

[Security Solution][Detection Engine] enables telemetry for ES|QL rul…
…e type (#177193)

## Summary

- addresses #176785
- enables telemetry for Security Detection ES|QL rule type
vitaliidm authored Feb 23, 2024
1 parent db8440d commit 5a9cd83
Showing 6 changed files with 129 additions and 0 deletions.
43 changes: 43 additions & 0 deletions x-pack/plugins/security_solution/server/usage/collector.ts
Expand Up @@ -286,6 +286,49 @@ export const registerCollector: RegisterCollector = ({
},
},
},
esql: {
enabled: {
type: 'long',
_meta: { description: 'Number of esql rules enabled' },
},
disabled: {
type: 'long',
_meta: { description: 'Number of esql rules disabled' },
},
alerts: {
type: 'long',
_meta: { description: 'Number of alerts generated by esql rules' },
},
cases: {
type: 'long',
_meta: {
description: 'Number of cases attached to esql detection rule alerts',
},
},
legacy_notifications_enabled: {
type: 'long',
_meta: { description: 'Number of legacy notifications enabled' },
},
legacy_notifications_disabled: {
type: 'long',
_meta: { description: 'Number of legacy notifications disabled' },
},
notifications_enabled: {
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
notifications_disabled: {
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
elastic_total: {
enabled: { type: 'long', _meta: { description: 'Number of elastic rules enabled' } },
disabled: {
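Review bot: The `_meta.description` on the new `esql.notifications_disabled` field reads 'Number of notifications enabled', which is the text of the `notifications_enabled` field directly above it; it should be `_meta: { description: 'Number of notifications disabled' }`. The same wording is repeated in the `esql.notifications_disabled` entry of the telemetry schema JSON later in this commit, so both need the fix (the schema looks generated from this collector, so regenerating after the change should cover it). These descriptions are what downstream telemetry consumers see, so a swapped label here misreports the metric's meaning. registerCollector starts and ends outside the hunk.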
Expand Up @@ -83,6 +83,17 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
esql: {
enabled: 0,
disabled: 0,
alerts: 0,
cases: 0,
legacy_notifications_enabled: 0,
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
elastic_total: {
enabled: 0,
disabled: 0,
Expand Up @@ -26,6 +26,7 @@ export interface RulesTypeUsage {
new_terms: FeatureTypeUsage;
elastic_total: FeatureTypeUsage;
custom_total: FeatureTypeUsage;
esql: FeatureTypeUsage;
}

export interface RuleAdoption {
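Review bot: `esql: FeatureTypeUsage;` is appended after the `elastic_total` and `custom_total` aggregates, whereas every other per-rule-type member of `RulesTypeUsage` precedes the totals, and both `getInitialRulesUsage` and the collector schema in this same commit place `esql` before `elastic_total`. Moving the line up next to `new_terms` keeps the interface grouped by rule type with the totals last and consistent with the other two files. This is a point of style only; the type itself is correct.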
Expand Up @@ -250,6 +250,13 @@ describe('Detections Usage and Metrics', () => {
${'new_terms'} | ${false} | ${true} | ${false} | ${0} | ${1} | ${0} | ${0} | ${0}
${'new_terms'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0} | ${0}
${'new_terms'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0} | ${1}
${'esql'} | ${true} | ${true} | ${false} | ${1} | ${0} | ${0} | ${0} | ${0}
${'esql'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0} | ${0}
${'esql'} | ${false} | ${false} | ${true} | ${0} | ${0} | ${0} | ${1} | ${0}
${'esql'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0} | ${0}
${'esql'} | ${false} | ${true} | ${false} | ${0} | ${1} | ${0} | ${0} | ${0}
${'esql'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0} | ${0}
${'esql'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0} | ${1}
`(
'expect { "ruleType": $ruleType, "enabled": $enabled, "hasLegacyNotification": $hasLegacyNotification, "hasNotification": $hasNotification, hasLegacyInvestigationField: $hasLegacyInvestigationField } to equal { legacy_notifications_enabled: $expectedLegacyNotificationsEnabled, legacy_notifications_disabled: $expectedLegacyNotificationsDisabled, notifications_enabled: $expectedNotificationsEnabled, notifications_disabled, $expectedNotificationsDisabled, hasLegacyInvestigationField: $hasLegacyInvestigationField }',
({
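Review bot: Two of the seven new esql rows are identical (`${'esql'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0} | ${0}` appears twice), so the second adds no coverage. If the rows were copied from the `new_terms` block the duplicate may be inherited, but replacing it with a combination the table does not exercise for esql, such as `enabled: true, hasLegacyNotification: true, hasNotification: true`, would make the extra row worthwhile. The `describe` block and the `each` table begin outside the hunk.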
Expand Up @@ -68,6 +68,15 @@ export const updateRuleUsage = (
detectionRuleMetric,
}),
};
} else if (detectionRuleMetric.rule_type === 'esql') {
updatedUsage = {
...usage,
esql: updateQueryUsage({
ruleType: detectionRuleMetric.rule_type,
usage,
detectionRuleMetric,
}),
};
}

if (detectionRuleMetric.elastic_rule) {
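Review bot: The new `else if (detectionRuleMetric.rule_type === 'esql')` branch is a verbatim copy of the preceding branch apart from the property name, and the visible tail of that branch suggests the whole chain follows the same shape. A single branch using a computed key, `[detectionRuleMetric.rule_type]: updateQueryUsage({ ruleType: detectionRuleMetric.rule_type, usage, detectionRuleMetric })`, guarded by the set of rule types that have a `RulesTypeUsage` entry, would make the next rule type a one-line addition and remove the risk of a type being added to the interface and schema but forgotten here. This is a style point; the added branch itself behaves consistently with its siblings. updateRuleUsage starts and ends outside the hunk.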
Expand Up @@ -12899,6 +12899,64 @@
}
}
},
"esql": {
"properties": {
"enabled": {
"type": "long",
"_meta": {
"description": "Number of esql rules enabled"
}
},
"disabled": {
"type": "long",
"_meta": {
"description": "Number of esql rules disabled"
}
},
"alerts": {
"type": "long",
"_meta": {
"description": "Number of alerts generated by esql rules"
}
},
"cases": {
"type": "long",
"_meta": {
"description": "Number of cases attached to esql detection rule alerts"
}
},
"legacy_notifications_enabled": {
"type": "long",
"_meta": {
"description": "Number of legacy notifications enabled"
}
},
"legacy_notifications_disabled": {
"type": "long",
"_meta": {
"description": "Number of legacy notifications disabled"
}
},
"notifications_enabled": {
"type": "long",
"_meta": {
"description": "Number of notifications enabled"
}
},
"notifications_disabled": {
"type": "long",
"_meta": {
"description": "Number of notifications enabled"
}
},
"legacy_investigation_fields": {
"type": "long",
"_meta": {
"description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS"
}
}
}
},
"elastic_total": {
"properties": {
"enabled": {
