x-pack/solutions/security/plugins/security_solution/server/usage/collector.ts (3,768 lines of code) (raw):

/* * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * or more contributor license agreements. Licensed under the Elastic License * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ import type { CollectorFetchContext } from '@kbn/usage-collection-plugin/server'; import type { CollectorDependencies, DashboardMetrics } from './types'; import { getDetectionsMetrics } from './detections/get_metrics'; import { getInternalSavedObjectsClient } from './get_internal_saved_objects_client'; import { getEndpointMetrics } from './endpoint/get_metrics'; import { getDashboardMetrics } from './dashboards/get_dashboards_metrics'; import { riskEngineMetricsSchema } from './risk_engine/schema'; import { getRiskEngineMetrics } from './risk_engine/get_risk_engine_metrics'; export type RegisterCollector = (deps: CollectorDependencies) => void; export interface UsageData { detectionMetrics: {}; endpointMetrics: {}; dashboardMetrics: DashboardMetrics; riskEngineMetrics: {}; } export const registerCollector: RegisterCollector = ({ core, eventLogIndex, signalsIndex, ml, usageCollection, logger, riskEngineIndexPatterns, legacySignalsIndex, }) => { if (!usageCollection) { logger.debug('Usage collection is undefined, therefore returning early without registering it'); return; } const collector = usageCollection.makeUsageCollector<UsageData>({ type: 'security_solution', schema: { detectionMetrics: { detection_rules: { spaces_usage: { total: { type: 'long', _meta: { description: 'Total number of spaces where detection rules added' }, }, rules_in_spaces: { type: 'array', items: { type: 'long', _meta: { description: 'Number of rules is each space' }, }, }, }, detection_rule_usage: { query: { enabled: { type: 'long', _meta: { description: 'Number of query rules enabled' } }, disabled: { type: 'long', _meta: { description: 'Number of query rules disabled' } }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by query rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to query detection rule alerts' }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled query rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled query rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of query rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of query rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of query rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of query rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of query rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of query rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of query rules configured do not suppress alerts with missing fields', }, }, }, }, threshold: { enabled: { type: 'long', _meta: { description: 'Number of threshold rules enabled' }, }, disabled: { type: 'long', _meta: { description: 'Number of threshold rules disabled' }, }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by threshold rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to threshold detection rule alerts', }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled threshold rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled threshold rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of threshold rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of threshold rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of threshold rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of threshold rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of threshold rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of threshold rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of threshold rules configured do not suppress alerts with missing fields', }, }, }, }, eql: { enabled: { type: 'long', _meta: { description: 'Number of eql rules enabled' } }, disabled: { type: 'long', _meta: { description: 'Number of eql rules disabled' } }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by eql rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to eql detection rule alerts' }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled eql rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled eql rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of eql rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of eql rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of eql rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of eql rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of eql rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of eql rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of eql rules configured do not suppress alerts with missing fields', }, }, }, }, machine_learning: { enabled: { type: 'long', _meta: { description: 'Number of machine_learning rules enabled' }, }, disabled: { type: 'long', _meta: { description: 'Number of machine_learning rules disabled' }, }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by machine_learning rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to machine_learning detection rule alerts', }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled machine_learning rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled machine_learning rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of machine_learning rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of machine_learning rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of machine_learning rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of machine_learning rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of machine_learning rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of machine_learning rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of machine_learning rules configured do not suppress alerts with missing fields', }, }, }, }, threat_match: { enabled: { type: 'long', _meta: { description: 'Number of threat_match rules enabled' }, }, disabled: { type: 'long', _meta: { description: 'Number of threat_match rules disabled' }, }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by threat_match rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to threat_match detection rule alerts', }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled threat_match rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled threat_match rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of threat_match rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of threat_match rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of threat_match rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of threat_match rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of threat_match rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of threat_match rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of threat_match rules configured do not suppress alerts with missing fields', }, }, }, }, new_terms: { enabled: { type: 'long', _meta: { description: 'Number of new_terms rules enabled' }, }, disabled: { type: 'long', _meta: { description: 'Number of new_terms rules disabled' }, }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by new_terms rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to new_terms detection rule alerts', }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled new_terms rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled new_terms rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of new_terms rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of new_terms rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of new_terms rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of new_terms rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of new_terms rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of new_terms rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of new_terms rules configured do not suppress alerts with missing fields', }, }, }, }, esql: { enabled: { type: 'long', _meta: { description: 'Number of esql rules enabled' }, }, disabled: { type: 'long', _meta: { description: 'Number of esql rules disabled' }, }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by esql rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to esql detection rule alerts', }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled esql rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled esql rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of esql rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of esql rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of esql rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of esql rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of esql rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of esql rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of esql rules configured do not suppress alerts with missing fields', }, }, }, }, elastic_total: { enabled: { type: 'long', _meta: { description: 'Number of elastic rules enabled' } }, disabled: { type: 'long', _meta: { description: 'Number of elastic rules disabled' }, }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by elastic rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to elastic detection rule alerts' }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled elastic rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled elastic rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of elastic rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of elastic rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of elastic rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of elastic rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of elastic rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of elastic rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of elastic rules configured do not suppress alerts with missing fields', }, }, }, }, custom_total: { enabled: { type: 'long', _meta: { description: 'Number of custom rules enabled' } }, disabled: { type: 'long', _meta: { description: 'Number of custom rules disabled' } }, alerts: { type: 'long', _meta: { description: 'Number of alerts generated by custom rules' }, }, cases: { type: 'long', _meta: { description: 'Number of cases attached to custom detection rule alerts' }, }, legacy_notifications_enabled: { type: 'long', _meta: { description: 'Number of legacy notifications enabled' }, }, legacy_notifications_disabled: { type: 'long', _meta: { description: 'Number of legacy notifications disabled' }, }, notifications_enabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, notifications_disabled: { type: 'long', _meta: { description: 'Number of notifications enabled' }, }, legacy_investigation_fields: { type: 'long', _meta: { description: 'Number of rules using the legacy investigation fields type introduced only in 8.10 ESS', }, }, alert_suppression: { enabled: { type: 'long', _meta: { description: 'Number of enabled custom rules configured with suppression', }, }, disabled: { type: 'long', _meta: { description: 'Number of disabled custom rules configured with suppression', }, }, suppressed_fields_count: { one: { type: 'long', _meta: { description: 'Number of custom rules configured with one suppression field', }, }, two: { type: 'long', _meta: { description: 'Number of custom rules configured with two suppression field', }, }, three: { type: 'long', _meta: { description: 'Number of custom rules configured with three suppression field', }, }, }, suppressed_per_time_period: { type: 'long', _meta: { description: 'Number of custom rules configured with suppression per time period', }, }, suppressed_per_rule_execution: { type: 'long', _meta: { description: 'Number of custom rules configured with suppression per rule execution', }, }, suppresses_missing_fields: { type: 'long', _meta: { description: 'Number of custom rules configured to suppress alerts with missing fields', }, }, does_not_suppress_missing_fields: { type: 'long', _meta: { description: 'Number of custom rules configured do not suppress alerts with missing fields', }, }, }, }, }, detection_rule_detail: { type: 'array', items: { rule_name: { type: 'keyword', _meta: { description: 'The name of the detection rule' }, }, rule_id: { type: 'keyword', _meta: { description: 'The UUID id of the detection rule' }, }, rule_type: { type: 'keyword', _meta: { description: 'The type of detection rule. ie eql, query...' }, }, rule_version: { type: 'long', _meta: { description: 'The version of the rule' } }, enabled: { type: 'boolean', _meta: { description: 'If the detection rule has been enabled by the user' }, }, elastic_rule: { type: 'boolean', _meta: { description: 'If the detection rule has been authored by Elastic' }, }, created_on: { type: 'keyword', _meta: { description: 'When the detection rule was created on the cluster' }, }, updated_on: { type: 'keyword', _meta: { description: 'When the detection rule was updated on the cluster' }, }, alert_count_daily: { type: 'long', _meta: { description: 'The number of daily alerts generated by a rule' }, }, cases_count_total: { type: 'long', _meta: { description: 'The number of total cases generated by a rule' }, }, has_legacy_notification: { type: 'boolean', _meta: { description: 'True if this rule has a legacy notification' }, }, has_notification: { type: 'boolean', _meta: { description: 'True if this rule has a notification' }, }, }, }, detection_rule_status: { all_rules: { eql: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, new_terms: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, esql: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, threat_match: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, machine_learning: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, query: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, saved_query: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, threshold: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, total: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, succeeded: { type: 'long', _meta: { description: 'The number of succeeded rules' }, }, }, }, elastic_rules: { eql: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, new_terms: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, esql: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, threat_match: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, machine_learning: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, query: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, saved_query: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, threshold: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, total: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, succeeded: { type: 'long', _meta: { description: 'The number of succeeded rules' }, }, }, }, custom_rules: { eql: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, new_terms: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, esql: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, threat_match: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, machine_learning: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, query: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, saved_query: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, threshold: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, top_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, top_partial_failures: { type: 'array', items: { message: { type: 'keyword', _meta: { description: 'Failed rule message' }, }, count: { type: 'long', _meta: { description: 'Number of times the message occurred' }, }, }, }, succeeded: { type: 'long', _meta: { description: 'The number of successful rules' }, }, index_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, search_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, enrichment_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_duration: { max: { type: 'float', _meta: { description: 'The max duration' }, }, avg: { type: 'float', _meta: { description: 'The avg duration' }, }, min: { type: 'float', _meta: { description: 'The min duration' }, }, }, gap_count: { type: 'long', _meta: { description: 'The count of gaps' }, }, }, total: { failures: { type: 'long', _meta: { description: 'The number of failed rules' }, }, partial_failures: { type: 'long', _meta: { description: 'The number of partial failure rules' }, }, succeeded: { type: 'long', _meta: { description: 'The number of succeeded rules' }, }, }, }, }, }, ml_jobs: { ml_job_usage: { custom: { enabled: { type: 'long', _meta: { description: 'The number of custom ML jobs rules enabled' }, }, disabled: { type: 'long', _meta: { description: 'The number of custom ML jobs rules disabled' }, }, }, elastic: { enabled: { type: 'long', _meta: { description: 'The number of elastic provided ML jobs rules enabled' }, }, disabled: { type: 'long', _meta: { description: 'The number of elastic provided ML jobs rules disabled' }, }, }, }, ml_job_metrics: { type: 'array', items: { job_id: { type: 'keyword', _meta: { description: 'Identifier for the anomaly detection job' }, }, open_time: { type: 'keyword', _meta: { description: 'For open jobs only, the elapsed time for which the job has been open', }, }, create_time: { type: 'keyword', _meta: { description: 'The time the job was created' }, }, finished_time: { type: 'keyword', _meta: { description: 'If the job closed or failed, this is the time the job finished', }, }, state: { type: 'keyword', _meta: { description: 'The status of the anomaly detection job' }, }, data_counts: { bucket_count: { type: 'long', _meta: { description: 'The number of buckets processed' }, }, empty_bucket_count: { type: 'long', _meta: { description: 'The number of buckets which did not contain any data' }, }, input_bytes: { type: 'long', _meta: { description: 'The number of bytes of input data posted to the anomaly detection job', }, }, input_record_count: { type: 'long', _meta: { description: 'The number of input documents posted to the anomaly detection job', }, }, last_data_time: { type: 'long', _meta: { description: 'The timestamp at which data was last analyzed, according to server time', }, }, processed_record_count: { type: 'long', _meta: { description: 'The number of input documents that have been processed by the anomaly detection job', }, }, }, model_size_stats: { bucket_allocation_failures_count: { type: 'long', _meta: { description: 'The number of buckets for which new entities in incoming data were not processed due to insufficient model memory', }, }, model_bytes: { type: 'long', _meta: { description: 'The number of bytes of memory used by the models' }, }, model_bytes_exceeded: { type: 'long', _meta: { description: 'The number of bytes over the high limit for memory usage at the last allocation failure', }, }, model_bytes_memory_limit: { type: 'long', _meta: { description: 'The upper limit for model memory usage, checked on increasing values', }, }, peak_model_bytes: { type: 'long', _meta: { description: 'The peak number of bytes of memory ever used by the models', }, }, }, timing_stats: { bucket_count: { type: 'long', _meta: { description: 'The number of buckets processed' }, }, exponential_average_bucket_processing_time_ms: { type: 'long', _meta: { description: 'Exponential moving average of all bucket processing times, in milliseconds', }, }, exponential_average_bucket_processing_time_per_hour_ms: { type: 'long', _meta: { description: 'Exponentially-weighted moving average of bucket processing times calculated in a 1 hour time window, in milliseconds', }, }, maximum_bucket_processing_time_ms: { type: 'long', _meta: { description: 'Maximum among all bucket processing times, in milliseconds', }, }, minimum_bucket_processing_time_ms: { type: 'long', _meta: { description: 'Minimum among all bucket processing times, in milliseconds', }, }, total_bucket_processing_time_ms: { type: 'long', _meta: { description: 'Sum of all bucket processing times, in milliseconds' }, }, }, datafeed: { datafeed_id: { type: 'keyword', _meta: { description: 'A numerical character string that uniquely identifies the datafeed', }, }, state: { type: 'keyword', _meta: { description: 'The status of the datafeed' }, }, timing_stats: { average_search_time_per_bucket_ms: { type: 'long', _meta: { description: 'The average search time per bucket, in milliseconds' }, }, bucket_count: { type: 'long', _meta: { description: 'The number of buckets processed' }, }, exponential_average_search_time_per_hour_ms: { type: 'long', _meta: { description: 'The exponential average search time per hour, in milliseconds', }, }, search_count: { type: 'long', _meta: { description: 'The number of searches run by the datafeed' }, }, total_search_time_ms: { type: 'long', _meta: { description: 'The total time the datafeed spent searching, in milliseconds', }, }, }, }, }, }, }, legacy_siem_signals: { non_migrated_indices_total: { type: 'long', _meta: { description: 'Total number of non migrated legacy siem signals indices', }, }, spaces_total: { type: 'long', _meta: { description: 'Total number of Kibana spaces that have non migrated legacy siem signals indices', }, }, }, }, endpointMetrics: { unique_endpoint_count: { type: 'long', _meta: { description: 'Number of active unique endpoints in last 24 hours' }, }, }, dashboardMetrics: { dashboard_tag: { created_at: { type: 'keyword', _meta: { description: 'The time the tab was created' }, }, linked_dashboards_count: { type: 'long', _meta: { description: 'Number of associated dashboards' }, }, }, dashboards: { type: 'array', items: { created_at: { type: 'keyword', _meta: { description: 'The time the dashboard was created' }, }, dashboard_id: { type: 'keyword', _meta: { description: 'The dashboard saved object id' }, }, error_message: { type: 'keyword', _meta: { description: 'The relevant error message' }, }, error_status_code: { type: 'long', _meta: { description: 'The relevant error status code' }, }, }, }, }, riskEngineMetrics: riskEngineMetricsSchema, }, isReady: () => true, fetch: async ({ esClient }: CollectorFetchContext): Promise<UsageData> => { const savedObjectsClient = await getInternalSavedObjectsClient(core); const [detectionMetrics, endpointMetrics, dashboardMetrics, riskEngineMetrics] = await Promise.allSettled([ getDetectionsMetrics({ eventLogIndex, signalsIndex, esClient, savedObjectsClient, logger, mlClient: ml, legacySignalsIndex, }), getEndpointMetrics({ esClient, logger }), getDashboardMetrics({ savedObjectsClient, logger, }), getRiskEngineMetrics({ esClient, logger, riskEngineIndexPatterns }), ]); return { detectionMetrics: detectionMetrics.status === 'fulfilled' ? detectionMetrics.value : {}, endpointMetrics: endpointMetrics.status === 'fulfilled' ? endpointMetrics.value : {}, dashboardMetrics: dashboardMetrics.status === 'fulfilled' ? dashboardMetrics.value : {}, riskEngineMetrics: riskEngineMetrics.status === 'fulfilled' ? riskEngineMetrics.value : {}, }; }, }); usageCollection.registerCollector(collector); };