingest pipelines app feature controls security global dashboard read with ingest_pipelines_user "Ingest" section with ingest pipelines should render
• [job] [logs] FTR Configs #80 / Ingest pipelines app feature controls security global dashboard read with ingest_pipelines_user "Ingest" section with ingest pipelines should render
• [job] [logs] FTR Configs #34 / License app feature controls security global dashboard read with license_management_user [SkipCloud] global dashboard with license management user : skip cloud should render the "Stack" section with License Management
• [job] [logs] FTR Configs #34 / License app feature controls security global dashboard read with license_management_user [SkipCloud] global dashboard with license management user : skip cloud should render the "Stack" section with License Management
• [job] [logs] FTR Configs #93 / logstash feature controls security global dashboard read with logstash_read_user "Ingest" section with Logstash Pipelines should render
• [job] [logs] FTR Configs #93 / logstash feature controls security global dashboard read with logstash_read_user "Ingest" section with Logstash Pipelines should render
• [job] [logs] FTR Configs #93 / management feature controls security no management privileges should not show the Stack Management nav link
• [job] [logs] FTR Configs #93 / management feature controls security no management privileges should not show the Stack Management nav link
• [job] [logs] FTR Configs #3 / maps app maps security feature controls global maps read-only privileges shows Maps navlink
• [job] [logs] FTR Configs #3 / maps app maps security feature controls global maps read-only privileges shows Maps navlink
• [job] [logs] FTR Configs #76 / Remote Clusters app feature controls security global dashboard read with license_management_user "Data" section with Remote Clusters should render
• [job] [logs] FTR Configs #76 / Remote Clusters app feature controls security global dashboard read with license_management_user "Data" section with Remote Clusters should render
• [job] [logs] FTR Configs #35 / Saved objects management feature controls saved objects management global visualize all privileges listing can't navigate to listing page
• [job] [logs] FTR Configs #35 / Saved objects management feature controls saved objects management global visualize all privileges listing can't navigate to listing page
• [job] [logs] FTR Configs #59 / search sessions management Search Sessions Management UI permissions Sessions management is not available if no apps enable search sessions
• [job] [logs] FTR Configs #59 / search sessions management Search Sessions Management UI permissions Sessions management is not available if no apps enable search sessions
• [job] [logs] FTR Configs #47 / Serverless Observability - Deployment-agnostic platform API integration tests alerting_v2 Create Alert Action API "after all" hook for "should filter by episode_id when provided in request body"
• [job] [logs] FTR Configs #47 / Serverless Observability - Deployment-agnostic platform API integration tests alerting_v2 Create Alert Action API "after all" hook for "should filter by episode_id when provided in request body"
• [job] [logs] FTR Configs #47 / Serverless Observability - Deployment-agnostic platform API integration tests alerting_v2 Create Alert Action API "after each" hook for "should return 204 for ack action and write action document"
• [job] [logs] FTR Configs #47 / Serverless Observability - Deployment-agnostic platform API integration tests alerting_v2 Create Alert Action API "after each" hook for "should return 204 for ack action and write action document"
• [job] [logs] FTR Configs #47 / Serverless Observability - Deployment-agnostic platform API integration tests alerting_v2 Create Alert Action API should return 204 for ack action and write action document
• [job] [logs] FTR Configs #47 / Serverless Observability - Deployment-agnostic platform API integration tests alerting_v2 Create Alert Action API should return 204 for ack action and write action document
• [job] [logs] FTR Configs #33 / transform - feature controls security global dashboard read with transform_user "Data" section with Transform should render
• [job] [logs] FTR Configs #33 / transform - feature controls security global dashboard read with transform_user "Data" section with Transform should render
• [job] [logs] FTR Configs #24 / transform basic license transform - feature controls security global dashboard read with transform_user "Data" section with Transform should render
• [job] [logs] FTR Configs #24 / transform basic license transform - feature controls security global dashboard read with transform_user "Data" section with Transform should render
• [job] [logs] FTR Configs #48 / Visualize visualize feature controls security global visualize read-only privileges shows visualize navlink
• [job] [logs] FTR Configs #48 / Visualize visualize feature controls security global visualize read-only privileges shows visualize navlink

Metrics [docs]

‼️ ERROR: no builds found for mergeBase sha [b545c38]

History

• 💔 Build #389388 failed 1779e52
• 💔 Build #389079 failed 43e595d
• 💔 Build #388721 failed 7eed764
• 💔 Build #388507 failed f88743b

cc @cnasikas