
[Cloud Security] [Alerts] Add telemetry #162361

Closed
6 tasks
opauloh opened this issue Jul 20, 2023 · 9 comments · Fixed by #163907
Assignees
Labels
8.10 candidate Feature:Cloud-Security Cloud Security related features Team:Cloud Security Cloud Security team related verified

Comments

@opauloh
Contributor

opauloh commented Jul 20, 2023

Motivation

We wish to collect the following metrics for the alerts and rules feature.

Important to note that for 8.10 we are only collecting rule telemetry for rules that generated alerts.

Definition of done

  • Count of CSPM rules
  • Count of KSPM rules
  • Count of CNVM rules

Secondary objective:

  • Count of CSPM alerts
  • Count of KSPM alerts
  • Count of CNVM alerts

Out of scope

  • Create a new dashboard in Looker
  • Create silver and golds tables
  • Revenue/Cost estimations of index size of alerts and rules

Related tasks/epics

@opauloh opauloh self-assigned this Jul 20, 2023
@opauloh opauloh added the Team:Cloud Security Cloud Security team related label Jul 20, 2023
@elasticmachine
Contributor

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

@kfirpeled kfirpeled added the Feature:Cloud-Security Cloud Security related features label Jul 24, 2023
@tehilashn

@opauloh - I recommend consulting with the security analyst team and asking what telemetry data they have.

@opauloh
Contributor Author

opauloh commented Aug 11, 2023

> @opauloh - I recommend consulting with the security analyst team and asking what telemetry data they have.

Hi @tehilashn, I confirmed with the sec-inteligent-service team that the rules/alert telemetry data is only collected from the Elastic prebuilt rules, meaning the rules created from the findings won't be collected as part of the existing telemetry, since they count as created by the user.

This means we will need to add the detection rules stats to our cloud security collector filtering rules by the tags.

@maxcold
Contributor

maxcold commented Aug 24, 2023

I started testing telemetry, but for some reason https://maxcold-8-10-v2-qa-o7w-8-10-0.kb.us-west2.gcp.elastic-cloud.com:9243/internal/telemetry/clusters/_stats doesn't return cloud_security_posture in the response. @CohenIdo also confirmed that he is not getting the csp stats either on that instance. This is the instance where I tested the alert and rule creation, so it might be related. I will open a bug on that.

@maxcold
Contributor

maxcold commented Aug 24, 2023

Created a bug ticket https://github.com/elastic/security-team/issues/7411, reopening in case those are related. cc @opauloh

@maxcold maxcold reopened this Aug 24, 2023
@CohenIdo
Contributor

Thanks for the quick fix in issue #7411, @opauloh.

Can you clarify why we are only collecting data for rules that generate alerts? Is there a task to follow up and collect data on alerting rules that did not generate any alerts?

@kfirpeled
Contributor

Closing this issue - fixed in #164757

@opauloh
Contributor Author

opauloh commented Aug 28, 2023

> Thanks for the quick fix in issue #7411, @opauloh.
>
> Can you clarify why we are only collecting data for rules that generate alerts? Is there a task to follow up and collect data on alerting rules that did not generate any alerts?

Hey @CohenIdo, since we’re getting rules data from the Kibana Rules API, and telemetry runs on the server side, it is unable to fetch the Kibana API from the Kibana server itself, and detection rules are stored as saved objects, meaning that the complexity to achieve this has increased beyond the scope for 8.10.

So, currently, we are getting the number of rules using the alert's index, which is also how the detection engine team collects rule data, but that only works for rules that have generated alerts.

I created a follow-up ticket in case we decide to prioritize the collection for rules without alerts.
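The two comments above (filtering rules by their tags, and deriving rule counts from the alerts index because the collector cannot call the Kibana Rules API from the server) describe one counting approach. The following is an added example written for this page, not code from the Kibana repository or from the PR that fixed this issue. It assumes the alert documents carry `kibana.alert.rule.uuid` and `kibana.alert.rule.tags`, that cloud security rules are tagged `CSPM`, `KSPM` or `CNVM`, and that the alerts live under the `.alerts-security.alerts-*` index pattern; the sample alerts are constructed. It also shows the limitation the comment names: a rule that never fired has no alert document, so it is invisible to this count.

```typescript
// Added example, not Kibana's own code. Counts cloud security rules and alerts
// from alert documents, bucketed by rule tag. Field names, index pattern and
// the CSPM/KSPM/CNVM tag values are assumptions for this example.

const POSTURE_TYPES = ['CSPM', 'KSPM', 'CNVM'] as const;
type PostureType = (typeof POSTURE_TYPES)[number];

interface AlertDoc {
  '@timestamp': string;
  'kibana.alert.rule.uuid': string;
  'kibana.alert.rule.tags': string[];
}

interface PostureStats {
  rules_count: number; // distinct rules that produced at least one alert
  alerts_count: number; // alert documents carrying the posture tag
}

type CloudSecurityAlertStats = Record<PostureType, PostureStats>;

function emptyStats(): CloudSecurityAlertStats {
  return {
    CSPM: { rules_count: 0, alerts_count: 0 },
    KSPM: { rules_count: 0, alerts_count: 0 },
    CNVM: { rules_count: 0, alerts_count: 0 },
  };
}

// In-memory equivalent of the aggregation below: one pass over alert docs,
// alerts counted per posture tag, rules deduplicated by rule uuid.
function countRulesAndAlerts(alerts: AlertDoc[]): CloudSecurityAlertStats {
  const stats = emptyStats();
  const seenRules: Record<PostureType, Set<string>> = {
    CSPM: new Set<string>(),
    KSPM: new Set<string>(),
    CNVM: new Set<string>(),
  };
  for (const doc of alerts) {
    for (const type of POSTURE_TYPES) {
      if (!doc['kibana.alert.rule.tags'].includes(type)) continue;
      stats[type].alerts_count += 1;
      seenRules[type].add(doc['kibana.alert.rule.uuid']);
    }
  }
  for (const type of POSTURE_TYPES) {
    stats[type].rules_count = seenRules[type].size;
  }
  return stats;
}

// Elasticsearch request body that computes the same numbers server side:
// each bucket's doc_count is the alerts count, the cardinality sub-aggregation
// is the distinct rule count. cardinality is approximate for very large
// numbers of distinct values, which is acceptable for a telemetry counter.
function buildAlertsStatsRequest(index: string = '.alerts-security.alerts-*') {
  return {
    index,
    size: 0,
    query: {
      bool: { filter: [{ terms: { 'kibana.alert.rule.tags': [...POSTURE_TYPES] } }] },
    },
    aggs: {
      by_posture_type: {
        terms: { field: 'kibana.alert.rule.tags', include: [...POSTURE_TYPES] },
        aggs: { rules_count: { cardinality: { field: 'kibana.alert.rule.uuid' } } },
      },
    },
  };
}

function makeAlert(ruleUuid: string, tags: string[]): AlertDoc {
  return {
    '@timestamp': '2023-09-05T16:24:35Z',
    'kibana.alert.rule.uuid': ruleUuid,
    'kibana.alert.rule.tags': tags,
  };
}

// Constructed sample alerts (not real data). A rule that generated no alert has
// no document here and therefore is never counted; that is the gap the
// follow-up ticket above is about.
const SAMPLE_ALERTS: AlertDoc[] = [
  makeAlert('rule-cspm-1', ['Cloud Security', 'CSPM']),
  makeAlert('rule-cspm-1', ['Cloud Security', 'CSPM']),
  makeAlert('rule-cspm-1', ['Cloud Security', 'CSPM']),
  makeAlert('rule-cspm-2', ['Cloud Security', 'CSPM']),
  makeAlert('rule-kspm-1', ['Cloud Security', 'KSPM']),
  makeAlert('rule-kspm-1', ['Cloud Security', 'KSPM']),
  makeAlert('rule-other', ['Custom']), // not a cloud security rule, ignored
];

console.log(JSON.stringify(countRulesAndAlerts(SAMPLE_ALERTS)));
```

Running it prints CSPM with 2 rules and 4 alerts, KSPM with 1 rule and 2 alerts, and CNVM with zeros. The same shape comes back from the aggregation request when run against a real alerts index: `buckets[].doc_count` for alerts and `buckets[].rules_count.value` for rules.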

@orouz
Contributor

orouz commented Sep 5, 2023

kibana version: 8.10.0 (56348fa0ed0719679e24d6c58dc3dbee03928c4e)


component                  result
CNVM rules+alerts count    verified (screenshot taken 2023-09-05 16:24:35, image not included)
KSPM rules+alerts count    verified (screenshot taken 2023-09-05 16:09:36, image not included)
CSPM rules+alerts count    verified (screenshot taken 2023-09-05 17:34:48, image not included)

@orouz orouz added the verified label Sep 5, 2023

7 participants