[Security Solution][Alerts] Add new terms rule type telemetry (#137795)

* Add new terms rule type ID for telemetry

* Add new_terms in more places, update tests

* Add new_terms to collector
Marshall Main 2022-08-03 14:17:25 -07:00 committed by GitHub
parent 6f439ebd88
commit c4407569cd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 120 additions and 0 deletions


@ -22,6 +22,7 @@ import {
EQL_RULE_TYPE_ID,
INDICATOR_RULE_TYPE_ID,
ML_RULE_TYPE_ID,
NEW_TERMS_RULE_TYPE_ID,
QUERY_RULE_TYPE_ID,
SAVED_QUERY_RULE_TYPE_ID,
SIGNALS_ID,
@ -491,6 +492,7 @@ export class TelemetryReceiver implements ITelemetryReceiver {
SAVED_QUERY_RULE_TYPE_ID,
INDICATOR_RULE_TYPE_ID,
THRESHOLD_RULE_TYPE_ID,
NEW_TERMS_RULE_TYPE_ID,
],
},
},


@ -199,6 +199,42 @@ export const registerCollector: RegisterCollector = ({
_meta: { description: 'Number of notifications enabled' },
},
},
new_terms: {
enabled: {
type: 'long',
_meta: { description: 'Number of new_terms rules enabled' },
},
disabled: {
type: 'long',
_meta: { description: 'Number of new_terms rules disabled' },
},
alerts: {
type: 'long',
_meta: { description: 'Number of alerts generated by new_terms rules' },
},
cases: {
type: 'long',
_meta: {
description: 'Number of cases attached to new_terms detection rule alerts',
},
},
legacy_notifications_enabled: {
type: 'long',
_meta: { description: 'Number of legacy notifications enabled' },
},
legacy_notifications_disabled: {
type: 'long',
_meta: { description: 'Number of legacy notifications disabled' },
},
notifications_enabled: {
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
notifications_disabled: {
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
},
elastic_total: {
enabled: { type: 'long', _meta: { description: 'Number of elastic rules enabled' } },
disabled: {
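Review bot: The `_meta.description` on the new `notifications_disabled` field of the `new_terms` block reads 'Number of notifications enabled', which is the text of the `notifications_enabled` field directly above it; it should be `_meta: { description: 'Number of notifications disabled' },`. The context line at the top of this hunk shows the preceding rule type carrying the same wording, so the error appears to be copied from an existing entry rather than introduced here, but the new block is the place to stop propagating it. Schema descriptions are what consumers of the collected telemetry use to interpret a counter, so an inverted description misleads even though the counter itself is populated correctly. The schema JSON elsewhere in this commit mirrors the same text and should be regenerated once the collector is fixed.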


@ -67,6 +67,16 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
notifications_enabled: 0,
notifications_disabled: 0,
},
new_terms: {
enabled: 0,
disabled: 0,
alerts: 0,
cases: 0,
legacy_notifications_enabled: 0,
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
},
elastic_total: {
enabled: 0,
disabled: 0,


@ -22,6 +22,7 @@ export interface RulesTypeUsage {
eql: FeatureTypeUsage;
machine_learning: FeatureTypeUsage;
threat_match: FeatureTypeUsage;
new_terms: FeatureTypeUsage;
elastic_total: FeatureTypeUsage;
custom_total: FeatureTypeUsage;
}


@ -222,6 +222,12 @@ describe('Detections Usage and Metrics', () => {
${'threat_match'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0}
${'threat_match'} | ${false} | ${true} | ${false} | ${0} | ${1} | ${0} | ${0}
${'threat_match'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0}
${'new_terms'} | ${true} | ${true} | ${false} | ${1} | ${0} | ${0} | ${0}
${'new_terms'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0}
${'new_terms'} | ${false} | ${false} | ${true} | ${0} | ${0} | ${0} | ${1}
${'new_terms'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0}
${'new_terms'} | ${false} | ${true} | ${false} | ${0} | ${1} | ${0} | ${0}
${'new_terms'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0}
`(
'expect { "ruleType": $ruleType, "enabled": $enabled, "hasLegacyNotification": $hasLegacyNotification, "hasNotification": $hasNotification } to equal { legacy_notifications_enabled: $expectedLegacyNotificationsEnabled, legacy_notifications_disabled: $expectedLegacyNotificationsDisabled, notifications_enabled: $expectedNotificationsEnabled, notifications_disabled, $expectedNotificationsDisabled }',
({
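Review bot: The fourth `new_terms` row in this table is byte-identical to the second (`${'new_terms'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0}` appears twice), so that combination is tested twice while the case where `hasLegacyNotification` and `hasNotification` are both true is never exercised for this rule type. Replace the repeated row with the missing combination, e.g. `${'new_terms'} | ${true} | ${true} | ${true} | …`, with the expected counters taken from what `updateQueryUsage` does when both flags are set, which is not visible in this hunk. The `threat_match` rows visible above suggest the duplication was inherited from the other rule types' rows, so the same check likely applies to them. The `describe` block and the test callback both extend beyond this hunk.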


@ -59,6 +59,15 @@ export const updateRuleUsage = (
detectionRuleMetric,
}),
};
} else if (detectionRuleMetric.rule_type === 'new_terms') {
updatedUsage = {
...usage,
new_terms: updateQueryUsage({
ruleType: detectionRuleMetric.rule_type,
usage,
detectionRuleMetric,
}),
};
}
if (detectionRuleMetric.elastic_rule) {
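Review bot: The new `else if (detectionRuleMetric.rule_type === 'new_terms')` branch extends an open-ended chain in which the branches visible here call `updateQueryUsage` with identical arguments and differ only in the key written back to `usage`; a rule type missing from the chain is silently dropped from telemetry, which is exactly the gap this commit closes for new_terms. If `rule_type` is a string-literal union, a `switch` with a `never`-typed `default` would turn the next omission into a compile error; if it is a plain `string`, a lookup such as `const usageKey = RULE_TYPE_TO_USAGE_KEY[detectionRuleMetric.rule_type]` followed by a single `updateQueryUsage` call would remove the repetition and make an unknown type an explicit no-op. I cannot see the earlier branches, so some may legitimately differ from this pattern. `updateRuleUsage` begins before this hunk and continues after it.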


@ -19,6 +19,7 @@ import {
QUERY_RULE_TYPE_ID,
THRESHOLD_RULE_TYPE_ID,
SAVED_QUERY_RULE_TYPE_ID,
NEW_TERMS_RULE_TYPE_ID,
} from '@kbn/securitysolution-rules';
import type { RuleSearchResult } from '../types';
@ -44,6 +45,7 @@ export const getDetectionRules = async ({
`${filterAttribute}: ${SAVED_QUERY_RULE_TYPE_ID}`,
`${filterAttribute}: ${THRESHOLD_RULE_TYPE_ID}`,
`${filterAttribute}: ${INDICATOR_RULE_TYPE_ID}`,
`${filterAttribute}: ${NEW_TERMS_RULE_TYPE_ID}`,
].join(' OR ');
const query: SavedObjectsCreatePointInTimeFinderOptions = {
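Review bot: The `[...].join(' OR ')` filter here is one of three hand-maintained copies of the detection rule type ID list in this commit (the others are in `TelemetryReceiver` and `_getEventLogByTypeAndStatus`), and the need for this patch shows how easily one copy falls behind the others. Consider exporting a single readonly list, e.g. `export const DETECTION_RULE_TYPE_IDS = [...] as const;` next to the individual IDs, and building this filter as `DETECTION_RULE_TYPE_IDS.map((id) => `${filterAttribute}: ${id}`).join(' OR ')` so all consumers stay in sync. Interpolating the IDs into the KQL filter string is acceptable only because they are compile-time constants; a short comment stating that assumption would protect the next person who makes the list configurable. `getDetectionRules` starts before this hunk and continues after it.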


@ -13,6 +13,7 @@ import {
QUERY_RULE_TYPE_ID,
THRESHOLD_RULE_TYPE_ID,
SAVED_QUERY_RULE_TYPE_ID,
NEW_TERMS_RULE_TYPE_ID,
} from '@kbn/securitysolution-rules';
import type { EventLogTypeStatusAggs, RuleSearchResult } from '../types';
import type { EventLogStatusMetric } from '../detections/rules/types';
@ -92,6 +93,7 @@ const _getEventLogByTypeAndStatus = async ({
QUERY_RULE_TYPE_ID,
THRESHOLD_RULE_TYPE_ID,
SAVED_QUERY_RULE_TYPE_ID,
NEW_TERMS_RULE_TYPE_ID,
],
});


@ -9335,6 +9335,58 @@
}
}
},
"new_terms": {
"properties": {
"enabled": {
"type": "long",
"_meta": {
"description": "Number of new_terms rules enabled"
}
},
"disabled": {
"type": "long",
"_meta": {
"description": "Number of new_terms rules disabled"
}
},
"alerts": {
"type": "long",
"_meta": {
"description": "Number of alerts generated by new_terms rules"
}
},
"cases": {
"type": "long",
"_meta": {
"description": "Number of cases attached to new_terms detection rule alerts"
}
},
"legacy_notifications_enabled": {
"type": "long",
"_meta": {
"description": "Number of legacy notifications enabled"
}
},
"legacy_notifications_disabled": {
"type": "long",
"_meta": {
"description": "Number of legacy notifications disabled"
}
},
"notifications_enabled": {
"type": "long",
"_meta": {
"description": "Number of notifications enabled"
}
},
"notifications_disabled": {
"type": "long",
"_meta": {
"description": "Number of notifications enabled"
}
}
}
},
"elastic_total": {
"properties": {
"enabled": {
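Review bot: The `"notifications_disabled"` entry of the new `"new_terms"` object carries the description "Number of notifications enabled", duplicating the `"notifications_enabled"` entry above it; it should read `"description": "Number of notifications disabled"`. If this file is generated from the collector schema, as its shape suggests, fix the description in the collector and regenerate rather than editing this JSON by hand, otherwise the two will drift apart again.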