[Security Solution] Complete telemetry for Alerts tables #150656

YulNaumenko · 2023-02-09T03:07:55Z

Number of users selecting grouping
Most used group by fields
TODO: add more

elasticmachine · 2023-02-09T03:07:58Z

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

angorayc · 2023-02-27T15:12:00Z

Original issue: #144945

Alerts Grouping - [SecuritySolution] Add UI tracking for grouping options #151708

logeekal · 2023-02-28T12:12:27Z

  6. Columns toggled `alerts_table_{tableId}_group-{groupNumber}_toggle_{fieldName}_{on|off}` @elastic/response-ops
     
  7. Fields toggled `alerts_table_{tableId}_group-{groupNumber}_toggle_{fieldName}_{on|off}` @elastic/response-ops

What is the difference between these two @angorayc ?

angorayc · 2023-02-28T14:39:23Z

  6. Columns toggled `alerts_table_{tableId}_group-{groupNumber}_toggle_{fieldName}_{on|off}` @elastic/response-ops
     
  7. Fields toggled `alerts_table_{tableId}_group-{groupNumber}_toggle_{fieldName}_{on|off}` @elastic/response-ops

What is the difference between these two @angorayc ?

These are the columns and fields toggle I'd like to track if it's doable.

## Summary Relevant issues: Overall telemetry: #144945 Alerts telemetry: #150656 Preview dashboard: https://telemetry-v2-staging.elastic.dev/s/securitysolution/app/dashboards#/view/40755fc0-b454-11ed-a6e6-d32d2209b7b7?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-7d%2Fd,to:now)) **UI counter added** - overall counts 1. alerts_table_group_by_{tableId}_{groupByField} - `alerts_table_group_by_alerts-page_host.name ` triggered on grouping option changed. 2. alerts_table_toggled_{on|off}_{tableId}_group-{groupNumber} - `alerts_table_toggled_off_alerts-page_group-0` sent when grouped alerts toggled 3. alerts_table_{tableId}_group-{groupNumber}_mark-{status} - `alerts_table_alerts-page_group-0_mark-open` sent when group actions taken **Event based telemetry added** - extra info from `properties` can be aggregated / visualised 1. Alerts grouping take action - sent when group actions taken 2. Alerts grouping toggled - sent when grouped alerts toggled 3. Alerts grouping changed - triggered on grouping option changed [Example events](https://telemetry-v2-staging.elastic.dev/s/securitysolution/app/discover#/view/9b0f2080-bcd1-11ed-a6e6-d32d2209b7b7?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-7d%2Fd,to:now))&_a=(columns:!(context.applicationId,properties,properties.groupingId,properties.groupNumber,properties.status,event_type,properties.tableId),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:c5dc7cd0-2950-4e51-b428-d0451b1b8d9d,key:context.applicationId,negate:!f,params:(query:securitySolutionUI),type:phrase),query:(match_phrase:(context.applicationId:securitySolutionUI)))),grid:(),hideChart:!f,index:c5dc7cd0-2950-4e51-b428-d0451b1b8d9d,interval:auto,query:(language:kuery,query:'event_type%20:%20Alerts%20Grouping*'),sort:!(!(timestamp,desc)))) **Steps to verify:** 1. add telemetry.optIn: true to kibana.dev.yml 2. Visit alerts page or rule details page, change the grouping , toggle each group, and take actions to grouped alerts 3. Usually the event would be sent every hour to [staging](https://telemetry-v2-staging.elastic.dev/s/securitysolution/app/discover#/view/9b0f2080-bcd1-11ed-a6e6-d32d2209b7b7?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-7d%2Fd,to:now))&_a=(columns:!(context.applicationId,properties,properties.groupingId,properties.groupNumber,properties.status,event_type,properties.tableId),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:c5dc7cd0-2950-4e51-b428-d0451b1b8d9d,key:context.applicationId,negate:!f,params:(query:securitySolutionUI),type:phrase),query:(match_phrase:(context.applicationId:securitySolutionUI)))),grid:(),hideChart:!f,index:c5dc7cd0-2950-4e51-b428-d0451b1b8d9d,interval:auto,query:(language:kuery,query:'event_type%20:%20Alerts%20Grouping*'),sort:!(!(timestamp,desc)))), if not, visit staging again on the next day. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Pablo Neves Machado <[email protected]>

## Summary Relevant issues: Overall telemetry: elastic#144945 Alerts telemetry: elastic#150656 Preview dashboard: https://telemetry-v2-staging.elastic.dev/s/securitysolution/app/dashboards#/view/40755fc0-b454-11ed-a6e6-d32d2209b7b7?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-7d%2Fd,to:now)) **UI counter added** - overall counts 1. alerts_table_group_by_{tableId}_{groupByField} - `alerts_table_group_by_alerts-page_host.name ` triggered on grouping option changed. 2. alerts_table_toggled_{on|off}_{tableId}_group-{groupNumber} - `alerts_table_toggled_off_alerts-page_group-0` sent when grouped alerts toggled 3. alerts_table_{tableId}_group-{groupNumber}_mark-{status} - `alerts_table_alerts-page_group-0_mark-open` sent when group actions taken **Event based telemetry added** - extra info from `properties` can be aggregated / visualised 1. Alerts grouping take action - sent when group actions taken 2. Alerts grouping toggled - sent when grouped alerts toggled 3. Alerts grouping changed - triggered on grouping option changed [Example events](https://telemetry-v2-staging.elastic.dev/s/securitysolution/app/discover#/view/9b0f2080-bcd1-11ed-a6e6-d32d2209b7b7?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-7d%2Fd,to:now))&_a=(columns:!(context.applicationId,properties,properties.groupingId,properties.groupNumber,properties.status,event_type,properties.tableId),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:c5dc7cd0-2950-4e51-b428-d0451b1b8d9d,key:context.applicationId,negate:!f,params:(query:securitySolutionUI),type:phrase),query:(match_phrase:(context.applicationId:securitySolutionUI)))),grid:(),hideChart:!f,index:c5dc7cd0-2950-4e51-b428-d0451b1b8d9d,interval:auto,query:(language:kuery,query:'event_type%20:%20Alerts%20Grouping*'),sort:!(!(timestamp,desc)))) **Steps to verify:** 1. add telemetry.optIn: true to kibana.dev.yml 2. Visit alerts page or rule details page, change the grouping , toggle each group, and take actions to grouped alerts 3. Usually the event would be sent every hour to [staging](https://telemetry-v2-staging.elastic.dev/s/securitysolution/app/discover#/view/9b0f2080-bcd1-11ed-a6e6-d32d2209b7b7?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-7d%2Fd,to:now))&_a=(columns:!(context.applicationId,properties,properties.groupingId,properties.groupNumber,properties.status,event_type,properties.tableId),filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:c5dc7cd0-2950-4e51-b428-d0451b1b8d9d,key:context.applicationId,negate:!f,params:(query:securitySolutionUI),type:phrase),query:(match_phrase:(context.applicationId:securitySolutionUI)))),grid:(),hideChart:!f,index:c5dc7cd0-2950-4e51-b428-d0451b1b8d9d,interval:auto,query:(language:kuery,query:'event_type%20:%20Alerts%20Grouping*'),sort:!(!(timestamp,desc)))), if not, visit staging again on the next day. ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Pablo Neves Machado <[email protected]>

stephmilovic · 2023-05-04T20:38:56Z

bumping to 8.10 per @asnehalb conversation

YulNaumenko added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Explore 8.8 candidate v8.8.0 labels Feb 9, 2023

YulNaumenko mentioned this issue Feb 9, 2023

[Security Solution][Epic] Grouping feature #150517

Open

14 tasks

angorayc self-assigned this Feb 21, 2023

This was referenced Feb 21, 2023

[SecuritySolution] Add UI tracking for grouping options #151708

Merged

[Security Solution] Define the telemetry list, which is missing and be valuable to add to host, user and network pages #144945

Open

stephmilovic added 8.9 candidate and removed 8.8 candidate labels Apr 6, 2023

stephmilovic changed the title ~~[Security Solution] Add telemetry for grouping feature usage for Alerts tables~~ [Security Solution] Complete telemetry for Alerts tables May 4, 2023

stephmilovic removed the 8.9 candidate label May 4, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security Solution] Complete telemetry for Alerts tables #150656

[Security Solution] Complete telemetry for Alerts tables #150656

YulNaumenko commented Feb 9, 2023 •

edited

Loading

elasticmachine commented Feb 9, 2023

angorayc commented Feb 27, 2023 •

edited

Loading

logeekal commented Feb 28, 2023

angorayc commented Feb 28, 2023

stephmilovic commented May 4, 2023

[Security Solution] Complete telemetry for Alerts tables #150656

[Security Solution] Complete telemetry for Alerts tables #150656

Comments

YulNaumenko commented Feb 9, 2023 • edited Loading

elasticmachine commented Feb 9, 2023

angorayc commented Feb 27, 2023 • edited Loading

logeekal commented Feb 28, 2023

angorayc commented Feb 28, 2023

stephmilovic commented May 4, 2023

YulNaumenko commented Feb 9, 2023 •

edited

Loading

angorayc commented Feb 27, 2023 •

edited

Loading