[AWS] Introduce initial alert rule templates

[gpop63]

Overview

This PR introduces the first set of alert rule templates for key AWS data streams. For each stream, we selected the two most critical metrics to monitor.

ec2_metrics

• High CPU Utilization
  • This alarm is used to detect high CPU utilization.
• Status Check failed
  • This alarm is used to detect the underlying problems with instances, including both system status check failures and instance status check failures.

lambda

• High Number of Throttles
  • The alarm helps detect a high number of throttled invocation requests for a Lambda function.
• High Number of Errors
  • The alarm helps detect high error counts in function invocations.

sqs

• Oldest Message Name is Too High
  • This alarm is used to detect whether the age of the oldest message in the QueueName queue is too high. Threshold depends on situation.
• High Number of Visible Messages
  • This alarm is used to detect whether the message count of the active queue is too high and consumers are slow to process the messages or there are not enough consumers to process them. Threshold depends on situation.

sns

• Any Message Delivery Fails
  • This alarm helps you proactively find issues with the delivery of notifications and take appropriate actions to address them. Threshold depends on situation.
• Number of Notifications Filtered Out - Invalid Attributes
  • The alarm is used to detect if the published messages are not valid or if inappropriate filters have been applied to a subscriber.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes elastic/obs-integration-team/issues/536

Screenshots

[cla-checker-service]

💚 CLA has been signed

[ishleenk17]

@gpop63 : The template will be usable from 9.2 onwards .
If yes, lets mark the PR as DON'T MERGE.

Can you please share a screenshot of how a particular alert looks like. Also, are we not adding any information about alert support in the README's ?

[muthu-mps]

Can we add tags?

[daniela-elastic]

What tags were you thinking of, Muthu?

[muthu-mps]

The tags can have the service name and the Alert metrics name. Similar to what I have added here in Azure AI Foundry.
e.g., [AWS EC2, AWS EC2 CPU Utilization].

[muthu-mps]

Should the id match with the file name of the rule_template?
Error: defines non-matching ID

[gpop63]

@ishleenk17 right now the support is not fully there we only see them under assets and in saved objects

[muthu-mps]

Can the time field be @timestamp? Is there a reason for choosing event.ingested instead of @timestamp?

[gpop63]

I tried using the @timestamp field but it wasn't generating alerts. For some AWS data streams @timestamp is when the actual metric happened in AWS.

[muthu-mps]

Is this groupBy not applicable while using ESQL query?

[gpop63]

The group by of actual data happens in the esql query itself, this has to be a property of the alert.

[muthu-mps]

Applying dataset filter help fetch only the specific data for the alerting metrics. WDYT?

[gpop63]

How do we do that? also this esql query targets documents from a specific data stream/index (metrics-aws.ec2_metrics-default)

[muthu-mps]

We can ignore this as we directly target against specific datastream.

[muthu-mps]

Similar to groupby. Check whether the threshold value is applied directly from ESQL query and not from here.

[gpop63]

The threshold is set in the esql query, this is a different property of the alert.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elastic-sonarqube]

Quality Gate failed

Failed conditions
0.7% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[daniela-elastic]

Where do we declare which service (entity) this alert template applies to? Something like resource : aws.ec2

[gpop63]

I have included the service name in the name of the alert rule template. I suppose Kibana should allow us to filter by tags or by partial matches on the title of the alert rule template.

[agithomas]

This is applicable for all the configurations.

Should we keep this so frequently? I suggest, this be equal to the default period value for metrics ingestion. Following so, it helps to avoid any no-data found alert (when user decides to extend the configuration)

[gpop63]

Should we set timeWindowSize to match the integration period? That way, for example, every 5 minutes we’d check for alerts in documents from the past 5 minutes.

[agithomas]

I think, thats a resonable thing to do. The impact I assume here will be that instead of an alert being notified at the period + 1m interval, the alert will be notified at 2 x period internal. Here period is 5m for most AWS servies.

@tommyers-elastic , what would be your recommendation?

[tommyers-elastic]

i don't think we have any way to couple configs in agent policy templates with these rule configurations, so whatever we choose will have to be always added by hand.

my only thinking here is that it doesn't make sense to run a rule more frequently than the integration collection period. matching the rule frequency with the collection period seems sensible to me.

[tommyers-elastic]

it's a shame there's no way to put hints in the form such that we could have something that shows up and says "should match the integration collection period" or something. if we think it's worthwhile we could suggest this as a feature.

[muthu-mps]

@elastic/security-service-integrations team, This feature is supported starting from 9.2.1 release version. The minimum stack version gets upgraded to 9.2.1. Since AWS integrations involve co-ownership, Could you confirm if the stack version upgrade is fine with the integrations managed by security team?

[chrisberkhout]

Ad discussed elsewhere, I think this version constraint should be left unchanged. The alerting rule template files will be built into the package and they will be installed and used on stack versions that support them

[gpop63]

/test

[muthu-mps]

/test

[agithomas]

Sharing a suggestion here:

Could we follows a more structured comment style - helping user to identify the purpose, default value, condition, group-by information with easily and make suggestions easier? When followed, these descriptions could be combined with other platform capabilities including AI assistant (in future, if & when needed)

Examples:

1. 
// Alert triggers when the maximum number of visible messages in an SQS queue
// reaches or exceeds the defined threshold (default: 1000) within the lookback window.
//
// The alert is grouped by cloud account, region, and queue name to identify
// which specific queue is experiencing backlog.
//
// To adjust sensitivity, change the `msgsvisible` threshold value in the WHERE clause.

2.
// Alert triggers when SNS notifications are being filtered out by subscription filter policies.
// A non-zero value usually indicates a mismatch between published messages and subscriber
// filter rules, which may result in messages not reaching intended consumers.
//
// The alert is grouped by cloud account, region, and topic name to identify the affected topic.
//
// To adjust sensitivity, change the `notificationsfilteredout` threshold in the WHERE clause.

[gpop63]

/test

[muthu-mps]

@agithomas - Apart from version dependency, Can you help with the review and approval if everything looks good?

[agithomas]

@agithomas - Apart from version dependency, Can you help with the review and approval if everything looks good?

LGTM from the alerts configuration. Looking forward to have a common agreement on the version dependency before proceeding.

[muthu-mps]

/test

[muthu-mps]

/test

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: be02468

History

• 💚 Build #35809 succeeded adb5f1f
• 💚 Build #35502 succeeded 28d6878
• 💔 Build #34545 failed edb21dc
• 💔 Build #34448 failed d4820d0
• 💔 Build #34289 failed d4820d0
• 💔 Build #34228 failed d721a61

cc @gpop63

[elastic-vault-github-plugin-prod]

Package aws - 5.4.0 containing this change is available at https://epr.elastic.co/package/aws/5.4.0/