record last run.

x-pack/plugins/security_solution/server/lib/telemetry/sender.ts

@@ -101,7 +101,7 @@ export class TelemetryEventsSender {
     }
   }
 
-  public async fetchDiagnosticAlerts() {
+  public async fetchDiagnosticAlerts(executeFrom: string, executeTo: string) {
     const query = {
       expand_wildcards: 'open,hidden',
       index: 'logs-endpoint.diagnostic.collection-default*',
@@ -111,15 +111,15 @@ export class TelemetryEventsSender {
         query: {
           range: {
             'event.ingested': {
-              gte: 'now-5m',
-              lt: 'now',
+              gte: executeFrom,
+              lt: executeTo,
             },
           },
         },
         sort: [
           {
             'event.ingested': {
-              order: 'asc',
+              order: 'desc',
             },
           },
         ],

x-pack/plugins/security_solution/server/lib/telemetry/task.test.ts

@@ -3,6 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+import { moment } from 'moment';
 import { loggingSystemMock } from 'src/core/server/mocks';
 
 import { taskManagerMock } from '../../../../task_manager/server/mocks';
@@ -101,4 +102,48 @@ describe('test', () => {
     await taskRunner.run();
     expect(mockSender.fetchDiagnosticAlerts).not.toHaveBeenCalled();
   });
+
+  test('test -5 mins is returned when there is no previous task run', async () => {
+    const telemetryDiagTask = new TelemetryDiagTask(
+      logger,
+      taskManagerMock.createSetup(),
+      createMockTelemetryEventsSender(true)
+    );
+
+    const executeTo = moment().utc().toISOString();
+    const executeFrom = undefined;
+    const newExecuteFrom = telemetryDiagTask.getLastExecutionTimestamp(executeTo, executeFrom);
+
+    expect(newExecuteFrom).toEqual(moment(executeTo).subtract(5, 'minutes'));
+  });
+
+  test('test -6 mins is returned when there was a previous task run', async () => {
+    const telemetryDiagTask = new TelemetryDiagTask(
+      logger,
+      taskManagerMock.createSetup(),
+      createMockTelemetryEventsSender(true)
+    );
+
+    const executeTo = moment().utc().toISOString();
+    const executeFrom = moment(executeTo).subtract(6, 'minutes');
+    const newExecuteFrom = telemetryDiagTask.getLastExecutionTimestamp(executeTo, executeFrom);
+
+    expect(newExecuteFrom).toEqual(executeFrom);
+  });
+
+  // it's possible if Kibana is down for a prolonged period the stored lastRun would have drifted
+  // if that is the case we will just roll it back to a 10 min search window
+  test('test 10 mins is returned when previous task run took longer than 10 minutes', async () => {
+    const telemetryDiagTask = new TelemetryDiagTask(
+      logger,
+      taskManagerMock.createSetup(),
+      createMockTelemetryEventsSender(true)
+    );
+
+    const executeTo = moment().utc().toISOString();
+    const executeFrom = moment(executeTo).subtract(142, 'minutes');
+    const newExecuteFrom = telemetryDiagTask.getLastExecutionTimestamp(executeTo, executeFrom);
+
+    expect(newExecuteFrom).toEqual(moment(executeTo).subtract(10, 'minutes'));
+  });
 });

x-pack/plugins/security_solution/server/lib/telemetry/task.ts

@@ -3,6 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
+import moment from 'moment';
 import { Logger } from 'src/core/server';
 import {
   ConcreteTaskInstance,
@@ -37,7 +38,18 @@ export class TelemetryDiagTask {
         createTaskRunner: ({ taskInstance }: { taskInstance: ConcreteTaskInstance }) => {
           return {
             run: async () => {
-              await this.runTask(taskInstance.id);
+              const executeTo = moment().utc().toISOString();
+              const executeFrom = this.getLastExecutionTimestamp(
+                executeTo,
+                taskInstance.state?.lastExecutionTimestamp
+              );
+              await this.runTask(taskInstance.id, executeFrom, executeTo);
+
+              return {
+                state: {
+                  lastExecutionTimestamp: executeTo,
+                },
+              };
             },
             cancel: async () => {},
           };
@@ -46,6 +58,20 @@ export class TelemetryDiagTask {
     });
   }
 
+  public getLastExecutionTimestamp(executeTo: string, lastExecutionTimestamp?: string) {
+    if (lastExecutionTimestamp === undefined) {
+      this.logger.debug(`No last execution timestamp defined`);
+      return moment(executeTo).subtract(5, 'minutes').toISOString();
+    }
+
+    if (moment(lastExecutionTimestamp).diff(executeTo) >= 10) {
+      this.logger.debug(`last execution timestamp was greater than 10 minutes`);
+      return moment(executeTo).subtract(10, 'minutes').toISOString();
+    }
+
+    return lastExecutionTimestamp;
+  }
+
   public start = async (taskManager: TaskManagerStartContract) => {
     try {
       await taskManager.ensureScheduled({
@@ -67,7 +93,7 @@ export class TelemetryDiagTask {
     return `${TelemetryDiagTaskConstants.TYPE}:${TelemetryDiagTaskConstants.VERSION}`;
   };
 
-  public runTask = async (taskId: string) => {
+  public runTask = async (taskId: string, searchFrom: string, searchTo: string) => {
     this.logger.debug(`Running task ${taskId}`);
     if (taskId !== this.getTaskId()) {
       this.logger.debug(`Outdated task running: ${taskId}`);
@@ -80,7 +106,7 @@ export class TelemetryDiagTask {
       return;
     }
 
-    const response = await this.sender.fetchDiagnosticAlerts();
+    const response = await this.sender.fetchDiagnosticAlerts(searchFrom, searchTo);
 
     const hits = response.hits?.hits || [];
     if (!Array.isArray(hits) || !hits.length) {