[Observability] [Alerts] Recovered alert notifications can have wrongly mapped group values

[benakansara]

When group by fields of the rule are modified, the recovered alert notifications that use context.group or context.groupByKeys can have wrongly mapped group values.

Example scenario

1. Custom threshold rule is created with group by on host.name and container.id and alert action message uses context.group or context.groupByKeys depending on the rule
2. Alert notification for "active" alert contains correct group values as:

• in case of context.group: "group":[{"field":"host.name","value":"host-0"},{"field":"container.id","value":"container-0"}]
• in case of context.groupByKeys: {"host":{"name":"host-0"},"container":{"id":"container-0"}}

3. Rule is modified to have group by on container.name and host.name
4. Existing alerts are recovered due to change in group by fields
5. Recovered alert notification has wrongly mapped group values as:

• in case of context.group: "group":[{"field":"container.name","value":"host-0"},{"field":"host.name","value":"container-0"}]
• in case of context.groupByKeys: {"container":{"name":"host-0"},"host":{"name":"container-0"}}

This is due to relying on rule parameters to generate group context for recovered alerts as at this point rule parameters have changed which don't match with recovered alert Id anymore. Instead we should use alert document to extract rule parameters with either kibana.alert.rule.parameters.groupBy or kibana.alert.group.field.

Rules where this issue can happen

• Custom threshold rule
• Metric threshold rule
• Log threshold rule

[elasticmachine]

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)