[Security Solution] Add "alerts_candidate_count" rule execution metric#259917
Merged
maximpn merged 4 commits intoelastic:mainfrom Mar 31, 2026
Merged
[Security Solution] Add "alerts_candidate_count" rule execution metric#259917maximpn merged 4 commits intoelastic:mainfrom
maximpn merged 4 commits intoelastic:mainfrom
Conversation
maximpn
added
release_note:skip
Contributor
Author
|
/ci |
2 tasks
maximpn
changed the title
Contributor
Author
|
/ci |
Contributor
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Contributor
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Contributor
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
banderror
added
release_note:enhancement
and removed
release_note:skip
nikitaindik
approved these changes
Mar 30, 2026
Contributor
nikitaindik
left a comment
nikitaindik
left a comment
There was a problem hiding this comment.
I read through the code and tested that alerts_suppressed_count is calculated correctly for each rule type.
On a high level, for each rule type, I created two rules: one with suppression, one without. Then for each rule I ingested a few source events, ran a rule, inspected metrics.alerts_candidate_count and metrics.alerts_suppressed_count on the the resulting "execute" events in the event log. I expected alerts_candidate_count to be equal to the number of events I ingested and more than alerts_suppressed_count.
- ✅ Query
- ✅ EQL
- ✅ ESQL
- ✅ New Terms
- ✅ Indicator Match
- ✅ Threshold
- ✅ ML
Contributor
💚 Build Succeeded
Metrics [docs]
cc @maximpn |
dhurley14
approved these changes
Mar 31, 2026
mbondyra
added a commit
to mbondyra/kibana
that referenced
this pull request
Mar 31, 2026
…e_for_children6 * commit '3402744f63ca1196e97b11ffac4e7f7efab240df': (80 commits) [PerUserAuth] Add EARS auth type for Connectors V2 (elastic#253695) Fix `@elastic/eui/require-aria-label-for-modals` lint violations across `@elastic/kibana-core` files (elastic#259757) [Entity Analytics][Leads generation][4] Add API routes, LeadDataClient, and async generation (elastic#257046) [Agent Builder] Agent-centric UX redesign (elastic#258005) fix query streams failing test (elastic#260277) [Lens as code] Add list layout to the new API (elastic#259967) [FTR] Add warning comments to deployment-agnostic FTR base configs (elastic#260018) [Discover][Logs profile] Fix missing search highlights (elastic#260056) Plugin system: safe deletion (elastic#259038) [Infra] Fix Hosts filter options to match selected schema (elastic#259825) Manual Entity Resolution and flyout representation (elastic#260162) [Cascade] Handle grouping on fields with unset values (elastic#260033) [Fleet] generate OTel config for integration packages with otelcol inputs (elastic#259968) [Search] Switch over to V2 index management details (elastic#259866) [inference] increase timeout for ES inference calls (elastic#260382) [ES|QL] Enable subqueries (elastic#257455) [ES|QL] Change Point order free options (elastic#260282) [Auth] Added authentication strategy for UIAM OAuth (elastic#256182) [Security Solution] Add "alerts_candidate_count" rule execution metric (elastic#259917) [api-docs] 2026-03-31 Daily api_docs build (elastic#260380) ...
jeramysoucy
pushed a commit
to jeramysoucy/kibana
that referenced
this pull request
Apr 1, 2026
elastic#259917) **Addresses:** elastic#255513 **Relates to:** elastic#257203 ## Summary This PR adds logic to calculate `alerts_candidate_count` rule execution metric. The mapping was added in elastic#257203. ## Details `alerts_candidate_count` rule execution metric represents the number of detected alerts before any alerts suppression is applied. Alerts may be suppressed when alerts suppression by some field(s) in a certain time window is configured. Or it's a duplicate alert so Elasticsearch won't index alert documents with the same ids. The calculation logic varies based on the rule type but the logic described in the previous paragraph persists.
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Apr 2, 2026
elastic#259917) **Addresses:** elastic#255513 **Relates to:** elastic#257203 ## Summary This PR adds logic to calculate `alerts_candidate_count` rule execution metric. The mapping was added in elastic#257203. ## Details `alerts_candidate_count` rule execution metric represents the number of detected alerts before any alerts suppression is applied. Alerts may be suppressed when alerts suppression by some field(s) in a certain time window is configured. Or it's a duplicate alert so Elasticsearch won't index alert documents with the same ids. The calculation logic varies based on the rule type but the logic described in the previous paragraph persists.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses: #255513
Relates to: #257203
Summary
This PR adds logic to calculate
alerts_candidate_countrule execution metric. The mapping was added in #257203.Details
alerts_candidate_countrule execution metric represents the number of detected alerts before any alerts suppression is applied. Alerts may be suppressed when alerts suppression by some field(s) in a certain time window is configured. Or it's a duplicate alert so Elasticsearch won't index alert documents with the same ids.The calculation logic varies based on the rule type but the logic described in the previous paragraph persists.