[Security Solution] Collect usage statistics for prebuilt rule customization

[xcrzx]

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #174168

Summary

As part of the prebuilt rule customization epic, we need to implement custom telemetry data collection to get essential insights into the usage of the feature.

We want to collect the following data:

• Breakdown of a number of Elastic prebuilt rules ("stock"), Elastic custom rules (prebuilt rules with customizations), and fully custom rules (user-defined) per cluster. We can use snapshot telemetry here with daily granularity.

• Breakdown of which fields are being customized. Send a telemetry event once users save a rule with all customized fields and the rule information: rule_id, type, version.

  • Including bulk actions

• Number of field conflicts for customised Elastic rules with updates, break down by with/without prepopulated final version. Event based, collect this information inside the perform upgrade API. For every customized field, collect the selected version (base, target, merged, resolved) and conflict.

• Check if rule names or other sensitive info is gathered by snapshot telementry and remove

Future improvements:

• Collect information on used bulk upgrade options, like upgrade all rules without conflicts

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[banderror]

Once we have some draft implementation of prebuilt rule customization (likely hidden behind a feature flag) we will need more details on telemetry to be collected.