Good day to all of you!
I'm interacting with the Elastic 8.1 free version.
Some alert rules are created that way, that alerts will be active forever I would like to close such alerts manually - for example, an alert informing that the docker container is down and is planned to be down forever.
I found in the documentation for this version how to close alert:
"In the alert’s row, click the More actions button, then select the appropriate status (Mark as open, Mark as acknowledged, or Mark as closed)."
The issue is I don't have such options available under 'more actions'. There is only:
- Add to existing case
- Add to new case
- View rule details.
Is the "closing alerts" paid feature or there is something to be set up in Elastic to use that feature?
Hi @xonicman Welcome to the Community.
First question what kind of alerts are you looking at Creating / Managing?
Observability Alerts (like Metrics, Logs, APM)
Security (Cyber Security Alerts)
The Documentation you pointed to is the Security Solution : Manage detection alerts etc and that is Related to Cases and Alerts etc.
The behavior you are describing is under the Observability : Alerting here
Depending on your answer perhaps we can help.
But no Cases / Case Management is not a paid for feature, but perhaps you are looking in the wrong spot.
And now in 8.4 etc there are Cases for Observability Alerts see here
And there is the Concept of an Alert Rule Alert vs Recovered see here
Where are action can be triggered and Alert "Fires" and when the Alert Recovers.
There has been a lot added since 8.1 perhaps you could upgrade to 8.4 if you want to use Cases for Observability Alerts.
You are correct. I have mixed up the documentation of the types of alerts. I'm looking for closing Observality Alerts, not Cyber Security Alerts.
I know the concept of an Alert Rule, which should define the condition when the Alert is Active and outside this condition is Recovered. The issue in my case is some alerts can remain active forever. I will give an example for better understanding.
There is Alert Rule to check if the docker container is exited/stopped. The condition is based on the metric threshold - when the document count is below or equals 0 for the last 5 minutes - then the alert is active. Alerts are grouped by environment, agent.hostname and container.name.
When the container is down, there are no metrics about this particular container name on a particular hostname for 5 minutes, and the alert is active. When the container is started - the alert is recovered. That is the expected scenario.
But there can be a scenario where someone manually runs a temporary container that started once, exited, and will never be rerun on that host. Then observability alert remains active, and there is no possibility for UI to close it.
Is there a way how to treat such alerts? I found one workaround, but that requires temporary editing of the existing rule two times, which I would like to avoid.
Hmm not that I know of off hand If I understand what you're asking for... Basically when a container comes online he gets monitored, goes offline the alert fires and because it never comes back online it never sends a recovered alert.
perhaps open a feature request.
Also, there is a lot of work going on on alerts right now so your three significant releases behind so you might check if there's something different in 8.4.
I understand 8.5 and 8.6 there will be more work on the alerts management.