[7.13][Telemetry] Detection Rule Adoption (elastic#95659)
* pushing initial experiments. * Add name, version tags. * Get alert count. * Include rule type. * Fetch cases count. * Get all data sources working together. * Stage work. * Add detection adoption metrics. * Add usage collector schema. * Add usage collector schema. * Update telemetry schema. * Use let instead of const * Fix spelling on array key. * Update telemetry schema. * Add unit tests. * Fix type. * Move types to index. * Bug fix * Update telemetry schema. * Pass in signals index. * Opps. Broke tests. * Update. * Fix types. * Reflect @FrankHassanabad feedback in PR. * Separate metric / usage telemetry code for complexity reduction. * Add first e2e jest test. * Add some additional tests for custom cases. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Showing
11 changed files
with
1,553 additions
and
130 deletions.
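--- a/x-pack/plugins/security_solution/server/usage/detections/dectections_metrics_helpers.test.ts
+++ b/x-pack/plugins/security_solution/server/usage/detections/dectections_metrics_helpers.test.ts
@@ -0,0 +1,147 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { initialDetectionRulesUsage, updateDetectionRuleUsage } from './detections_metrics_helpers';
+import { DetectionRuleMetric, DetectionRulesTypeUsage } from './index';
+import { v4 as uuid } from 'uuid';
+
+const createStubRule = (
+ruleType: string,
+enabled: boolean,
+elasticRule: boolean,
+alertCount: number,
+caseCount: number
+): DetectionRuleMetric => ({
+rule_name: uuid(),
+rule_id: uuid(),
+rule_type: ruleType,
+enabled,
+elastic_rule: elasticRule,
+created_on: uuid(),
+updated_on: uuid(),
+alert_count_daily: alertCount,
+cases_count_daily: caseCount,
+});
+
+describe('Detections Usage and Metrics', () => {
+describe('Update metrics with rule information', () => {
+it('Should update elastic and eql rule metric total', async () => {
+const initialUsage: DetectionRulesTypeUsage = initialDetectionRulesUsage;
+const stubRule = createStubRule('eql', true, true, 1, 1);
+const usage = updateDetectionRuleUsage(stubRule, initialUsage);
+
+expect(usage).toEqual(
+expect.objectContaining({
+custom_total: {
+alerts: 0,
+cases: 0,
+disabled: 0,
+enabled: 0,
+},
+elastic_total: {
+alerts: 1,
+cases: 1,
+disabled: 0,
+enabled: 1,
+},
+eql: {
+alerts: 1,
+cases: 1,
+disabled: 0,
+enabled: 1,
+},
+machine_learning: {
+alerts: 0,
+cases: 0,
+disabled: 0,
+enabled: 0,
+},
+query: {
+alerts: 0,
+cases: 0,
+disabled: 0,
+enabled: 0,
+},
+threat_match: {
+alerts: 0,
+cases: 0,
+disabled: 0,
+enabled: 0,
+},
+threshold: {
+alerts: 0,
+cases: 0,
+disabled: 0,
+enabled: 0,
+},
+})
+);
+});
+
+it('Should update based on multiple metrics', async () => {
+const initialUsage: DetectionRulesTypeUsage = initialDetectionRulesUsage;
+const stubEqlRule = createStubRule('eql', true, true, 1, 1);
+const stubQueryRuleOne = createStubRule('query', true, true, 5, 2);
+const stubQueryRuleTwo = createStubRule('query', true, false, 5, 2);
+const stubMachineLearningOne = createStubRule('machine_learning', false, false, 0, 10);
+const stubMachineLearningTwo = createStubRule('machine_learning', true, true, 22, 44);
+
+let usage = updateDetectionRuleUsage(stubEqlRule, initialUsage);
+usage = updateDetectionRuleUsage(stubQueryRuleOne, usage);
+usage = updateDetectionRuleUsage(stubQueryRuleTwo, usage);
+usage = updateDetectionRuleUsage(stubMachineLearningOne, usage);
+usage = updateDetectionRuleUsage(stubMachineLearningTwo, usage);
+
+expect(usage).toEqual(
+expect.objectContaining({
+custom_total: {
+alerts: 5,
+cases: 12,
+disabled: 1,
+enabled: 1,
+},
+elastic_total: {
+alerts: 28,
+cases: 47,
+disabled: 0,
+enabled: 3,
+},
+eql: {
+alerts: 1,
+cases: 1,
+disabled: 0,
+enabled: 1,
+},
+machine_learning: {
+alerts: 22,
+cases: 54,
+disabled: 1,
+enabled: 1,
+},
+query: {
+alerts: 10,
+cases: 4,
+disabled: 0,
+enabled: 2,
+},
+threat_match: {
+alerts: 0,
+cases: 0,
+disabled: 0,
+enabled: 0,
+},
+threshold: {
+alerts: 0,
+cases: 0,
+disabled: 0,
+enabled: 0,
+},
+})
+);
+});
+});
+});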
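Review bot: The new test file is named `dectections_metrics_helpers.test.ts` while its first import reads `from './detections_metrics_helpers'`, so the file name is misspelled relative to the module it covers; renaming it to `detections_metrics_helpers.test.ts` keeps it discoverable next to its subject. Both `it` callbacks are declared `async` but contain no `await`, so `async` can be dropped from `it('Should update elastic and eql rule metric total', () => {` and the second case. Both cases also start from the shared module-level `initialDetectionRulesUsage`, and the second case's expected counts only hold if `updateDetectionRuleUsage` never mutates the object it is given; that invariant is relied on but not stated, so a short assertion that compares `initialDetectionRulesUsage` against a deep copy taken before the calls would document it for the next maintainer. Finally, `expect.objectContaining` tolerates extra keys in the result, so a new rule type added to the usage shape would not be noticed here; if the full set of keys is part of the telemetry contract, a plain `toEqual` on the literal is the stricter check.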
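--- a/x-pack/plugins/security_solution/server/usage/detections/detection_telemetry_helpers.ts
+++ b/x-pack/plugins/security_solution/server/usage/detections/detection_telemetry_helpers.ts
@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { INTERNAL_IMMUTABLE_KEY } from '../../../common/constants';
+
+export const isElasticRule = (tags: string[] = []) =>
+tags.includes(`${INTERNAL_IMMUTABLE_KEY}:true`);
+
+interface RuleSearchBody {
+query: {
+bool: {
+filter: {
+term: { [key: string]: string };
+};
+};
+};
+}
+
+export interface RuleSearchParams {
+body: RuleSearchBody;
+filterPath: string[];
+ignoreUnavailable: boolean;
+index: string;
+size: number;
+}
+
+export interface RuleSearchResult {
+alert: {
+name: string;
+enabled: boolean;
+tags: string[];
+createdAt: string;
+updatedAt: string;
+params: DetectionRuleParms;
+};
+}
+
+interface DetectionRuleParms {
+ruleId: string;
+version: string;
+type: string;
+}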
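Review bot: `DetectionRuleParms` is referenced from the exported `RuleSearchResult` (the `params: DetectionRuleParms;` line) but is itself not exported, so consumers of `RuleSearchResult` cannot name the params type on their own, and the identifier is spelled `Parms` where the rest of the file uses `Params` (`RuleSearchParams`); `export interface DetectionRuleParams {` with the reference updated to match fixes both. The exported `isElasticRule` has no declared return type; `export const isElasticRule = (tags: string[] = []): boolean =>` makes the contract explicit and lets the compiler check the body against it. The `term: { [key: string]: string }` index signature in `RuleSearchBody` admits any field name; if the adoption query only ever filters on one fixed field, a literal key type would document which field is used, though the callers are outside this hunk so that is a guess. A one-line TSDoc on `isElasticRule` saying it recognises prebuilt rules by the `INTERNAL_IMMUTABLE_KEY:true` tag would also help, since the tag convention is otherwise only visible in the template string.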