[Security Solution] Add "matched_indices_count" rule execution metric#259938
Merged
maximpn merged 13 commits intoelastic:mainfrom Apr 2, 2026
Merged
Conversation
maximpn
added
release_note:skip
2 tasks
banderror
added
release_note:enhancement
and removed
release_note:skip
maximpn
force-pushed
the
add-matched_indices_count-rule-execution-metric
branch
from
8fc4dbc to
5c24306
Compare
Contributor
Author
|
/ci |
Contributor
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Contributor
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Contributor
|
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management) |
src/platform/plugins/shared/data_views/server/fetcher/index_patterns_fetcher.ts
Outdated
Show resolved
Hide resolved
pmuellr
approved these changes
Mar 31, 2026
Contributor
pmuellr
left a comment
pmuellr
left a comment
There was a problem hiding this comment.
ResponseOps changes LGTM
maximpn
force-pushed
the
add-matched_indices_count-rule-execution-metric
branch
from
8b672c8 to
9588c3d
Compare
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
.../rule_execution_logic/indicator_match/trial_license_complete_tier/indicator_match_metrics.ts
Outdated
Show resolved
Hide resolved
src/platform/plugins/shared/data_views/server/fetcher/index_patterns_fetcher.ts
Show resolved
Hide resolved
maximpn
force-pushed
the
add-matched_indices_count-rule-execution-metric
branch
from
9588c3d to
eb94455
Compare
src/platform/plugins/shared/data_views/server/fetcher/index_patterns_fetcher.ts
Show resolved
Hide resolved
maximpn
force-pushed
the
add-matched_indices_count-rule-execution-metric
branch
from
86f4c94 to
c639813
Compare
marshallmain
reviewed
Apr 1, 2026
x-pack/platform/plugins/shared/event_log/generated/mappings.json
Outdated
Show resolved
Hide resolved
marshallmain
approved these changes
Apr 1, 2026
nikitaindik
approved these changes
Apr 1, 2026
Contributor
nikitaindik
left a comment
nikitaindik
left a comment
There was a problem hiding this comment.
Thanks, @maximpn! I skimmed through the changes and tested the PR locally with the new Execution Results table. The metrics were collected properly in my tests.
One minor technicality I found is that when a data view doesn't match any indices, we write 0 matched_indices_count to metrics, but if a data view doesn't exist at all, we don't write anything. Which is technically correct (nothing was queried), but might be confusing, as the end result is practically the same. Anyways, we can discuss it further when we work on handling 0 / null values for metrics later.
davismcphee
approved these changes
Apr 2, 2026
Contributor
davismcphee
left a comment
davismcphee
left a comment
There was a problem hiding this comment.
Data Discovery changes LGTM 👍
patrykkopycinski
approved these changes
Apr 2, 2026
mbondyra
added a commit
to mbondyra/kibana
that referenced
this pull request
Apr 2, 2026
…heck * commit 'af66aadafa7470ca8ba3e3edd3793bde81fa4596': (31 commits) [Scout] Update test config manifests (elastic#260850) [SLO]: register alerts schema embeddable (elastic#256570) [Discover][Flyout] Update overview fields table with new prop headerVisibility set to false (elastic#260692) [AiButton/Security] Migrate ai-related buttons to use custom styles (elastic#259847) [One Workflow] Fix connector step icons falling back to generic plugs in YAML editor (elastic#260785) [Agent Builder] Dashboard skill: Guard against editing non-ESQL based panels (elastic#260714) Security quality gate Cypress cleanup - Periodic Pipeline (elastic#260820) [Search] Deprecate search indices in favour of index management (elastic#260210) Upgrade dependency @elastic/charts to v71.4.0 (elastic#260593) [Security Solution] [HDQ]: integration-based targeting and descriptor versioning (elastic#258418) docs(saved-objects): consolidate docs and document scoped vs system client (elastic#260743) Fix observability UIAM config and add CPS observability variant (elastic#260485) [Security Solution] Add "matched_indices_count" rule execution metric (elastic#259938) [SigEvents] Add callout with working promote action. (elastic#260433) [Alerting V2] Episode table actions (elastic#260195) [Automatic Migration] Add ability to skip Reference Set step in QRadar upload workflow (elastic#259959) [Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (elastic#260046) Update dependency lightningcss to v1.32.0 (main) (elastic#259017) Update postcss (main) (elastic#255420) Migrate server-side apm.addLabels to OTel dual-write helpers (elastic#259619) ...
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Apr 2, 2026
…elastic#259938) **Addresses:** elastic#255513 **Relates to:** elastic#257203 ## Summary This PR adds `matched_indices_count` rule executor metric. On top of that it adds `matched_indicator_indices_count` for Indicator Match rules to cover indicator match indices. ## Details `matched_indices_count` rule execution metric represents the number of indices matched during rule execution. While obviously matched indices might be calculated in several ways we stick to the logic used in `runExecutionValidation()` function. It checks whether rule's index patterns has any matching indices to break rule execution when there are 0 matching indices. Under the hood it boils down to a request the [ES field caps API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-field-caps).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses: #255513
Relates to: #257203
Summary
This PR adds
matched_indices_countrule executor metric. On top of that it addsmatched_indicator_indices_countfor Indicator Match rules to cover indicator match indices.Details
matched_indices_countrule execution metric represents the number of indices matched during rule execution. While obviously matched indices might be calculated in several ways we stick to the logic used inrunExecutionValidation()function. It checks whether rule's index patterns has any matching indices to break rule execution when there are 0 matching indices. Under the hood it boils down to a request the ES field caps API.