[AWS] Introduce initial alert rule templates

[gpop63]

Overview

This PR introduces the first set of alert rule templates for key AWS data streams. For each stream, we selected the two most critical metrics to monitor.

ec2_metrics

• High CPU Utilization
  • This alarm is used to detect high CPU utilization.
• Status Check failed
  • This alarm is used to detect the underlying problems with instances, including both system status check failures and instance status check failures.

lambda

• High Number of Throttles
  • The alarm helps detect a high number of throttled invocation requests for a Lambda function.
• High Number of Errors
  • The alarm helps detect high error counts in function invocations.

sqs

• Oldest Message Name is Too High
  • This alarm is used to detect whether the age of the oldest message in the QueueName queue is too high. Threshold depends on situation.
• High Number of Visible Messages
  • This alarm is used to detect whether the message count of the active queue is too high and consumers are slow to process the messages or there are not enough consumers to process them. Threshold depends on situation.

sns

• Any Message Delivery Fails
  • This alarm helps you proactively find issues with the delivery of notifications and take appropriate actions to address them. Threshold depends on situation.
• Number of Notifications Filtered Out - Invalid Attributes
  • The alarm is used to detect if the published messages are not valid or if inappropriate filters have been applied to a subscriber.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes elastic/obs-integration-team/issues/536

Screenshots

[cla-checker-service]

💚 CLA has been signed

[ishleenk17]

@gpop63 : The template will be usable from 9.2 onwards .
If yes, lets mark the PR as DON'T MERGE.

Can you please share a screenshot of how a particular alert looks like. Also, are we not adding any information about alert support in the README's ?

[muthu-mps]

Can we add tags?

[daniela-elastic]

What tags were you thinking of, Muthu?

[muthu-mps]

The tags can have the service name and the Alert metrics name. Similar to what I have added here in Azure AI Foundry.
e.g., [AWS EC2, AWS EC2 CPU Utilization].

[muthu-mps]

Should the id match with the file name of the rule_template?
Error: defines non-matching ID

[gpop63]

@ishleenk17 right now the support is not fully there we only see them under assets and in saved objects

[muthu-mps]

Can the time field be @timestamp? Is there a reason for choosing event.ingested instead of @timestamp?

[gpop63]

I tried using the @timestamp field but it wasn't generating alerts. For some AWS data streams @timestamp is when the actual metric happened in AWS.

[muthu-mps]

Is this groupBy not applicable while using ESQL query?

[gpop63]

The group by of actual data happens in the esql query itself, this has to be a property of the alert.

[muthu-mps]

Applying dataset filter help fetch only the specific data for the alerting metrics. WDYT?

[gpop63]

How do we do that? also this esql query targets documents from a specific data stream/index (metrics-aws.ec2_metrics-default)

[muthu-mps]

We can ignore this as we directly target against specific datastream.

[muthu-mps]

Similar to groupby. Check whether the threshold value is applied directly from ESQL query and not from here.

[gpop63]

The threshold is set in the esql query, this is a different property of the alert.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elastic-sonarqube]

Quality Gate failed

Failed conditions
0.7% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[daniela-elastic]

Where do we declare which service (entity) this alert template applies to? Something like resource : aws.ec2

[gpop63]

I have included the service name in the name of the alert rule template. I suppose Kibana should allow us to filter by tags or by partial matches on the title of the alert rule template.

[muthu-mps]

The field aws.ec2.metrics.CPUUtilization.avg is renamed here. Do you think this field should be changed to host.cpu.usage field?

[gpop63]

Both metrics are present but switching to the ECS field seems like the better option. Switched to host.cpu.usage in d28dd85. I had to multiply it by 100 to use percentages.

[MichelLosier]

Configuration looks good to me!

[agithomas]

This is applicable for all the configurations.

Should we keep this so frequently? I suggest, this be equal to the default period value for metrics ingestion. Following so, it helps to avoid any no-data found alert (when user decides to extend the configuration)

[gpop63]

Should we set timeWindowSize to match the integration period? That way, for example, every 5 minutes we’d check for alerts in documents from the past 5 minutes.

[agithomas]

I think, thats a resonable thing to do. The impact I assume here will be that instead of an alert being notified at the period + 1m interval, the alert will be notified at 2 x period internal. Here period is 5m for most AWS servies.

@tommyers-elastic , what would be your recommendation?

[tommyers-elastic]

i don't think we have any way to couple configs in agent policy templates with these rule configurations, so whatever we choose will have to be always added by hand.

my only thinking here is that it doesn't make sense to run a rule more frequently than the integration collection period. matching the rule frequency with the collection period seems sensible to me.

[tommyers-elastic]

it's a shame there's no way to put hints in the form such that we could have something that shows up and says "should match the integration collection period" or something. if we think it's worthwhile we could suggest this as a feature.

[muthu-mps]

@elastic/security-service-integrations team, This feature is supported starting from 9.2.1 release version. The minimum stack version gets upgraded to 9.2.1. Since AWS integrations involve co-ownership, Could you confirm if the stack version upgrade is fine with the integrations managed by security team?

[gpop63]

/test

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: ca349a8

Failed CI Steps

• Check integrations aws

History

• 💔 Build #33817 failed 9fefffa
• 💔 Build #33759 failed 9fefffa
• 💔 Build #33698 failed 6f3758b
• 💔 Build #33692 failed 1efc93b
• 💔 Build #33430 failed 4cc98a2

cc @gpop63