From 81e20bedc6afeb1e58ac4eea5dc85fac12365f90 Mon Sep 17 00:00:00 2001
From: Keerthy
Date: Fri, 27 Oct 2023 12:35:01 -0400
Subject: [PATCH 1/9] Adding Usage Telemetry for Detection Rules & Secuirty Lists Tasks

---
 .../server/lib/telemetry/sender.ts            |  2 +-
 .../lib/telemetry/tasks/detection_rule.ts     | 25 ++++++++++++--
 .../lib/telemetry/tasks/security_lists.ts     | 34 ++++++++++++++++---
 3 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
index 848f66c3aaf0a..66034677820b7 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -27,7 +27,7 @@ import type { SecurityTelemetryTaskConfig } from './task';
 import { SecurityTelemetryTask } from './task';
 import { telemetryConfiguration } from './configuration';
 
-const usageLabelPrefix: string[] = ['security_telemetry', 'sender'];
+export const usageLabelPrefix: string[] = ['security_telemetry', 'sender'];
 
 export interface ITelemetryEventsSender {
   setup(
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
index 4562cbb725cb4..6ebf9424bdb80 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
@@ -11,7 +11,14 @@ import {
   TELEMETRY_CHANNEL_LISTS,
   TASK_METRICS_CHANNEL,
 } from '../constants';
-import { batchTelemetryRecords, templateExceptionList, tlog, createTaskMetric } from '../helpers';
+import {
+  batchTelemetryRecords,
+  templateExceptionList,
+  tlog,
+  createTaskMetric,
+  createUsageCounterLabel,
+} from '../helpers';
+import { usageLabelPrefix } from '../sender';
 import type { ITelemetryEventsSender } from '../sender';
 import type { ITelemetryReceiver } from '../receiver';
 import type { ExceptionListItem, ESClusterInfo, ESLicense, RuleSearchResult } from '../types';
@@ -21,7 +28,7 @@ export function createTelemetryDetectionRuleListsTaskConfig(maxTelemetryBatch: n
   return {
     type: 'security:telemetry-detection-rules',
     title: 'Security Solution Detection Rule Lists Telemetry',
-    interval: '24h',
+    interval: '2m',
     timeout: '10m',
     version: '1.0.0',
     runTask: async (
@@ -31,9 +38,13 @@ export function createTelemetryDetectionRuleListsTaskConfig(maxTelemetryBatch: n
       sender: ITelemetryEventsSender,
       taskExecutionPeriod: TaskExecutionPeriod
     ) => {
+      const usageCollector = sender.getTelemetryUsageCluster();
+
       const startTime = Date.now();
       const taskName = 'Security Solution Detection Rule Lists Telemetry';
       try {
+        let detectionRuleCount = 0;
+
         const [clusterInfoPromise, licenseInfoPromise] = await Promise.allSettled([
           receiver.fetchClusterInfo(),
           receiver.fetchLicenseInfo(),
@@ -98,6 +109,14 @@ export function createTelemetryDetectionRuleListsTaskConfig(maxTelemetryBatch: n
           LIST_DETECTION_RULE_EXCEPTION
         );
         tlog(logger, `Detection rule exception json length ${detectionRuleExceptionsJson.length}`);
+
+        detectionRuleCount = detectionRuleExceptionsJson.length;
+        usageCollector?.incrementCounter({
+          counterName: createUsageCounterLabel(usageLabelPrefix.concat(['detection_rule'])),
+          counterType: 'detection_rule_count',
+          incrementBy: detectionRuleCount,
+        });
+
         const batches = batchTelemetryRecords(detectionRuleExceptionsJson, maxTelemetryBatch);
         for (const batch of batches) {
           await sender.sendOnDemand(TELEMETRY_CHANNEL_LISTS, batch);
@@ -105,7 +124,7 @@ export function createTelemetryDetectionRuleListsTaskConfig(maxTelemetryBatch: n
         await sender.sendOnDemand(TASK_METRICS_CHANNEL, [
           createTaskMetric(taskName, true, startTime),
         ]);
-        return detectionRuleExceptions.length;
+        return detectionRuleCount;
       } catch (err) {
         await sender.sendOnDemand(TASK_METRICS_CHANNEL, [
           createTaskMetric(taskName, false, startTime, err.message),
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
index 68a6fb643e1ba..f4f3c92acbf03 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
@@ -24,7 +24,9 @@ import {
   tlog,
   createTaskMetric,
   formatValueListMetaData,
+  createUsageCounterLabel,
 } from '../helpers';
+import { usageLabelPrefix } from '../sender';
 import type { ITelemetryEventsSender } from '../sender';
 import type { ITelemetryReceiver } from '../receiver';
 import type { TaskExecutionPeriod } from '../task';
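Review bot: The counter added after the `tlog` call in the first hunk is typed `detection_rule_count` but is incremented by `detectionRuleExceptionsJson.length`, which is the number of templated exception-list entries rather than the number of detection rules, so whoever reads the usage counter gets the wrong quantity. Either rename it, `counterType: 'detection_rule_exceptions_count',`, or count rules and state what is counted in a one-line comment above the `incrementCounter` call. The second hunk also switches the task's return value from `detectionRuleExceptions.length` to the templated count; if `templateExceptionList` can drop or expand entries the two differ, and the consumer of `runTask`'s result (outside this hunk) would see a different number. The enclosing `runTask` callback starts and ends outside the hunk.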
@@ -43,10 +45,14 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
       sender: ITelemetryEventsSender,
       taskExecutionPeriod: TaskExecutionPeriod
     ) => {
+      const usageCollector = sender.getTelemetryUsageCluster();
+
       const startTime = Date.now();
       const taskName = 'Security Solution Lists Telemetry';
       try {
-        let count = 0;
+        let trustedApplicationsCount = 0;
+        let endpointExceptionsCount = 0;
+        let endpointEventFiltersCount = 0;
 
         const [clusterInfoPromise, licenseInfoPromise] = await Promise.allSettled([
           receiver.fetchClusterInfo(),
@@ -73,7 +79,13 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
           LIST_TRUSTED_APPLICATION
         );
         tlog(logger, `Trusted Apps: ${trustedAppsJson}`);
-        count += trustedAppsJson.length;
+        trustedApplicationsCount = trustedAppsJson.length;
+
+        usageCollector?.incrementCounter({
+          counterName: createUsageCounterLabel(usageLabelPrefix.concat(['security_lists'])),
+          counterType: 'trusted_apps_count',
+          incrementBy: trustedApplicationsCount,
+        });
 
         const batches = batchTelemetryRecords(trustedAppsJson, maxTelemetryBatch);
         for (const batch of batches) {
@@ -92,7 +104,13 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
           LIST_ENDPOINT_EXCEPTION
         );
         tlog(logger, `EP Exceptions: ${epExceptionsJson}`);
-        count += epExceptionsJson.length;
+        endpointExceptionsCount = epExceptionsJson.length;
+
+        usageCollector?.incrementCounter({
+          counterName: createUsageCounterLabel(usageLabelPrefix.concat(['security_lists'])),
+          counterType: 'endpoint_exceptions_count',
+          incrementBy: endpointExceptionsCount,
+        });
 
         const batches = batchTelemetryRecords(epExceptionsJson, maxTelemetryBatch);
         for (const batch of batches) {
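Review bot: In the second and third hunks `usageCollector?.incrementCounter` runs before the `for (const batch of batches)` loop that ships the same entries, so a `sendOnDemand` failure (caught by the outer `catch`, outside this hunk) leaves the usage counter already incremented while the task metric for the same run reports failure. If the counter is meant to reflect entries actually shipped, move the increment below the loop; if it is meant to count artifacts present regardless of shipping, say so in a one-line comment above each call, e.g. `// Usage counter: artifacts found this run, recorded even if the send below fails.` The `runTask` callback starts and ends outside the hunk.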
@@ -111,7 +129,13 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
           LIST_ENDPOINT_EVENT_FILTER
         );
         tlog(logger, `EP Event Filters: ${epFiltersJson}`);
-        count += epFiltersJson.length;
+        endpointEventFiltersCount = epFiltersJson.length;
+
+        usageCollector?.incrementCounter({
+          counterName: createUsageCounterLabel(usageLabelPrefix.concat(['security_lists'])),
+          counterType: 'endpoint_event_filters_count',
+          incrementBy: endpointEventFiltersCount,
+        });
 
         const batches = batchTelemetryRecords(epFiltersJson, maxTelemetryBatch);
         for (const batch of batches) {
@@ -135,7 +159,7 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
         await sender.sendOnDemand(TASK_METRICS_CHANNEL, [
           createTaskMetric(taskName, true, startTime),
         ]);
-        return count;
+        return trustedApplicationsCount + endpointExceptionsCount + endpointEventFiltersCount;
       } catch (err) {
         await sender.sendOnDemand(TASK_METRICS_CHANNEL, [
           createTaskMetric(taskName, false, startTime, err.message),

From 3447cb7355a9e168709b4ed1419135eb509502cd Mon Sep 17 00:00:00 2001
From: Keerthy
Date: Fri, 27 Oct 2023 12:36:55 -0400
Subject: [PATCH 2/9] Enhancing interval

---
 .../server/lib/telemetry/tasks/detection_rule.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
index 6ebf9424bdb80..219f339432c74 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
@@ -28,7 +28,7 @@ export function createTelemetryDetectionRuleListsTaskConfig(maxTelemetryBatch: n
   return {
     type: 'security:telemetry-detection-rules',
     title: 'Security Solution Detection Rule Lists Telemetry',
-    interval: '2m',
+    interval: '24h',
     timeout: '10m',
     version: '1.0.0',
     runTask: async (
From e7de3d8c53f03720d0f4672cf8c3d1bd3e370af3 Mon Sep 17 00:00:00 2001
From: Keerthy
Date: Wed, 1 Nov 2023 12:26:41 -0400
Subject: [PATCH 3/9] Adding 24-hour filter to exception-list retrieval

---
 .../security_solution/server/lib/telemetry/receiver.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
index c699f6a1e9698..3b84281a7a15d 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
@@ -443,7 +443,10 @@ export class TelemetryReceiver implements ITelemetryReceiver {
       listId: ENDPOINT_TRUSTED_APPS_LIST_ID,
       page: 1,
       perPage: 10_000,
-      filter: undefined,
+      filter: `exception-list-agnostic.attributes.created_at > ${moment
+        .utc()
+        .subtract(24, 'hours')
+        .valueOf()}`,
       namespaceType: 'agnostic',
       sortField: 'name',
       sortOrder: 'asc',

From dd0ff064bf82cea10f50127f217cb900b841c2bd Mon Sep 17 00:00:00 2001
From: Keerthy
Date: Wed, 1 Nov 2023 14:30:26 -0400
Subject: [PATCH 4/9] Adding import for moment

---
 .../plugins/security_solution/server/lib/telemetry/receiver.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
index 3b84281a7a15d..d2e15566b985c 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
@@ -43,6 +43,7 @@ import type {
   PackageService,
 } from '@kbn/fleet-plugin/server';
 import type { ExceptionListClient } from '@kbn/lists-plugin/server';
+import moment from 'moment';
 import type { EndpointAppContextService } from '../../endpoint/endpoint_app_context_services';
 import {
   exceptionListItemToTelemetryEntry,

From c8438c9231b0d64a1d83541cd4f49655114038b0 Mon Sep 17 00:00:00 2001
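Review bot: The new `filter` in the first hunk anchors the 24-hour window to wall-clock `moment.utc()` at fetch time rather than to the task's schedule, so when the 24h task runs late an entry created between the window edge and the previous run is never reported, and when it runs early it is reported twice; the task callbacks already receive a `taskExecutionPeriod` (see the `runTask` signatures in patch 1), so threading its start into this fetch as a `since` parameter would make the window exact. The filter also matches on `created_at` only, so a trusted app whose entries are edited later is never re-sent after its first day, which may or may not be intended and deserves a comment above the call. The interpolated value is an epoch-millis number inside a KQL string; that works only as long as the saved-object `created_at` mapping accepts `epoch_millis`, and `.toISOString()` would be the unambiguous form. The enclosing method starts and ends outside the hunk.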
From: Keerthy
Date: Thu, 2 Nov 2023 11:50:22 -0400
Subject: [PATCH 5/9] Review comments are addressed

---
 .../server/lib/telemetry/receiver.ts             | 14 +++++++++++---
 .../server/lib/telemetry/sender.ts               |  2 +-
 .../server/lib/telemetry/tasks/detection_rule.ts | 12 +++++-------
 .../server/lib/telemetry/tasks/security_lists.ts |  9 +++++----
 4 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
index d2e15566b985c..6cc3ad0ed6486 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
@@ -444,7 +444,7 @@ export class TelemetryReceiver implements ITelemetryReceiver {
       listId: ENDPOINT_TRUSTED_APPS_LIST_ID,
       page: 1,
       perPage: 10_000,
-      filter: `exception-list-agnostic.attributes.created_at > ${moment
+      filter: `exception-list-agnostic.attributes.created_at >= ${moment
         .utc()
         .subtract(24, 'hours')
         .valueOf()}`,
@@ -473,7 +473,10 @@ export class TelemetryReceiver implements ITelemetryReceiver {
       listId,
       page: 1,
       perPage: this.maxRecords,
-      filter: undefined,
+      filter: `exception-list-agnostic.attributes.created_at >= ${moment
+        .utc()
+        .subtract(24, 'hours')
+        .valueOf()}`,
       namespaceType: 'agnostic',
       sortField: 'name',
       sortOrder: 'asc',
@@ -549,9 +552,14 @@ export class TelemetryReceiver implements ITelemetryReceiver {
     // Ensure list is created if it does not exist
     await this.exceptionListClient.createTrustedAppsList();
 
+    const filter = `exception-list.single.attributes.created_at >= ${moment
+      .utc()
+      .subtract(24, 'hours')
+      .valueOf()}`;
+
     const results = await this.exceptionListClient?.findExceptionListsItem({
       listId: [listId],
-      filter: [],
+      filter: [filter],
       perPage: this.maxRecords,
       page: 1,
       sortField: 'exception-list.created_at',
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
index 66034677820b7..848f66c3aaf0a 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/sender.ts
@@ -27,7 +27,7 @@ import type { SecurityTelemetryTaskConfig } from './task';
 import { SecurityTelemetryTask } from './task';
 import { telemetryConfiguration } from './configuration';
 
-export const usageLabelPrefix: string[] = ['security_telemetry', 'sender'];
+const usageLabelPrefix: string[] = ['security_telemetry', 'sender'];
 
 export interface ITelemetryEventsSender {
   setup(
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
index 219f339432c74..e2d29d9cc42dc 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/detection_rule.ts
@@ -18,7 +18,6 @@ import {
   createTaskMetric,
   createUsageCounterLabel,
 } from '../helpers';
-import { usageLabelPrefix } from '../sender';
 import type { ITelemetryEventsSender } from '../sender';
 import type { ITelemetryReceiver } from '../receiver';
 import type { ExceptionListItem, ESClusterInfo, ESLicense, RuleSearchResult } from '../types';
@@ -40,11 +39,11 @@ export function createTelemetryDetectionRuleListsTaskConfig(maxTelemetryBatch: n
     ) => {
       const usageCollector = sender.getTelemetryUsageCluster();
 
+      const usageLabelPrefix: string[] = ['security_telemetry', 'detection-rules'];
+
       const startTime = Date.now();
       const taskName = 'Security Solution Detection Rule Lists Telemetry';
       try {
-        let detectionRuleCount = 0;
-
         const [clusterInfoPromise, licenseInfoPromise] = await Promise.allSettled([
           receiver.fetchClusterInfo(),
           receiver.fetchLicenseInfo(),
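Review bot: The `usageLabelPrefix` introduced in the last hunk mixes the hyphenated `'detection-rules'` with the snake_case `'security_telemetry'` and the `'lists'` segment the sibling task uses, so the resulting counter names do not follow one convention and are harder to query together; `const usageLabelPrefix: string[] = ['security_telemetry', 'detection_rules'];` keeps them uniform. It is also rebuilt on every run inside `runTask` although it never changes; a module-level `const` next to the imports, with a one-line comment that it is the usage-counter namespace for this task, documents it as a fixed identifier. The `runTask` callback starts and ends outside the hunk.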
@@ -110,11 +109,10 @@ export function createTelemetryDetectionRuleListsTaskConfig(maxTelemetryBatch: n
         );
         tlog(logger, `Detection rule exception json length ${detectionRuleExceptionsJson.length}`);
 
-        detectionRuleCount = detectionRuleExceptionsJson.length;
         usageCollector?.incrementCounter({
-          counterName: createUsageCounterLabel(usageLabelPrefix.concat(['detection_rule'])),
+          counterName: createUsageCounterLabel(usageLabelPrefix),
           counterType: 'detection_rule_count',
-          incrementBy: detectionRuleCount,
+          incrementBy: detectionRuleExceptionsJson.length,
         });
 
         const batches = batchTelemetryRecords(detectionRuleExceptionsJson, maxTelemetryBatch);
@@ -124,7 +122,7 @@ export function createTelemetryDetectionRuleListsTaskConfig(maxTelemetryBatch: n
         await sender.sendOnDemand(TASK_METRICS_CHANNEL, [
           createTaskMetric(taskName, true, startTime),
         ]);
-        return detectionRuleCount;
+        return detectionRuleExceptionsJson.length;
       } catch (err) {
         await sender.sendOnDemand(TASK_METRICS_CHANNEL, [
           createTaskMetric(taskName, false, startTime, err.message),
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
index f4f3c92acbf03..2fb8323852f08 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
@@ -26,7 +26,6 @@ import {
   formatValueListMetaData,
   createUsageCounterLabel,
 } from '../helpers';
-import { usageLabelPrefix } from '../sender';
 import type { ITelemetryEventsSender } from '../sender';
 import type { ITelemetryReceiver } from '../receiver';
 import type { TaskExecutionPeriod } from '../task';
@@ -47,6 +46,8 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
     ) => {
       const usageCollector = sender.getTelemetryUsageCluster();
 
+      const usageLabelPrefix: string[] = ['security_telemetry', 'lists'];
+
       const startTime = Date.now();
       const taskName = 'Security Solution Lists Telemetry';
       try {
@@ -82,7 +83,7 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
         trustedApplicationsCount = trustedAppsJson.length;
 
         usageCollector?.incrementCounter({
-          counterName: createUsageCounterLabel(usageLabelPrefix.concat(['security_lists'])),
+          counterName: createUsageCounterLabel(usageLabelPrefix),
           counterType: 'trusted_apps_count',
           incrementBy: trustedApplicationsCount,
         });
@@ -107,7 +108,7 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
         endpointExceptionsCount = epExceptionsJson.length;
 
         usageCollector?.incrementCounter({
-          counterName: createUsageCounterLabel(usageLabelPrefix.concat(['security_lists'])),
+          counterName: createUsageCounterLabel(usageLabelPrefix),
           counterType: 'endpoint_exceptions_count',
           incrementBy: endpointExceptionsCount,
         });
@@ -132,7 +133,7 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
         endpointEventFiltersCount = epFiltersJson.length;
 
         usageCollector?.incrementCounter({
-          counterName: createUsageCounterLabel(usageLabelPrefix.concat(['security_lists'])),
+          counterName: createUsageCounterLabel(usageLabelPrefix),
           counterType: 'endpoint_event_filters_count',
           incrementBy: endpointEventFiltersCount,
         });

From aa9f6ce8af7e134be4718fe7e8cdca9b29936ebe Mon Sep 17 00:00:00 2001
From: Keerthy
Date: Thu, 2 Nov 2023 22:17:57 -0400
Subject: [PATCH 6/9] Enhancing the filter

---
 .../plugins/security_solution/server/lib/telemetry/receiver.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
index 6cc3ad0ed6486..f3295da597c87 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
@@ -552,7 +552,7 @@ export class TelemetryReceiver implements ITelemetryReceiver {
     // Ensure list is created if it does not exist
     await this.exceptionListClient.createTrustedAppsList();
 
-    const filter = `exception-list.single.attributes.created_at >= ${moment
+    const filter = `exception-list-single.attributes.created_at >= ${moment
       .utc()
       .subtract(24, 'hours')
       .valueOf()}`;

From 6ca61c2d103552e8268f4ba5f0f37b35f68a6f31 Mon Sep 17 00:00:00 2001
From: Pete Hampton
Date: Tue, 14 Nov 2023 14:07:44 +0000
Subject: [PATCH 7/9] Add polish.

---
 .../server/lib/telemetry/receiver.ts          | 20 ++++++++-----------
 .../lib/telemetry/tasks/security_lists.ts     |  8 +++-----
 2 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
index f3295da597c87..6713c8a88ea27 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
@@ -18,7 +18,7 @@ import type {
   SearchRequest,
   SearchResponse,
 } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
-import { ENDPOINT_TRUSTED_APPS_LIST_ID } from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import {
   EQL_RULE_TYPE_ID,
   INDICATOR_RULE_TYPE_ID,
@@ -440,14 +440,12 @@ export class TelemetryReceiver implements ITelemetryReceiver {
     // Ensure list is created if it does not exist
     await this.exceptionListClient.createTrustedAppsList();
 
+    const timeFrom = moment.utc().subtract(1, 'day').valueOf();
     const results = await this.exceptionListClient.findExceptionListItem({
-      listId: ENDPOINT_TRUSTED_APPS_LIST_ID,
+      listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id,
       page: 1,
       perPage: 10_000,
-      filter: `exception-list-agnostic.attributes.created_at >= ${moment
-        .utc()
-        .subtract(24, 'hours')
-        .valueOf()}`,
+      filter: `exception-list-agnostic.attributes.created_at >= ${timeFrom}`,
       namespaceType: 'agnostic',
       sortField: 'name',
       sortOrder: 'asc',
@@ -469,14 +467,12 @@ export class TelemetryReceiver implements ITelemetryReceiver {
     // Ensure list is created if it does not exist
     await this.exceptionListClient.createEndpointList();
 
+    const timeFrom = moment.utc().subtract(1, 'day').valueOf();
     const results = await this.exceptionListClient.findExceptionListItem({
       listId,
       page: 1,
       perPage: this.maxRecords,
-      filter: `exception-list-agnostic.attributes.created_at >= ${moment
-        .utc()
-        .subtract(24, 'hours')
-        .valueOf()}`,
+      filter: `exception-list-agnostic.attributes.created_at >= ${timeFrom}`,
       namespaceType: 'agnostic',
       sortField: 'name',
       sortOrder: 'asc',
@@ -552,14 +548,14 @@ export class TelemetryReceiver implements ITelemetryReceiver {
     // Ensure list is created if it does not exist
     await this.exceptionListClient.createTrustedAppsList();
 
-    const filter = `exception-list-single.attributes.created_at >= ${moment
+    const timeFrom = `exception-list-single.attributes.created_at >= ${moment
       .utc()
       .subtract(24, 'hours')
       .valueOf()}`;
 
     const results = await this.exceptionListClient?.findExceptionListsItem({
       listId: [listId],
-      filter: [filter],
+      filter: [timeFrom],
       perPage: this.maxRecords,
       page: 1,
       sortField: 'exception-list.created_at',
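Review bot: The third hunk reuses the name `timeFrom` for a whole KQL filter string while the first two hunks use `timeFrom` for the epoch-millis cut-off, and it still spells the window as `subtract(24, 'hours')` where the others say `subtract(1, 'day')`; three hand-written copies of the same cut-off are how the field prefix already drifted across the earlier commits in this series. A small private helper on the class, `private oneDayAgo(): number { return moment.utc().subtract(1, 'day').valueOf(); }`, used by all three fetches, plus the name `filter` for the string in the third hunk, would keep them aligned and make a later change to the window a one-line edit. Each enclosing method starts and ends outside its hunk.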
diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
index f8ce6b8d76b0d..4def8e150cb81 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
@@ -6,10 +6,7 @@
  */
 
 import type { Logger } from '@kbn/core/server';
-import {
-  ENDPOINT_LIST_ID,
-  ENDPOINT_EVENT_FILTERS_LIST_ID,
-} from '@kbn/securitysolution-list-constants';
+import { ENDPOINT_LIST_ID, ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants';
 import {
   LIST_ENDPOINT_EXCEPTION,
   LIST_ENDPOINT_EVENT_FILTER,
@@ -24,6 +21,7 @@ import {
   createTaskMetric,
   formatValueListMetaData,
   createUsageCounterLabel,
+  tlog,
 } from '../helpers';
 import type { ITelemetryEventsSender } from '../sender';
 import type { ITelemetryReceiver } from '../receiver';
@@ -120,7 +118,7 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
 
         // Lists Telemetry: Endpoint Event Filters
 
-        const epFilters = await receiver.fetchEndpointList(ENDPOINT_EVENT_FILTERS_LIST_ID);
+        const epFilters = await receiver.fetchEndpointList(ENDPOINT_ARTIFACT_LISTS.eventFilters.id);
         if (epFilters?.data) {
           const epFiltersJson = templateExceptionList(
             epFilters.data,

From 9ce565985513aec2cede77fdac2fd5e4051e6840 Mon Sep 17 00:00:00 2001
From: Pete Hampton
Date: Wed, 15 Nov 2023 10:16:59 +0000
Subject: [PATCH 8/9] Fix filter.

---
 .../plugins/security_solution/server/lib/telemetry/receiver.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
index 6713c8a88ea27..cd25301be981e 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/receiver.ts
@@ -548,7 +548,7 @@ export class TelemetryReceiver implements ITelemetryReceiver {
     // Ensure list is created if it does not exist
     await this.exceptionListClient.createTrustedAppsList();
 
-    const timeFrom = `exception-list-single.attributes.created_at >= ${moment
+    const timeFrom = `exception-list.attributes.created_at >= ${moment
       .utc()
       .subtract(24, 'hours')
       .valueOf()}`;

From b93311bb90ccedd8f00188e45855504981195d9a Mon Sep 17 00:00:00 2001
From: Pete Hampton
Date: Mon, 27 Nov 2023 14:22:31 +0000
Subject: [PATCH 9/9] Don't log exception lists. Just record counts.

---
 .../server/lib/telemetry/tasks/security_lists.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
index 4def8e150cb81..863d66d55c4e7 100644
--- a/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
+++ b/x-pack/plugins/security_solution/server/lib/telemetry/tasks/security_lists.ts
@@ -76,8 +76,8 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
           licenseInfo,
           LIST_TRUSTED_APPLICATION
         );
-        tlog(logger, `Trusted Apps: ${trustedAppsJson}`);
         trustedApplicationsCount = trustedAppsJson.length;
+        tlog(logger, `Trusted Apps: ${trustedApplicationsCount}`);
 
         usageCollector?.incrementCounter({
           counterName: createUsageCounterLabel(usageLabelPrefix),
@@ -101,8 +101,8 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
           licenseInfo,
           LIST_ENDPOINT_EXCEPTION
         );
-        tlog(logger, `EP Exceptions: ${epExceptionsJson}`);
         endpointExceptionsCount = epExceptionsJson.length;
+        tlog(logger, `EP Exceptions: ${endpointExceptionsCount}`);
 
         usageCollector?.incrementCounter({
           counterName: createUsageCounterLabel(usageLabelPrefix),
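Review bot: The field prefix in the first hunk is now `exception-list.attributes`, which is the single-namespace saved-object type and agrees with the `exception-list.created_at` sortField a few lines below, but nothing in the code ties the prefix to the `namespaceType` argument of the `findExceptionListsItem` call (outside this hunk); with a mismatched prefix the KQL filter matches nothing and the task silently reports zero entries rather than failing. A one-line comment above the constant, `// Field prefix must match the saved-object type for the namespaceType passed below ('exception-list' = single).`, would make the coupling visible to the next person who edits either side. The enclosing method starts and ends outside the hunk.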
@@ -126,8 +126,8 @@ export function createTelemetrySecurityListTaskConfig(maxTelemetryBatch: number)
           licenseInfo,
           LIST_ENDPOINT_EVENT_FILTER
         );
-        tlog(logger, `EP Event Filters: ${epFiltersJson}`);
         endpointEventFiltersCount = epFiltersJson.length;
+        tlog(logger, `EP Event Filters: ${endpointEventFiltersCount}`);
 
         usageCollector?.incrementCounter({
           counterName: createUsageCounterLabel(usageLabelPrefix),