[SecruitySolution][Endpoint][ResponseActions] Capture response actions usage on all rule types#225081
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
Bamieh
left a comment
telemetry schema changes lgtm (only new additional fields)
…ditya/kibana into task/edr-rules-snapshot-telemetry
💚 Build Succeeded
cc @ashokaditya
rylnd
left a comment
Detection engine changes (addition of these new usage fields in a few files) LGTM. I didn't check this out to verify, but the updated integration tests demonstrate the default values being generated.
Starting backport for target branches: 8.17, 8.18, 8.19, 9.0 https://github.com/elastic/kibana/actions/runs/15859898252
…s usage on all rule types (elastic#225081)

## Summary

This PR is adding additional (snapshot) telemetry to detection rules to capture response actions usage.

- Mapping PR elastic/telemetry#4878

## Testing

1. Create rules with response actions (Osquery or Elastic Defend).
2. Make sure the rule has executed and alerts triggered.
3. Test snapshot telemetry by:
   - using the API call on Kibana dev console or,
     <details><summary>API call</summary>
     <code>
     POST kbn:/internal/telemetry/clusters/_stats?apiVersion=2
     { "unencrypted": true, "refreshCache": true }
     </code>
     </details>
   - navigating to `app/management/kibana/settings`, click on `cluster data` under `Usage collection` section. Snapshot data should show up in a flyout.

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

(cherry picked from commit a3ff2f7)
💔 Some backports could not be created

Note: Successful backport PRs will be merged automatically after passing CI.

Manual backport: to create the backport manually run:

Questions? Please refer to the Backport tool documentation
… actions usage on all rule types (#225081) (#225158)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[SecruitySolution][Endpoint][ResponseActions] Capture response actions usage on all rule types (#225081)](#225081)

Source commit: a3ff2f7b6b1ca22e4c5b29e8d684660a81700224 on `main` (committed 2025-06-24T19:39:19Z, author Ash), source PR labels: release_note:skip, Team:Defend Workflows, OLM Sprint, backport:prev-minor, backport:prev-major, backport:all-open, backport:version, v9.1.0. Backport version: 9.6.6.

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Ash <1849116+ashokaditya@users.noreply.github.com>
…actions usage on all rule types (#225081) (#225159)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[SecruitySolution][Endpoint][ResponseActions] Capture response actions usage on all rule types (#225081)](#225081)

Source commit: a3ff2f7b6b1ca22e4c5b29e8d684660a81700224 on `main` (committed 2025-06-24T19:39:19Z, author Ash), source PR labels: release_note:skip, Team:Defend Workflows, OLM Sprint, backport:prev-minor, backport:prev-major, backport:all-open, backport:version, v9.1.0. Backport version: 9.6.6.

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Ash <1849116+ashokaditya@users.noreply.github.com>
…esponse actions usage on all rule types (elastic#225081) (elastic#225159)" This reverts commit d19f92f.
Summary

This PR is adding additional (snapshot) telemetry to detection rules to capture response actions usage.

- Mapping PR elastic/telemetry#4878

Testing

1. Create rules with response actions (Osquery or Elastic Defend).
2. Make sure the rule has executed and alerts triggered.
3. Test snapshot telemetry by:
   - using the API call on Kibana dev console or,
     API call
     POST kbn:/internal/telemetry/clusters/_stats?apiVersion=2
     { "unencrypted": true, "refreshCache": true }
   - navigating to `app/management/kibana/settings`, click on `cluster data` under `Usage collection` section. Snapshot data should show up in a flyout.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
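Added example, not code from this PR or from Kibana: a TypeScript sketch of what "capture response actions usage on all rule types" amounts to. It aggregates, per rule type, how many rules carry Osquery or Elastic Defend response actions from rule objects shaped like the detection rules API output, and builds the request the testing step above issues against `/internal/telemetry/clusters/_stats?apiVersion=2`. Assumptions: the `type`, `enabled` and `response_actions[].action_type_id` (`.osquery`, `.endpoint`) field names follow the detection rules API; the aggregated output shape, the sample rules and the `kbn-xsrf` / `x-elastic-internal-origin` headers (used when calling the internal route outside the dev console) are mine, and the field names this PR actually adds to the telemetry schema are not listed on this page.

```typescript
// Added illustration (not Kibana's own telemetry collector). Counts response
// action usage per detection rule type from rule objects as the detection rules
// API returns them. Field names below are assumptions (see lead-in).

type ResponseActionTypeId = '.osquery' | '.endpoint';

interface ResponseAction {
  action_type_id: ResponseActionTypeId;
  params: Record<string, unknown>; // e.g. { query: '...' } or { command: 'isolate' }
}

interface DetectionRule {
  id: string;
  type: string; // 'query' | 'eql' | 'esql' | 'threshold' | 'machine_learning' | ...
  enabled: boolean;
  response_actions?: ResponseAction[];
}

// Hypothetical output shape; the real schema fields are not shown on this page.
interface ResponseActionsUsage {
  rules_with_response_actions: number;
  osquery: number; // rules with at least one Osquery action
  endpoint: number; // rules with at least one Elastic Defend action
  endpoint_commands: Record<string, number>; // per-command count, e.g. isolate
}

type UsageByRuleType = Record<string, ResponseActionsUsage>;

function emptyUsage(): ResponseActionsUsage {
  return { rules_with_response_actions: 0, osquery: 0, endpoint: 0, endpoint_commands: {} };
}

// Snapshot-style aggregation: one pass over the rules, one bucket per rule type.
// Disabled rules are skipped by default, which is the choice to pin down in a
// test because it changes what "usage" means.
function summarizeResponseActions(rules: DetectionRule[], enabledOnly = true): UsageByRuleType {
  const out: UsageByRuleType = {};
  for (const rule of rules) {
    if (enabledOnly && !rule.enabled) continue;
    const actions = rule.response_actions ?? [];
    if (actions.length === 0) continue; // rule types without actions keep their defaults

    let bucket = out[rule.type];
    if (!bucket) {
      bucket = emptyUsage();
      out[rule.type] = bucket;
    }
    bucket.rules_with_response_actions += 1;
    // A rule counts once per action type, however many actions of that type it has.
    if (actions.some((a) => a.action_type_id === '.osquery')) bucket.osquery += 1;
    if (actions.some((a) => a.action_type_id === '.endpoint')) bucket.endpoint += 1;
    for (const a of actions) {
      if (a.action_type_id !== '.endpoint') continue;
      const cmd = a.params.command;
      const command = typeof cmd === 'string' ? cmd : 'unknown';
      bucket.endpoint_commands[command] = (bucket.endpoint_commands[command] ?? 0) + 1;
    }
  }
  return out;
}

// Request descriptor for the snapshot telemetry call from the PR's test steps.
// `unencrypted: true` returns the raw usage payload for local inspection; treat
// the response as sensitive cluster metadata and do not forward it elsewhere.
function clusterStatsRequest(kibanaUrl: string, apiKey: string) {
  return {
    url: `${kibanaUrl.replace(/\/$/, '')}/internal/telemetry/clusters/_stats?apiVersion=2`,
    method: 'POST' as const,
    headers: {
      'Content-Type': 'application/json',
      'kbn-xsrf': 'true', // required by Kibana for non-GET requests
      'x-elastic-internal-origin': 'Kibana', // assumption: needed for /internal routes
      Authorization: `ApiKey ${apiKey}`,
    },
    body: JSON.stringify({ unencrypted: true, refreshCache: true }),
  };
}

// Constructed sample rules (not real data).
const SAMPLE_RULES: DetectionRule[] = [
  { id: 'r1', type: 'query', enabled: true,
    response_actions: [{ action_type_id: '.osquery', params: { query: 'select * from processes;' } }] },
  { id: 'r2', type: 'query', enabled: true,
    response_actions: [
      { action_type_id: '.endpoint', params: { command: 'isolate', comment: 'auto-isolate' } },
      { action_type_id: '.osquery', params: { query: 'select * from users;' } },
    ] },
  { id: 'r3', type: 'eql', enabled: true,
    response_actions: [{ action_type_id: '.endpoint', params: { command: 'kill-process', comment: 'auto' } }] },
  { id: 'r4', type: 'threshold', enabled: false,
    response_actions: [{ action_type_id: '.endpoint', params: { command: 'isolate' } }] },
  { id: 'r5', type: 'eql', enabled: true }, // no response actions: must not create a bucket
];
```

The check worth keeping from this sketch is the one the reviewer comment above points at: rule types with no response actions (`r5` here, and `r4` while disabled) must leave their counters at the defaults rather than producing partial buckets, and the `enabledOnly` flag should be decided explicitly, since it is the difference between "configured" and "active" usage.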