Alerting now includes one additional stack rule: Tracking containment.
As with other stack rules, you need
all access to the Stack Rules feature
to be able to create and edit a geo rule.
See feature privileges for more information on configuring roles that provide access to this feature.
Geo alerting requirementsedit
To create a Tracking containment rule, the following requirements must be present:
Tracks index or index pattern: An index containing a
datefield, and some form of entity identifier. An entity identifier is a
numberfield that consistently identifies the entity to be tracked. The data in this index should be dynamically updating so that there are entity movements to alert upon.
Boundaries index or index pattern: An index containing
geo_shapedata, such as boundary data and bounding box data. This data is presumed to be static (not updating). Shape data matching the query is harvested once when the rule is created and anytime after when the rule is re-enabled after disablement.
By design, current interval entity locations (current is determined by
the Tracked index or index pattern) are queried to determine if they are contained
within any monitored boundaries. Entity
data should be somewhat "real time", meaning the dates of new documents aren’t older
than the current time minus the amount of the interval. If data older than
now - <current interval> is ingested, it won’t trigger a rule.
Creating a geo ruleedit
The Tracking containment rule type runs an Elasticsearch query over indices, determining if any documents are currently contained within any boundaries from the specified boundary index. In the event that an entity is contained within a boundary, an alert may be generated.
Defining the conditionsedit
Tracking containment rules have 3 clauses that define the condition to detect, as well as 2 Kuery bars used to provide additional filtering context for each of the indices.
- Index (entity)
This clause requires an index or index pattern, a time field that will be used for the time window, and a
geo_pointfield for tracking.
- When entity
- This clause specifies which crossing option to track. The values Entered, Exited, and Crossed can be selected to indicate which crossing conditions should trigger a rule. Entered alerts on entry into a boundary, Exited alerts on exit from a boundary, and Crossed alerts on all boundary crossings whether they be entrances or exits.
- Index (Boundary)
This clause requires an index or index pattern, a
geo_shapefield identifying boundaries, and an optional Human-readable boundary name for better alerting messages.
Conditions for how a rule is tracked can be specified uniquely for each individual action. A rule can be triggered either when a containment condition is met or when an entity is no longer contained.