Is your feature request related to a problem?
Currently, Anomaly Detection and Alerting code is coupled throughout the backend in order to create an alerting monitor on top of an existing anomaly detector. The Alerting plugin currently queries the anomaly detection system indices directly, and also has specific code that checks if Anomaly Detection has its filter-by-backend-role setting enabled. We would like to change this so we have a solution that decouples Alerting and Anomaly Detection code as well as creates support for further enhancements.
What solution would you like?
The first step of the change we would like to make is to utilize Common Utils (Alerting already has an interface there: https://github.com/sbcd90/common-utils/blob/514fa7acca686c6142ea847cfc1906398886fe41/src/main/kotlin/org/opensearch/commons/alerting/AlertingPluginInterface.kt) in order for Alerting to interact with the transport layer of Anomaly Detection. This has already been done between Alerting and Security Analytics and will require similar changes.

On the Anomaly Detection side we will register two new transport actions. One will do the same as `GetAnomalyDetectorAction` and one will do the same as `SearchAnomalyResultAction`. These will then be called by Alerting whenever a CRUD operation is performed by Alerting on an Anomaly Detector monitor. Specifically, the two times will be when a monitor is created on top of a detector and when the monitor queries the AD result index. Some of the change, which is exactly the same in Security Analytics, can be seen here: opensearch-project/security-analytics@acfef46#diff-1fb44510bdb99d2acfb92897acb36e50b89d42b746c707540f0cb3afaaff03c3R233
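The shape this could take, as an added illustration and not code from the alerting, anomaly-detection or common-utils repositories: a common-utils object modelled on `AlertingPluginInterface` that wraps two action types registered by the Anomaly Detection plugin, plus the call Alerting would make when a monitor is created on a detector. The OpenSearch core types (`ActionType`, `NodeClient`, `ActionListener`, `ActionRequest`, `ActionResponse`, `SearchRequest`, `SearchResponse`, `Writeable`) and common-utils' `recreateObject` are real; the action names, the `GetAnomalyDetectorRequest`/`GetAnomalyDetectorResponse` classes, the object names and the `attachDetectorToMonitor` helper are assumptions.

```kotlin
// Added example; not code from alerting, anomaly-detection or common-utils.
// Assumed: action names, request/response classes, object names, helper below.
package org.opensearch.commons.anomalydetection

import org.opensearch.action.ActionListener
import org.opensearch.action.ActionRequest
import org.opensearch.action.ActionRequestValidationException
import org.opensearch.action.ActionResponse
import org.opensearch.action.ActionType
import org.opensearch.action.search.SearchRequest
import org.opensearch.action.search.SearchResponse
import org.opensearch.client.node.NodeClient
import org.opensearch.common.io.stream.StreamInput
import org.opensearch.common.io.stream.StreamOutput
import org.opensearch.common.io.stream.Writeable
import org.opensearch.commons.utils.recreateObject

/** Request carrying only the detector id; serialised like the alerting requests in common-utils. */
class GetAnomalyDetectorRequest(val detectorId: String) : ActionRequest() {
    constructor(sin: StreamInput) : this(sin.readString())
    override fun validate(): ActionRequestValidationException? = null
    override fun writeTo(out: StreamOutput) = out.writeString(detectorId)
}

/** Response carrying the detector id and its source document as a JSON string (assumed shape). */
class GetAnomalyDetectorResponse(val detectorId: String, val detectorJson: String) : ActionResponse() {
    constructor(sin: StreamInput) : this(sin.readString(), sin.readString())
    override fun writeTo(out: StreamOutput) {
        out.writeString(detectorId)
        out.writeString(detectorJson)
    }
}

/**
 * Action types the Anomaly Detection plugin would register in Plugin.getActions().
 * Alerting resolves them by name over the transport layer, so it needs no
 * compile-time dependency on AD classes. Names are assumptions.
 */
object AnomalyDetectionActions {
    const val GET_DETECTOR_ACTION_NAME = "cluster:admin/opendistro/ad/detector/get"
    const val SEARCH_RESULTS_ACTION_NAME = "cluster:admin/opendistro/ad/result/search"

    val GET_DETECTOR_ACTION_TYPE: ActionType<GetAnomalyDetectorResponse> =
        ActionType(GET_DETECTOR_ACTION_NAME, Writeable.Reader { GetAnomalyDetectorResponse(it) })
    val SEARCH_RESULTS_ACTION_TYPE: ActionType<SearchResponse> =
        ActionType(SEARCH_RESULTS_ACTION_NAME, Writeable.Reader { SearchResponse(it) })
}

/** Mirrors AlertingPluginInterface: the caller never touches AD indices or AD settings. */
object AnomalyDetectionPluginInterface {

    fun getDetector(
        client: NodeClient,
        request: GetAnomalyDetectorRequest,
        listener: ActionListener<GetAnomalyDetectorResponse>
    ) {
        client.execute(
            AnomalyDetectionActions.GET_DETECTOR_ACTION_TYPE,
            request,
            // Each plugin has its own classloader, so the response built by the AD
            // plugin is re-serialised and rebuilt from the caller's own class.
            ActionListener.wrap(
                { response -> listener.onResponse(recreateObject(response) { GetAnomalyDetectorResponse(it) }) },
                { e -> listener.onFailure(e) }
            )
        )
    }

    fun searchResults(client: NodeClient, request: SearchRequest, listener: ActionListener<SearchResponse>) {
        // The AD transport action picks the result indices and applies AD's own
        // filter-by-backend-role handling; Alerting no longer reads that setting.
        client.execute(AnomalyDetectionActions.SEARCH_RESULTS_ACTION_TYPE, request, listener)
    }
}

/** Alerting side (assumed helper): resolve the detector before indexing the monitor. */
fun attachDetectorToMonitor(
    client: NodeClient,
    detectorId: String,
    onDetector: (GetAnomalyDetectorResponse) -> Unit,
    onError: (Exception) -> Unit
) {
    AnomalyDetectionPluginInterface.getDetector(
        client,
        GetAnomalyDetectorRequest(detectorId),
        ActionListener.wrap({ onDetector(it) }, { onError(it) })
    )
}
```

The import paths follow the OpenSearch 2.x layout current when this issue was filed (`org.opensearch.action.ActionListener`, `org.opensearch.common.io.stream.*`); later releases moved these types under `org.opensearch.core`. The security-relevant consequence of routing through the transport action is that access control for detectors and results is enforced once, in the plugin that owns the data, instead of being re-implemented in every caller that reads the AD indices directly.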