[8.x] [Security Solution][Detection Engine] adds EBT telemetry for ru…

…le preview (elastic#194326) (elastic#195710)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Detection Engine] adds EBT telemetry for rule
preview (elastic#194326)](elastic#194326)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Vitalii
Dmyterko","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-10T08:06:33Z","message":"[Security
Solution][Detection Engine] adds EBT telemetry for rule preview
(elastic#194326)\n\n## Summary\r\n\r\n - adds basic EBT telemetry for rule
preview\r\n\r\n### To test \r\n\r\nUse Discover Data View in staging to
see reported
events:\r\nhttps://telemetry-v2-staging.elastic.dev/s/securitysolution/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-28h,to:now))&_a=(columns:!(properties.ruleType,properties.loggedRequestsEnabled),filters:!(),index:security-solution-ebt-kibana-browser,interval:auto,query:(language:kuery,query:'event_type%20:%20%22Preview%20rule%22'),sort:!(!(timestamp,desc)))\r\n\r\nNote,
there is a few hours delay from event reported locally to be\r\nstored
on staging
host","sha":"f687ce2ba34a500522907b76add4327c16ad1bec","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:
SecuritySolution","backport:prev-minor","Team:Detection Engine","8.16
candidate"],"title":"[Security Solution][Detection Engine] adds EBT
telemetry for rule
preview","number":194326,"url":"https://github.com/elastic/kibana/pull/194326","mergeCommit":{"message":"[Security
Solution][Detection Engine] adds EBT telemetry for rule preview
(elastic#194326)\n\n## Summary\r\n\r\n - adds basic EBT telemetry for rule
preview\r\n\r\n### To test \r\n\r\nUse Discover Data View in staging to
see reported
events:\r\nhttps://telemetry-v2-staging.elastic.dev/s/securitysolution/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-28h,to:now))&_a=(columns:!(properties.ruleType,properties.loggedRequestsEnabled),filters:!(),index:security-solution-ebt-kibana-browser,interval:auto,query:(language:kuery,query:'event_type%20:%20%22Preview%20rule%22'),sort:!(!(timestamp,desc)))\r\n\r\nNote,
there is a few hours delay from event reported locally to be\r\nstored
on staging
host","sha":"f687ce2ba34a500522907b76add4327c16ad1bec"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194326","number":194326,"mergeCommit":{"message":"[Security
Solution][Detection Engine] adds EBT telemetry for rule preview
(elastic#194326)\n\n## Summary\r\n\r\n - adds basic EBT telemetry for rule
preview\r\n\r\n### To test \r\n\r\nUse Discover Data View in staging to
see reported
events:\r\nhttps://telemetry-v2-staging.elastic.dev/s/securitysolution/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-28h,to:now))&_a=(columns:!(properties.ruleType,properties.loggedRequestsEnabled),filters:!(),index:security-solution-ebt-kibana-browser,interval:auto,query:(language:kuery,query:'event_type%20:%20%22Preview%20rule%22'),sort:!(!(timestamp,desc)))\r\n\r\nNote,
there is a few hours delay from event reported locally to be\r\nstored
on staging host","sha":"f687ce2ba34a500522907b76add4327c16ad1bec"}}]}]
BACKPORT-->

Co-authored-by: Vitalii Dmyterko <[email protected]>

x-pack/plugins/security_solution/public/common/lib/telemetry/constants.ts

@@ -86,6 +86,7 @@ export enum TelemetryEventTypes {
   EventLogShowSourceEventDateRange = 'Event Log -> Show Source -> Event Date Range',
   OpenNoteInExpandableFlyoutClicked = 'Open Note In Expandable Flyout Clicked',
   AddNoteFromExpandableFlyoutClicked = 'Add Note From Expandable Flyout Clicked',
+  PreviewRule = 'Preview rule',
 }
 
 export enum ML_JOB_TELEMETRY_STATUS {

x-pack/plugins/security_solution/public/common/lib/telemetry/events/preview_rule/index.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { TelemetryEvent } from '../../types';
+import { TelemetryEventTypes } from '../../constants';
+
+export const previewRuleEvent: TelemetryEvent = {
+  eventType: TelemetryEventTypes.PreviewRule,
+  schema: {
+    ruleType: {
+      type: 'keyword',
+      _meta: {
+        description: 'Rule type',
+        optional: false,
+      },
+    },
+    loggedRequestsEnabled: {
+      type: 'boolean',
+      _meta: {
+        description: 'shows if preview executed with enabled logged requests',
+        optional: false,
+      },
+    },
+  },
+};

x-pack/plugins/security_solution/public/common/lib/telemetry/events/preview_rule/types.ts

@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { Type } from '@kbn/securitysolution-io-ts-alerting-types';
+
+import type { RootSchema } from '@kbn/core/public';
+import type { TelemetryEventTypes } from '../../constants';
+
+export interface PreviewRuleParams {
+  ruleType: Type;
+  loggedRequestsEnabled: boolean;
+}
+
+export interface PreviewRuleTelemetryEvent {
+  eventType: TelemetryEventTypes.PreviewRule;
+  schema: RootSchema<PreviewRuleParams>;
+}

x-pack/plugins/security_solution/public/common/lib/telemetry/events/telemetry_events.ts

@@ -48,6 +48,7 @@ import {
   addNoteFromExpandableFlyoutClickedEvent,
   openNoteInExpandableFlyoutClickedEvent,
 } from './notes';
+import { previewRuleEvent } from './preview_rule';
 
 const mlJobUpdateEvent: TelemetryEvent = {
   eventType: TelemetryEventTypes.MLJobUpdate,
@@ -192,4 +193,5 @@ export const telemetryEvents = [
   eventLogShowSourceEventDateRangeEvent,
   openNoteInExpandableFlyoutClickedEvent,
   addNoteFromExpandableFlyoutClickedEvent,
+  previewRuleEvent,
 ];

x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.mock.ts

@@ -42,4 +42,5 @@ export const createTelemetryClientMock = (): jest.Mocked<TelemetryClientStart> =
   reportManualRuleRunOpenModal: jest.fn(),
   reportOpenNoteInExpandableFlyoutClicked: jest.fn(),
   reportAddNoteFromExpandableFlyoutClicked: jest.fn(),
+  reportPreviewRule: jest.fn(),
 });

x-pack/plugins/security_solution/public/common/lib/telemetry/telemetry_client.ts

@@ -44,6 +44,7 @@ import type {
   ReportManualRuleRunOpenModalParams,
   ReportEventLogShowSourceEventDateRangeParams,
   ReportEventLogFilterByRunTypeParams,
+  PreviewRuleParams,
 } from './types';
 import { TelemetryEventTypes } from './constants';
 
@@ -211,4 +212,8 @@ export class TelemetryClient implements TelemetryClientStart {
   ) => {
     this.analytics.reportEvent(TelemetryEventTypes.AddNoteFromExpandableFlyoutClicked, params);
   };
+
+  public reportPreviewRule = (params: PreviewRuleParams) => {
+    this.analytics.reportEvent(TelemetryEventTypes.PreviewRule, params);
+  };
 }

x-pack/plugins/security_solution/public/common/lib/telemetry/types.ts

@@ -72,6 +72,7 @@ import type {
   NotesTelemetryEvents,
   OpenNoteInExpandableFlyoutClickedParams,
 } from './events/notes/types';
+import type { PreviewRuleParams, PreviewRuleTelemetryEvent } from './events/preview_rule/types';
 
 export * from './events/ai_assistant/types';
 export * from './events/alerts_grouping/types';
@@ -91,6 +92,7 @@ export type {
 export * from './events/document_details/types';
 export * from './events/manual_rule_run/types';
 export * from './events/event_log/types';
+export * from './events/preview_rule/types';
 
 export interface TelemetryServiceSetupParams {
   analytics: AnalyticsServiceSetup;
@@ -136,6 +138,7 @@ export type TelemetryEventParams =
   | OnboardingHubStepLinkClickedParams
   | ReportManualRuleRunTelemetryEventParams
   | ReportEventLogTelemetryEventParams
+  | PreviewRuleParams
   | NotesTelemetryEventParams;
 
 export interface TelemetryClientStart {
@@ -194,6 +197,9 @@ export interface TelemetryClientStart {
   // new notes
   reportOpenNoteInExpandableFlyoutClicked(params: OpenNoteInExpandableFlyoutClickedParams): void;
   reportAddNoteFromExpandableFlyoutClicked(params: AddNoteFromExpandableFlyoutClickedParams): void;
+
+  // preview rule
+  reportPreviewRule(params: PreviewRuleParams): void;
 }
 
 export type TelemetryEvent =
@@ -221,4 +227,5 @@ export type TelemetryEvent =
   | OnboardingHubTelemetryEvent
   | ManualRuleRunTelemetryEvent
   | EventLogTelemetryEvent
+  | PreviewRuleTelemetryEvent
   | NotesTelemetryEvents;

x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/rule_preview/use_preview_rule.ts

@@ -12,7 +12,7 @@ import type {
   RuleCreateProps,
   RulePreviewResponse,
 } from '../../../../../common/api/detection_engine';
-
+import { useKibana } from '../../../../common/lib/kibana';
 import { previewRule } from '../../../rule_management/api/api';
 import { transformOutput } from '../../../../detections/containers/detection_engine/rules/transforms';
 import type { TimeframePreviewOptions } from '../../../../detections/pages/detection_engine/rules/types';
@@ -37,6 +37,7 @@ export const usePreviewRule = ({
   const [isLoading, setIsLoading] = useState(false);
   const { addError } = useAppToasts();
   const { invocationCount, interval, from } = usePreviewInvocationCount({ timeframeOptions });
+  const { telemetry } = useKibana().services;
 
   const timeframeEnd = useMemo(
     () => timeframeOptions.timeframeEnd.toISOString(),
@@ -57,6 +58,10 @@ export const usePreviewRule = ({
     const createPreviewId = async () => {
       if (rule != null) {
         try {
+          telemetry.reportPreviewRule({
+            loggedRequestsEnabled: enableLoggedRequests ?? false,
+            ruleType: rule.type,
+          });
           setIsLoading(true);
           const previewRuleResponse = await previewRule({
             rule: {
@@ -90,7 +95,16 @@ export const usePreviewRule = ({
       isSubscribed = false;
       abortCtrl.abort();
     };
-  }, [rule, addError, invocationCount, from, interval, timeframeEnd, enableLoggedRequests]);
+  }, [
+    rule,
+    addError,
+    invocationCount,
+    from,
+    interval,
+    timeframeEnd,
+    enableLoggedRequests,
+    telemetry,
+  ]);
 
   return { isLoading, response, rule, setRule };
 };