[Cloud Security] Account type installation telemetry (#163074)

2025-04-23 09:19:04 -04:00 · 2023-08-07 18:07:56 +03:00 · 2023-08-07 18:07:56 +03:00 · 208040e0fb
commit 208040e0fb
parent 0a9f3216b6
4 changed files with 55 additions and 27 deletions
--- a/x-pack/plugins/cloud_security_posture/server/lib/telemetry/collectors/installation_stats_collector.ts
+++ b/x-pack/plugins/cloud_security_posture/server/lib/telemetry/collectors/installation_stats_collector.ts
@ -8,8 +8,8 @@ import type { CoreStart, Logger, SavedObjectsClientContract } from '@kbn/core/se
 import type { ElasticsearchClient } from '@kbn/core-elasticsearch-server';
 import {
  AgentPolicy,
-  PackagePolicy,
  PACKAGE_POLICY_SAVED_OBJECT_TYPE,
+  PackagePolicy,
  SO_SEARCH_LIMIT,
 } from '@kbn/fleet-plugin/common';
 import { agentPolicyService } from '@kbn/fleet-plugin/server/services';
@ -17,6 +17,53 @@ import type { CloudSecurityInstallationStats } from './types';
 import type { CspServerPluginStart, CspServerPluginStartDeps } from '../../../types';
 import { CLOUD_SECURITY_POSTURE_PACKAGE_NAME } from '../../../../common/constants';

+const getEnabledInputStreamVars = (packagePolicy: PackagePolicy) => {
+  const enabledInput = packagePolicy.inputs.find((input) => input.enabled);
+  return enabledInput?.streams[0].vars;
+};
+
+const getAccountTypeField = (
+  packagePolicy: PackagePolicy
+): CloudSecurityInstallationStats['account_type'] => {
+  if (packagePolicy.vars?.posture.value !== 'cspm') return;
+
+  const inputStreamVars = getEnabledInputStreamVars(packagePolicy);
+  const cloudProvider = packagePolicy.vars?.deployment?.value;
+  const accountType = inputStreamVars?.[`${cloudProvider}.account_type`]?.value;
+
+  // If the account_type field is not present, we can assume that the cspm integrations is a single accounts,
+  // as this field did not exist before organization accounts were introduced.
+  if (!accountType) return 'single-account';
+
+  return accountType;
+};
+
+const getInstalledPackagePolicies = (
+  packagePolicies: PackagePolicy[],
+  agentPolicies: AgentPolicy[]
+) => {
+  const installationStats = packagePolicies.map(
+    (packagePolicy: PackagePolicy): CloudSecurityInstallationStats => {
+      const agentCounts =
+        agentPolicies?.find((agentPolicy) => agentPolicy?.id === packagePolicy.policy_id)?.agents ??
+        0;
+
+      return {
+        package_policy_id: packagePolicy.id,
+        feature: packagePolicy.vars?.posture?.value as string,
+        deployment_mode: packagePolicy.vars?.deployment?.value as string,
+        package_version: packagePolicy.package?.version as string,
+        created_at: packagePolicy.created_at,
+        agent_policy_id: packagePolicy.policy_id,
+        agent_count: agentCounts,
+        account_type: getAccountTypeField(packagePolicy),
+      };
+    }
+  );
+
+  return installationStats;
+};
+
 export const getInstallationStats = async (
  esClient: ElasticsearchClient,
  soClient: SavedObjectsClientContract,
@ -34,34 +81,11 @@ export const getInstallationStats = async (
    isPluginInitialized,
  };

-  const getInstalledPackagePolicies = async (
-    packagePolicies: PackagePolicy[],
-    agentPolicies: AgentPolicy[]
-  ) => {
-    const installationStats = await packagePolicies.map(
-      (packagePolicy: PackagePolicy): CloudSecurityInstallationStats => {
-        const agentCounts =
-          agentPolicies?.find((agentPolicy) => agentPolicy?.id === packagePolicy.policy_id)
-            ?.agents ?? 0;
-
-        return {
-          package_policy_id: packagePolicy.id,
-          feature: packagePolicy.vars?.posture?.value as string,
-          deployment_mode: packagePolicy.vars?.deployment?.value as string,
-          package_version: packagePolicy.package?.version as string,
-          created_at: packagePolicy.created_at,
-          agent_policy_id: packagePolicy.policy_id,
-          agent_count: agentCounts,
-        };
-      }
-    );
-    return installationStats;
-  };
-
  const packagePolicies = await cspContext.packagePolicyService.list(soClient, {
    perPage: SO_SEARCH_LIMIT,
    kuery: `${PACKAGE_POLICY_SAVED_OBJECT_TYPE}.package.name:"${CLOUD_SECURITY_POSTURE_PACKAGE_NAME}"`,
  });
+  if (!packagePolicies) return [];

  const agentPolicies = await agentPolicyService.list(soClient, {
    perPage: SO_SEARCH_LIMIT,
@ -69,9 +93,8 @@ export const getInstallationStats = async (
    esClient,
    withAgentCount: true,
  });
-  if (!packagePolicies) return [];

-  const installationStats: CloudSecurityInstallationStats[] = await getInstalledPackagePolicies(
+  const installationStats: CloudSecurityInstallationStats[] = getInstalledPackagePolicies(
    packagePolicies.items,
    agentPolicies?.items || []
  );
--- a/x-pack/plugins/cloud_security_posture/server/lib/telemetry/collectors/schema.ts
+++ b/x-pack/plugins/cloud_security_posture/server/lib/telemetry/collectors/schema.ts
@ -153,6 +153,7 @@ export const cspmUsageSchema: MakeSchemaFrom<CspmUsage> = {
      deployment_mode: { type: 'keyword' },
      created_at: { type: 'date' },
      agent_count: { type: 'long' },
+      account_type: { type: 'keyword' },
    },
  },
 };
--- a/x-pack/plugins/cloud_security_posture/server/lib/telemetry/collectors/types.ts
+++ b/x-pack/plugins/cloud_security_posture/server/lib/telemetry/collectors/types.ts
@ -86,4 +86,5 @@ export interface CloudSecurityInstallationStats {
  deployment_mode: string;
  created_at: string;
  agent_count: number;
+  account_type?: 'single-account' | 'organization-account';
 }
--- a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json
+++ b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json
@ -6579,6 +6579,9 @@
              },
              "agent_count": {
                "type": "long"
+              },
+              "account_type": {
+                "type": "keyword"
              }
            }
          }