[8.19] [Response Ops][Alerting] Adding dangerouslyCreateAlertsInAllSpaces rule type option for alert creation (elastic#224507) (elastic#224938)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[Response Ops][Alerting] Adding `dangerouslyCreateAlertsInAllSpaces`
rule type option for alert creation
(elastic#224507)](elastic#224507)

<!--- Backport version: 10.0.1 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Ying
Mao","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-06-23T17:41:27Z","message":"[Response
Ops][Alerting] Adding `dangerouslyCreateAlertsInAllSpaces` rule type
option for alert creation (elastic#224507)\n\nResolves
https://github.com/elastic/kibana/issues/222104\n\n## Summary\n\nAdds
optional flag when registering a rule type for \"dangerously\ncreating
alerts in all spaces\". If a rule type opts into this flag,\nalerts
created during rule execution will persist the `kibana.space_ids`\nfield
as `\"*\"` instead of the space ID of the rule. Note that we
store\n`kibana.space_ids` as a string array, so the final alert document
will\nhave\n\n```\n'kibana.space_ids': ['*']\n```\n\nThis PR just adds
the flag and updates the code to respect the flag. It\ndoes not opt any
rule types into using it. You can look at the\nfunctional tests to see
example test rule types that use it.\n\nBecause the streams rule type
that we expect to be the first user of\nthis flag uses the
`persistenceRuleTypeWrapper` in the rule registry for\nwriting alerts,
we also had to update the rule registry
code.\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"e1b02be28b654a8a1714cf6ab19f64b5ba16048c","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Alerting","release_note:skip","Team:ResponseOps","backport:version","v9.1.0","v8.19.0"],"title":"[Response
Ops][Alerting] Adding `dangerouslyCreateAlertsInAllSpaces` rule type
option for alert
creation","number":224507,"url":"https://github.com/elastic/kibana/pull/224507","mergeCommit":{"message":"[Response
Ops][Alerting] Adding `dangerouslyCreateAlertsInAllSpaces` rule type
option for alert creation (elastic#224507)\n\nResolves
https://github.com/elastic/kibana/issues/222104\n\n## Summary\n\nAdds
optional flag when registering a rule type for \"dangerously\ncreating
alerts in all spaces\". If a rule type opts into this flag,\nalerts
created during rule execution will persist the `kibana.space_ids`\nfield
as `\"*\"` instead of the space ID of the rule. Note that we
store\n`kibana.space_ids` as a string array, so the final alert document
will\nhave\n\n```\n'kibana.space_ids': ['*']\n```\n\nThis PR just adds
the flag and updates the code to respect the flag. It\ndoes not opt any
rule types into using it. You can look at the\nfunctional tests to see
example test rule types that use it.\n\nBecause the streams rule type
that we expect to be the first user of\nthis flag uses the
`persistenceRuleTypeWrapper` in the rule registry for\nwriting alerts,
we also had to update the rule registry
code.\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"e1b02be28b654a8a1714cf6ab19f64b5ba16048c"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/224507","number":224507,"mergeCommit":{"message":"[Response
Ops][Alerting] Adding `dangerouslyCreateAlertsInAllSpaces` rule type
option for alert creation (elastic#224507)\n\nResolves
https://github.com/elastic/kibana/issues/222104\n\n## Summary\n\nAdds
optional flag when registering a rule type for \"dangerously\ncreating
alerts in all spaces\". If a rule type opts into this flag,\nalerts
created during rule execution will persist the `kibana.space_ids`\nfield
as `\"*\"` instead of the space ID of the rule. Note that we
store\n`kibana.space_ids` as a string array, so the final alert document
will\nhave\n\n```\n'kibana.space_ids': ['*']\n```\n\nThis PR just adds
the flag and updates the code to respect the flag. It\ndoes not opt any
rule types into using it. You can look at the\nfunctional tests to see
example test rule types that use it.\n\nBecause the streams rule type
that we expect to be the first user of\nthis flag uses the
`persistenceRuleTypeWrapper` in the rule registry for\nwriting alerts,
we also had to update the rule registry
code.\n\n---------\n\nCo-authored-by: kibanamachine
<[email protected]>\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"e1b02be28b654a8a1714cf6ab19f64b5ba16048c"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Author: ymao1

x-pack/platform/plugins/shared/alerting/server/alerts_client/alerts_client.ts

@@ -64,6 +64,7 @@ import {
   getMaintenanceWindowAlertsQuery,
   getContinualAlertsQuery,
   isAlertImproving,
+  shouldCreateAlertsInAllSpaces,
 } from './lib';
 import { isValidAlertIndexName } from '../alerts_service';
 import { resolveAlertConflicts } from './lib/alert_conflict_resolver';
@@ -488,6 +489,11 @@ export class AlertsClient<
     const currentTime = this.startedAtString ?? new Date().toISOString();
     const esClient = await this.options.elasticsearchClientPromise;
 
+    const createAlertsInAllSpaces = shouldCreateAlertsInAllSpaces({
+      ruleTypeId: this.ruleType.id,
+      ruleTypeAlertDef: this.ruleType.alerts,
+      logger: this.options.logger,
+    });
     const { rawActiveAlerts, rawRecoveredAlerts } = this.getRawAlertInstancesForState();
 
     const activeAlerts = this.legacyAlertsClient.getProcessedAlerts(ALERT_STATUS_ACTIVE);
@@ -526,6 +532,7 @@ export class AlertsClient<
               timestamp: currentTime,
               payload: this.reportedAlerts[id],
               kibanaVersion: this.options.kibanaVersion,
+              dangerouslyCreateAlertsInAllSpaces: createAlertsInAllSpaces,
             })
           );
         } else {
@@ -548,6 +555,7 @@ export class AlertsClient<
               timestamp: currentTime,
               payload: this.reportedAlerts[id],
               kibanaVersion: this.options.kibanaVersion,
+              dangerouslyCreateAlertsInAllSpaces: createAlertsInAllSpaces,
             })
           );
         }
@@ -582,6 +590,7 @@ export class AlertsClient<
                 payload: this.reportedAlerts[id],
                 recoveryActionGroup: this.options.ruleType.recoveryActionGroup.id,
                 kibanaVersion: this.options.kibanaVersion,
+                dangerouslyCreateAlertsInAllSpaces: createAlertsInAllSpaces,
               })
             : buildUpdatedRecoveredAlert<AlertData>({
                 alert: trackedAlert,

x-pack/platform/plugins/shared/alerting/server/alerts_client/index.ts

@@ -8,5 +8,9 @@
 export { type LegacyAlertsClientParams, LegacyAlertsClient } from './legacy_alerts_client';
 export { AlertsClient } from './alerts_client';
 export type { AlertRuleData } from './types';
-export { sanitizeBulkErrorResponse, initializeAlertsClient } from './lib';
+export {
+  sanitizeBulkErrorResponse,
+  initializeAlertsClient,
+  shouldCreateAlertsInAllSpaces,
+} from './lib';
 export { AlertsClientError } from './alerts_client_error';

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/build_new_alert.test.ts

@@ -105,6 +105,41 @@ describe('buildNewAlert', () => {
     });
   });
 
+  test(`should set kibana.space_ids to '*' if dangerouslyCreateAlertsInAllSpaces=true`, () => {
+    const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A');
+    legacyAlert.scheduleActions('default');
+
+    expect(
+      buildNewAlert<{}, {}, {}, 'default', 'recovered'>({
+        legacyAlert,
+        rule: alertRule,
+        timestamp: '2023-03-28T12:27:28.159Z',
+        kibanaVersion: '8.9.0',
+        dangerouslyCreateAlertsInAllSpaces: true,
+      })
+    ).toEqual({
+      ...alertRule,
+      [TIMESTAMP]: '2023-03-28T12:27:28.159Z',
+      [EVENT_ACTION]: 'open',
+      [EVENT_KIND]: 'signal',
+      [ALERT_ACTION_GROUP]: 'default',
+      [ALERT_CONSECUTIVE_MATCHES]: 0,
+      [ALERT_FLAPPING]: false,
+      [ALERT_FLAPPING_HISTORY]: [],
+      [ALERT_INSTANCE_ID]: 'alert-A',
+      [ALERT_MAINTENANCE_WINDOW_IDS]: [],
+      [ALERT_PENDING_RECOVERED_COUNT]: 0,
+      [ALERT_RULE_EXECUTION_TIMESTAMP]: '2023-03-28T12:27:28.159Z',
+      [ALERT_SEVERITY_IMPROVING]: false,
+      [ALERT_STATUS]: 'active',
+      [ALERT_UUID]: legacyAlert.getUuid(),
+      [ALERT_WORKFLOW_STATUS]: 'open',
+      [SPACE_IDS]: ['*'],
+      [VERSION]: '8.9.0',
+      [TAGS]: ['rule-', '-tags'],
+    });
+  });
+
   test('should include flapping history and maintenance window ids if set', () => {
     const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A');
     legacyAlert.scheduleActions('default');

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/build_new_alert.ts

@@ -52,6 +52,7 @@ interface BuildNewAlertOpts<
   runTimestamp?: string;
   timestamp: string;
   kibanaVersion: string;
+  dangerouslyCreateAlertsInAllSpaces?: boolean;
 }
 
 /**
@@ -72,6 +73,7 @@ export const buildNewAlert = <
   timestamp,
   payload,
   kibanaVersion,
+  dangerouslyCreateAlertsInAllSpaces,
 }: BuildNewAlertOpts<
   AlertData,
   LegacyState,
@@ -109,7 +111,7 @@ export const buildNewAlert = <
               [ALERT_TIME_RANGE]: { gte: legacyAlert.getState().start },
             }
           : {}),
-        [SPACE_IDS]: rule[SPACE_IDS],
+        [SPACE_IDS]: dangerouslyCreateAlertsInAllSpaces === true ? ['*'] : rule[SPACE_IDS],
         [VERSION]: kibanaVersion,
         [TAGS]: Array.from(
           new Set([...((cleanedPayload?.tags as string[]) ?? []), ...(rule[ALERT_RULE_TAGS] ?? [])])

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/build_ongoing_alert.test.ts

@@ -244,6 +244,88 @@ for (const flattened of [true, false]) {
       });
     });
 
+    test(`should return alert document with kibana.space_ids set to '*' if dangerouslyCreateAlertsInAllSpaces=true`, () => {
+      const legacyAlert = new LegacyAlert<{}, {}, 'error' | 'warning'>('alert-A', {
+        meta: { uuid: 'abcdefg' },
+      });
+      legacyAlert
+        .scheduleActions('error')
+        .replaceState({ start: '2023-03-28T12:27:28.159Z', duration: '36000000' });
+      legacyAlert.setFlappingHistory([false, false, true, true]);
+      legacyAlert.setMaintenanceWindowIds(['maint-xyz']);
+
+      const alert = flattened
+        ? {
+            ...existingAlert,
+            [ALERT_FLAPPING_HISTORY]: [true, false, false, false, true, true],
+            [ALERT_MAINTENANCE_WINDOW_IDS]: ['maint-1', 'maint-321'],
+          }
+        : {
+            ...existingAlert,
+            kibana: {
+              // @ts-expect-error
+              ...existingAlert.kibana,
+              alert: {
+                // @ts-expect-error
+                ...existingAlert.kibana.alert,
+                flapping_history: [true, false, false, false, true, true],
+                maintenance_window_ids: ['maint-1', 'maint-321'],
+              },
+            },
+          };
+
+      expect(
+        buildOngoingAlert<{}, {}, {}, 'error' | 'warning', 'recovered'>({
+          // @ts-expect-error
+          alert,
+          legacyAlert,
+          rule: alertRule,
+          isImproving: null,
+          timestamp: '2023-03-29T12:27:28.159Z',
+          kibanaVersion: '8.9.0',
+          dangerouslyCreateAlertsInAllSpaces: true,
+        })
+      ).toEqual({
+        ...alertRule,
+        [TIMESTAMP]: '2023-03-29T12:27:28.159Z',
+        [ALERT_RULE_EXECUTION_TIMESTAMP]: '2023-03-29T12:27:28.159Z',
+        [EVENT_ACTION]: 'active',
+        [ALERT_ACTION_GROUP]: 'error',
+        [ALERT_CONSECUTIVE_MATCHES]: 0,
+        [ALERT_FLAPPING]: false,
+        [ALERT_FLAPPING_HISTORY]: [false, false, true, true],
+        [ALERT_MAINTENANCE_WINDOW_IDS]: ['maint-xyz'],
+        [ALERT_PENDING_RECOVERED_COUNT]: 0,
+        [ALERT_PREVIOUS_ACTION_GROUP]: 'error',
+        [ALERT_STATUS]: 'active',
+        [ALERT_WORKFLOW_STATUS]: 'open',
+        [ALERT_DURATION]: 36000,
+        [ALERT_TIME_RANGE]: { gte: '2023-03-28T12:27:28.159Z' },
+        [SPACE_IDS]: ['*'],
+        [VERSION]: '8.9.0',
+        [TAGS]: ['rule-', '-tags'],
+        ...(flattened
+          ? {
+              [EVENT_KIND]: 'signal',
+              [ALERT_INSTANCE_ID]: 'alert-A',
+              [ALERT_START]: '2023-03-28T12:27:28.159Z',
+              [ALERT_UUID]: 'abcdefg',
+            }
+          : {
+              event: {
+                kind: 'signal',
+              },
+              kibana: {
+                alert: {
+                  instance: { id: 'alert-A' },
+                  start: '2023-03-28T12:27:28.159Z',
+                  uuid: 'abcdefg',
+                },
+              },
+            }),
+      });
+    });
+
     test('should return alert document with updated isImproving', () => {
       const legacyAlert = new LegacyAlert<{}, {}, 'error' | 'warning'>('alert-A', {
         meta: { uuid: 'abcdefg' },

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/build_ongoing_alert.ts

@@ -50,6 +50,7 @@ interface BuildOngoingAlertOpts<
   runTimestamp?: string;
   timestamp: string;
   kibanaVersion: string;
+  dangerouslyCreateAlertsInAllSpaces?: boolean;
 }
 
 /**
@@ -72,6 +73,7 @@ export const buildOngoingAlert = <
   runTimestamp,
   timestamp,
   kibanaVersion,
+  dangerouslyCreateAlertsInAllSpaces,
 }: BuildOngoingAlertOpts<
   AlertData,
   LegacyState,
@@ -122,7 +124,7 @@ export const buildOngoingAlert = <
       : {}),
     ...(isImproving != null ? { [ALERT_SEVERITY_IMPROVING]: isImproving } : {}),
     [ALERT_PREVIOUS_ACTION_GROUP]: get(alert, ALERT_ACTION_GROUP),
-    [SPACE_IDS]: rule[SPACE_IDS],
+    [SPACE_IDS]: dangerouslyCreateAlertsInAllSpaces === true ? ['*'] : rule[SPACE_IDS],
     [VERSION]: kibanaVersion,
     [TAGS]: Array.from(
       new Set([

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/build_recovered_alert.test.ts

@@ -185,6 +185,74 @@ for (const flattened of [true, false]) {
       });
     });
 
+    test(`should return alert document with kibana.space_ids set to '*' if dangerouslyCreateAlertsInAllSpaces=true`, () => {
+      const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A', {
+        meta: { uuid: 'abcdefg' },
+      });
+      legacyAlert.scheduleActions('default').replaceState({
+        start: '2023-03-28T12:27:28.159Z',
+        end: '2023-03-30T12:27:28.159Z',
+        duration: '36000000',
+      });
+
+      expect(
+        buildRecoveredAlert<{}, {}, {}, 'default', 'recovered'>({
+          // @ts-expect-error
+          alert: existingAlert,
+          legacyAlert,
+          rule: alertRule,
+          recoveryActionGroup: 'recovered',
+          timestamp: '2023-03-29T12:27:28.159Z',
+          kibanaVersion: '8.9.0',
+          dangerouslyCreateAlertsInAllSpaces: true,
+        })
+      ).toEqual({
+        [TIMESTAMP]: '2023-03-29T12:27:28.159Z',
+        [ALERT_RULE_EXECUTION_TIMESTAMP]: '2023-03-29T12:27:28.159Z',
+        // @ts-ignore
+        [ALERT_RULE_EXECUTION_UUID]: '5f6aa57d-3e22-484e-bae8-cbed868f4d28',
+        [EVENT_ACTION]: 'close',
+        [ALERT_ACTION_GROUP]: 'recovered',
+        [ALERT_CONSECUTIVE_MATCHES]: 0,
+        [ALERT_FLAPPING]: false,
+        [ALERT_FLAPPING_HISTORY]: [],
+        [ALERT_SEVERITY_IMPROVING]: true,
+        [ALERT_PREVIOUS_ACTION_GROUP]: 'default',
+        [ALERT_MAINTENANCE_WINDOW_IDS]: [],
+        [ALERT_PENDING_RECOVERED_COUNT]: 0,
+        [ALERT_STATUS]: 'recovered',
+        [ALERT_WORKFLOW_STATUS]: 'open',
+        [ALERT_DURATION]: 36000,
+        [ALERT_START]: '2023-03-28T12:27:28.159Z',
+        [ALERT_END]: '2023-03-30T12:27:28.159Z',
+        [ALERT_TIME_RANGE]: { gte: '2023-03-28T12:27:28.159Z', lte: '2023-03-30T12:27:28.159Z' },
+        // @ts-expect-error
+        [SPACE_IDS]: ['*'],
+        [VERSION]: '8.9.0',
+        [TAGS]: ['rule-', '-tags'],
+        ...(flattened
+          ? {
+              ...alertRule,
+              [EVENT_KIND]: 'signal',
+              [ALERT_INSTANCE_ID]: 'alert-A',
+              [ALERT_UUID]: 'abcdefg',
+              [SPACE_IDS]: ['*'],
+            }
+          : {
+              event: {
+                kind: 'signal',
+              },
+              kibana: {
+                alert: {
+                  instance: { id: 'alert-A' },
+                  rule: omit(rule, 'execution'),
+                  uuid: 'abcdefg',
+                },
+              },
+            }),
+      });
+    });
+
     test('should return alert document with updated payload if specified', () => {
       const legacyAlert = new LegacyAlert<{}, {}, 'default'>('alert-A', {
         meta: { uuid: 'abcdefg' },

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/build_recovered_alert.ts

@@ -54,6 +54,7 @@ interface BuildRecoveredAlertOpts<
   payload?: DeepPartial<AlertData>;
   timestamp: string;
   kibanaVersion: string;
+  dangerouslyCreateAlertsInAllSpaces?: boolean;
 }
 
 /**
@@ -76,6 +77,7 @@ export const buildRecoveredAlert = <
   runTimestamp,
   recoveryActionGroup,
   kibanaVersion,
+  dangerouslyCreateAlertsInAllSpaces,
 }: BuildRecoveredAlertOpts<
   AlertData,
   LegacyState,
@@ -126,7 +128,7 @@ export const buildRecoveredAlert = <
         }
       : {}),
 
-    [SPACE_IDS]: rule[SPACE_IDS],
+    [SPACE_IDS]: dangerouslyCreateAlertsInAllSpaces === true ? ['*'] : rule[SPACE_IDS],
     // Set latest kibana version
     [VERSION]: kibanaVersion,
     [TAGS]: Array.from(

x-pack/platform/plugins/shared/alerting/server/alerts_client/lib/index.ts

@@ -20,3 +20,4 @@ export { expandFlattenedAlert } from './format_alert';
 export { sanitizeBulkErrorResponse } from './sanitize_bulk_response';
 export { initializeAlertsClient } from './initialize_alerts_client';
 export { isAlertImproving } from './is_alert_improving';
+export { shouldCreateAlertsInAllSpaces } from './should_create_alerts_in_all_spaces';