From 819cb485dcb51a4a68bf1b23a8d442e770c984c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ece=20=C3=96zalp?= Date: Tue, 2 Mar 2021 16:47:09 -0500 Subject: [PATCH] Add searchDuration to EQL and Threshold rules (#93149) Closes #82861. --- .../signals/signal_rule_alert_type.ts | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts index f81f4c5a2c537..45d3986a1c115 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts @@ -12,6 +12,7 @@ import isEmpty from 'lodash/isEmpty'; import { chain, tryCatch } from 'fp-ts/lib/TaskEither'; import { flow } from 'fp-ts/lib/function'; +import { performance } from 'perf_hooks'; import { toError, toPromise } from '../../../../common/fp_utils'; import { @@ -50,6 +51,7 @@ import { hasTimestampFields, hasReadIndexPrivileges, getRuleRangeTuples, + makeFloatString, } from './utils'; import { signalParamsSchema } from './signal_params_schema'; import { siemRuleActionGroups } from './siem_rule_action_groups'; @@ -402,7 +404,11 @@ export const signalRulesAlertType = ({ lists: exceptionItems ?? [], }); - const { searchResult: thresholdResults, searchErrors } = await findThresholdSignals({ + const { + searchResult: thresholdResults, + searchErrors, + searchDuration: thresholdSearchDuration, + } = await findThresholdSignals({ inputIndexPattern: inputIndex, from, to, @@ -457,6 +463,7 @@ export const signalRulesAlertType = ({ createdSignalsCount: createdItemsCount, createdSignals: createdItems, bulkCreateTimes: bulkCreateDuration ? [bulkCreateDuration] : [], + searchAfterTimes: [thresholdSearchDuration], }), ]); } else if (isThreatMatchRule(type)) { @@ -590,10 +597,14 @@ export const signalRulesAlertType = ({ exceptionItems ?? [], eventCategoryOverride ); + const eqlSignalSearchStart = performance.now(); const response: EqlSignalSearchResponse = await services.callCluster( 'transport.request', request ); + const eqlSignalSearchEnd = performance.now(); + const eqlSearchDuration = makeFloatString(eqlSignalSearchEnd - eqlSignalSearchStart); + result.searchAfterTimes = [eqlSearchDuration]; let newSignals: WrappedSignalHit[] | undefined; if (response.hits.sequences !== undefined) { newSignals = response.hits.sequences.reduce( @@ -634,7 +645,6 @@ export const signalRulesAlertType = ({ const fromInMs = parseScheduleDates(`now-${interval}`)?.format('x'); const toInMs = parseScheduleDates('now')?.format('x'); - const resultsLink = getNotificationResultsLink({ from: fromInMs, to: toInMs,