From 5a9cd830271491a2e7393686b5fd0a22aeb09e9e Mon Sep 17 00:00:00 2001
From: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Fri, 23 Feb 2024 17:04:31 +0000
Subject: [PATCH] [Security Solution][Detection Engine] enables telemetry for ES|QL rule type (#177193)

## Summary

- addresses https://github.com/elastic/kibana/issues/176785
- enables telemetry for Security Detection ES|QL rule type
---
 .../server/usage/collector.ts | 43 ++++++++++++++
 .../detections/rules/get_initial_usage.ts | 11 ++++
 .../server/usage/detections/rules/types.ts | 1 +
 .../detections/rules/update_usage.test.ts | 7 +++
 .../usage/detections/rules/update_usage.ts | 9 +++
 .../schema/xpack_plugins.json | 58 +++++++++++++++++++
 6 files changed, 129 insertions(+)

diff --git a/x-pack/plugins/security_solution/server/usage/collector.ts b/x-pack/plugins/security_solution/server/usage/collector.ts
index 39635b9abda94..8aab08ea621d8 100644
--- a/x-pack/plugins/security_solution/server/usage/collector.ts
+++ b/x-pack/plugins/security_solution/server/usage/collector.ts
@@ -286,6 +286,49 @@ export const registerCollector: RegisterCollector = ({
 },
 },
 },
+ esql: {
+ enabled: {
+ type: 'long',
+ _meta: { description: 'Number of esql rules enabled' },
+ },
+ disabled: {
+ type: 'long',
+ _meta: { description: 'Number of esql rules disabled' },
+ },
+ alerts: {
+ type: 'long',
+ _meta: { description: 'Number of alerts generated by esql rules' },
+ },
+ cases: {
+ type: 'long',
+ _meta: {
+ description: 'Number of cases attached to esql detection rule alerts',
+ },
+ },
+ legacy_notifications_enabled: {
+ type: 'long',
+ _meta: { description: 'Number of legacy notifications enabled' },
+ },
+ legacy_notifications_disabled: {
+ type: 'long',
+ _meta: { description: 'Number of legacy notifications disabled' },
+ },
+ notifications_enabled: {
+ type: 'long',
+ _meta: { description: 'Number of notifications enabled' },
+ },
+ notifications_disabled: {
+ type: 'long',
+ _meta: { description: 'Number of notifications enabled' },
+ },
+ legacy_investigation_fields: {
+ type: 'long',
+ _meta: {
+ description:
+ 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
+ },
+ },
+ },
 elastic_total: {
 enabled: { type: 'long', _meta: { description: 'Number of elastic rules enabled' } },
 disabled: {
diff --git a/x-pack/plugins/security_solution/server/usage/detections/rules/get_initial_usage.ts b/x-pack/plugins/security_solution/server/usage/detections/rules/get_initial_usage.ts
index dfe19bff7079a..4313abdc336bd 100644
--- a/x-pack/plugins/security_solution/server/usage/detections/rules/get_initial_usage.ts
+++ b/x-pack/plugins/security_solution/server/usage/detections/rules/get_initial_usage.ts
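Review bot: The `_meta.description` of `notifications_disabled` in the new `esql` mapping reads 'Number of notifications enabled', the same text as `notifications_enabled` two entries above; it should be `_meta: { description: 'Number of notifications disabled' },`. The `esql` entry this patch adds to `xpack_plugins.json` carries the same copied description and needs the same correction so the collector mapping and the schema stay in step. If the sibling rule-type blocks this was copied from carry the same wording, they are worth fixing in the same pass, though they are outside the hunk.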
@@ -83,6 +83,17 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
 notifications_disabled: 0,
 legacy_investigation_fields: 0,
 },
+ esql: {
+ enabled: 0,
+ disabled: 0,
+ alerts: 0,
+ cases: 0,
+ legacy_notifications_enabled: 0,
+ legacy_notifications_disabled: 0,
+ notifications_enabled: 0,
+ notifications_disabled: 0,
+ legacy_investigation_fields: 0,
+ },
 elastic_total: {
 enabled: 0,
 disabled: 0,
diff --git a/x-pack/plugins/security_solution/server/usage/detections/rules/types.ts b/x-pack/plugins/security_solution/server/usage/detections/rules/types.ts
index 1bbe1b8f01f0e..e212ba8a9e15e 100644
--- a/x-pack/plugins/security_solution/server/usage/detections/rules/types.ts
+++ b/x-pack/plugins/security_solution/server/usage/detections/rules/types.ts
@@ -26,6 +26,7 @@ export interface RulesTypeUsage {
 new_terms: FeatureTypeUsage;
 elastic_total: FeatureTypeUsage;
 custom_total: FeatureTypeUsage;
+ esql: FeatureTypeUsage;
 }

 export interface RuleAdoption {
diff --git a/x-pack/plugins/security_solution/server/usage/detections/rules/update_usage.test.ts b/x-pack/plugins/security_solution/server/usage/detections/rules/update_usage.test.ts
index 8bdb4c582f0ee..3edacf0ae9e1b 100644
--- a/x-pack/plugins/security_solution/server/usage/detections/rules/update_usage.test.ts
+++ b/x-pack/plugins/security_solution/server/usage/detections/rules/update_usage.test.ts
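Review bot: In `types.ts` the new `esql: FeatureTypeUsage;` member is appended after `custom_total`, while the collector mapping, `getInitialRulesUsage` and the JSON schema in this same patch all place `esql` among the per-rule-type entries ahead of `elastic_total`. Moving the line up to follow `new_terms: FeatureTypeUsage;` keeps the interface in the same order as the objects that implement it and keeps the two totals as the visible tail of the list. The `RulesTypeUsage` interface starts outside the hunk.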
@@ -250,6 +250,13 @@ describe('Detections Usage and Metrics', () => {
 ${'new_terms'} | ${false} | ${true} | ${false} | ${0} | ${1} | ${0} | ${0} | ${0}
 ${'new_terms'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0} | ${0}
 ${'new_terms'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0} | ${1}
+ ${'esql'} | ${true} | ${true} | ${false} | ${1} | ${0} | ${0} | ${0} | ${0}
+ ${'esql'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0} | ${0}
+ ${'esql'} | ${false} | ${false} | ${true} | ${0} | ${0} | ${0} | ${1} | ${0}
+ ${'esql'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0} | ${0}
+ ${'esql'} | ${false} | ${true} | ${false} | ${0} | ${1} | ${0} | ${0} | ${0}
+ ${'esql'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0} | ${0}
+ ${'esql'} | ${false} | ${false} | ${false} | ${0} | ${0} | ${0} | ${0} | ${1}
 `(
 'expect { "ruleType": $ruleType, "enabled": $enabled, "hasLegacyNotification": $hasLegacyNotification, "hasNotification": $hasNotification, hasLegacyInvestigationField: $hasLegacyInvestigationField } to equal { legacy_notifications_enabled: $expectedLegacyNotificationsEnabled, legacy_notifications_disabled: $expectedLegacyNotificationsDisabled, notifications_enabled: $expectedNotificationsEnabled, notifications_disabled, $expectedNotificationsDisabled, hasLegacyInvestigationField: $hasLegacyInvestigationField }',
 ({
diff --git a/x-pack/plugins/security_solution/server/usage/detections/rules/update_usage.ts b/x-pack/plugins/security_solution/server/usage/detections/rules/update_usage.ts
index 26eeffb6b9f0a..4c08e1ddc9cc0 100644
--- a/x-pack/plugins/security_solution/server/usage/detections/rules/update_usage.ts
+++ b/x-pack/plugins/security_solution/server/usage/detections/rules/update_usage.ts
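Review bot: The second and fourth added `esql` rows are identical (`${'esql'} | ${true} | ${false} | ${true} | ${0} | ${0} | ${1} | ${0} | ${0}`), so one of them adds no coverage. Going by the neighbouring rows, the case of an enabled rule with neither a legacy nor a current notification does not appear to be exercised, so the duplicate row could be repurposed for it; the header of the `each` table is outside the hunk, so the expected columns for that row need checking against it. The enclosing `describe` block starts and ends outside the hunk.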
@@ -68,6 +68,15 @@ export const updateRuleUsage = (
 detectionRuleMetric,
 }),
 };
+ } else if (detectionRuleMetric.rule_type === 'esql') {
+ updatedUsage = {
+ ...usage,
+ esql: updateQueryUsage({
+ ruleType: detectionRuleMetric.rule_type,
+ usage,
+ detectionRuleMetric,
+ }),
+ };
 }

 if (detectionRuleMetric.elastic_rule) {
diff --git a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json
index 26b8ab2f1c537..34a18f8349b20 100644
--- a/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json
+++ b/x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json
@@ -12899,6 +12899,64 @@
 }
 }
 },
+ "esql": {
+ "properties": {
+ "enabled": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of esql rules enabled"
+ }
+ },
+ "disabled": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of esql rules disabled"
+ }
+ },
+ "alerts": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of alerts generated by esql rules"
+ }
+ },
+ "cases": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of cases attached to esql detection rule alerts"
+ }
+ },
+ "legacy_notifications_enabled": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of legacy notifications enabled"
+ }
+ },
+ "legacy_notifications_disabled": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of legacy notifications disabled"
+ }
+ },
+ "notifications_enabled": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of notifications enabled"
+ }
+ },
+ "notifications_disabled": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of notifications enabled"
+ }
+ },
+ "legacy_investigation_fields": {
+ "type": "long",
+ "_meta": {
+ "description": "Number of rules using the legacy investigation fields type introduced only in 8.10 ESS"
+ }
+ }
+ }
+ },
 "elastic_total": {
 "properties": {
 "enabled": {
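Review bot: The new `else if (detectionRuleMetric.rule_type === 'esql')` branch repeats the preceding branches verbatim apart from the property it assigns, and the chain still ends without a terminal `else`, so a rule type that is not listed here leaves `updatedUsage` unchanged without any signal that it was skipped. A short comment at the top of the chain, such as `// every rule_type that has its own RulesTypeUsage entry must be listed here; unlisted types are silently not broken out per type`, would make that contract explicit for the next rule type. If every `rule_type` value is also a key of `RulesTypeUsage`, the branches could collapse to one computed-key spread, `[detectionRuleMetric.rule_type]: updateQueryUsage({ ruleType: detectionRuleMetric.rule_type, usage, detectionRuleMetric })`, but the head of the chain and the rest of `updateRuleUsage` are outside the hunk, so whether the two sets of names line up cannot be confirmed here.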