[8.x] [Security Solution][Detection Engine] adds missing ES|QL/New terms rule status telemetry (#214974) (#216500)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Detection Engine] adds missing ES|QL/New terms
rule status telemetry
(#214974)](https://github.com/elastic/kibana/pull/214974)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Vitalii
Dmyterko","email":"92328789+vitaliidm@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-03-31T15:18:02Z","message":"[Security
Solution][Detection Engine] adds missing ES|QL/New terms rule status
telemetry (#214974)\n\n## Summary\n\n- partly addresses
https://github.com/elastic/security-team/issues/12000\n- adds missing
ES|QL rule status telemetry\n- adds missing New terms rule status
telemetry\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"f199b4ceff66b1d353526ac4498838073c830bd5","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection
Engine","backport:version","v9.1.0","v8.19.0"],"title":"[Security
Solution][Detection Engine] adds missing ES|QL/New terms rule status
telemetry","number":214974,"url":"https://github.com/elastic/kibana/pull/214974","mergeCommit":{"message":"[Security
Solution][Detection Engine] adds missing ES|QL/New terms rule status
telemetry (#214974)\n\n## Summary\n\n- partly addresses
https://github.com/elastic/security-team/issues/12000\n- adds missing
ES|QL rule status telemetry\n- adds missing New terms rule status
telemetry\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"f199b4ceff66b1d353526ac4498838073c830bd5"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/214974","number":214974,"mergeCommit":{"message":"[Security
Solution][Detection Engine] adds missing ES|QL/New terms rule status
telemetry (#214974)\n\n## Summary\n\n- partly addresses
https://github.com/elastic/security-team/issues/12000\n- adds missing
ES|QL rule status telemetry\n- adds missing New terms rule status
telemetry\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"f199b4ceff66b1d353526ac4498838073c830bd5"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Kibana Machine 2025-03-31 19:22:17 +02:00 committed by GitHub
parent ba172d1f57
commit d8dd5d0ecc
7 changed files with 2521 additions and 0 deletions


@ -2039,6 +2039,314 @@
}
}
},
"new_terms": {
"properties": {
"failures": {
"type": "long",
"_meta": {
"description": "The number of failed rules"
}
},
"top_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"partial_failures": {
"type": "long",
"_meta": {
"description": "The number of partial failure rules"
}
},
"top_partial_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"succeeded": {
"type": "long",
"_meta": {
"description": "The number of successful rules"
}
},
"index_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"search_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"enrichment_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_count": {
"type": "long",
"_meta": {
"description": "The count of gaps"
}
}
}
},
"esql": {
"properties": {
"failures": {
"type": "long",
"_meta": {
"description": "The number of failed rules"
}
},
"top_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"partial_failures": {
"type": "long",
"_meta": {
"description": "The number of partial failure rules"
}
},
"top_partial_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"succeeded": {
"type": "long",
"_meta": {
"description": "The number of successful rules"
}
},
"index_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"search_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"enrichment_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_count": {
"type": "long",
"_meta": {
"description": "The count of gaps"
}
}
}
},
"threat_match": {
"properties": {
"failures": {
@ -2989,6 +3297,314 @@
}
}
},
"new_terms": {
"properties": {
"failures": {
"type": "long",
"_meta": {
"description": "The number of failed rules"
}
},
"top_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"partial_failures": {
"type": "long",
"_meta": {
"description": "The number of partial failure rules"
}
},
"top_partial_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"succeeded": {
"type": "long",
"_meta": {
"description": "The number of successful rules"
}
},
"index_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"search_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"enrichment_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_count": {
"type": "long",
"_meta": {
"description": "The count of gaps"
}
}
}
},
"esql": {
"properties": {
"failures": {
"type": "long",
"_meta": {
"description": "The number of failed rules"
}
},
"top_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"partial_failures": {
"type": "long",
"_meta": {
"description": "The number of partial failure rules"
}
},
"top_partial_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"succeeded": {
"type": "long",
"_meta": {
"description": "The number of successful rules"
}
},
"index_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"search_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"enrichment_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_count": {
"type": "long",
"_meta": {
"description": "The count of gaps"
}
}
}
},
"threat_match": {
"properties": {
"failures": {
@ -3939,6 +4555,314 @@
}
}
},
"new_terms": {
"properties": {
"failures": {
"type": "long",
"_meta": {
"description": "The number of failed rules"
}
},
"top_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"partial_failures": {
"type": "long",
"_meta": {
"description": "The number of partial failure rules"
}
},
"top_partial_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"succeeded": {
"type": "long",
"_meta": {
"description": "The number of successful rules"
}
},
"index_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"search_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"enrichment_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_count": {
"type": "long",
"_meta": {
"description": "The count of gaps"
}
}
}
},
"esql": {
"properties": {
"failures": {
"type": "long",
"_meta": {
"description": "The number of failed rules"
}
},
"top_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"partial_failures": {
"type": "long",
"_meta": {
"description": "The number of partial failure rules"
}
},
"top_partial_failures": {
"type": "array",
"items": {
"properties": {
"message": {
"type": "keyword",
"_meta": {
"description": "Failed rule message"
}
},
"count": {
"type": "long",
"_meta": {
"description": "Number of times the message occurred"
}
}
}
}
},
"succeeded": {
"type": "long",
"_meta": {
"description": "The number of successful rules"
}
},
"index_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"search_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"enrichment_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_duration": {
"properties": {
"max": {
"type": "float",
"_meta": {
"description": "The max duration"
}
},
"avg": {
"type": "float",
"_meta": {
"description": "The avg duration"
}
},
"min": {
"type": "float",
"_meta": {
"description": "The min duration"
}
}
}
},
"gap_count": {
"type": "long",
"_meta": {
"description": "The count of gaps"
}
}
}
},
"threat_match": {
"properties": {
"failures": {


@ -1128,6 +1128,206 @@ export const registerCollector: RegisterCollector = ({
_meta: { description: 'The count of gaps' },
},
},
new_terms: {
failures: {
type: 'long',
_meta: { description: 'The number of failed rules' },
},
top_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
partial_failures: {
type: 'long',
_meta: { description: 'The number of partial failure rules' },
},
top_partial_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
succeeded: {
type: 'long',
_meta: { description: 'The number of successful rules' },
},
index_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
search_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
enrichment_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_count: {
type: 'long',
_meta: { description: 'The count of gaps' },
},
},
esql: {
failures: {
type: 'long',
_meta: { description: 'The number of failed rules' },
},
top_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
partial_failures: {
type: 'long',
_meta: { description: 'The number of partial failure rules' },
},
top_partial_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
succeeded: {
type: 'long',
_meta: { description: 'The number of successful rules' },
},
index_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
search_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
enrichment_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_count: {
type: 'long',
_meta: { description: 'The count of gaps' },
},
},
threat_match: {
failures: {
type: 'long',
@ -1744,6 +1944,206 @@ export const registerCollector: RegisterCollector = ({
_meta: { description: 'The count of gaps' },
},
},
new_terms: {
failures: {
type: 'long',
_meta: { description: 'The number of failed rules' },
},
top_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
partial_failures: {
type: 'long',
_meta: { description: 'The number of partial failure rules' },
},
top_partial_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
succeeded: {
type: 'long',
_meta: { description: 'The number of successful rules' },
},
index_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
search_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
enrichment_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_count: {
type: 'long',
_meta: { description: 'The count of gaps' },
},
},
esql: {
failures: {
type: 'long',
_meta: { description: 'The number of failed rules' },
},
top_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
partial_failures: {
type: 'long',
_meta: { description: 'The number of partial failure rules' },
},
top_partial_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
succeeded: {
type: 'long',
_meta: { description: 'The number of successful rules' },
},
index_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
search_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
enrichment_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_count: {
type: 'long',
_meta: { description: 'The count of gaps' },
},
},
threat_match: {
failures: {
type: 'long',
@ -2360,6 +2760,206 @@ export const registerCollector: RegisterCollector = ({
_meta: { description: 'The count of gaps' },
},
},
new_terms: {
failures: {
type: 'long',
_meta: { description: 'The number of failed rules' },
},
top_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
partial_failures: {
type: 'long',
_meta: { description: 'The number of partial failure rules' },
},
top_partial_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
succeeded: {
type: 'long',
_meta: { description: 'The number of successful rules' },
},
index_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
search_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
enrichment_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_count: {
type: 'long',
_meta: { description: 'The count of gaps' },
},
},
esql: {
failures: {
type: 'long',
_meta: { description: 'The number of failed rules' },
},
top_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
partial_failures: {
type: 'long',
_meta: { description: 'The number of partial failure rules' },
},
top_partial_failures: {
type: 'array',
items: {
message: {
type: 'keyword',
_meta: { description: 'Failed rule message' },
},
count: {
type: 'long',
_meta: { description: 'Number of times the message occurred' },
},
},
},
succeeded: {
type: 'long',
_meta: { description: 'The number of successful rules' },
},
index_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
search_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
enrichment_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_duration: {
max: {
type: 'float',
_meta: { description: 'The max duration' },
},
avg: {
type: 'float',
_meta: { description: 'The avg duration' },
},
min: {
type: 'float',
_meta: { description: 'The min duration' },
},
},
gap_count: {
type: 'long',
_meta: { description: 'The count of gaps' },
},
},
threat_match: {
failures: {
type: 'long',
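Review bot: The `top_failures` / `top_partial_failures` `message` fields added for `new_terms` and `esql` declare the raw rule failure text as a `keyword` in usage telemetry, and ES|QL execution errors coming back from Elasticsearch typically echo fragments of the user's query (unknown column names, parse errors quoting the offending text), so this may export customer query content in a way the older rule types did not; `transformSingleRuleMetric` is not visible here, so I cannot confirm whether messages are bucketed or truncated before they reach the collector. Please either confirm that messages are reduced to a fixed set of categories upstream, or at least make the expectation explicit on the field, e.g. `_meta: { description: 'Failed rule message (status-change message as logged; may contain rule-specific text)' }`. As a point of style, the `esql` and `new_terms` schema blocks are byte-identical to each other and to the existing `eql` block in all three hunks, so a single shared schema constant referenced per rule type would remove roughly 600 lines and keep the per-type schemas from drifting. The enclosing `registerCollector` schema object starts before the first hunk and ends after the last.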


@ -161,6 +161,8 @@ export const getInitialEventLogUsage = (): EventLogStatusMetric => ({
*/
export const getInitialSingleEventLogUsage = (): SingleEventLogStatusMetric => ({
eql: getInitialSingleEventMetric(),
new_terms: getInitialSingleEventMetric(),
esql: getInitialSingleEventMetric(),
threat_match: getInitialSingleEventMetric(),
machine_learning: getInitialSingleEventMetric(),
query: getInitialSingleEventMetric(),


@ -118,6 +118,8 @@ export interface SingleEventMetric {
*/
export interface SingleEventLogStatusMetric {
eql: SingleEventMetric;
new_terms: SingleEventMetric;
esql: SingleEventMetric;
threat_match: SingleEventMetric;
machine_learning: SingleEventMetric;
query: SingleEventMetric;


@ -38,6 +38,8 @@ export const transformEventLogTypeStatus = ({
// metrics
const eqlMetrics = aggs.eventActionExecutionMetrics['siem.eqlRule'];
const newTermsMetrics = aggs.eventActionExecutionMetrics['siem.newTermsRule'];
const esqlMetrics = aggs.eventActionExecutionMetrics['siem.esqlRule'];
const indicatorMetrics = aggs.eventActionExecutionMetrics['siem.indicatorRule'];
const mlMetrics = aggs.eventActionExecutionMetrics['siem.mlRule'];
const queryMetrics = aggs.eventActionExecutionMetrics['siem.queryRule'];
@ -46,6 +48,8 @@ export const transformEventLogTypeStatus = ({
// failure status
const eqlFailure = aggs.eventActionStatusChange.failed['siem.eqlRule'];
const newTermsFailure = aggs.eventActionStatusChange.failed['siem.newTermsRule'];
const esqlFailure = aggs.eventActionStatusChange.failed['siem.esqlRule'];
const indicatorFailure = aggs.eventActionStatusChange.failed['siem.indicatorRule'];
const mlFailure = aggs.eventActionStatusChange.failed['siem.mlRule'];
const queryFailure = aggs.eventActionStatusChange.failed['siem.queryRule'];
@ -54,6 +58,9 @@ export const transformEventLogTypeStatus = ({
// partial failure
const eqlPartialFailure = aggs.eventActionStatusChange['partial failure']['siem.eqlRule'];
const newTermsPartialFailure =
aggs.eventActionStatusChange['partial failure']['siem.newTermsRule'];
const esqlPartialFailure = aggs.eventActionStatusChange['partial failure']['siem.esqlRule'];
const indicatorPartialFailure =
aggs.eventActionStatusChange['partial failure']['siem.indicatorRule'];
const mlPartialFailure = aggs.eventActionStatusChange['partial failure']['siem.mlRule'];
@ -65,6 +72,8 @@ export const transformEventLogTypeStatus = ({
// success
const eqlSuccess = aggs.eventActionStatusChange.succeeded['siem.eqlRule'];
const newTermsSuccess = aggs.eventActionStatusChange.succeeded['siem.newTermsRule'];
const esqlSuccess = aggs.eventActionStatusChange.succeeded['siem.esqlRule'];
const indicatorSuccess = aggs.eventActionStatusChange.succeeded['siem.indicatorRule'];
const mlSuccess = aggs.eventActionStatusChange.succeeded['siem.mlRule'];
const querySuccess = aggs.eventActionStatusChange.succeeded['siem.queryRule'];
@ -78,6 +87,18 @@ export const transformEventLogTypeStatus = ({
succeeded: eqlSuccess,
singleMetric: eqlMetrics,
}),
new_terms: transformSingleRuleMetric({
failed: newTermsFailure,
partialFailed: newTermsPartialFailure,
succeeded: newTermsSuccess,
singleMetric: newTermsMetrics,
}),
esql: transformSingleRuleMetric({
failed: esqlFailure,
partialFailed: esqlPartialFailure,
succeeded: esqlSuccess,
singleMetric: esqlMetrics,
}),
threat_match: transformSingleRuleMetric({
failed: indicatorFailure,
partialFailed: indicatorPartialFailure,
@ -111,6 +132,8 @@ export const transformEventLogTypeStatus = ({
total: {
failures: countTotals([
eqlFailure,
newTermsFailure,
esqlFailure,
indicatorFailure,
mlFailure,
queryFailure,
@ -119,6 +142,8 @@ export const transformEventLogTypeStatus = ({
]),
partial_failures: countTotals([
eqlPartialFailure,
newTermsPartialFailure,
esqlPartialFailure,
indicatorPartialFailure,
mlPartialFailure,
queryPartialFailure,
@ -127,6 +152,8 @@ export const transformEventLogTypeStatus = ({
]),
succeeded: countTotals([
eqlSuccess,
newTermsSuccess,
esqlSuccess,
indicatorSuccess,
mlSuccess,
querySuccess,
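Review bot: The new reads `aggs.eventActionExecutionMetrics['siem.esqlRule']`, `aggs.eventActionStatusChange.failed['siem.esqlRule']` and their `siem.newTermsRule` counterparts are only safe if the aggregation that produces these keyed buckets was extended to the two new rule categories in the same change; that query is not among the visible file sections (the diffstat lists 7 changed files and 6 are shown), and because the widened aggregation interfaces mark the keys as required, a missing bucket would surface at runtime as `undefined` flowing into `transformSingleRuleMetric` and `countTotals` rather than as a type error. If the source is a keyed `filters` aggregation, please confirm the two new filters were added alongside these lookups; if it is a per-category `terms` aggregation, a category with no executions yields no bucket and each of these reads needs an explicit fallback to an empty aggregation value. Note also that adding the two types to the `total` counters changes what `total.failures` / `total.succeeded` meant before this commit, which may be worth a line in the PR description for anyone comparing telemetry across versions. `transformEventLogTypeStatus` starts before the first hunk and continues past the last.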


@ -93,6 +93,8 @@ export interface SingleEVentLogTypeStatusAgg {
'siem.queryRule': CountCardinality;
'siem.savedQueryRule': CountCardinality;
'siem.eqlRule': CountCardinality;
'siem.newTermsRule': CountCardinality;
'siem.esqlRule': CountCardinality;
'siem.thresholdRule': CountCardinality;
'siem.mlRule': CountCardinality;
'siem.indicatorRule': CountCardinality;
@ -103,6 +105,8 @@ export interface SingleEVentLogTypeStatusAggWithCategories {
'siem.queryRule': CountCardinalityWithCategories;
'siem.savedQueryRule': CountCardinalityWithCategories;
'siem.eqlRule': CountCardinalityWithCategories;
'siem.newTermsRule': CountCardinalityWithCategories;
'siem.esqlRule': CountCardinalityWithCategories;
'siem.thresholdRule': CountCardinalityWithCategories;
'siem.mlRule': CountCardinalityWithCategories;
'siem.indicatorRule': CountCardinalityWithCategories;
@ -163,6 +167,8 @@ export interface EventLogTypeStatusAggs {
'siem.queryRule': SingleExecutionMetricAgg;
'siem.savedQueryRule': SingleExecutionMetricAgg;
'siem.eqlRule': SingleExecutionMetricAgg;
'siem.newTermsRule': SingleExecutionMetricAgg;
'siem.esqlRule': SingleExecutionMetricAgg;
'siem.thresholdRule': SingleExecutionMetricAgg;
'siem.mlRule': SingleExecutionMetricAgg;
'siem.indicatorRule': SingleExecutionMetricAgg;