Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solutions] Updates usage collector telemetry to use PIT (Point in Time) and restructuring of folders #124912

Merged
merged 19 commits into from
Feb 15, 2022
Merged
Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -19,11 +19,11 @@ import { requestContextMock, serverMock, requestMock } from '../__mocks__';
import { performBulkActionRoute } from './perform_bulk_action_route';
import { getPerformBulkActionSchemaMock } from '../../../../../common/detection_engine/schemas/request/perform_bulk_action_schema.mock';
import { loggingSystemMock } from 'src/core/server/mocks';
import { isElasticRule } from '../../../../usage/detections';
import { isElasticRule } from '../../../../usage/queries/utils/is_elastic_rule';
import { readRules } from '../../rules/read_rules';

jest.mock('../../../machine_learning/authz', () => mockMlAuthzFactory.create());
jest.mock('../../../../usage/detections', () => ({ isElasticRule: jest.fn() }));
jest.mock('../../../../usage/queries/utils/is_elastic_rule', () => ({ isElasticRule: jest.fn() }));
jest.mock('../../rules/read_rules', () => ({ readRules: jest.fn() }));

describe.each([
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ import type { SecuritySolutionPluginRouter } from '../../../../types';
import { buildRouteValidation } from '../../../../utils/build_validation/route_validation';
import { routeLimitedConcurrencyTag } from '../../../../utils/route_limited_concurrency_tag';
import { initPromisePool } from '../../../../utils/promise_pool';
import { isElasticRule } from '../../../../usage/detections';
import { isElasticRule } from '../../../../usage/queries/utils/is_elastic_rule';
import { buildMlAuthz } from '../../../machine_learning/authz';
import { throwHttpError } from '../../../machine_learning/validation';
import { deleteRules } from '../../rules/delete_rules';
Expand Down
1 change: 1 addition & 0 deletions x-pack/plugins/security_solution/server/plugin.ts
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,7 @@ export class Plugin implements ISecuritySolutionPlugin {
signalsIndex: DEFAULT_ALERTS_INDEX,
ml: plugins.ml,
usageCollection: plugins.usageCollection,
logger,
});

this.telemetryUsageCounter = plugins.usageCollection?.createUsageCounter(APP_ID);
Expand Down
40 changes: 17 additions & 23 deletions x-pack/plugins/security_solution/server/usage/collector.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,38 +5,27 @@
* 2.0.
*/

import { CoreSetup, SavedObjectsClientContract } from '../../../../../src/core/server';
import { CollectorFetchContext } from '../../../../../src/plugins/usage_collection/server';
import { CollectorDependencies } from './types';
import { fetchDetectionsMetrics } from './detections';
import { SAVED_OBJECT_TYPES } from '../../../cases/common/constants';
// eslint-disable-next-line no-restricted-imports
import { legacyRuleActionsSavedObjectType } from '../lib/detection_engine/rule_actions/legacy_saved_object_mappings';
import type { CollectorFetchContext } from '../../../../../src/plugins/usage_collection/server';
import type { CollectorDependencies } from './types';
import { getDetectionsMetrics } from './detections/get_metrics';
import { getInternalSavedObjectsClient } from './get_internal_saved_objects_client';

export type RegisterCollector = (deps: CollectorDependencies) => void;

export interface UsageData {
detectionMetrics: {};
}

export async function getInternalSavedObjectsClient(core: CoreSetup) {
return core.getStartServices().then(async ([coreStart]) => {
// note: we include the "cases" and "alert" hidden types here otherwise we would not be able to query them. If at some point cases and alert is not considered a hidden type this can be removed
return coreStart.savedObjects.createInternalRepository([
'alert',
legacyRuleActionsSavedObjectType,
...SAVED_OBJECT_TYPES,
]);
});
}

export const registerCollector: RegisterCollector = ({
core,
kibanaIndex,
signalsIndex,
ml,
usageCollection,
logger,
}) => {
if (!usageCollection) {
logger.debug('Usage collection is undefined, therefore returning early without registering it');
return;
}

Expand Down Expand Up @@ -525,12 +514,17 @@ export const registerCollector: RegisterCollector = ({
},
isReady: () => true,
fetch: async ({ esClient }: CollectorFetchContext): Promise<UsageData> => {
const internalSavedObjectsClient = await getInternalSavedObjectsClient(core);
const soClient = internalSavedObjectsClient as unknown as SavedObjectsClientContract;

const savedObjectsClient = await getInternalSavedObjectsClient(core);
const detectionMetrics = await getDetectionsMetrics({
kibanaIndex,
signalsIndex,
esClient,
savedObjectsClient,
logger,
mlClient: ml,
});
return {
detectionMetrics:
(await fetchDetectionsMetrics(kibanaIndex, signalsIndex, esClient, soClient, ml)) || {},
detectionMetrics: detectionMetrics || {},
};
},
});
Expand Down
26 changes: 26 additions & 0 deletions x-pack/plugins/security_solution/server/usage/constants.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

/**
* We limit the max results window to prevent in-memory from blowing up when we do correlation.
* This is limiting us to 10,000 cases and 10,000 elastic detection rules to do telemetry and correlation
* and the choice was based on the initial "index.max_result_window" before this turned into a PIT (Point In Time)
* implementation.
*
* This number could be changed, and the implementation details of how we correlate could change as well (maybe)
* to avoid pulling 10,000 worth of cases and elastic rules into memory.
*
* However, for now, we are keeping this maximum as the original and the in-memory implementation
*/
export const MAX_RESULTS_WINDOW = 10_000;

/**
* We choose our max per page based on 1k as that
* appears to be what others are choosing here in the other sections of telemetry:
* https://github.com/elastic/kibana/pull/99031
FrankHassanabad marked this conversation as resolved.
Show resolved Hide resolved
*/
export const MAX_PER_PAGE = 1_000;

This file was deleted.

Loading