[Security Solution][Detections] Adds rule execution log table

packages/kbn-securitysolution-rules/src/configuration_constants.ts

@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+/**
+ * Max number of execution events to aggregate in memory for the Rule Execution Log
+ */
+export const MAX_EXECUTION_EVENTS_DISPLAYED = 1000 as const;

packages/kbn-securitysolution-rules/src/index.ts

@@ -6,6 +6,7 @@
  * Side Public License, v 1.
  */
 
+export * from './configuration_constants';
 export * from './rule_type_constants';
 export * from './rule_type_mappings';
 export * from './utils';

x-pack/plugins/security_solution/common/constants.ts

@@ -440,3 +440,6 @@ export const RULES_TABLE_PAGE_SIZE_OPTIONS = [5, 10, 20, 50, RULES_TABLE_MAX_PAG
  */
 export const RULES_MANAGEMENT_FEATURE_TOUR_STORAGE_KEY =
   'securitySolution.rulesManagementPage.newFeaturesTour.v8.1';
+
+export const RULE_DETAILS_EXECUTION_LOG_TABLE_SHOW_METRIC_COLUMNS_STORAGE_KEY =
+  'securitySolution.ruleDetails.ruleExecutionLog.showMetrics.v8.2';

x-pack/plugins/security_solution/common/detection_engine/schemas/common/rule_monitoring.ts

@@ -106,3 +106,31 @@ export const ruleExecutionEvent = t.type({
 });
 
 export type RuleExecutionEvent = t.TypeOf<typeof ruleExecutionEvent>;
+
+// -------------------------------------------------------------------------------------------------
+// Aggregate Rule execution events
+
+export const aggregateRuleExecutionEvent = t.type({
+  execution_uuid: t.string,
+  timestamp: IsoDateString,
+  duration_ms: t.number,
+  status: t.string,
+  message: t.string,
+  num_active_alerts: t.number,
+  num_new_alerts: t.number,
+  num_recovered_alerts: t.number,
+  num_triggered_actions: t.number,
+  num_succeeded_actions: t.number,
+  num_errored_actions: t.number,
+  total_search_duration_ms: t.number,
+  es_search_duration_ms: t.number,
+  schedule_delay_ms: t.number,
+  timed_out: t.boolean,
+  indexing_duration_ms: t.number,
+  search_duration_ms: t.number,
+  gap_duration_ms: t.number,
+  security_status: t.string,
+  security_message: t.string,
+});
+
+export type AggregateRuleExecutionEvent = t.TypeOf<typeof aggregateRuleExecutionEvent>;

x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_request.ts → x-pack/plugins/security_solution/common/detection_engine/schemas/request/get_rule_execution_events_schema.ts

@@ -7,12 +7,27 @@
 
 import * as t from 'io-ts';
 
+import { sortFieldOrUndefined, sortOrderOrUndefined } from '../common';
+
 export const GetRuleExecutionEventsRequestParams = t.exact(
   t.type({
     ruleId: t.string,
   })
 );
 
+export const GetRuleExecutionEventsQueryParams = t.exact(
+  t.type({
+    start: t.string,
+    end: t.string,
+    query_text: t.union([t.string, t.undefined]),
+    status_filters: t.union([t.string, t.undefined]),
+    per_page: t.union([t.string, t.undefined]),
+    page: t.union([t.string, t.undefined]),
+    sort_field: sortFieldOrUndefined,
+    sort_order: sortOrderOrUndefined,
+  })
+);
+
 export type GetRuleExecutionEventsRequestParams = t.TypeOf<
   typeof GetRuleExecutionEventsRequestParams
 >;

x-pack/plugins/security_solution/common/detection_engine/schemas/response/get_rule_execution_events_response.ts

@@ -6,7 +6,7 @@
  */
 
 import * as t from 'io-ts';
-import { ruleExecutionEvent } from '../common';
+import { aggregateRuleExecutionEvent, ruleExecutionEvent } from '../common';
 
 export const GetRuleExecutionEventsResponse = t.exact(
   t.type({
@@ -15,3 +15,14 @@ export const GetRuleExecutionEventsResponse = t.exact(
 );
 
 export type GetRuleExecutionEventsResponse = t.TypeOf<typeof GetRuleExecutionEventsResponse>;
+
+export const GetAggregateRuleExecutionEventsResponse = t.exact(
+  t.type({
+    events: t.array(aggregateRuleExecutionEvent),
+    total: t.number,
+  })
+);
+
+export type GetAggregateRuleExecutionEventsResponse = t.TypeOf<
+  typeof GetAggregateRuleExecutionEventsResponse
+>;

x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/__mocks__/api.ts

@@ -5,9 +5,8 @@
  * 2.0.
  */
 
-import { RuleExecutionStatus } from '../../../../../../common/detection_engine/schemas/common';
 import {
-  GetRuleExecutionEventsResponse,
+  GetAggregateRuleExecutionEventsResponse,
   RulesSchema,
 } from '../../../../../../common/detection_engine/schemas/response';
 
@@ -62,19 +61,44 @@ export const fetchRules = async (_: FetchRulesProps): Promise<FetchRulesResponse
 
 export const fetchRuleExecutionEvents = async ({
   ruleId,
+  start,
+  end,
+  filters,
   signal,
 }: {
   ruleId: string;
+  start: string;
+  end: string;
+  filters?: string;
   signal?: AbortSignal;
-}): Promise<GetRuleExecutionEventsResponse> => {
+}): Promise<GetAggregateRuleExecutionEventsResponse> => {
   return Promise.resolve({
     events: [
       {
-        date: '2021-12-29T10:42:59.996Z',
-        status: RuleExecutionStatus.succeeded,
-        message: 'Rule executed successfully',
+        duration_ms: 3866,
+        es_search_duration_ms: 1236,
+        execution_uuid: '88d15095-7937-462c-8f21-9763e1387cad',
+        gap_duration_ms: 0,
+        indexing_duration_ms: 95,
+        message:
+          "rule executed: siem.queryRule:fb1fc150-a292-11ec-a2cf-c1b28b0392b0: 'Lots of Execution Events'",
+        num_active_alerts: 0,
+        num_errored_actions: 0,
+        num_new_alerts: 0,
+        num_recovered_alerts: 0,
+        num_succeeded_actions: 1,
+        num_triggered_actions: 1,
+        schedule_delay_ms: -127535,
+        search_duration_ms: 1255,
+        security_message: 'succeeded',
+        security_status: 'succeeded',
+        status: 'success',
+        timed_out: false,
+        timestamp: '2022-03-13T06:04:05.838Z',
+        total_search_duration_ms: 0,
       },
     ],
+    total: 1,
   });
 };
 

x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.test.ts

@@ -595,19 +595,43 @@ describe('Detections Rules API', () => {
     });
 
     test('calls API with correct parameters', async () => {
-      await fetchRuleExecutionEvents({ ruleId: '42', signal: abortCtrl.signal });
+      await fetchRuleExecutionEvents({
+        ruleId: '42',
+        start: '2001-01-01T17:00:00.000Z',
+        end: '2001-01-02T17:00:00.000Z',
+        queryText: '',
+        statusFilters: '',
+        signal: abortCtrl.signal,
+      });
 
       expect(fetchMock).toHaveBeenCalledWith(
         '/internal/detection_engine/rules/42/execution/events',
         {
           method: 'GET',
+          query: {
+            end: '2001-01-02T17:00:00.000Z',
+            page: undefined,
+            per_page: undefined,
+            query_text: '',
+            sort_field: undefined,
+            sort_order: undefined,
+            start: '2001-01-01T17:00:00.000Z',
+            status_filters: '',
+          },
           signal: abortCtrl.signal,
         }
       );
     });
 
     test('returns API response as is', async () => {
-      const response = await fetchRuleExecutionEvents({ ruleId: '42', signal: abortCtrl.signal });
+      const response = await fetchRuleExecutionEvents({
+        ruleId: '42',
+        start: 'now-30',
+        end: 'now',
+        queryText: '',
+        statusFilters: '',
+        signal: abortCtrl.signal,
+      });
       expect(response).toEqual(responseMock);
     });
   });

x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/api.ts

@@ -6,6 +6,7 @@
  */
 
 import { camelCase } from 'lodash';
+import dateMath from '@elastic/datemath';
 import { HttpStart } from 'src/core/public';
 
 import {
@@ -24,7 +25,7 @@ import {
 } from '../../../../../common/detection_engine/schemas/request';
 import {
   RulesSchema,
-  GetRuleExecutionEventsResponse,
+  GetAggregateRuleExecutionEventsResponse,
 } from '../../../../../common/detection_engine/schemas/response';
 
 import {
@@ -315,21 +316,57 @@ export const exportRules = async ({
 /**
  * Fetch rule execution events (e.g. status changes) from Event Log.
  *
- * @param ruleId string Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`)
+ * @param ruleId Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`)
+ * @param start Start daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now-30`)
+ * @param end End daterange either in UTC ISO8601 or as datemath string (e.g. `2021-12-29T02:44:41.653Z` or `now/w`)
+ * @param queryText search string in querystring format (e.g. `event.duration > 1000 OR kibana.alert.rule.execution.metrics.execution_gap_duration_s > 100`)
+ * @param statusFilters comma separated string of `statusFilters` (e.g. `succeeded,failed,partial failure`)
+ * @param page current page to fetch
+ * @param perPage number of results to fetch per page
+ * @param sortField field to sort by
+ * @param sortOrder what order to sort by (e.g. `asc` or `desc`)
  * @param signal AbortSignal Optional signal for cancelling the request
  *
  * @throws An error if response is not OK
  */
 export const fetchRuleExecutionEvents = async ({
   ruleId,
+  start,
+  end,
+  queryText,
+  statusFilters,
+  page,
+  perPage,
+  sortField,
+  sortOrder,
   signal,
 }: {
   ruleId: string;
+  start: string;
+  end: string;
+  queryText?: string;
+  statusFilters?: string;
+  page?: number;
+  perPage?: number;
+  sortField?: string;
+  sortOrder?: string;
   signal?: AbortSignal;
-}): Promise<GetRuleExecutionEventsResponse> => {
+}): Promise<GetAggregateRuleExecutionEventsResponse> => {
   const url = detectionEngineRuleExecutionEventsUrl(ruleId);
-  return KibanaServices.get().http.fetch<GetRuleExecutionEventsResponse>(url, {
+  const startDate = dateMath.parse(start);
+  const endDate = dateMath.parse(end, { roundUp: true });
+  return KibanaServices.get().http.fetch<GetAggregateRuleExecutionEventsResponse>(url, {
     method: 'GET',
+    query: {
+      start: startDate?.utc().toISOString(),
+      end: endDate?.utc().toISOString(),
+      query_text: queryText?.trim(),
+      status_filters: statusFilters?.trim(),
+      page,
+      per_page: perPage,
+      sort_field: sortField,
+      sort_order: sortOrder,
+    },
     signal,
   });
 };

x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/translations.ts

@@ -14,6 +14,13 @@ export const RULE_AND_TIMELINE_FETCH_FAILURE = i18n.translate(
   }
 );
 
+export const RULE_EXECUTION_FETCH_FAILURE = i18n.translate(
+  'xpack.securitySolution.containers.detectionEngine.ruleExecutionLogFailureDescription',
+  {
+    defaultMessage: 'Failed to fetch Rule Execution Events',
+  }
+);
+
 export const RULE_ADD_FAILURE = i18n.translate(
   'xpack.securitySolution.containers.detectionEngine.addRuleFailDescription',
   {

x-pack/plugins/security_solution/public/detections/containers/detection_engine/rules/use_rule_execution_events.test.tsx

@@ -12,7 +12,6 @@ import React from 'react';
 import { QueryClient, QueryClientProvider } from 'react-query';
 import { renderHook, cleanup } from '@testing-library/react-hooks';
 
-import { RuleExecutionStatus } from '../../../../../common/detection_engine/schemas/common';
 import { useRuleExecutionEvents } from './use_rule_execution_events';
 
 import * as api from './api';
@@ -45,9 +44,19 @@ describe('useRuleExecutionEvents', () => {
   };
 
   const render = () =>
-    renderHook(() => useRuleExecutionEvents(SOME_RULE_ID), {
-      wrapper: createReactQueryWrapper(),
-    });
+    renderHook(
+      () =>
+        useRuleExecutionEvents({
+          ruleId: SOME_RULE_ID,
+          start: 'now-30',
+          end: 'now',
+          queryText: '',
+          statusFilters: '',
+        }),
+      {
+        wrapper: createReactQueryWrapper(),
+      }
+    );
 
   it('calls the API via fetchRuleExecutionEvents', async () => {
     const fetchRuleExecutionEvents = jest.spyOn(api, 'fetchRuleExecutionEvents');
@@ -77,13 +86,34 @@ describe('useRuleExecutionEvents', () => {
     expect(result.current.isLoading).toEqual(false);
     expect(result.current.isSuccess).toEqual(true);
     expect(result.current.isError).toEqual(false);
-    expect(result.current.data).toEqual([
-      {
-        date: '2021-12-29T10:42:59.996Z',
-        status: RuleExecutionStatus.succeeded,
-        message: 'Rule executed successfully',
-      },
-    ]);
+    expect(result.current.data).toEqual({
+      events: [
+        {
+          duration_ms: 3866,
+          es_search_duration_ms: 1236,
+          execution_uuid: '88d15095-7937-462c-8f21-9763e1387cad',
+          gap_duration_ms: 0,
+          indexing_duration_ms: 95,
+          message:
+            "rule executed: siem.queryRule:fb1fc150-a292-11ec-a2cf-c1b28b0392b0: 'Lots of Execution Events'",
+          num_active_alerts: 0,
+          num_errored_actions: 0,
+          num_new_alerts: 0,
+          num_recovered_alerts: 0,
+          num_succeeded_actions: 1,
+          num_triggered_actions: 1,
+          schedule_delay_ms: -127535,
+          search_duration_ms: 1255,
+          security_message: 'succeeded',
+          security_status: 'succeeded',
+          status: 'success',
+          timed_out: false,
+          timestamp: '2022-03-13T06:04:05.838Z',
+          total_search_duration_ms: 0,
+        },
+      ],
+      total: 1,
+    });
   });
 
   it('handles exceptions from the API', async () => {