From ffc649ad5e3534c004a0f2f453c41240efb3bbe3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ece=20=C3=96zalp?=
Date: Tue, 2 Mar 2021 16:47:09 -0500
Subject: [PATCH] Add searchDuration to EQL and Threshold rules (#93149)

Closes #82861.
---
 .../signals/signal_rule_alert_type.ts | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
index 1fd0552569b2d..78dfa4bbf5780 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -11,6 +11,7 @@ import { Logger, KibanaRequest } from 'src/core/server';
 import isEmpty from 'lodash/isEmpty';
 import { chain, tryCatch } from 'fp-ts/lib/TaskEither';
 import { flow } from 'fp-ts/lib/function';
+import { performance } from 'perf_hooks';
 import { toError, toPromise } from '../../../../common/fp_utils';
@@ -52,6 +53,7 @@ import {
 checkPrivileges,
 hasTimestampFields,
 hasReadIndexPrivileges,
+ makeFloatString,
 } from './utils';
 import { signalParamsSchema } from './signal_params_schema';
 import { siemRuleActionGroups } from './siem_rule_action_groups';
@@ -409,7 +411,11 @@ export const signalRulesAlertType = ({
 lists: exceptionItems ?? [],
 });
- const { searchResult: thresholdResults, searchErrors } = await findThresholdSignals({
+ const {
+ searchResult: thresholdResults,
+ searchErrors,
+ searchDuration: thresholdSearchDuration,
+ } = await findThresholdSignals({
 inputIndexPattern: inputIndex,
 from,
 to,
@@ -464,6 +470,7 @@ export const signalRulesAlertType = ({
 createdSignalsCount: createdItemsCount,
 createdSignals: createdItems,
 bulkCreateTimes: bulkCreateDuration ? [bulkCreateDuration] : [],
+ searchAfterTimes: [thresholdSearchDuration],
 }),
 ]);
 } else if (isThreatMatchRule(type)) {
@@ -599,10 +606,14 @@ export const signalRulesAlertType = ({
 exceptionItems ?? [],
 eventCategoryOverride
 );
+ const eqlSignalSearchStart = performance.now();
 const response: EqlSignalSearchResponse = await services.callCluster(
 'transport.request',
 request
 );
+ const eqlSignalSearchEnd = performance.now();
+ const eqlSearchDuration = makeFloatString(eqlSignalSearchEnd - eqlSignalSearchStart);
+ result.searchAfterTimes = [eqlSearchDuration];
 let newSignals: WrappedSignalHit[] | undefined;
 if (response.hits.sequences !== undefined) {
 newSignals = response.hits.sequences.reduce(
@@ -643,7 +654,6 @@ export const signalRulesAlertType = ({
 const fromInMs = parseScheduleDates(`now-${interval}`)?.format('x');
 const toInMs = parseScheduleDates('now')?.format('x');
-
 const resultsLink = getNotificationResultsLink({
 from: fromInMs,
 to: toInMs,
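Review bot: `searchAfterTimes: [thresholdSearchDuration]` wraps the value unconditionally, while the line just above guards its counterpart with `bulkCreateTimes: bulkCreateDuration ? [bulkCreateDuration] : []`. If `findThresholdSignals` can hand back `searchDuration` as undefined (its signature and its error path are outside this patch), the execution metrics would carry an `undefined` entry where the bulk-create field would carry nothing; mirroring the existing guard, `searchAfterTimes: thresholdSearchDuration ? [thresholdSearchDuration] : [],`, keeps the two fields consistent. The enclosing threshold branch starts outside the hunk.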
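Review bot: `eqlSignalSearchEnd` and `result.searchAfterTimes` are only set after `services.callCluster` resolves, so a request that rejects (a timeout being the likely case) leaves no duration in the execution metrics, and that is precisely the execution an operator watching rule health would want timed. If the enclosing try/catch, which is outside the hunk, still reports `result` on failure, consider taking the end timestamp and assigning `result.searchAfterTimes` in a `finally` or in the error path so the slow-failure case is visible. The duration is also assigned rather than appended, which is correct here because the EQL branch issues a single request, but a comment such as `// single EQL request per execution, so replace rather than push` would make that intent explicit to whoever later adds a second request.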