[Security Solution][DE] Investigation fields telemetry (#169482)
## Summary

Adds telemetry to determine the number of users utilizing
`investigation_fields` in 8.10. We want to eventually deprecate use of
this field as an array (in 8.10) in favor of the new object type.

Reuses the detection rule usage telemetry logic to add a new field,
`legacy_investigation_fields`, which is the total count of rules using
the legacy `investigation_fields` format (the field stored as an array).
yctercero authored Oct 24, 2023
1 parent 1b7b094 commit c295c67
Showing 11 changed files with 530 additions and 39 deletions.
56 changes: 56 additions & 0 deletions x-pack/plugins/security_solution/server/usage/collector.ts
Expand Up @@ -71,6 +71,13 @@ export const registerCollector: RegisterCollector = ({
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
threshold: {
enabled: {
Expand Down Expand Up @@ -107,6 +114,13 @@ export const registerCollector: RegisterCollector = ({
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
eql: {
enabled: { type: 'long', _meta: { description: 'Number of eql rules enabled' } },
Expand Down Expand Up @@ -135,6 +149,13 @@ export const registerCollector: RegisterCollector = ({
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
machine_learning: {
enabled: {
Expand Down Expand Up @@ -171,6 +192,13 @@ export const registerCollector: RegisterCollector = ({
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
threat_match: {
enabled: {
Expand Down Expand Up @@ -207,6 +235,13 @@ export const registerCollector: RegisterCollector = ({
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
new_terms: {
enabled: {
Expand Down Expand Up @@ -243,6 +278,13 @@ export const registerCollector: RegisterCollector = ({
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
elastic_total: {
enabled: { type: 'long', _meta: { description: 'Number of elastic rules enabled' } },
Expand Down Expand Up @@ -274,6 +316,13 @@ export const registerCollector: RegisterCollector = ({
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
custom_total: {
enabled: { type: 'long', _meta: { description: 'Number of custom rules enabled' } },
Expand Down Expand Up @@ -302,6 +351,13 @@ export const registerCollector: RegisterCollector = ({
type: 'long',
_meta: { description: 'Number of notifications enabled' },
},
legacy_investigation_fields: {
type: 'long',
_meta: {
description:
'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
},
},
},
},
detection_rule_detail: {
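Review bot: The same seven-line `legacy_investigation_fields` schema fragment is pasted into all eight rule-type entries of this collector (query, threshold, eql, machine_learning, threat_match, new_terms, elastic_total, custom_total), so the `_meta.description` and `type` can drift between copies the next time one of them is edited. Hoisting the fragment into one module-level constant keeps each per-type entry to a single line and makes the description a single source of truth. The description string itself is also easy to misread as "a type introduced only in 8.10" — given the commit message, something like `'Number of rules whose investigation_fields is still stored in the legacy array format (8.10 ESS)'` would state the intent more plainly, assuming that is the meaning. `registerCollector` begins and ends outside these hunks.
```typescript
// Shared schema for the per-rule-type counter of rules still on the
// legacy (array-shaped) investigation_fields format. `as const` keeps
// `type` as the literal 'long'; drop it if the schema type rejects readonly.
const legacyInvestigationFieldsSchema = {
  type: 'long',
  _meta: {
    description:
      'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS',
  },
} as const;
// … unchanged: rest of registerCollector …
// in each rule-type entry (query, threshold, eql, …):
legacy_investigation_fields: legacyInvestigationFieldsSchema,
```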
Expand Up @@ -99,6 +99,7 @@ describe('Detections Usage and Metrics', () => {
updated_on: '2021-03-23T17:15:59.634Z',
has_legacy_notification: false,
has_notification: false,
has_legacy_investigation_field: false,
},
],
detection_rule_usage: {
Expand All @@ -112,6 +113,7 @@ describe('Detections Usage and Metrics', () => {
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
elastic_total: {
alerts: 3400,
Expand All @@ -122,6 +124,7 @@ describe('Detections Usage and Metrics', () => {
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
},
},
Expand Down Expand Up @@ -163,6 +166,7 @@ describe('Detections Usage and Metrics', () => {
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
query: {
alerts: 800,
Expand All @@ -173,6 +177,7 @@ describe('Detections Usage and Metrics', () => {
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
},
},
Expand Down Expand Up @@ -217,6 +222,7 @@ describe('Detections Usage and Metrics', () => {
updated_on: '2021-03-23T17:15:59.634Z',
has_legacy_notification: false,
has_notification: false,
has_legacy_investigation_field: false,
},
],
detection_rule_usage: {
Expand All @@ -230,6 +236,7 @@ describe('Detections Usage and Metrics', () => {
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
query: {
alerts: 0,
Expand All @@ -240,6 +247,7 @@ describe('Detections Usage and Metrics', () => {
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
},
},
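Review bot: None of the visible fixture changes exercise the new counter with a non-zero value — every `has_legacy_investigation_field` added here is `false` and every `legacy_investigation_fields` is `0` — so, as far as this section shows, the code path that actually increments the count is never asserted. If the rest of this spec does not already cover it, add one case whose rule metric carries `has_legacy_investigation_field: true` and expect `legacy_investigation_fields: 1` in that rule's type bucket (and, presumably, in the matching `elastic_total` or `custom_total` bucket, since both carry the field in the collector schema). The `describe('Detections Usage and Metrics')` block starts before the first hunk and continues past the last one.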
Expand Up @@ -26,6 +26,7 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
threshold: {
enabled: 0,
Expand All @@ -36,6 +37,7 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
eql: {
enabled: 0,
Expand All @@ -46,6 +48,7 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
machine_learning: {
enabled: 0,
Expand All @@ -56,6 +59,7 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
threat_match: {
enabled: 0,
Expand All @@ -66,6 +70,7 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
new_terms: {
enabled: 0,
Expand All @@ -76,6 +81,7 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
elastic_total: {
enabled: 0,
Expand All @@ -86,6 +92,7 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
custom_total: {
enabled: 0,
Expand All @@ -96,6 +103,7 @@ export const getInitialRulesUsage = (): RulesTypeUsage => ({
legacy_notifications_disabled: 0,
notifications_enabled: 0,
notifications_disabled: 0,
legacy_investigation_fields: 0,
},
});

Expand Up @@ -55,6 +55,7 @@ export const getRuleObjectCorrelations = ({
cases_count_total: casesRuleIds.get(ruleId) || 0,
has_legacy_notification: hasLegacyNotification,
has_notification: hasNotification,
has_legacy_investigation_field: Array.isArray(attributes.params.investigationFields),
};
});
};
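Review bot: `Array.isArray(attributes.params.investigationFields)` also returns `true` for an empty array, so a rule saved with `investigationFields: []` is counted as a legacy-format user even though it carries nothing to migrate; if the metric is meant to size deprecation impact, consider `Array.isArray(attributes.params.investigationFields) && attributes.params.investigationFields.length > 0`, or state explicitly that empty arrays are meant to count. Either way the line needs a comment on why array-ness identifies the legacy shape, e.g. `// The legacy (8.10) format stored investigation_fields as an array; the current format is an object.` The enclosing map callback and `getRuleObjectCorrelations` begin before this hunk.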
Expand Up @@ -14,6 +14,7 @@ export interface FeatureTypeUsage {
legacy_notifications_disabled: number;
notifications_enabled: number;
notifications_disabled: number;
legacy_investigation_fields: number;
}

export interface RulesTypeUsage {
Expand Down Expand Up @@ -46,6 +47,7 @@ export interface RuleMetric {
cases_count_total: number;
has_legacy_notification: boolean;
has_notification: boolean;
has_legacy_investigation_field: boolean;
}

/**
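Review bot: The two new interface members are undocumented, and what "legacy" means here (an array-shaped `investigation_fields`, per the commit message) is not recoverable from the names alone. Add TSDoc above each: on `FeatureTypeUsage`, `/** Number of rules whose investigation_fields still uses the legacy array format. */`, and on `RuleMetric`, `/** True when this rule's investigation_fields is stored as an array (legacy format). */`. Both interface declarations begin before their hunks.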
