[Event Log] add rel=primary to saved objects for query targets (#64615)

resolves #62668

Adds a property named `rel` to the nested saved objects in the event
documents, whose value should not be set, or set to `primary`.
The query by saved object function changes to only match event documents
with that saved objects if it has the `rel: primary` value.

This is used to limit searching alerting's executeAction event document
with only the alert saved object, and not the action saved object (this
document has an alert and action saved object). The alert saved object
has the `rel: primary` field set, and the action does not.  Previously,
those documents were returned with a query of the action saved object.

Author: pmuellr

x-pack/plugins/actions/server/lib/action_executor.ts

@@ -17,7 +17,7 @@ import {
 import { EncryptedSavedObjectsPluginStart } from '../../../encrypted_saved_objects/server';
 import { SpacesServiceSetup } from '../../../spaces/server';
 import { EVENT_LOG_ACTIONS } from '../plugin';
-import { IEvent, IEventLogger } from '../../../event_log/server';
+import { IEvent, IEventLogger, SAVED_OBJECT_REL_PRIMARY } from '../../../event_log/server';
 
 export interface ActionExecutorContext {
   logger: Logger;
@@ -110,7 +110,16 @@ export class ActionExecutor {
     const actionLabel = `${actionTypeId}:${actionId}: ${name}`;
     const event: IEvent = {
       event: { action: EVENT_LOG_ACTIONS.execute },
-      kibana: { saved_objects: [{ type: 'action', id: actionId, ...namespace }] },
+      kibana: {
+        saved_objects: [
+          {
+            rel: SAVED_OBJECT_REL_PRIMARY,
+            type: 'action',
+            id: actionId,
+            ...namespace,
+          },
+        ],
+      },
     };
 
     eventLogger.startTiming(event);

x-pack/plugins/alerting/server/task_runner/create_execution_handler.test.ts

@@ -95,6 +95,7 @@ test('calls actionsPlugin.execute per selected action', async () => {
             "saved_objects": Array [
               Object {
                 "id": "1",
+                "rel": "primary",
                 "type": "alert",
               },
               Object {

x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts

@@ -9,7 +9,7 @@ import { AlertAction, State, Context, AlertType } from '../types';
 import { Logger } from '../../../../../src/core/server';
 import { transformActionParams } from './transform_action_params';
 import { PluginStartContract as ActionsPluginStartContract } from '../../../../plugins/actions/server';
-import { IEventLogger, IEvent } from '../../../event_log/server';
+import { IEventLogger, IEvent, SAVED_OBJECT_REL_PRIMARY } from '../../../event_log/server';
 import { EVENT_LOG_ACTIONS } from '../plugin';
 
 interface CreateExecutionHandlerOptions {
@@ -96,7 +96,7 @@ export function createExecutionHandler({
             instance_id: alertInstanceId,
           },
           saved_objects: [
-            { type: 'alert', id: alertId, ...namespace },
+            { rel: SAVED_OBJECT_REL_PRIMARY, type: 'alert', id: alertId, ...namespace },
             { type: 'action', id: action.id, ...namespace },
           ],
         },

x-pack/plugins/alerting/server/task_runner/task_runner.test.ts

@@ -172,6 +172,7 @@ describe('Task Runner', () => {
             Object {
               "id": "1",
               "namespace": undefined,
+              "rel": "primary",
               "type": "alert",
             },
           ],
@@ -234,6 +235,7 @@ describe('Task Runner', () => {
                 Object {
                   "id": "1",
                   "namespace": undefined,
+                  "rel": "primary",
                   "type": "alert",
                 },
               ],
@@ -254,6 +256,7 @@ describe('Task Runner', () => {
                 Object {
                   "id": "1",
                   "namespace": undefined,
+                  "rel": "primary",
                   "type": "alert",
                 },
               ],
@@ -274,6 +277,7 @@ describe('Task Runner', () => {
                 Object {
                   "id": "1",
                   "namespace": undefined,
+                  "rel": "primary",
                   "type": "alert",
                 },
                 Object {
@@ -351,6 +355,7 @@ describe('Task Runner', () => {
                 Object {
                   "id": "1",
                   "namespace": undefined,
+                  "rel": "primary",
                   "type": "alert",
                 },
               ],
@@ -371,6 +376,7 @@ describe('Task Runner', () => {
                 Object {
                   "id": "1",
                   "namespace": undefined,
+                  "rel": "primary",
                   "type": "alert",
                 },
               ],
@@ -568,6 +574,7 @@ describe('Task Runner', () => {
                 Object {
                   "id": "1",
                   "namespace": undefined,
+                  "rel": "primary",
                   "type": "alert",
                 },
               ],

x-pack/plugins/alerting/server/task_runner/task_runner.ts

@@ -25,7 +25,7 @@ import { promiseResult, map, Resultable, asOk, asErr, resolveErr } from '../lib/
 import { taskInstanceToAlertTaskInstance } from './alert_task_instance';
 import { AlertInstances } from '../alert_instance/alert_instance';
 import { EVENT_LOG_ACTIONS } from '../plugin';
-import { IEvent, IEventLogger } from '../../../event_log/server';
+import { IEvent, IEventLogger, SAVED_OBJECT_REL_PRIMARY } from '../../../event_log/server';
 import { isAlertSavedObjectNotFoundError } from '../lib/is_alert_not_found_error';
 
 const FALLBACK_RETRY_INTERVAL: IntervalSchedule = { interval: '5m' };
@@ -174,7 +174,16 @@ export class TaskRunner {
     const alertLabel = `${this.alertType.id}:${alertId}: '${name}'`;
     const event: IEvent = {
       event: { action: EVENT_LOG_ACTIONS.execute },
-      kibana: { saved_objects: [{ type: 'alert', id: alertId, namespace }] },
+      kibana: {
+        saved_objects: [
+          {
+            rel: SAVED_OBJECT_REL_PRIMARY,
+            type: 'alert',
+            id: alertId,
+            namespace,
+          },
+        ],
+      },
     };
     eventLogger.startTiming(event);
 
@@ -393,7 +402,14 @@ function generateNewAndResolvedInstanceEvents(params: GenerateNewAndResolvedInst
         alerting: {
           instance_id: id,
         },
-        saved_objects: [{ type: 'alert', id: params.alertId, namespace: params.namespace }],
+        saved_objects: [
+          {
+            rel: SAVED_OBJECT_REL_PRIMARY,
+            type: 'alert',
+            id: params.alertId,
+            namespace: params.namespace,
+          },
+        ],
       },
       message,
     };

x-pack/plugins/event_log/generated/mappings.json

@@ -86,6 +86,10 @@
                 },
                 "saved_objects": {
                     "properties": {
+                        "rel": {
+                            "type": "keyword",
+                            "ignore_above": 1024
+                        },
                         "namespace": {
                             "type": "keyword",
                             "ignore_above": 1024

x-pack/plugins/event_log/generated/schemas.ts

@@ -65,6 +65,7 @@ export const EventSchema = schema.maybe(
         saved_objects: schema.maybe(
           schema.arrayOf(
             schema.object({
+              rel: ecsString(),
               namespace: ecsString(),
               id: ecsString(),
               type: ecsString(),

x-pack/plugins/event_log/scripts/mappings.js

@@ -24,6 +24,11 @@ exports.EcsKibanaExtensionsMappings = {
     saved_objects: {
       type: 'nested',
       properties: {
+        // relation; currently only supports "primary" or not set
+        rel: {
+          type: 'keyword',
+          ignore_above: 1024,
+        },
         // relevant kibana space
         namespace: {
           type: 'keyword',
@@ -58,6 +63,7 @@ exports.EcsEventLogProperties = [
   'user.name',
   'kibana.server_uuid',
   'kibana.alerting.instance_id',
+  'kibana.saved_objects.rel',
   'kibana.saved_objects.namespace',
   'kibana.saved_objects.id',
   'kibana.saved_objects.name',

x-pack/plugins/event_log/server/es/cluster_client_adapter.test.ts

@@ -236,6 +236,13 @@ describe('queryEventsBySavedObject', () => {
                   query: {
                     bool: {
                       must: [
+                        {
+                          term: {
+                            'kibana.saved_objects.rel': {
+                              value: 'primary',
+                            },
+                          },
+                        },
                         {
                           term: {
                             'kibana.saved_objects.type': {
@@ -319,6 +326,13 @@ describe('queryEventsBySavedObject', () => {
                   query: {
                     bool: {
                       must: [
+                        {
+                          term: {
+                            'kibana.saved_objects.rel': {
+                              value: 'primary',
+                            },
+                          },
+                        },
                         {
                           term: {
                             'kibana.saved_objects.type': {
@@ -388,6 +402,13 @@ describe('queryEventsBySavedObject', () => {
                   query: {
                     bool: {
                       must: [
+                        {
+                          term: {
+                            'kibana.saved_objects.rel': {
+                              value: 'primary',
+                            },
+                          },
+                        },
                         {
                           term: {
                             'kibana.saved_objects.type': {

x-pack/plugins/event_log/server/es/cluster_client_adapter.ts

@@ -7,7 +7,7 @@
 import { reject, isUndefined } from 'lodash';
 import { SearchResponse, Client } from 'elasticsearch';
 import { Logger, ClusterClient } from '../../../../../src/core/server';
-import { IEvent } from '../types';
+import { IEvent, SAVED_OBJECT_REL_PRIMARY } from '../types';
 import { FindOptionsType } from '../event_log_client';
 
 export type EsClusterClient = Pick<ClusterClient, 'callAsInternalUser' | 'asScoped'>;
@@ -155,6 +155,13 @@ export class ClusterClientAdapter {
                       query: {
                         bool: {
                           must: [
+                            {
+                              term: {
+                                'kibana.saved_objects.rel': {
+                                  value: SAVED_OBJECT_REL_PRIMARY,
+                                },
+                              },
+                            },
                             {
                               term: {
                                 'kibana.saved_objects.type': {