
[Event Log] Added a new event log API, which allows to fetch events summary aggregations for saved objects by Ids. #91731


YulNaumenko
Contributor

This PR exposes a new event log API, which allows fetching event summary aggregations for saved objects by IDs.

Example:

POST /api/event_log/{type}/saved_object_summary?start=2021-02-04T06:39:27.442Z&end=2021-02-04T06:39:27.442Z

Body example
{
  "ids": [
    "ca200500-66b2-11eb-aa35-e3f876ca1006"
  ],
  "aggs": {
    "instances": {
      "terms": {
        "field": "kibana.alerting.instance_id",
        "order": {
          "_key": "asc"
        },
        "size": 65535
      }
    }
  }
}

@YulNaumenko YulNaumenko added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:EventLog v7.12.0 labels Feb 17, 2021
@YulNaumenko YulNaumenko requested a review from a team as a code owner February 17, 2021 19:37
@YulNaumenko YulNaumenko self-assigned this Feb 17, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@@ -156,6 +156,29 @@ export default function ({ getService }: FtrProviderContext) {
expect(eventsUntil.length).to.be(expectedEvents.length + 1);
assertEventsFromApiMatchCreatedEvents(eventsUntil, [firstEvent, ...expectedEvents]);
});

it('should aggregate events summary by Saved Object ids', async () => {
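Review bot: the new test at the end of this hunk names only the happy path ("should aggregate events summary by Saved Object ids"), and of the 23 added lines the header declares only the opening `it(...)` line is visible here, so its assertions cannot be checked in this view. Next to it, add cases for ids the user is not allowed to see, a mix of allowed and disallowed ids, and ids that do not exist, and have each of them assert on the HTTP status of the response rather than on an empty aggregation result, so that an implementation which silently drops such ids from the filter fails the suite instead of passing it.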
Contributor

I feel that some tests are missing here:

  1. What happens when a user requests SOs they don't have permission to see?
  2. What happens when a user requests a mix of SOs they are allowed to see and SOs they're not allowed to see?
  3. What happens when a user requests SOs that don't exist?

Contributor

Testing this locally, I'm not sure the behaviour I'm seeing aligns with what I'd expect.
If a user specifies a SO that doesn't exist or they have no permission to view - this just gets silently ignored.

I think we should actually return errors in these cases... 404s... or 302s.... accordingly.

What do you think?

Contributor Author

I think 404 should be the right error message.
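As an added example (not code from this PR or from the Kibana event log plugin) of the endpoint described in the PR description and of the fail-closed behaviour agreed in the thread above: every requested id is checked against what the caller can actually see before it reaches the Elasticsearch filter, an id that does not exist or that the caller may not view fails the whole request with 404 instead of being dropped silently, and the two cases produce an identical response so the status does not reveal which one applied. `partitionIds`, `buildSummaryBody`, `handleSummaryRequest`, `SAMPLE_LOOKUP` and the exact aggregation layout are assumptions; only the field names `kibana.saved_objects.*`, `kibana.alerting.instance_id` and `@timestamp` come from the page.

```typescript
// Added example, not code from the Kibana event log plugin. Names below
// (partitionIds, buildSummaryBody, handleSummaryRequest, SAMPLE_LOOKUP) are
// hypothetical; only the field names come from the PR discussion.

export interface SummaryRequest {
  type: string;                  // saved object type from the URL path
  ids: string[];                 // body.ids
  start?: string;                // ?start= (ISO timestamp)
  end?: string;                  // ?end=   (ISO timestamp)
  aggs: Record<string, unknown>; // body.aggs, run under each saved object's bucket
}

// What a saved-objects lookup reports about one id for the calling user.
export interface IdVisibility {
  exists: boolean;
  authorized: boolean;
}

export type LookupFn = (type: string, id: string) => IdVisibility;

export type SummaryOutcome =
  | { status: 200; esBody: Record<string, unknown> }
  | { status: 404; message: string };

// Constructed sample data standing in for a saved-objects client: one visible
// object, one that exists but the caller may not read, everything else unknown.
export const SAMPLE_LOOKUP: LookupFn = (_type, id) => {
  const table: Record<string, IdVisibility> = {
    'ca200500-66b2-11eb-aa35-e3f876ca1006': { exists: true, authorized: true },
    '11111111-1111-1111-1111-111111111111': { exists: true, authorized: false },
  };
  return table[id] || { exists: false, authorized: false };
};

// Split the de-duplicated requested ids into those the caller may aggregate
// over and those to reject. "Forbidden" and "missing" land in the same bucket
// on purpose: the response must not reveal which of the two applies.
export function partitionIds(type: string, ids: string[], lookup: LookupFn) {
  const visible: string[] = [];
  const rejected: string[] = [];
  ids.filter((id, i) => ids.indexOf(id) === i).forEach((id) => {
    const v = lookup(type, id);
    (v.exists && v.authorized ? visible : rejected).push(id);
  });
  return { visible, rejected };
}

// Elasticsearch body: match events through the nested kibana.saved_objects
// reference (primary relation, given type, verified ids) plus the optional time
// range, then bucket per saved object id and run the caller's aggs on the
// parent event documents via reverse_nested.
export function buildSummaryBody(
  type: string, ids: string[], aggs: Record<string, unknown>, start?: string, end?: string
): Record<string, unknown> {
  const range: Record<string, string> = {};
  if (start) range.gte = start;
  if (end) range.lte = end;
  const must: unknown[] = [{
    nested: {
      path: 'kibana.saved_objects',
      query: { bool: { must: [
        { term: { 'kibana.saved_objects.rel': { value: 'primary' } } },
        { term: { 'kibana.saved_objects.type': { value: type } } },
        { terms: { 'kibana.saved_objects.id': ids } },
      ] } },
    },
  }];
  if (Object.keys(range).length > 0) must.push({ range: { '@timestamp': range } });
  return {
    size: 0,
    query: { bool: { must } },
    aggs: { saved_objects: {
      nested: { path: 'kibana.saved_objects' },
      aggs: { requested: {
        // A matching event may also reference other saved objects; keep only
        // the verified ids so no foreign id shows up in the buckets.
        filter: { terms: { 'kibana.saved_objects.id': ids } },
        aggs: { by_id: {
          terms: { field: 'kibana.saved_objects.id', size: Math.max(ids.length, 1) },
          aggs: { summary: { reverse_nested: {}, aggs } },
        } },
      } },
    } },
  };
}

export function handleSummaryRequest(req: SummaryRequest, lookup: LookupFn): SummaryOutcome {
  const { visible, rejected } = partitionIds(req.type, req.ids, lookup);
  if (rejected.length > 0) {
    // Fail closed: one unknown or forbidden id fails the whole request with 404
    // (as agreed in the thread) instead of silently narrowing the filter.
    return { status: 404, message: 'One or more requested saved objects were not found' };
  }
  return { status: 200, esBody: buildSummaryBody(req.type, visible, req.aggs, req.start, req.end) };
}
```

The per-id lookup is the part that decides the security property; the query builder only ever sees ids that survived it, so an authorization bug cannot be patched over by a later filter, and the response for a forbidden id is byte-for-byte the one for a nonexistent id.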

@pmuellr pmuellr added v7.13.0 and removed v7.12.0 labels Feb 23, 2021
@YulNaumenko
Contributor Author

Closing this PR in favor of the upcoming changes for the "Alerts as data" concept. The Observability team no longer relies on this API.

@pmuellr
Member

pmuellr commented Sep 14, 2021

Time to open this back up! RAC is looking to do aggs over the event log. Hopefully it's still in good shape!

@pmuellr pmuellr reopened this Sep 14, 2021
@YulNaumenko
Contributor Author

Nice! I will take a look. If it's not in shape, I will fix it. @pmuellr, do you have the opened issue for this? Or are the requirements still the same?

@pmuellr
Member

pmuellr commented Sep 16, 2021

Responded off-line, realized I should have here as well:

Nice! I will take a look.

I've taken a quick look, the conflicts don't look bad, will hopefully have a commit with merge to master later today.

If it's not in shape, I will fix it. @pmuellr, do you have the opened issue for this? Or are the requirements still the same?

I'm going to have the RAC folks see if the API shape fits their requirements - as long as it does, I'm not sure we need a new issue opened at this point. Seems like #91265 is the best issue to focus on for this PR, although I wouldn't say it resolves that issue, more that this PR is required to resolve that issue. I don't mind if we create an issue specifically for this though ...

@pmuellr
Member

pmuellr commented Sep 20, 2021

I've merged master on this, but it was as of last week while working out the conflicts. So will need another merge, which I'll do from here, after this comment.

There's a TypeScript error in the query, so that will need to be resolved, but there are some other bits to do, like handling the date ranges, allowing additional filter clauses, etc.

@pmuellr
Member

pmuellr commented Sep 20, 2021

@elasticmachine merge upstream

@kibanamachine
Contributor

kibanamachine commented Sep 20, 2021

💔 Build Failed

Failed CI Steps


Test Failures

Kibana Pipeline / jest / Jest Tests.x-pack/plugins/event_log/server/es.queryEventsSummaryBySavedObjectIds should call cluster with proper aggregations and with default namespace

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches


Stack Trace

Error: expect(received).toMatchObject(expected)

- Expected  - 72
+ Received  +  2

@@ -1,16 +1,8 @@
  Object {
    "body": Object {
      "aggs": Object {
-       "saved_objects": Object {
-         "aggs": Object {
-           "saved_object": Object {
-             "aggs": Object {
-               "ids": Object {
-                 "aggs": Object {
-                   "summary": Object {
-                     "aggs": Object {
        "instances": Object {
          "aggs": Object {
            "instance_created": Object {
              "aggs": Object {
                "max_timestamp": Object {
@@ -28,97 +20,35 @@
          },
          "terms": Object {
            "field": "saved-object-type.instance_id",
            "order": Object {
              "_key": "asc",
-                           },
-                           "size": 65535,
            },
-                       },
-                     },
-                     "reverse_nested": Object {},
-                   },
-                 },
-                 "terms": Object {
-                   "field": "kibana.saved_objects.id",
            "size": 65535,
          },
        },
      },
-             "filter": Object {
-               "terms": Object {
-                 "kibana.saved_objects.id": Array [
-                   "saved-object-id",
-                 ],
-               },
-             },
-           },
-         },
-         "nested": Object {
-           "path": "kibana.saved_objects",
-         },
-       },
-     },
+     "query": Object {
        "query": Object {
          "bool": Object {
-         "must": Array [
-           Object {
            "nested": Object {
              "path": "kibana.saved_objects",
              "query": Object {
                "bool": Object {
-                   "must": Array [
-                     Object {
-                       "term": Object {
-                         "kibana.saved_objects.rel": Object {
-                           "value": "primary",
-                         },
-                       },
-                     },
-                     Object {
-                       "term": Object {
-                         "kibana.saved_objects.type": Object {
-                           "value": "saved-object-type",
-                         },
-                       },
-                     },
-                     Object {
-                       "terms": Object {
-                         "kibana.saved_objects.id": Array [
-                           "saved-object-id",
-                         ],
-                       },
-                     },
-                     Object {
+                 "must": Object {
                    "bool": Object {
                      "must_not": Object {
                        "exists": Object {
                          "field": "kibana.saved_objects.namespace",
-                           },
-                         },
                        },
                      },
-                   ],
                    },
                  },
                },
              },
-           Object {
-             "range": Object {
-               "@timestamp": Object {
-                 "gte": "2020-07-08T00:52:28.350Z",
            },
          },
-           },
-           Object {
-             "range": Object {
-               "@timestamp": Object {
-                 "lte": "2020-07-08T00:00:00.000Z",
-               },
-             },
-           },
-         ],
        },
      },
      "size": 0,
      "sort": Object {
        "@timestamp": Object {
    at Object.<anonymous> (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/x-pack/plugins/event_log/server/es/cluster_client_adapter.test.ts:1350:19)
    at _callCircusTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:212:5)
    at _runTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:149:3)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:63:9)
    at _runTestsForDescribeBlock (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:57:9)
    at run (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/run.js:25:3)
    at runAndTransformResultsToJestFormat (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/legacy-code-todo-rewrite/jestAdapterInit.js:176:21)
    at jestAdapter (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-circus/build/legacy-code-todo-rewrite/jestAdapter.js:109:19)
    at runTestInternal (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/runTest.js:380:16)
    at runTest (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/runTest.js:472:34)
    at Object.worker (/var/lib/jenkins/workspace/elastic+kibana+pipeline-pull-request/kibana/node_modules/jest-runner/build/testWorker.js:133:12)

Kibana Pipeline / general / X-Pack Case API Integration Tests.x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/import_export·ts.cases security and spaces enabled: basic Common import and export cases imports a case with a connector

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 1 times on tracked branches: https://dryrun

[00:00:00]         │
[00:00:00]           └-: cases security and spaces enabled: basic
[00:00:00]             └-> "before all" hook in "cases security and spaces enabled: basic"
[00:00:00]             └-> "before all" hook in "cases security and spaces enabled: basic"
[00:00:00]               │ debg creating space
[00:00:00]               │ debg created space
[00:00:00]               │ debg creating space
[00:00:01]               │ debg created space
[00:00:01]               │ debg creating role no_kibana_privileges
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [no_kibana_privileges]
[00:00:01]               │ debg creating role global_read
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [global_read]
[00:00:01]               │ debg creating role sec_only_all
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [sec_only_all]
[00:00:01]               │ debg creating role sec_only_read
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [sec_only_read]
[00:00:01]               │ debg creating role obs_only_all
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [obs_only_all]
[00:00:01]               │ debg creating role obs_only_read
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [obs_only_read]
[00:00:01]               │ debg creating role test_disabled_plugin_all
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [test_disabled_plugin_all]
[00:00:01]               │ debg creating user superuser
[00:00:01]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [superuser]
[00:00:01]               │ debg created user superuser
[00:00:01]               │ debg creating user sec_only
[00:00:01]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [sec_only]
[00:00:01]               │ debg created user sec_only
[00:00:01]               │ debg creating user sec_only_read
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [sec_only_read]
[00:00:02]               │ debg created user sec_only_read
[00:00:02]               │ debg creating user obs_only
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [obs_only]
[00:00:02]               │ debg created user obs_only
[00:00:02]               │ debg creating user obs_only_read
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [obs_only_read]
[00:00:02]               │ debg created user obs_only_read
[00:00:02]               │ debg creating user obs_sec
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [obs_sec]
[00:00:02]               │ debg created user obs_sec
[00:00:02]               │ debg creating user obs_sec_read
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [obs_sec_read]
[00:00:02]               │ debg created user obs_sec_read
[00:00:02]               │ debg creating user global_read
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [global_read]
[00:00:02]               │ debg created user global_read
[00:00:02]               │ debg creating user no_kibana_privileges
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [no_kibana_privileges]
[00:00:02]               │ debg created user no_kibana_privileges
[00:00:02]               │ debg creating user test_disabled
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [test_disabled]
[00:00:02]               │ debg created user test_disabled
[00:00:06]             └-: Common
[00:00:06]               └-> "before all" hook in "Common"
[00:07:35]               └-: import and export cases
[00:07:35]                 └-> "before all" hook for "exports a case with its associated user actions and comments"
[00:07:35]                 └-> exports a case with its associated user actions and comments
[00:07:35]                   └-> "before each" hook: global before each for "exports a case with its associated user actions and comments"
[00:07:39]                   └- ✓ pass  (4.1s) "cases security and spaces enabled: basic Common import and export cases exports a case with its associated user actions and comments"
[00:07:39]                 └-> "after each" hook for "exports a case with its associated user actions and comments"
[00:07:39]                 └-> imports a case with a comment and user actions
[00:07:39]                   └-> "before each" hook: global before each for "imports a case with a comment and user actions"
[00:07:40]                   └- ✓ pass  (979ms) "cases security and spaces enabled: basic Common import and export cases imports a case with a comment and user actions"
[00:07:40]                 └-> "after each" hook for "imports a case with a comment and user actions"
[00:07:40]                 └-> imports a case with a connector
[00:07:40]                   └-> "before each" hook: global before each for "imports a case with a connector"
[00:07:41]                   │ info [o.e.c.m.MetadataMappingService] [node-01] [.kibana_8.0.0_001/6hTUXiCkTiqDhfRDMBu1FQ] update_mapping [_doc]
[00:07:41]                   └- ✖ fail: cases security and spaces enabled: basic Common import and export cases imports a case with a connector
[00:07:41]                   │      Error: expected undefined to sort of equal '1cd34740-06ad-11ec-babc-0b08808e8e01'
[00:07:41]                   │       at Assertion.assert (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:07:41]                   │       at Assertion.eql (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:07:41]                   │       at Context.<anonymous> (test/case_api_integration/security_and_spaces/tests/common/cases/import_export.ts:156:50)
[00:07:41]                   │       at runMicrotasks (<anonymous>)
[00:07:41]                   │       at processTicksAndRejections (internal/process/task_queues.js:95:5)
[00:07:41]                   │       at Object.apply (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:07:41]                   │ 
[00:07:41]                   │ 

Stack Trace

Error: expected undefined to sort of equal '1cd34740-06ad-11ec-babc-0b08808e8e01'
    at Assertion.assert (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/case_api_integration/security_and_spaces/tests/common/cases/import_export.ts:156:50)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at Object.apply (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16) {
  actual: undefined,
  expected: '1cd34740-06ad-11ec-babc-0b08808e8e01',
  showDiff: true
}

Kibana Pipeline / general / X-Pack Case API Integration Tests.x-pack/test/case_api_integration/security_and_spaces/tests/common/cases/import_export·ts.cases security and spaces enabled: basic Common import and export cases imports a case with a connector

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]         │
[00:00:00]           └-: cases security and spaces enabled: basic
[00:00:00]             └-> "before all" hook in "cases security and spaces enabled: basic"
[00:00:00]             └-> "before all" hook in "cases security and spaces enabled: basic"
[00:00:00]               │ debg creating space
[00:00:00]               │ debg created space
[00:00:00]               │ debg creating space
[00:00:01]               │ debg created space
[00:00:01]               │ debg creating role no_kibana_privileges
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [no_kibana_privileges]
[00:00:01]               │ debg creating role global_read
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [global_read]
[00:00:01]               │ debg creating role sec_only_all
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [sec_only_all]
[00:00:01]               │ debg creating role sec_only_read
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [sec_only_read]
[00:00:01]               │ debg creating role obs_only_all
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [obs_only_all]
[00:00:01]               │ debg creating role obs_only_read
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [obs_only_read]
[00:00:01]               │ debg creating role test_disabled_plugin_all
[00:00:01]               │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [test_disabled_plugin_all]
[00:00:01]               │ debg creating user superuser
[00:00:01]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [superuser]
[00:00:01]               │ debg created user superuser
[00:00:01]               │ debg creating user sec_only
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [sec_only]
[00:00:02]               │ debg created user sec_only
[00:00:02]               │ debg creating user sec_only_read
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [sec_only_read]
[00:00:02]               │ debg created user sec_only_read
[00:00:02]               │ debg creating user obs_only
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [obs_only]
[00:00:02]               │ debg created user obs_only
[00:00:02]               │ debg creating user obs_only_read
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [obs_only_read]
[00:00:02]               │ debg created user obs_only_read
[00:00:02]               │ debg creating user obs_sec
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [obs_sec]
[00:00:02]               │ debg created user obs_sec
[00:00:02]               │ debg creating user obs_sec_read
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [obs_sec_read]
[00:00:02]               │ debg created user obs_sec_read
[00:00:02]               │ debg creating user global_read
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [global_read]
[00:00:02]               │ debg created user global_read
[00:00:02]               │ debg creating user no_kibana_privileges
[00:00:02]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [no_kibana_privileges]
[00:00:02]               │ debg created user no_kibana_privileges
[00:00:02]               │ debg creating user test_disabled
[00:00:03]               │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [test_disabled]
[00:00:03]               │ debg created user test_disabled
[00:00:06]             └-: Common
[00:00:06]               └-> "before all" hook in "Common"
[00:07:35]               └-: import and export cases
[00:07:35]                 └-> "before all" hook for "exports a case with its associated user actions and comments"
[00:07:35]                 └-> exports a case with its associated user actions and comments
[00:07:35]                   └-> "before each" hook: global before each for "exports a case with its associated user actions and comments"
[00:07:39]                   └- ✓ pass  (4.0s) "cases security and spaces enabled: basic Common import and export cases exports a case with its associated user actions and comments"
[00:07:39]                 └-> "after each" hook for "exports a case with its associated user actions and comments"
[00:07:39]                 └-> imports a case with a comment and user actions
[00:07:39]                   └-> "before each" hook: global before each for "imports a case with a comment and user actions"
[00:07:40]                   └- ✓ pass  (977ms) "cases security and spaces enabled: basic Common import and export cases imports a case with a comment and user actions"
[00:07:40]                 └-> "after each" hook for "imports a case with a comment and user actions"
[00:07:40]                 └-> imports a case with a connector
[00:07:40]                   └-> "before each" hook: global before each for "imports a case with a connector"
[00:07:40]                   │ info [o.e.c.m.MetadataMappingService] [node-01] [.kibana_8.0.0_001/n1AQKqqsTUiTBrZlwZ5oVQ] update_mapping [_doc]
[00:07:41]                   └- ✖ fail: cases security and spaces enabled: basic Common import and export cases imports a case with a connector
[00:07:41]                   │      Error: expected undefined to sort of equal '1cd34740-06ad-11ec-babc-0b08808e8e01'
[00:07:41]                   │       at Assertion.assert (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:07:41]                   │       at Assertion.eql (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:07:41]                   │       at Context.<anonymous> (test/case_api_integration/security_and_spaces/tests/common/cases/import_export.ts:156:50)
[00:07:41]                   │       at runMicrotasks (<anonymous>)
[00:07:41]                   │       at processTicksAndRejections (internal/process/task_queues.js:95:5)
[00:07:41]                   │       at Object.apply (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:07:41]                   │ 
[00:07:41]                   │ 

Stack Trace

Error: expected undefined to sort of equal '1cd34740-06ad-11ec-babc-0b08808e8e01'
    at Assertion.assert (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/case_api_integration/security_and_spaces/tests/common/cases/import_export.ts:156:50)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at Object.apply (/dev/shm/workspace/parallel/15/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16) {
  actual: undefined,
  expected: '1cd34740-06ad-11ec-babc-0b08808e8e01',
  showDiff: true
}

and 1 more failures, only showing the first 3.

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @YulNaumenko

@pmuellr
Member

pmuellr commented Sep 21, 2021

As of commit 2efb2b8 , I've got master merged again after this PR was closed for a few months, and also done a subsequent merge master.

Still a lot of work to go:

  • we're not sure what kind of RBAC we want for this call - we may want to make use of the alerting RBAC filter generation code, but that requires consumer and spaceIds fields in the event log, which we don't have yet via PR 108117. If we do want to go that route, the aggs API shouldn't deal with any security filtering, and should not be exposed as an HTTP API. The RBAC filter would be provided by alerting, and an HTTP API and rulesClient API will need to be added to call this API, calculating the RBAC filter and passing it in as part of the query

  • if we alternatively want to use the existing filtering mechanism of SO references, we can make an HTTP endpoint available, and we could add a rulesClient API and HTTP API to alerting to do a find() on the SOs first, then pass the result to the event log API, to make it a little easier to use.

  • if we are dealing with SO references, we'll want the legacy id support (for shareable SO migrations) in here (it's in the basic query support) to look for legacy SO ids

  • need to determine the final shape of the parameters / return value

@pmuellr
Member

pmuellr commented Jan 4, 2022

Closing as we still don't have a hard requirement for this (I don't think) and the PR is quite old at this point. We'll have to dust it off again next time we make a go at it ...

@pmuellr
Member

pmuellr commented Feb 7, 2022

We've started doing some aggs on the event log, through another mechanism, for telemetry purposes. These usages don't need the RBAC support, but presumably we'd have some "core" aggs support which would then be used with an RBAC filter (or SO id filter). Examples:

Both of these use cases also use scripts, so if we want those use cases to also be fulfilled with first class aggs support on the event log, we'd also need to add script support. Perhaps that would just be internal?

@gmmorris
Contributor

gmmorris commented Feb 8, 2022

I've asked @spong to file an issue with clear requirements given the needs raised in #124198.

Perhaps that would just be internal?

Indeed, the first pass should likely be internal, exposed for the needs raised in @spong's issue. We can then explore opening it up once we're confident the API makes sense for broader use.

@spong
Member

spong commented Feb 15, 2022

@banderror has created this issue for the Detection Rules Area (#125645) outlining the requirements for adding aggregations to the event-log client.
