[Security Solution][Attacks/Alerts] Telemetry for Attacks and Alerts Alignment (#256117)#256200
cc @e40pud
…Alignment (elastic#256117) (elastic#256200)

## Summary

Closes elastic#256117

This PR implements comprehensive **client-side Event-Based Telemetry (EBT)** for the new Attacks page. This validation effort aims to track user adoption, feature usage, and key interaction patterns across the Attacks workflow.

## Events

The following events are emitted when users interact with the Attacks page components, flyouts, and actions. All events are prefixed with `Attacks` in their human-readable name and are part of the `AttacksEventTypes` enum.

### Table & View Interactions

- **`Attacks Table Sort Changed`**: Emitted when sorting the attacks table.
  - `field`: The field used for sorting.
  - `direction`: `asc` or `desc`.
- **`Attacks View Option Changed`**: Emitted when toggling view options (e.g., anonymization).
  - `option`: The view option name.
  - `enabled`: Boolean status.
- **`Attacks KPI View Changed`**: Emitted when switching KPI panel views.
  - `view`: The selected view (`summary`, `trend`, `count`, `treemap`).
- **`Attacks Expanded View Tab Clicked`**: Emitted when switching tabs in the inline expanded attack view.
  - `tab`: `summary` or `alerts`.

### Action Interactions

All action events include a `source` property to distinguish between actions taken from different UI locations:

- `attacks_page_group_take_action`
- `attacks_page_group_summary`
- `attacks_page_flyout_take_action`
- `attacks_page_flyout_header`

* **`Attacks Action Status Updated`**: Emitted when updating attack status (Open, Acknowledge, Close).
  - `status`: The new status.
  - `scope`: `attack_only` or `attack_and_related_alerts`.
* **`Attacks Action Assignee Updated`**: Emitted when modifying assignees.
  - `scope`: `attack_only` or `attack_and_related_alerts`.
* **`Attacks Action Tags Updated`**: Emitted when adding/removing tags.
  - `scope`: `attack_only` or `attack_and_related_alerts`.
* **`Attacks Action Added To Case`**: Emitted when adding an attack to a case.
  - `action`: `add_to_new_case` or `add_to_existing_case`.
* **`Attacks Timeline Investigation Opened`**: Emitted when clicking "Investigate in timeline".
* **`Attacks AI Assistant Opened`**: Emitted when opening the AI Assistant for an attack.

### Feature & Navigation Events

- **`Attacks Details Flyout Opened`**: Emitted when opening the full attack details flyout.
  - `id`: The ID of the attack.
  - `source`: Where the flyout was opened from.
- **`Attacks Schedule Flyout Opened`**: Emitted when opening the scheduling flyout.
  - `source`: `attacks_page_header` or `attacks_page_empty_state`.
- **`Attacks Feature Promotion Callout Action`**: Emitted for interactions with the "Attack Discovery is moving" callout.
  - `action`: `view_attacks` or `hide`.

## How to verify (dev)

1. Enable local EBT shipping in `kibana.dev.yml` (or `kibana.yml`):
   ```yaml
   telemetry:
     optIn: true
     localShipper: true
   ```
2. In Discover, query the **Browser** index pattern:
   - **Index Pattern**: `ebt-kibana-browser*`
3. Filter for Attacks events:
   - `event_type: "Attacks *"` or `event_name` containing "Attacks"

### Verification Steps

1. **Table Interactions**:
   - Sort the Attacks table by any column.
   - Verify `Attacks Table Sort Changed` event with correct `field` and `direction`.
   - Toggle "Show anonymized data".
   - Verify `Attacks View Option Changed` event.
2. **KPI Views**:
   - Switch between Summary, Trend, Count, and Treemap views.
   - Verify `Attacks KPI View Changed` event with correct `view`.
3. **Actions (Table & Flyout)**:
   - Select an attack and use the "Take action" menu to:
     - Change status (Open/Close/Ack).
     - Add/Remove tags.
     - Assign a user.
     - Add to case.
   - Verify corresponding `Attacks Action *` events.
   - Check that the `source` field correctly identifies the location (`attacks_page_group_take_action`).
   - For Status, Assignee, and Tag updates, verify the `scope` matches user selection (only attack vs. attack + alerts).
   - For "Add to case", verify the `action` distinguishes between new and existing cases.
4. **Flyout Navigation**:
   - Click an attack ID to open the flyout.
   - Verify `Attacks Details Flyout Opened`.
   - Inside the flyout, perform an action (e.g., status update).
   - Verify the action event has `source: "attacks_page_flyout_take_action"` (or header source).
5. **Promotion Callout**:
   - On the legacy Attack Discovery page, interact with the "Moving to Detections" callout.
   - Verify `Attacks Feature Promotion Callout Action` with `view_attacks` or `hide`.

---

_PR developed with Cursor + Gemini 3 Pro_
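The verification steps above are manual: trigger an interaction, then eyeball the document in Discover. The following is an added example, not code from this PR or from Kibana, that turns the event catalogue in the description into a checker you can run over documents exported from the `ebt-kibana-browser*` index after walking through the steps. It assumes (the page does not say so) that each browser EBT document carries the event name in `event_type` and the reported payload under `properties`; the sample documents at the bottom are constructed, not real telemetry. Where the description does not enumerate a property's values (`field`, `option`, `status`, `id`, the flyout's `source`), the checker only enforces the type.

```typescript
// Added example, not code from the PR: checks EBT documents read back from the
// ebt-kibana-browser* index against the event catalogue in the PR description.
// Assumption (not stated on the page): a browser EBT document has the event
// name in `event_type` and the reported payload under `properties`.

interface EbtDoc {
  event_type: string;
  properties: Record<string, unknown>;
}

interface PropRule {
  type: 'string' | 'boolean';
  allowed?: readonly string[]; // omitted = any value of that type is accepted
}

const ACTION_SOURCES = [
  'attacks_page_group_take_action',
  'attacks_page_group_summary',
  'attacks_page_flyout_take_action',
  'attacks_page_flyout_header',
];
const SCOPES = ['attack_only', 'attack_and_related_alerts'];

const str = (allowed?: readonly string[]): PropRule => ({ type: 'string', allowed });
// Action events carry `source`; status/assignee/tag updates also carry `scope`.
const scoped = (extra: Record<string, PropRule> = {}): Record<string, PropRule> => ({
  source: str(ACTION_SOURCES),
  scope: str(SCOPES),
  ...extra,
});

// Event names and properties exactly as documented in the PR description.
// `status` values are not enumerated there, so any string is accepted for it.
const ATTACKS_EVENT_RULES: Record<string, Record<string, PropRule>> = {
  'Attacks Table Sort Changed': { field: str(), direction: str(['asc', 'desc']) },
  'Attacks View Option Changed': { option: str(), enabled: { type: 'boolean' } },
  'Attacks KPI View Changed': { view: str(['summary', 'trend', 'count', 'treemap']) },
  'Attacks Expanded View Tab Clicked': { tab: str(['summary', 'alerts']) },
  'Attacks Action Status Updated': scoped({ status: str() }),
  'Attacks Action Assignee Updated': scoped(),
  'Attacks Action Tags Updated': scoped(),
  'Attacks Action Added To Case': {
    source: str(ACTION_SOURCES),
    action: str(['add_to_new_case', 'add_to_existing_case']),
  },
  'Attacks Timeline Investigation Opened': { source: str(ACTION_SOURCES) },
  'Attacks AI Assistant Opened': { source: str(ACTION_SOURCES) },
  'Attacks Details Flyout Opened': { id: str(), source: str() },
  'Attacks Schedule Flyout Opened': {
    source: str(['attacks_page_header', 'attacks_page_empty_state']),
  },
  'Attacks Feature Promotion Callout Action': { action: str(['view_attacks', 'hide']) },
};

// Returns an empty list when the document matches its documented shape,
// otherwise one human-readable problem per offending property.
function validateAttacksEvent(doc: EbtDoc): string[] {
  const rules = ATTACKS_EVENT_RULES[doc.event_type];
  if (!rules) return [`unknown event_type "${doc.event_type}"`];
  const problems: string[] = [];
  for (const [name, rule] of Object.entries(rules)) {
    const value = doc.properties[name];
    if (value === undefined) {
      problems.push(`missing property "${name}"`);
    } else if (typeof value !== rule.type) {
      problems.push(`property "${name}" should be a ${rule.type}`);
    } else if (rule.allowed && !rule.allowed.includes(String(value))) {
      problems.push(`property "${name}" has unexpected value "${String(value)}"`);
    }
  }
  return problems;
}

// Per-event counts plus the documents that failed validation: a quick read-out
// after running through the verification steps.
function summarizeAttacksEvents(docs: EbtDoc[]): {
  counts: Record<string, number>;
  invalid: { doc: EbtDoc; problems: string[] }[];
} {
  const counts: Record<string, number> = {};
  const invalid: { doc: EbtDoc; problems: string[] }[] = [];
  for (const doc of docs) {
    counts[doc.event_type] = (counts[doc.event_type] ?? 0) + 1;
    const problems = validateAttacksEvent(doc);
    if (problems.length > 0) invalid.push({ doc, problems });
  }
  return { counts, invalid };
}

// Constructed sample documents (not real telemetry); the last two are deliberately wrong.
const SAMPLE_DOCS: EbtDoc[] = [
  { event_type: 'Attacks Table Sort Changed', properties: { field: '@timestamp', direction: 'desc' } },
  { event_type: 'Attacks View Option Changed', properties: { option: 'anonymization', enabled: true } },
  { event_type: 'Attacks Action Status Updated',
    properties: { source: 'attacks_page_flyout_take_action', status: 'closed', scope: 'attack_and_related_alerts' } },
  { event_type: 'Attacks Action Tags Updated', // misspelled scope
    properties: { source: 'attacks_page_group_take_action', scope: 'attack_and_alerts' } },
  { event_type: 'Attacks View Option Changed', // boolean sent as a string
    properties: { option: 'anonymization', enabled: 'true' } },
];

console.log(JSON.stringify(summarizeAttacksEvents(SAMPLE_DOCS), null, 2));
```

Feed it the hits of a Discover export (or a `_search` response's `_source` objects) in place of `SAMPLE_DOCS`; a non-empty `invalid` list after the verification steps points at the emitter whose payload drifted from the documented enum values, which is the kind of mismatch that silently breaks the dashboards built on this telemetry.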