diff --git a/x-pack/plugins/security_solution/common/detection_engine/rule_monitoring/api/urls.ts b/x-pack/plugins/security_solution/common/detection_engine/rule_monitoring/api/urls.ts index 8e5a25227ece1..d525239ac0956 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/rule_monitoring/api/urls.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/rule_monitoring/api/urls.ts @@ -28,6 +28,13 @@ export const GET_SPACE_HEALTH_URL = `${INTERNAL_URL}/health/_space` as const; */ export const GET_RULE_HEALTH_URL = `${INTERNAL_URL}/health/_rule` as const; +/** + * Similar to the "setup" command of beats, this endpoint installs resources + * (dashboards, data views, etc) related to rule monitoring and Detection Engine health, + * and can do any other setup work. + */ +export const SETUP_HEALTH_URL = `${INTERNAL_URL}/health/_setup` as const; + // ------------------------------------------------------------------------------------------------- // Rule execution logs API diff --git a/x-pack/plugins/security_solution/public/app/home/index.tsx b/x-pack/plugins/security_solution/public/app/home/index.tsx index 7d2b3d4417e52..5e2bf87961927 100644 --- a/x-pack/plugins/security_solution/public/app/home/index.tsx +++ b/x-pack/plugins/security_solution/public/app/home/index.tsx 
@@ -25,8 +25,9 @@ import { TourContextProvider } from '../../common/components/guided_onboarding_t import { useUrlState } from '../../common/hooks/use_url_state'; import { useUpdateBrowserTitle } from '../../common/hooks/use_update_browser_title'; -import { useUpgradeSecurityPackages } from '../../detection_engine/rule_management/logic/use_upgrade_security_packages'; import { useUpdateExecutionContext } from '../../common/hooks/use_update_execution_context'; +import { useUpgradeSecurityPackages } from '../../detection_engine/rule_management/logic/use_upgrade_security_packages'; +import { useSetupDetectionEngineHealthApi } from '../../detection_engine/rule_monitoring'; interface HomePageProps { children: React.ReactNode; @@ -41,12 +42,14 @@ const HomePageComponent: React.FC = ({ children, setHeaderActionM useUpdateExecutionContext(); const { browserFields } = useSourcererDataView(getScopeFromPath(pathname)); + // side effect: this will attempt to upgrade the endpoint package if it is not up to date // this will run when a user navigates to the Security Solution app and when they navigate between // tabs in the app. This is useful for keeping the endpoint package as up to date as possible until // a background task solution can be built on the server side. Once a background task solution is available we // can remove this. useUpgradeSecurityPackages(); + useSetupDetectionEngineHealthApi(); return ( diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/__mocks__/api_client.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/__mocks__/api_client.ts index 9fb1656ad4603..e9e37998998c8 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/__mocks__/api_client.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/__mocks__/api_client.ts 
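Review bot: The new `useSetupDetectionEngineHealthApi();` call in HomePageComponent is the only hook in this run without a comment, and its cost is not obvious from the call site: the hook added in this commit issues a POST to the setup endpoint from a `useEffect` on every mount of the Home page, which is also every navigation into the app. A comment parallel to the one above `useUpgradeSecurityPackages()` would make the side effect and the contract it relies on explicit, e.g. `// side effect: installs the rule monitoring assets (dashboard, data views) via POST on every mount of the Home page; the setup endpoint must stay idempotent`. HomePageComponent starts and ends outside this hunk.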
@@ -21,6 +21,8 @@ import type { } from '../api_client_interface'; export const api: jest.Mocked = { + setupDetectionEngineHealthApi: jest.fn, []>().mockResolvedValue(), + fetchRuleExecutionEvents: jest .fn, [FetchRuleExecutionEventsArgs]>() .mockResolvedValue({ diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client.test.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client.test.ts index 9c69b92210146..7f2a3e6726a10 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client.test.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client.test.ts @@ -27,6 +27,23 @@ describe('Rule Monitoring API Client', () => { const signal = new AbortController().signal; + describe('setupDetectionEngineHealthApi', () => { + const responseMock = {}; + + beforeEach(() => { + fetchMock.mockClear(); + fetchMock.mockResolvedValue(responseMock); + }); + + it('calls API with correct parameters', async () => { + await api.setupDetectionEngineHealthApi(); + + expect(fetchMock).toHaveBeenCalledWith('/internal/detection_engine/health/_setup', { + method: 'POST', + }); + }); + }); + describe('fetchRuleExecutionEvents', () => { const responseMock: GetRuleExecutionEventsResponse = { events: [], diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client.ts index 01bc89b7a6be9..54f84c9934f39 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client.ts @@ -16,6 +16,7 @@ import type { import { getRuleExecutionEventsUrl, getRuleExecutionResultsUrl, + SETUP_HEALTH_URL, } from '../../../../common/detection_engine/rule_monitoring'; import type { 
@@ -25,6 +26,12 @@ import type { } from './api_client_interface'; export const api: IRuleMonitoringApiClient = { + setupDetectionEngineHealthApi: async (): Promise => { + await http().fetch(SETUP_HEALTH_URL, { + method: 'POST', + }); + }, + fetchRuleExecutionEvents: ( args: FetchRuleExecutionEventsArgs ): Promise => { diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client_interface.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client_interface.ts index b6136a15e2366..cfe7eb03b874b 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client_interface.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/api/api_client_interface.ts @@ -16,6 +16,12 @@ import type { } from '../../../../common/detection_engine/rule_monitoring'; export interface IRuleMonitoringApiClient { + /** + * Installs resources (dashboards, data views, etc) related to rule monitoring + * and Detection Engine health, and can do any other setup work. + */ + setupDetectionEngineHealthApi(): Promise; + /** * Fetches plain rule execution events (status changes, metrics, generic events) from Event Log. * @throws An error if response is not OK. @@ -33,7 +39,14 @@ export interface IRuleMonitoringApiClient { ): Promise; } -export interface FetchRuleExecutionEventsArgs { +export interface RuleMonitoringApiCallArgs { + /** + * Optional signal for cancelling the request. + */ + signal?: AbortSignal; +} + +export interface FetchRuleExecutionEventsArgs extends RuleMonitoringApiCallArgs { /** * Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`). */ 
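Review bot: `setupDetectionEngineHealthApi` is the one method in IRuleMonitoringApiClient that takes no RuleMonitoringApiCallArgs, so the request it fires cannot be cancelled with a `signal`, even though this same commit introduces that base interface precisely to share `signal?: AbortSignal` across the client's calls. The Home page hook added in this commit fires the request from a `useEffect`, which can be torn down before the response arrives, so consider `setupDetectionEngineHealthApi: async ({ signal }: RuleMonitoringApiCallArgs = {}): Promise<void> => {` with `signal` forwarded in the `http().fetch` options, and the matching `setupDetectionEngineHealthApi(args?: RuleMonitoringApiCallArgs): Promise<void>;` in the interface hunk below; the existing no-argument calls in the hook and the test stay valid.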
@@ -63,14 +76,9 @@ export interface FetchRuleExecutionEventsArgs { * Number of results to fetch per page. */ perPage?: number; - - /** - * Optional signal for cancelling the request. - */ - signal?: AbortSignal; } -export interface FetchRuleExecutionResultsArgs { +export interface FetchRuleExecutionResultsArgs extends RuleMonitoringApiCallArgs { /** * Saved Object ID of the rule (`rule.id`, not static `rule.rule_id`). */ @@ -116,9 +124,4 @@ export interface FetchRuleExecutionResultsArgs { * Number of results to fetch per page. */ perPage?: number; - - /** - * Optional signal for cancelling the request. - */ - signal?: AbortSignal; } diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/index.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/index.ts index b778a4b1034d6..b186a8d7fd837 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/index.ts +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/index.ts @@ -12,4 +12,5 @@ export * from './components/basic/indicators/execution_status_indicator'; export * from './components/execution_events_table/execution_events_table'; export * from './components/execution_results_table/use_execution_results'; +export * from './logic/detection_engine_health/use_setup_detection_engine_health_api'; export * from './logic/execution_settings/use_execution_settings'; diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/logic/detection_engine_health/use_setup_detection_engine_health_api.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/logic/detection_engine_health/use_setup_detection_engine_health_api.ts new file mode 100644 index 0000000000000..a60536717d4ef --- /dev/null +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_monitoring/logic/detection_engine_health/use_setup_detection_engine_health_api.ts 
@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { UseMutationOptions } from '@tanstack/react-query';
+import { useMutation } from '@tanstack/react-query';
+import { useEffect } from 'react';
+
+import { SETUP_HEALTH_URL } from '../../../../../common/detection_engine/rule_monitoring';
+import { api } from '../../api';
+
+export const SETUP_DETECTION_ENGINE_HEALTH_API_MUTATION_KEY = ['POST', SETUP_HEALTH_URL];
+
+export const useSetupDetectionEngineHealthApi = (options?: UseMutationOptions) => {
+ const { mutate: setupDetectionEngineHealthApi } = useMutation(
+ () => api.setupDetectionEngineHealthApi(),
+ {
+ ...options,
+ mutationKey: SETUP_DETECTION_ENGINE_HEALTH_API_MUTATION_KEY,
+ }
+ );
+
+ useEffect(() => {
+ setupDetectionEngineHealthApi();
+ }, [setupDetectionEngineHealthApi]);
+};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/setup/setup_health_route.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/setup/setup_health_route.ts
new file mode 100644
index 0000000000000..4d4face86b825
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/setup/setup_health_route.ts
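Review bot: Failures of the setup request are dropped silently: `mutate` from `useMutation` does not reject (errors surface only through `onError` or the mutation's error state), and this hook neither passes an `onError` nor returns the mutation state, so a failing POST to SETUP_HEALTH_URL — plausibly the case when the current user lacks the privileges needed to write the installed saved objects, though that depends on the server side — leaves no trace in the UI or the console. Either forward an `onError` that reports through the app's error handling, or document on the export that failures are deliberately best-effort, e.g. a TSDoc above `useSetupDetectionEngineHealthApi` reading `Triggers Detection Engine health setup (asset installation) once per mount; failures are ignored unless options.onError is supplied.` Note also that `mutationKey` is spread after `...options`, so a caller-supplied mutationKey is overridden; that is reasonable, but a one-line comment saying it is intentional would stop the next reader from "fixing" it.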
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { transformError } from '@kbn/securitysolution-es-utils';
+import { buildSiemResponse } from '../../../../routes/utils';
+import type { SecuritySolutionPluginRouter } from '../../../../../../types';
+
+import { SETUP_HEALTH_URL } from '../../../../../../../common/detection_engine/rule_monitoring';
+
+/**
+ * Similar to the "setup" command of beats, this endpoint installs resources
+ * (dashboards, data views, etc) related to rule monitoring and Detection Engine health,
+ * and can do any other setup work.
+ */
+export const setupHealthRoute = (router: SecuritySolutionPluginRouter) => {
+ router.post(
+ {
+ path: SETUP_HEALTH_URL,
+ validate: {},
+ options: {
+ tags: ['access:securitySolution'],
+ },
+ },
+ async (context, request, response) => {
+ const siemResponse = buildSiemResponse(response);
+
+ try {
+ const ctx = await context.resolve(['securitySolution']);
+ const healthClient = ctx.securitySolution.getDetectionEngineHealthClient();
+
+ await healthClient.installAssetsForMonitoringHealth();
+
+ return response.ok({ body: {} });
+ } catch (err) {
+ const error = transformError(err);
+ return siemResponse.error({
+ body: error.message,
+ statusCode: error.statusCode,
+ });
+ }
+ }
+ );
+};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/register_routes.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/register_routes.ts
index ba376d15a8402..dd911c203ee68 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/register_routes.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/register_routes.ts
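Review bot: The handler performs a write — `healthClient.installAssetsForMonitoringHealth()` installs saved objects — but the only access control visible here is `tags: ['access:securitySolution'],`, which on its face opens the endpoint to any user who can use the Security app; whether the installation goes through a request-scoped saved objects client, so that the caller's Kibana privileges still gate the writes, is decided inside the health client and is not visible in this file, so it should be confirmed and stated in the route's JSDoc. The JSDoc should also record that the operation is idempotent and tolerates concurrent calls, because the client hook in this commit invokes it on every Home page mount, possibly from several tabs at once; if the install is not idempotent, the route needs a guard rather than relying on callers. Finally, `request` is unused in the handler signature; `async (context, _request, response) => {` would make that explicit.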
@@ -9,6 +9,7 @@ import type { SecuritySolutionPluginRouter } from '../../../../types'; import { getClusterHealthRoute } from './detection_engine_health/get_cluster_health/get_cluster_health_route'; import { getRuleHealthRoute } from './detection_engine_health/get_rule_health/get_rule_health_route'; import { getSpaceHealthRoute } from './detection_engine_health/get_space_health/get_space_health_route'; +import { setupHealthRoute } from './detection_engine_health/setup/setup_health_route'; import { getRuleExecutionEventsRoute } from './rule_execution_logs/get_rule_execution_events/get_rule_execution_events_route'; import { getRuleExecutionResultsRoute } from './rule_execution_logs/get_rule_execution_results/get_rule_execution_results_route'; @@ -17,6 +18,7 @@ export const registerRuleMonitoringRoutes = (router: SecuritySolutionPluginRoute getClusterHealthRoute(router); getSpaceHealthRoute(router); getRuleHealthRoute(router); + setupHealthRoute(router); // Rule execution logs API getRuleExecutionEventsRoute(router); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/__mocks__/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/__mocks__/index.ts index eb4566518c932..306bd5f624439 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/__mocks__/index.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/__mocks__/index.ts 
@@ -16,6 +16,8 @@ import type { IDetectionEngineHealthClient } from '../detection_engine_health_cl type CalculateRuleHealth = IDetectionEngineHealthClient['calculateRuleHealth']; type CalculateSpaceHealth = IDetectionEngineHealthClient['calculateSpaceHealth']; type CalculateClusterHealth = IDetectionEngineHealthClient['calculateClusterHealth']; +type InstallAssetsForMonitoringHealth = + IDetectionEngineHealthClient['installAssetsForMonitoringHealth']; export const detectionEngineHealthClientMock = { create: (): jest.Mocked => ({ @@ -30,5 +32,12 @@ export const detectionEngineHealthClientMock = { calculateClusterHealth: jest .fn, Parameters>() .mockResolvedValue(clusterHealthSnapshotMock.getEmptyClusterHealthSnapshot()), + + installAssetsForMonitoringHealth: jest + .fn< + ReturnType, + Parameters + >() + .mockResolvedValue(), }), }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/dashboard_rule_monitoring.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/dashboard_rule_monitoring.json new file mode 100644 index 0000000000000..b85d9ffe84e45 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/dashboard_rule_monitoring.json 
@@ -0,0 +1,236 @@ +{ + "type": "dashboard", + "id": "security-detection-rule-monitoring-", + "managed": true, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.9.0", + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", + "panelsJSON": "{\"0c2b3354-f4a0-4f90-b1d1-56f053869463\":{\"order\":0,\"width\":\"large\",\"grow\":true,\"type\":\"timeSlider\",\"explicitInput\":{\"title\":\"Time slider\",\"id\":\"0c2b3354-f4a0-4f90-b1d1-56f053869463\",\"timesliceStartAsPercentageOfTimeRange\":-0.0008844444444444444,\"timesliceEndAsPercentageOfTimeRange\":1.0002266666666666,\"enhancements\":{}}},\"c9c507d9-a157-40b4-aec4-0a2e204c559c\":{\"type\":\"optionsListControl\",\"order\":1,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"c9c507d9-a157-40b4-aec4-0a2e204c559c\",\"fieldName\":\"rule.category\",\"title\":\"Rule type\",\"grow\":true,\"width\":\"medium\",\"enhancements\":{}}},\"8b3b697c-2abf-4801-8a08-a1a29d483571\":{\"type\":\"optionsListControl\",\"order\":2,\"grow\":true,\"width\":\"small\",\"explicitInput\":{\"id\":\"8b3b697c-2abf-4801-8a08-a1a29d483571\",\"fieldName\":\"kibana.space_ids\",\"title\":\"Kibana space\",\"grow\":true,\"width\":\"small\",\"selectedOptions\":[],\"enhancements\":{}}}}" + }, + "description": "This dashboard can be helpful for monitoring the health and performance of Security detection rules.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}", + "panelsJSON": 
"[{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":8,\"i\":\"52ec5ce0-3ea9-42ee-91f2-0f664d6cb74d\"},\"panelIndex\":\"52ec5ce0-3ea9-42ee-91f2-0f664d6cb74d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Enabled rules\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-66195a85-b71e-45f5-a5ea-4388416cf5f7\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"874e1b4c-a64b-426a-b43e-d4ee226610a9\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"66195a85-b71e-45f5-a5ea-4388416cf5f7\",\"accessor\":\"9449b851-8169-44e9-8418-bd0e586bbf94\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"xl\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}},\"meta\":{\"index\":\"kibana-event-log-data-view\",\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execute\"},\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"874e1b4c-a64b-426a-b43e-d4ee226610a9\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formB
ased\":{\"layers\":{\"66195a85-b71e-45f5-a5ea-4388416cf5f7\":{\"columns\":{\"9449b851-8169-44e9-8418-bd0e586bbf94\":{\"label\":\"Enabled rules\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.id\",\"isBucketed\":false,\"customLabel\":true}},\"columnOrder\":[\"9449b851-8169-44e9-8418-bd0e586bbf94\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false,\"description\":\"Number of rules that were executed during the selected timeframe.\"}},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":11,\"h\":8,\"i\":\"91a23437-071d-4739-b57e-2881caa980eb\"},\"panelIndex\":\"91a23437-071d-4739-b57e-2881caa980eb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"37539143-7ea2-4353-ae4e-78ec772d1508\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"17c4f52b-ef17-43d7-8282-91e48cbe11e7\",\"accessor\":\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"xl\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}},\"meta\":{\"index\":\"kibana-event-log-data-view\",\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\
":{\"query\":\"execute\"},\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"37539143-7ea2-4353-ae4e-78ec772d1508\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"17c4f52b-ef17-43d7-8282-91e48cbe11e7\":{\"columns\":{\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\":{\"label\":\"Rule executions\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false,\"description\":\"Number of rule executions within the selected timeframe.\"},\"title\":\"Rule 
executions\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":0,\"w\":9,\"h\":8,\"i\":\"9770096c-3ba7-42e4-9783-5042ff08896d\"},\"panelIndex\":\"9770096c-3ba7-42e4-9783-5042ff08896d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"32816692-7d96-4a12-abe3-3016e8a3844c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"17c4f52b-ef17-43d7-8282-91e48cbe11e7\",\"accessor\":\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"xl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#209280\",\"stop\":12}],\"colorStops\":[{\"color\":\"#209280\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"status-change\"}},\"meta\":{\"index\":\"kibana-event-log-data-view\",\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"status-change\"},\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"in
dex\":\"kibana-event-log-data-view\",\"key\":\"kibana.alert.rule.execution.status\",\"field\":\"kibana.alert.rule.execution.status\",\"params\":{\"query\":\"succeeded\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"kibana.alert.rule.execution.status\":\"succeeded\"}}}],\"index\":\"32816692-7d96-4a12-abe3-3016e8a3844c\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"17c4f52b-ef17-43d7-8282-91e48cbe11e7\":{\"columns\":{\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\":{\"label\":\"Succeeded\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false,\"description\":\"Number of rule executions with a succeeded status (outcome of the rule execution) within the selected timeframe.\"},\"title\":\"\\\"Succeeded\\\" 
statuses\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":30,\"y\":0,\"w\":9,\"h\":8,\"i\":\"12011f8d-0d0d-40d6-8ef5-0d50bfe570f8\"},\"panelIndex\":\"12011f8d-0d0d-40d6-8ef5-0d50bfe570f8\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"9acb5e9e-8c72-4ba6-a4f5-7f2901353c16\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"17c4f52b-ef17-43d7-8282-91e48cbe11e7\",\"accessor\":\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"xl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#d6bf57\",\"stop\":4104}],\"colorStops\":[{\"color\":\"#d6bf57\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"status-change\"}},\"meta\":{\"index\":\"kibana-event-log-data-view\",\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"status-change\"},\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"in
dex\":\"kibana-event-log-data-view\",\"key\":\"kibana.alert.rule.execution.status\",\"field\":\"kibana.alert.rule.execution.status\",\"params\":{\"query\":\"partial failure\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"kibana.alert.rule.execution.status\":\"partial failure\"}}}],\"index\":\"9acb5e9e-8c72-4ba6-a4f5-7f2901353c16\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"17c4f52b-ef17-43d7-8282-91e48cbe11e7\":{\"columns\":{\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\":{\"label\":\"Warning\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false,\"description\":\"Number of rule executions with a warning status (outcome of the rule execution) within the selected timeframe.\"},\"title\":\"\\\"Warning\\\" 
statuses\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":39,\"y\":0,\"w\":9,\"h\":8,\"i\":\"b3b0743e-9a2c-4173-babc-dc93204cc0f2\"},\"panelIndex\":\"b3b0743e-9a2c-4173-babc-dc93204cc0f2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"9adf5837-270f-43bf-92d8-af2d74022292\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"17c4f52b-ef17-43d7-8282-91e48cbe11e7\",\"accessor\":\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"titlePosition\":\"bottom\",\"size\":\"xl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#cc5642\",\"stop\":94}],\"colorStops\":[{\"color\":\"#cc5642\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"status-change\"}},\"meta\":{\"index\":\"kibana-event-log-data-view\",\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"status-change\"},\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"inde
x\":\"kibana-event-log-data-view\",\"key\":\"kibana.alert.rule.execution.status\",\"field\":\"kibana.alert.rule.execution.status\",\"params\":{\"query\":\"failed\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"kibana.alert.rule.execution.status\":\"failed\"}}}],\"index\":\"9adf5837-270f-43bf-92d8-af2d74022292\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"17c4f52b-ef17-43d7-8282-91e48cbe11e7\":{\"columns\":{\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\":{\"label\":\"Failed\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"53cbc7e3-a396-4c55-8a28-f068d2eb3c5d\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false,\"description\":\"Number of rule executions with a failed status (outcome of the rule execution) within the selected timeframe.\"},\"title\":\"\\\"Failed\\\" 
statuses\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":8,\"w\":21,\"h\":13,\"i\":\"78c659aa-a001-4c30-9452-e9c7d0c0ec5d\"},\"panelIndex\":\"78c659aa-a001-4c30-9452-e9c7d0c0ec5d\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-4eaf036b-c9f5-4206-bcfe-8033bec44a21\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"abcc85f3-00cd-48bd-a313-de50207ab1b6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"top\",\"isInside\":false,\"showSingleSeries\":false,\"shouldTruncate\":false,\"verticalAlignment\":\"top\",\"horizontalAlignment\":\"left\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"4eaf036b-c9f5-4206-bcfe-8033bec44a21\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"44be5a39-e31d-4242-9778-58ee5ffefbb8\",\"splitAccessor\":\"124a76f1-8df0-4410-87b0-25b9cb2398d9\",\"accessors\":[\"cb5d803d-fa0a-4062-a595-2cec9118bd31\"],\"layerType\":\"data\"}],\"valuesInLegend\":true},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"query\":{\"match_phrase\":{\"event.ac
tion\":\"execute\"}},\"meta\":{\"index\":\"kibana-event-log-data-view\",\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execute\"},\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"abcc85f3-00cd-48bd-a313-de50207ab1b6\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4eaf036b-c9f5-4206-bcfe-8033bec44a21\":{\"columns\":{\"44be5a39-e31d-4242-9778-58ee5ffefbb8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"cb5d803d-fa0a-4062-a595-2cec9118bd31\":{\"label\":\"Number of executions\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"124a76f1-8df0-4410-87b0-25b9cb2398d9\":{\"label\":\"Rule 
type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"cb5d803d-fa0a-4062-a595-2cec9118bd31\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"secondaryFields\":[]},\"customLabel\":true}},\"columnOrder\":[\"124a76f1-8df0-4410-87b0-25b9cb2398d9\",\"44be5a39-e31d-4242-9778-58ee5ffefbb8\",\"cb5d803d-fa0a-4062-a595-2cec9118bd31\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"Histogram where each column shows a number of rule executions broken down by rule type.\"},\"title\":\"Executions by rule type\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":8,\"w\":27,\"h\":13,\"i\":\"b3dd29a9-c051-46ab-b1fa-facf899f7af9\"},\"panelIndex\":\"b3dd29a9-c051-46ab-b1fa-facf899f7af9\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-4eaf036b-c9f5-4206-bcfe-8033bec44a21\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"0ccd359c-35a9-42ee-9b53-e0061755ffef\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"top\",\"isInside\":false,\"showSingleSeries\":false,\"shouldTruncate\":false,\"verticalAlignment\":\"top\",\"horizontalAlignment\":\"left\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"
preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"4eaf036b-c9f5-4206-bcfe-8033bec44a21\",\"seriesType\":\"bar_stacked\",\"xAccessor\":\"44be5a39-e31d-4242-9778-58ee5ffefbb8\",\"splitAccessor\":\"124a76f1-8df0-4410-87b0-25b9cb2398d9\",\"accessors\":[\"cb5d803d-fa0a-4062-a595-2cec9118bd31\"],\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"status\"}}],\"valuesInLegend\":true},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"status-change\"}},\"meta\":{\"index\":\"kibana-event-log-data-view\",\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"status-change\"},\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":true,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"kibana.alert.rule.execution.status\",\"field\":\"kibana.alert.rule.execution.status\",\"params\":{\"query\":\"running\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"kibana.alert.rule.execution.status\":\"running\"}}}],\"index\":\"0ccd359c-35a9-42ee-9b53-e0061755ffef\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"4eaf036b-c9f5-4206-bcfe-8033bec44a21\":{\"columns\":{\"44be5a39-e31d-4242-9778-58ee5ffefbb8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmp
tyRows\":true,\"dropPartials\":false}},\"cb5d803d-fa0a-4062-a595-2cec9118bd31\":{\"label\":\"Number of executions\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"124a76f1-8df0-4410-87b0-25b9cb2398d9\":{\"label\":\"Statuses\",\"dataType\":\"string\",\"operationType\":\"filters\",\"scale\":\"ordinal\",\"isBucketed\":true,\"params\":{\"filters\":[{\"label\":\"Succeeded\",\"input\":{\"query\":\"kibana.alert.rule.execution.status: \\\"succeeded\\\" \",\"language\":\"kuery\"}},{\"input\":{\"query\":\"kibana.alert.rule.execution.status: \\\"partial failure\\\" \",\"language\":\"kuery\"},\"label\":\"Warning\"},{\"input\":{\"query\":\"kibana.alert.rule.execution.status: \\\"failed\\\"\",\"language\":\"kuery\"},\"label\":\"Failed\"}]},\"customLabel\":true}},\"columnOrder\":[\"124a76f1-8df0-4410-87b0-25b9cb2398d9\",\"44be5a39-e31d-4242-9778-58ee5ffefbb8\",\"cb5d803d-fa0a-4062-a595-2cec9118bd31\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"Histogram where each column shows a number of rule executions broken down by rule status (outcome of the rule execution).\"},\"title\":\"Executions by status\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":21,\"w\":48,\"h\":4,\"i\":\"e2b4b41a-2fd5-4733-a297-c67571b8bb57\"},\"panelIndex\":\"e2b4b41a-2fd5-4733-a297-c67571b8bb57\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"**Total rule execution duration** tells how much time it took for a rule to run from the very start to the very 
end.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":21,\"h\":15,\"i\":\"ad5995be-bf0f-48ba-8dc8-7313ca3bfbae\"},\"panelIndex\":\"ad5995be-bf0f-48ba-8dc8-7313ca3bfbae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"2720edea-b96b-47d7-bf57-ff3a4c91ab9d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\",\"maxLines\":1},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"yConfig\":[{\"forAccessor\":\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"color\":\"#d36086\",\"axisMode\":\"left\"},{\"forAccessor\":\"f623346f-da47-4819-b485-d3527bd4506e\",\"axisMode\":\"left\",\"color\":\"#9170b8\"},{\"forAccessor\":\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"axisMode\":\"left\",\"color\":\"
#6092c0\"}]}],\"curveType\":\"CURVE_MONOTONE_X\",\"yTitle\":\"Total execution duration, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execute\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}}},{\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"siem\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}}],\"index\":\"2720edea-b96b-47d7-bf57-ff3a4c91ab9d\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\":{\"label\":\"99th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":99},\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506e\":{\"label\":\"95th 
percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":95},\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\":{\"label\":\"50th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":50},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"This chart aggregates this metric across all rules and shows how a few important percentiles of the metric were changing over time. 99th percentile means that 99% of rule executions had a total duration less than the percentile's value.\"},\"title\":\"Total rule execution duration, 
percentiles\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":25,\"w\":27,\"h\":15,\"i\":\"2eac0a4e-9ec7-433e-89bc-e8edc1dadae7\"},\"panelIndex\":\"2eac0a4e-9ec7-433e-89bc-e8edc1dadae7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"0b7e01b1-974a-4de9-867d-46fc000c63e3\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"splitAccessor\":\"3a521678-3e76-49b6-a379-eb75ef03604b\"}],\"yTitle\":\"Total execution duration, 
ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execute\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"0b7e01b1-974a-4de9-867d-46fc000c63e3\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"3a521678-3e76-49b6-a379-eb75ef03604b\":{\"label\":\"Top 5 values of 
rule.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"secondaryFields\":[],\"parentFormat\":{\"id\":\"terms\"}}},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\":{\"label\":\"Total execution duration\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"3a521678-3e76-49b6-a379-eb75ef03604b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Total rule execution duration, top 5 rules per @timestamp\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":5,\"i\":\"a0f62bb1-a9c3-4c46-b0fb-137c7f2b4a0c\"},\"panelIndex\":\"a0f62bb1-a9c3-4c46-b0fb-137c7f2b4a0c\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"**Rule schedule delay** shows the difference between the planned rule start time (according to its schedule) and the time when it actually started. Normally, it should be about 3 seconds or less. When the cluster is overloaded, it can be way more than 3 seconds. 
This is when you'd want to scale your cluster according to the load or reduce it by disabling or optimizing the rules.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}}},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":45,\"w\":21,\"h\":15,\"i\":\"d2e87680-4d92-4067-9f27-7749854dedce\"},\"panelIndex\":\"d2e87680-4d92-4067-9f27-7749854dedce\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"4101bdcb-5ba8-406f-8893-07356a98d49b\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\",\"maxLines\":1},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\",\"niceValues\":true},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"yConfig\":[{\"forAccessor\":\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"color\":\"#d36086\",\"axisMode\":\"left\"},{\"forAccessor\":\"f623346f-da47-4819-b485-d3527bd4506e\",\"axisMode\":\"lef
t\",\"color\":\"#9170b8\"},{\"forAccessor\":\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"axisMode\":\"left\",\"color\":\"#6092c0\"}]}],\"curveType\":\"CURVE_MONOTONE_X\",\"yTitle\":\"Schedule delay, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execute\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}}},{\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"siem\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}}],\"index\":\"4101bdcb-5ba8-406f-8893-07356a98d49b\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X0\":{\"label\":\"Part of 99th 
percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":99},\"customLabel\":true},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X1\":{\"label\":\"Part of 99th percentile\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X0\",1000000],\"location\":{\"min\":0,\"max\":63},\"text\":\"percentile(kibana.task.schedule_delay, percentile=99) / 1000000\"}},\"references\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X0\"],\"customLabel\":true},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\":{\"label\":\"99th percentile\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"percentile(kibana.task.schedule_delay, percentile=99) / 1000000\",\"isFormulaBroken\":false},\"references\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X1\"],\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506eX0\":{\"label\":\"Part of 95th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":95},\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506eX1\":{\"label\":\"Part of 95th percentile\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"f623346f-da47-4819-b485-d3527bd4506eX0\",1000000],\"location\":{\"min\":0,\"max\":63},\"text\":\"percentile(kibana.task.schedule_delay, percentile=95) / 1000000\"}},\"references\":[\"f623346f-da47-4819-b485-d3527bd4506eX0\"],\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506e\":{\"label\":\"95th 
percentile\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"percentile(kibana.task.schedule_delay, percentile=95) / 1000000\",\"isFormulaBroken\":false},\"references\":[\"f623346f-da47-4819-b485-d3527bd4506eX1\"],\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX0\":{\"label\":\"Part of 50th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":50},\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX1\":{\"label\":\"Part of 50th percentile\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX0\",1000000],\"location\":{\"min\":0,\"max\":63},\"text\":\"percentile(kibana.task.schedule_delay, percentile=50) / 1000000\"}},\"references\":[\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX0\"],\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\":{\"label\":\"50th percentile\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"percentile(kibana.task.schedule_delay, percentile=50) / 
1000000\",\"isFormulaBroken\":false},\"references\":[\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX1\"],\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X0\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X1\",\"f623346f-da47-4819-b485-d3527bd4506eX0\",\"f623346f-da47-4819-b485-d3527bd4506eX1\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX0\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX1\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"This chart aggregates this metric across all rules and shows how a few important percentiles of the metric were changing over time. 99th percentile means that 99% of rule executions had a schedule delay less than the percentile's value.\"},\"title\":\"Rule scheduling delay, percentiles\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":45,\"w\":27,\"h\":15,\"i\":\"2372c630-207e-4859-83a9-de5a7bc638dc\"},\"panelIndex\":\"2372c630-207e-4859-83a9-de5a7bc638dc\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"adafccc0-9c17-4249-89e1-e61a8d00079b\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientati
on\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"splitAccessor\":\"3a521678-3e76-49b6-a379-eb75ef03604b\"}],\"yTitle\":\"Rule schedule delay, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execute\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"adafccc0-9c17-4249-89e1-e61a8d00079b\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"
params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"3a521678-3e76-49b6-a379-eb75ef03604b\":{\"label\":\"Top 5 values of rule.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"custom\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"secondaryFields\":[],\"parentFormat\":{\"id\":\"terms\"},\"orderAgg\":{\"label\":\"Maximum of kibana.task.schedule_delay\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}}}},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX0\":{\"label\":\"Part of Rule schedule delay\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX1\":{\"label\":\"Part of Rule schedule delay\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX0\",1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"max(kibana.task.schedule_delay) / 1000000\"}},\"references\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX0\"],\"customLabel\":true},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\":{\"label\":\"Rule schedule delay\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"max(kibana.task.schedule_delay) / 
1000000\",\"isFormulaBroken\":false},\"references\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX1\"],\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"3a521678-3e76-49b6-a379-eb75ef03604b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX0\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX1\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Rule scheduling delay, top 5 rules per @timestamp\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":60,\"w\":48,\"h\":4,\"i\":\"054eb35b-90a8-4b45-9821-7c0eefb22a85\"},\"panelIndex\":\"054eb35b-90a8-4b45-9821-7c0eefb22a85\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"**Search/query duration** metric shows how much time it took for a rule when it was executing to query source indices (or data views) to find source events matching the rule's 
criteria.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":64,\"w\":21,\"h\":15,\"i\":\"e2504c27-3027-4c13-85c0-a66416c53bd4\"},\"panelIndex\":\"e2504c27-3027-4c13-85c0-a66416c53bd4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"edb4ad7f-1ef2-477f-980c-c6fe47d6470d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\",\"maxLines\":1},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"yConfig\":[{\"forAccessor\":\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"color\":\"#d36086\",\"axisMode\":\"left\"},{\"forAccessor\":\"f623346f-da47-4819-b485-d3527bd4506e\",\"axisMode\":\"left\",\"color\":\"#9170b8\"},{\"forAccessor\":\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"axisMode\":\"left\",\"color
\":\"#6092c0\"}]}],\"curveType\":\"CURVE_MONOTONE_X\",\"yTitle\":\"Search duration, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execution-metrics\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.action\":\"execution-metrics\"}}}],\"index\":\"edb4ad7f-1ef2-477f-980c-c6fe47d6470d\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\":{\"label\":\"99th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_search_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":99},\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506e\":{\"label\":\"95th 
percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_search_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":95},\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\":{\"label\":\"50th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_search_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms: *\",\"language\":\"kuery\"},\"params\":{\"percentile\":50},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"This chart aggregates this metric across all rules and shows how a few important percentiles of the metric were changing over time. 
99th percentile means that 99% of rule executions had a search/query duration less than the percentile's value.\"},\"title\":\"Search/query duration, percentiles\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":64,\"w\":27,\"h\":15,\"i\":\"fe382f90-aa03-47e0-a8a0-d6a8de877467\"},\"panelIndex\":\"fe382f90-aa03-47e0-a8a0-d6a8de877467\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"505272a2-f4fb-4778-9fdf-11415f36cc51\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"splitAccessor\":\"3a521678-3e76-49b6-a379-eb75ef03604b\"}],\"yTitle\":\"Search duration, 
ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execution-metrics\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execution-metrics\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}}],\"index\":\"505272a2-f4fb-4778-9fdf-11415f36cc51\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"3a521678-3e76-49b6-a379-eb75ef03604b\":{\"label\":\"Top 5 values of rule.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"secondaryFields\":[],\"parentFormat\":{\"id\":\"terms\"}}},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\":{\"label\":\"Search 
duration\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_search_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"3a521678-3e76-49b6-a379-eb75ef03604b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Search/query duration, top 5 rules per @timestamp\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":79,\"w\":48,\"h\":4,\"i\":\"267d2068-2d64-4e8e-bccb-efc580f90762\"},\"panelIndex\":\"267d2068-2d64-4e8e-bccb-efc580f90762\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"**Indexing duration** metric shows how much time it took for a rule when it was executing to write generated alerts to the `.alerts-security.alerts-*` 
index.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":83,\"w\":21,\"h\":15,\"i\":\"0b6f467f-f784-457e-9351-839874bef66e\"},\"panelIndex\":\"0b6f467f-f784-457e-9351-839874bef66e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"e0a238a9-104e-46c0-890a-c7b3e1c08018\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\",\"maxLines\":1},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"yConfig\":[{\"forAccessor\":\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"color\":\"#d36086\",\"axisMode\":\"left\"},{\"forAccessor\":\"f623346f-da47-4819-b485-d3527bd4506e\",\"axisMode\":\"left\",\"color\":\"#9170b8\"},{\"forAccessor\":\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"axisMode\":\"left\",\"color\":
\"#6092c0\"}]}],\"curveType\":\"CURVE_MONOTONE_X\",\"yTitle\":\"Indexing duration, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execution-metrics\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.action\":\"execution-metrics\"}}}],\"index\":\"e0a238a9-104e-46c0-890a-c7b3e1c08018\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\":{\"label\":\"99th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_indexing_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":99},\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506e\":{\"label\":\"95th 
percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_indexing_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":95},\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\":{\"label\":\"50th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_indexing_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms: *\",\"language\":\"kuery\"},\"params\":{\"percentile\":50},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"This chart aggregates this metric across all rules and shows how a few important percentiles of the metric were changing over time. 
99th percentile means that 99% of rule executions had an indexing duration less than the percentile's value.\"},\"title\":\"Indexing duration, percentiles\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":83,\"w\":27,\"h\":15,\"i\":\"2ad1eb6c-c19b-41b1-897e-2d1d192cedae\"},\"panelIndex\":\"2ad1eb6c-c19b-41b1-897e-2d1d192cedae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"5f5acf46-a12a-43cf-8d4a-b1ef1a971771\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"splitAccessor\":\"3a521678-3e76-49b6-a379-eb75ef03604b\"}],\"yTitle\":\"Indexing duration, 
ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execution-metrics\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execution-metrics\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}}],\"index\":\"5f5acf46-a12a-43cf-8d4a-b1ef1a971771\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"3a521678-3e76-49b6-a379-eb75ef03604b\":{\"label\":\"Top 5 values of rule.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"secondaryFields\":[],\"parentFormat\":{\"id\":\"terms\"}}},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\":{\"label\":\"Indexing 
duration\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_indexing_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"3a521678-3e76-49b6-a379-eb75ef03604b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Indexing duration, top 5 rules per @timestamp\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":98,\"w\":48,\"h\":4,\"i\":\"0fcc0476-eb8c-4c41-8325-2a9084a12e59\"},\"panelIndex\":\"0fcc0476-eb8c-4c41-8325-2a9084a12e59\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"Top 10 rules by various criteria.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":102,\"w\":24,\"h\":16,\"i\":\"6ce283f7-115a-4a0f-9184-71e141149183\"},\"panelIndex\":\"6ce283f7-115a-4a0f-9184-71e141149183\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e\"},{\"type\":\"index-pattern\",\"name\":\"651cb393-d7ee-4ac2-a4d4-d8a325b4690b\",\"id\":\"kibana-event-log-data-view\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"isTransposed\":false,\"width\":495.5},{\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"isTransposed\":false,\"width\":111},{\"columnId\":\"75b295c8-00ac
-4f62-8952-e4cb44b5f183\",\"isTransposed\":false,\"width\":163.66666666666669},{\"columnId\":\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\",\"isTransposed\":false,\"width\":239.16666666666663}],\"layerId\":\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}},\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execute\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"651cb393-d7ee-4ac2-a4d4-d8a325b4690b\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\":{\"columns\":{\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,
\"secondaryFields\":[]},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\":{\"label\":\"Duration, ms\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"75b295c8-00ac-4f62-8952-e4cb44b5f183\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"75b295c8-00ac-4f62-8952-e4cb44b5f183\",\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 slowest rules by total execution 
duration\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":102,\"w\":24,\"h\":16,\"i\":\"f5d7a9c8-839c-408c-b798-68d019483bc7\"},\"panelIndex\":\"f5d7a9c8-839c-408c-b798-68d019483bc7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e\"},{\"type\":\"index-pattern\",\"name\":\"17149e33-97c0-48c2-8772-d7bd0c5dd6d8\",\"id\":\"kibana-event-log-data-view\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"isTransposed\":false,\"width\":495.5},{\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"isTransposed\":false,\"width\":111},{\"columnId\":\"75b295c8-00ac-4f62-8952-e4cb44b5f183\",\"isTransposed\":false,\"width\":163.66666666666669},{\"columnId\":\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\",\"isTransposed\":false,\"width\":239.16666666666663}],\"layerId\":\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}},\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execute\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"q
uery\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"17149e33-97c0-48c2-8772-d7bd0c5dd6d8\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\":{\"columns\":{\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"custom\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[],\"orderAgg\":{\"label\":\"Maximum of kibana.task.schedule_delay\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}}},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX0\":{\"label\":\"Part of Schedule delay, ms\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX1\":{\"label\":\"Part of Schedule delay, ms\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX0\",1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"max(kibana.task.schedule_delay) / 1000000\"}},\"references\":[\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX0\"],\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\":{\"label\":\"Delay, 
ms\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"max(kibana.task.schedule_delay) / 1000000\",\"isFormulaBroken\":false},\"references\":[\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX1\"],\"customLabel\":true},\"75b295c8-00ac-4f62-8952-e4cb44b5f183\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"75b295c8-00ac-4f62-8952-e4cb44b5f183\",\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX0\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 slowest rules by schedule 
delay\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":118,\"w\":24,\"h\":16,\"i\":\"2168b471-9a51-4ead-a51e-15e52ba85d86\"},\"panelIndex\":\"2168b471-9a51-4ead-a51e-15e52ba85d86\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e\"},{\"type\":\"index-pattern\",\"name\":\"274e3567-2129-4d26-a778-d5220531ba86\",\"id\":\"kibana-event-log-data-view\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"isTransposed\":false},{\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"isTransposed\":false},{\"columnId\":\"729ee95a-5bf6-4f18-9350-dce536b55dea\",\"isTransposed\":false},{\"columnId\":\"fa6462ca-54c3-470e-a9c3-66ff58c37536\",\"isTransposed\":false}],\"layerId\":\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}},\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"status-change\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.action\":\"status-change\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"kibana.alert.rule.execution.status\",\"field\":\"kibana.alert.rule.execution.status\",\"params\":
{\"query\":\"failed\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"kibana.alert.rule.execution.status\":\"failed\"}}}],\"index\":\"274e3567-2129-4d26-a778-d5220531ba86\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\":{\"columns\":{\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"729ee95a-5bf6-4f18-9350-dce536b55dea\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fa6462ca-54c3-470e-a9c3-66ff58c37536\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\
"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"729ee95a-5bf6-4f18-9350-dce536b55dea\",\"fa6462ca-54c3-470e-a9c3-66ff58c37536\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 rules by status \\\"Failed\\\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":118,\"w\":24,\"h\":16,\"i\":\"075d7dff-442b-4091-bfe2-3844e7e7e3f4\"},\"panelIndex\":\"075d7dff-442b-4091-bfe2-3844e7e7e3f4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e\"},{\"type\":\"index-pattern\",\"name\":\"20d11002-bf00-477f-8221-2ceb641baf3f\",\"id\":\"kibana-event-log-data-view\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"isTransposed\":false,\"width\":702.5},{\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"isTransposed\":false},{\"columnId\":\"7ea81631-0dff-4ec6-929f-592e29101149\",\"isTransposed\":false},{\"columnId\":\"9f1d7602-e75b-427f-b740-c2b8167fed33\",\"isTransposed\":false}],\"layerId\":\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}},\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"ke
y\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"status-change\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.action\":\"status-change\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"kibana.alert.rule.execution.status\",\"field\":\"kibana.alert.rule.execution.status\",\"params\":{\"query\":\"partial failure\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"kibana.alert.rule.execution.status\":\"partial failure\"}}}],\"index\":\"20d11002-bf00-477f-8221-2ceb641baf3f\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\":{\"columns\":{\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"7ea81631-0dff-4ec6-929f-592e29101149\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":
\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"9f1d7602-e75b-427f-b740-c2b8167fed33\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"7ea81631-0dff-4ec6-929f-592e29101149\",\"9f1d7602-e75b-427f-b740-c2b8167fed33\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 rules by status \\\"Warning\\\"\"}]", + "timeRestore": false, + "title": "[Elastic Security] Detection rule monitoring", + "version": 1 + }, + "references": [ + { + "id": "kibana-event-log-data-view", + "name": "52ec5ce0-3ea9-42ee-91f2-0f664d6cb74d:indexpattern-datasource-layer-66195a85-b71e-45f5-a5ea-4388416cf5f7", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "52ec5ce0-3ea9-42ee-91f2-0f664d6cb74d:874e1b4c-a64b-426a-b43e-d4ee226610a9", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "91a23437-071d-4739-b57e-2881caa980eb:indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7", + "type": "index-pattern" + }, + { 
+ "id": "kibana-event-log-data-view", + "name": "91a23437-071d-4739-b57e-2881caa980eb:37539143-7ea2-4353-ae4e-78ec772d1508", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "9770096c-3ba7-42e4-9783-5042ff08896d:indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "9770096c-3ba7-42e4-9783-5042ff08896d:32816692-7d96-4a12-abe3-3016e8a3844c", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "12011f8d-0d0d-40d6-8ef5-0d50bfe570f8:indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "12011f8d-0d0d-40d6-8ef5-0d50bfe570f8:9acb5e9e-8c72-4ba6-a4f5-7f2901353c16", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "b3b0743e-9a2c-4173-babc-dc93204cc0f2:indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "b3b0743e-9a2c-4173-babc-dc93204cc0f2:9adf5837-270f-43bf-92d8-af2d74022292", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "78c659aa-a001-4c30-9452-e9c7d0c0ec5d:indexpattern-datasource-layer-4eaf036b-c9f5-4206-bcfe-8033bec44a21", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "78c659aa-a001-4c30-9452-e9c7d0c0ec5d:abcc85f3-00cd-48bd-a313-de50207ab1b6", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "b3dd29a9-c051-46ab-b1fa-facf899f7af9:indexpattern-datasource-layer-4eaf036b-c9f5-4206-bcfe-8033bec44a21", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "b3dd29a9-c051-46ab-b1fa-facf899f7af9:0ccd359c-35a9-42ee-9b53-e0061755ffef", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": 
"ad5995be-bf0f-48ba-8dc8-7313ca3bfbae:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "ad5995be-bf0f-48ba-8dc8-7313ca3bfbae:2720edea-b96b-47d7-bf57-ff3a4c91ab9d", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "2eac0a4e-9ec7-433e-89bc-e8edc1dadae7:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "2eac0a4e-9ec7-433e-89bc-e8edc1dadae7:0b7e01b1-974a-4de9-867d-46fc000c63e3", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "d2e87680-4d92-4067-9f27-7749854dedce:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "d2e87680-4d92-4067-9f27-7749854dedce:4101bdcb-5ba8-406f-8893-07356a98d49b", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "2372c630-207e-4859-83a9-de5a7bc638dc:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "2372c630-207e-4859-83a9-de5a7bc638dc:adafccc0-9c17-4249-89e1-e61a8d00079b", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "e2504c27-3027-4c13-85c0-a66416c53bd4:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "e2504c27-3027-4c13-85c0-a66416c53bd4:edb4ad7f-1ef2-477f-980c-c6fe47d6470d", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "fe382f90-aa03-47e0-a8a0-d6a8de877467:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": 
"fe382f90-aa03-47e0-a8a0-d6a8de877467:505272a2-f4fb-4778-9fdf-11415f36cc51", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "0b6f467f-f784-457e-9351-839874bef66e:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "0b6f467f-f784-457e-9351-839874bef66e:e0a238a9-104e-46c0-890a-c7b3e1c08018", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "2ad1eb6c-c19b-41b1-897e-2d1d192cedae:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "2ad1eb6c-c19b-41b1-897e-2d1d192cedae:5f5acf46-a12a-43cf-8d4a-b1ef1a971771", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "6ce283f7-115a-4a0f-9184-71e141149183:indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "6ce283f7-115a-4a0f-9184-71e141149183:651cb393-d7ee-4ac2-a4d4-d8a325b4690b", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "f5d7a9c8-839c-408c-b798-68d019483bc7:indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "f5d7a9c8-839c-408c-b798-68d019483bc7:17149e33-97c0-48c2-8772-d7bd0c5dd6d8", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "2168b471-9a51-4ead-a51e-15e52ba85d86:indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "2168b471-9a51-4ead-a51e-15e52ba85d86:274e3567-2129-4d26-a778-d5220531ba86", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": 
"075d7dff-442b-4091-bfe2-3844e7e7e3f4:indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "075d7dff-442b-4091-bfe2-3844e7e7e3f4:20d11002-bf00-477f-8221-2ceb641baf3f", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "controlGroup_c9c507d9-a157-40b4-aec4-0a2e204c559c:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "kibana-event-log-data-view", + "name": "controlGroup_8b3b697c-2abf-4801-8a08-a1a29d483571:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "fleet-managed-", + "name": "tag-ref-fleet-managed", + "type": "tag" + }, + { + "id": "security-solution-", + "name": "tag-ref-security-solution", + "type": "tag" + } + ] +} diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/data_view_kibana_event_log.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/data_view_kibana_event_log.json new file mode 100644 index 0000000000000..0ee6d796d6d66 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/data_view_kibana_event_log.json @@ -0,0 +1,14 @@ +{ + "type": "index-pattern", + "id": "kibana-event-log-data-view", + "managed": true, + "coreMigrationVersion": "8.8.0", + "typeMigrationVersion": "8.0.0", + "attributes": { + "name": ".kibana-event-log-*", + "title": ".kibana-event-log-*", + "timeFieldName": "@timestamp", + "allowNoIndex": true + }, + "references": [] +} 
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/install_assets_for_rule_monitoring.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/install_assets_for_rule_monitoring.ts
new file mode 100644
index 0000000000000..6eabd84901535
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/install_assets_for_rule_monitoring.ts
@@ -0,0 +1,106 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ISavedObjectsImporter, Logger } from '@kbn/core/server';
+import { SavedObjectsUtils } from '@kbn/core/server';
+import { cloneDeep } from 'lodash';
+import pRetry from 'p-retry';
+import { Readable } from 'stream';
+
+import sourceRuleMonitoringDashboard from './dashboard_rule_monitoring.json';
+import sourceKibanaEventLogDataView from './data_view_kibana_event_log.json';
+import sourceManagedTag from './tag_managed.json';
+import sourceSecuritySolutionTag from './tag_security_solution.json';
+
+const MAX_RETRIES = 2;
+
+/**
+ * Installs managed assets for monitoring rules and health of Detection Engine.
+ */
+export const installAssetsForRuleMonitoring = async (
+ savedObjectsImporter: ISavedObjectsImporter,
+ logger: Logger,
+ currentSpaceId: string
+): Promise => {
+ const operation = async (attemptCount: number) => {
+ logger.debug(`Installing assets for rule monitoring (attempt ${attemptCount})...`);
+
+ const assets = getAssetsForRuleMonitoring(currentSpaceId);
+
+ // The assets are marked as "managed: true" at the saved object level, which in the future
+ // should be reflected in the UI for the user. Ticket to track:
+ // https://github.com/elastic/kibana/issues/140364
+ const importResult = await savedObjectsImporter.import({
+ readStream: Readable.from(assets),
+ managed: true,
+ overwrite: true,
+ createNewCopies: false,
+ refresh: false,
+ namespace: spaceIdToNamespace(currentSpaceId),
+ });
+
+ importResult.warnings.forEach((w) => {
+ logger.warn(w.message);
+ });
+
+ if (!importResult.success) {
+ const errors = (importResult.errors ?? []).map(
+ (e) => `Couldn't import "${e.type}:${e.id}": ${JSON.stringify(e.error)}`
+ );
+
+ errors.forEach((e) => {
+ logger.error(e);
+ });
+
+ // This will retry the operation
+ throw new Error(errors.length > 0 ? errors[0] : `Unknown error (attempt ${attemptCount})`);
+ }
+
+ logger.debug('Assets for rule monitoring installed');
+ };
+
+ await pRetry(operation, { retries: MAX_RETRIES });
+};
+
+const getAssetsForRuleMonitoring = (currentSpaceId: string) => {
+ const withSpaceId = appendSpaceId(currentSpaceId);
+
+ const assetRuleMonitoringDashboard = cloneDeep(sourceRuleMonitoringDashboard);
+ const assetKibanaEventLogDataView = cloneDeep(sourceKibanaEventLogDataView);
+ const assetManagedTag = cloneDeep(sourceManagedTag);
+ const assetSecuritySolutionTag = cloneDeep(sourceSecuritySolutionTag);
+
+ // Update ids of the assets to include the current space id
+ assetRuleMonitoringDashboard.id = withSpaceId('security-detection-rule-monitoring');
+ assetManagedTag.id = withSpaceId('fleet-managed');
+ assetSecuritySolutionTag.id = withSpaceId('security-solution');
+
+ // Update saved object references of the dashboard accordingly
+ assetRuleMonitoringDashboard.references = assetRuleMonitoringDashboard.references.map(
+ (reference) => {
+ if (reference.id === 'fleet-managed-') {
+ return { ...reference, id: assetManagedTag.id };
+ }
+ if (reference.id === 'security-solution-') {
+ return { ...reference, id: assetSecuritySolutionTag.id };
+ }
+
+ return reference;
+ }
+ );
+
+ return [
+ assetManagedTag,
+ assetSecuritySolutionTag,
+ assetKibanaEventLogDataView,
+ assetRuleMonitoringDashboard,
+ ];
+};
+
+const appendSpaceId = (spaceId: string) => (str: string) => `${str}-${spaceId}`;
+
+const spaceIdToNamespace = SavedObjectsUtils.namespaceStringToId;
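Review bot: In `getAssetsForRuleMonitoring` the dashboard and both tags receive a space-suffixed id, but the data view keeps the fixed id `kibana-event-log-data-view` from its JSON asset while the import is still scoped to `namespace: spaceIdToNamespace(currentSpaceId)`; unless index-pattern objects can be imported into a second space under an id that already exists in another space, the second space's install would surface as an import error, be retried `MAX_RETRIES` times and then throw, so this is worth confirming or suffixing that id (and the dashboard references that point at it) the same way. Since the importer this function receives writes as the internal Kibana user rather than the caller (see where it is created in service.ts), the `namespace` line is what confines a caller's `overwrite: true` to their own space, and a one-line comment there saying so would keep that invariant from being lost in a refactor. The docstring should also state what a caller cares about: `* Existing saved objects with the same ids in the current space are overwritten, so the call is safe to repeat; on failure the import is retried up to MAX_RETRIES times.` Finally, the failure path logs every import error at error level on each attempt before throwing, and the client that calls this logs the thrown error again, so a persistent failure is reported four times; logging per-attempt errors at debug and leaving the final report to the caller would keep the error log cleaner for operators.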
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/tag_managed.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/tag_managed.json
new file mode 100644
index 0000000000000..6f871a25b9ca7
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/tag_managed.json
@@ -0,0 +1,9 @@
+{
+ "type": "tag",
+ "id": "fleet-managed-",
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "8.0.0",
+ "attributes": { "name": "Managed", "description": "", "color": "#FFFFFF" },
+ "references": []
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/tag_security_solution.json b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/tag_security_solution.json
new file mode 100644
index 0000000000000..2e8214e4f484f
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/assets/tag_security_solution.json
@@ -0,0 +1,9 @@
+{
+ "type": "tag",
+ "id": "security-solution-",
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "8.0.0",
+ "attributes": { "name": "Security Solution", "description": "", "color": "#D36086" },
+ "references": []
+}
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/detection_engine_health_client.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/detection_engine_health_client.ts
index 232731e762ea9..8adfbf1ad21e8 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/detection_engine_health_client.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/detection_engine_health_client.ts @@ -5,7 +5,7 @@ * 2.0. */ -import type { Logger } from '@kbn/core/server'; +import type { ISavedObjectsImporter, Logger } from '@kbn/core/server'; import { withSecuritySpan } from '../../../../../utils/with_security_span'; import type { ExtMeta } from '../utils/console_logging'; @@ -21,10 +21,12 @@ import type { import type { IEventLogHealthClient } from './event_log/event_log_health_client'; import type { IRuleObjectsHealthClient } from './rule_objects/rule_objects_health_client'; import type { IDetectionEngineHealthClient } from './detection_engine_health_client_interface'; +import { installAssetsForRuleMonitoring } from './assets/install_assets_for_rule_monitoring'; export const createDetectionEngineHealthClient = ( ruleObjectsHealthClient: IRuleObjectsHealthClient, eventLogHealthClient: IEventLogHealthClient, + savedObjectsImporter: ISavedObjectsImporter, logger: Logger, currentSpaceId: string ): IDetectionEngineHealthClient => { @@ -50,9 +52,10 @@ export const createDetectionEngineHealthClient = ( } catch (e) { const logMessage = 'Error calculating rule health'; const logReason = e instanceof Error ? e.message : String(e); - const logSuffix = `[rule id ${ruleId}]`; + const logSuffix = `[rule id ${ruleId}][space id ${currentSpaceId}]`; const logMeta: ExtMeta = { rule: { id: ruleId }, + kibana: { spaceId: currentSpaceId }, }; logger.error(`${logMessage}: ${logReason} ${logSuffix}`, logMeta); 
@@ -112,11 +115,36 @@ export const createDetectionEngineHealthClient = ( } catch (e) { const logMessage = 'Error calculating cluster health'; const logReason = e instanceof Error ? e.message : String(e); + const logSuffix = `[space id ${currentSpaceId}]`; + const logMeta: ExtMeta = { + kibana: { spaceId: currentSpaceId }, + }; - logger.error(`${logMessage}: ${logReason}`); + logger.error(`${logMessage}: ${logReason} ${logSuffix}`, logMeta); throw e; } }); }, + + installAssetsForMonitoringHealth: (): Promise => { + return withSecuritySpan( + 'IDetectionEngineHealthClient.installAssetsForMonitoringHealth', + async () => { + try { + await installAssetsForRuleMonitoring(savedObjectsImporter, logger, currentSpaceId); + } catch (e) { + const logMessage = 'Error installing assets for monitoring Detection Engine health'; + const logReason = e instanceof Error ? e.message : String(e); + const logSuffix = `[space id ${currentSpaceId}]`; + const logMeta: ExtMeta = { + kibana: { spaceId: currentSpaceId }, + }; + + logger.error(`${logMessage}: ${logReason} ${logSuffix}`, logMeta); + throw e; + } + } + ); + }, }; }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/detection_engine_health_client_interface.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/detection_engine_health_client_interface.ts index e24a5b9fca2eb..e55768c1a352f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/detection_engine_health_client_interface.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/detection_engine_health_client_interface.ts 
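Review bot: The new `installAssetsForMonitoringHealth` repeats the catch block that `calculateRuleHealth` and `calculateClusterHealth` now also carry (message, reason, `[space id …]` suffix, `logMeta` with `kibana.spaceId`, `logger.error`, rethrow); a local helper such as `const logSpaceError = (message: string, e: unknown): void => { ... }` used by all three would keep the suffix and meta format from drifting between them. `installAssetsForRuleMonitoring` already logs each import error on every attempt before it throws, so a failed setup is reported at error level more than once; if that is intended, a comment on the catch should say so, otherwise one of the two places should log at a lower level. The method should also carry a short comment that the `savedObjectsImporter` it is given acts as the internal Kibana user (that is how service.ts constructs it), so authorization for this operation lives entirely at the route that exposes it and not in the saved-objects layer.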
@@ -32,4 +32,9 @@ export interface IDetectionEngineHealthClient { * Calculates health stats for the whole cluster. */ calculateClusterHealth(args: ClusterHealthParameters): Promise; + + /** + * Installs assets for monitoring Detection Engine health, such as dashboards and data views. + */ + installAssetsForMonitoringHealth(): Promise; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/service.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/service.ts index 65f637ab7cef2..b2381d3dbcf26 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/service.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/service.ts @@ -6,12 +6,15 @@ */ import type { Logger } from '@kbn/core/server'; +import { SavedObjectsClient } from '@kbn/core/server'; import { invariant } from '../../../../../common/utils/invariant'; import type { ConfigType } from '../../../../config'; import { withSecuritySpan } from '../../../../utils/with_security_span'; import type { SecuritySolutionPluginCoreSetupDependencies, + SecuritySolutionPluginCoreStartDependencies, SecuritySolutionPluginSetupDependencies, + SecuritySolutionPluginStartDependencies, } from '../../../../plugin_contract'; import type { IDetectionEngineHealthClient } from './detection_engine_health/detection_engine_health_client_interface'; 
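Review bot: The TSDoc on `installAssetsForMonitoringHealth` describes what is installed but not the contract the implementation commits to; since the import runs with `overwrite: true`, add `* Existing assets with the same ids in the current space are overwritten, so the method is safe to call repeatedly.` so callers of the setup route know a re-run resets rather than duplicates the managed objects.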
@@ -36,24 +39,53 @@ import type { export const createRuleMonitoringService = ( config: ConfigType, - logger: Logger, - core: SecuritySolutionPluginCoreSetupDependencies, - plugins: SecuritySolutionPluginSetupDependencies + logger: Logger ): IRuleMonitoringService => { + let coreSetup: SecuritySolutionPluginCoreSetupDependencies | null = null; + let pluginsSetup: SecuritySolutionPluginSetupDependencies | null = null; + let coreStart: SecuritySolutionPluginCoreStartDependencies | null = null; + return { - registerEventLogProvider: () => { + setup: ( + core: SecuritySolutionPluginCoreSetupDependencies, + plugins: SecuritySolutionPluginSetupDependencies + ): void => { + coreSetup = core; + pluginsSetup = plugins; + registerEventLogProvider(plugins.eventLog); }, + start: ( + core: SecuritySolutionPluginCoreStartDependencies, + plugins: SecuritySolutionPluginStartDependencies + ): void => { + coreStart = core; + }, + createDetectionEngineHealthClient: ( params: DetectionEngineHealthClientParams ): IDetectionEngineHealthClient => { + invariant(coreStart, 'Dependencies of RuleMonitoringService are not initialized'); + const { rulesClient, eventLogClient, currentSpaceId } = params; + const { savedObjects } = coreStart; + const ruleObjectsHealthClient = createRuleObjectsHealthClient(rulesClient); const eventLogHealthClient = createEventLogHealthClient(eventLogClient); + + // Create an importer that can import saved objects on behalf of the internal Kibana user. + // This is important because we want to let users with access to Security Solution + // to be able to install our internal assets like rule monitoring dashboard without + // the need to configure the additional `Saved Objects Management: All` privilege. 
+ const savedObjectsRepository = savedObjects.createInternalRepository(); + const savedObjectsClient = new SavedObjectsClient(savedObjectsRepository); + const savedObjectsImporter = savedObjects.createImporter(savedObjectsClient); + return createDetectionEngineHealthClient( ruleObjectsHealthClient, eventLogHealthClient, + savedObjectsImporter, logger, currentSpaceId ); @@ -75,6 +107,8 @@ export const createRuleMonitoringService = ( async () => { const { savedObjectsClient, context, ruleMonitoringService, ruleResultService } = params; + invariant(coreSetup, 'Dependencies of RuleMonitoringService are not initialized'); + invariant(pluginsSetup, 'Dependencies of RuleMonitoringService are not initialized'); invariant(ruleMonitoringService, 'ruleMonitoringService required for detection rules'); invariant(ruleResultService, 'ruleResultService required for detection rules'); @@ -83,11 +117,11 @@ export const createRuleMonitoringService = ( const ruleExecutionSettings = await fetchRuleExecutionSettings( config, childLogger, - core, + coreSetup, savedObjectsClient ); - const eventLogWriter = createEventLogWriter(plugins.eventLog); + const eventLogWriter = createEventLogWriter(pluginsSetup.eventLog); return createRuleExecutionLogClientForExecutors( ruleExecutionSettings, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/service_interface.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/service_interface.ts index 14ee470aaae12..4b6f7a20ee2c5 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/service_interface.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/service_interface.ts 
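Review bot: `createDetectionEngineHealthClient` builds an internal repository, a `SavedObjectsClient` and an importer on every call; none of them depend on the request, so unless the importer must be created lazily for a reason not shown here, creating them once in `start` (`coreStart = core; savedObjectsImporter = core.savedObjects.createImporter(new SavedObjectsClient(core.savedObjects.createInternalRepository()));`) and reusing them would avoid the per-request construction and keep the privileged object in one place. Because this importer deliberately bypasses the requesting user's saved-object privileges, the only things confining a caller are the `namespace` the importer is given (derived from `currentSpaceId` in install_assets_for_rule_monitoring.ts) and the access check on the route that exposes it, neither of which is visible here; extending the existing comment with `// Authorization is therefore enforced by the route exposing installAssetsForMonitoringHealth, and the import is always scoped to currentSpaceId.` would record that for the next maintainer. `start` also ignores its `plugins` argument; either name it `_plugins` or store it alongside `coreStart` so an unused-parameter lint does not flag it.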
@@ -13,6 +13,13 @@ import type { RulesClientApi, } from '@kbn/alerting-plugin/server/types'; +import type { + SecuritySolutionPluginCoreSetupDependencies, + SecuritySolutionPluginCoreStartDependencies, + SecuritySolutionPluginSetupDependencies, + SecuritySolutionPluginStartDependencies, +} from '../../../../plugin_contract'; + import type { IDetectionEngineHealthClient } from './detection_engine_health/detection_engine_health_client_interface'; import type { IRuleExecutionLogForRoutes } from './rule_execution_log/client_for_routes/client_interface'; import type { @@ -21,7 +28,15 @@ import type { } from './rule_execution_log/client_for_executors/client_interface'; export interface IRuleMonitoringService { - registerEventLogProvider(): void; + setup( + core: SecuritySolutionPluginCoreSetupDependencies, + plugins: SecuritySolutionPluginSetupDependencies + ): void; + + start( + core: SecuritySolutionPluginCoreStartDependencies, + plugins: SecuritySolutionPluginStartDependencies + ): void; createDetectionEngineHealthClient( params: DetectionEngineHealthClientParams @@ -37,7 +52,6 @@ export interface IRuleMonitoringService { } export interface DetectionEngineHealthClientParams { - savedObjectsClient: SavedObjectsClientContract; rulesClient: RulesClientApi; eventLogClient: IEventLogClient; currentSpaceId: string; diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index 12603232a34a3..a838c83a31e2b 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts 
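Review bot: `setup` and `start` on `IRuleMonitoringService` have no TSDoc, unlike the other members of this interface, and their ordering contract is real: in service.ts `createDetectionEngineHealthClient` asserts that `start` has run and `createRuleExecutionLogClientForExecutors` asserts that `setup` has. Suggest `/** Must be called once from the plugin's setup phase; registers the event log provider. */` on `setup` and `/** Must be called once from the plugin's start phase; required before createDetectionEngineHealthClient can be used. */` on `start`. With `savedObjectsClient` removed from `DetectionEngineHealthClientParams`, check whether the `SavedObjectsClientContract` import at the top of this file is still used by anything else — that import is outside this hunk.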
@@ -55,6 +55,7 @@ import { TelemetryReceiver } from './lib/telemetry/receiver'; import { licenseService } from './lib/license'; import { PolicyWatcher } from './endpoint/lib/policy/license_watch'; import previewPolicy from './lib/detection_engine/routes/index/preview_policy.json'; +import type { IRuleMonitoringService } from './lib/detection_engine/rule_monitoring'; import { createRuleMonitoringService } from './lib/detection_engine/rule_monitoring'; import { EndpointMetadataService } from './endpoint/services/metadata'; import type { @@ -104,6 +105,7 @@ export class Plugin implements ISecuritySolutionPlugin { private readonly appClientFactory: AppClientFactory; private readonly appFeatures: AppFeatures; + private readonly ruleMonitoringService: IRuleMonitoringService; private readonly endpointAppContextService = new EndpointAppContextService(); private readonly telemetryReceiver: ITelemetryReceiver; private readonly telemetryEventsSender: ITelemetryEventsSender; @@ -126,6 +128,7 @@ export class Plugin implements ISecuritySolutionPlugin { this.appClientFactory = new AppClientFactory(); this.appFeatures = new AppFeatures(this.logger, this.config.experimentalFeatures); + this.ruleMonitoringService = createRuleMonitoringService(this.config, this.logger); this.telemetryEventsSender = new TelemetryEventsSender(this.logger); this.telemetryReceiver = new TelemetryReceiver(this.logger); @@ -154,8 +157,7 @@ export class Plugin implements ISecuritySolutionPlugin { initUiSettings(core.uiSettings, experimentalFeatures); appFeatures.init(plugins.features); - const ruleMonitoringService = createRuleMonitoringService(config, logger, core, plugins); - ruleMonitoringService.registerEventLogProvider(); + this.ruleMonitoringService.setup(core, plugins); const requestContextFactory = new RequestContextFactory({ config, 
@@ -163,7 +165,7 @@ export class Plugin implements ISecuritySolutionPlugin { core, plugins, endpointAppContextService: this.endpointAppContextService, - ruleMonitoringService, + ruleMonitoringService: this.ruleMonitoringService, kibanaVersion: pluginContext.env.packageInfo.version, kibanaBranch: pluginContext.env.packageInfo.branch, }); @@ -233,7 +235,8 @@ export class Plugin implements ISecuritySolutionPlugin { config: this.config, publicBaseUrl: core.http.basePath.publicBaseUrl, ruleDataClient, - ruleExecutionLoggerFactory: ruleMonitoringService.createRuleExecutionLogClientForExecutors, + ruleExecutionLoggerFactory: + this.ruleMonitoringService.createRuleExecutionLogClientForExecutors, version: pluginContext.env.packageInfo.version, }; @@ -397,6 +400,8 @@ export class Plugin implements ISecuritySolutionPlugin { ): SecuritySolutionPluginStart { const { config, logger } = this; + this.ruleMonitoringService.start(core, plugins); + const savedObjectsClient = new SavedObjectsClient(core.savedObjects.createInternalRepository()); const registerIngestCallback = plugins.fleet?.registerExternalCallback; // eslint-disable-next-line @typescript-eslint/no-non-null-assertion diff --git a/x-pack/plugins/security_solution/server/request_context_factory.ts b/x-pack/plugins/security_solution/server/request_context_factory.ts index e35d15acdd869..e56df95a10650 100644 --- a/x-pack/plugins/security_solution/server/request_context_factory.ts +++ b/x-pack/plugins/security_solution/server/request_context_factory.ts @@ -105,7 +105,6 @@ export class RequestContextFactory implements IRequestContextFactory { getDetectionEngineHealthClient: memoize(() => ruleMonitoringService.createDetectionEngineHealthClient({ - savedObjectsClient: coreContext.savedObjects.client, rulesClient: startPlugins.alerting.getRulesClientWithRequest(request), eventLogClient: startPlugins.eventLog.getClient(request), currentSpaceId: getSpaceId(),