
[SecuritySolution][Endpoint][ResponseActions] Response action telemetry (endpoint/third party) #192685

Conversation

@ashokaditya ashokaditya (Member) commented Sep 12, 2024

Summary

Adds server-side telemetry collection for response action creation and responses.
Part of elastic/security-team/issues/7466

[Screenshots: Events from telemetry staging]
[Screenshot: Dashboard on staging]

This PR adds Server Side EBTs (event-based telemetry) for:

Action creation event

```json5
{
  "event_type": [
    "endpoint_response_action_sent"
  ],
  "properties": [
    {
      "responseActions": {
        "actionId": "696608a5-1908-457d-9072-5f555c740ffc",
        "agentType": "sentinel_one",
        "command": "unisolate",
        "isAutomated": false
      }
    }
  ]
}
```

Action response event

```json5
{
  "event_type": [
    "endpoint_response_action_status_change_event"
  ],
  "properties": [
    {
      "responseActions": {
        "actionId": "696608a5-1908-457d-9072-5f555c740ffc",
        "agentType": "sentinel_one",
        "actionStatus": "successful",
        "command": "unisolate"
      }
    }
  ]
}
```

Action creation error event

```json5
{
  "event_type": [
    "endpoint_response_action_sent_error"
  ],
  "properties": [
    {
      "responseActions": {
        "command": "execute",
        "error": "error message",
        "agentType": "endpoint"
      }
    }
  ]
}
```

Note: This PR does not add response completion telemetry for the endpoint agent type. There will be follow-up PRs to add that and some usage/snapshot telemetry.

Checklist

@ashokaditya ashokaditya self-assigned this Sep 12, 2024
@ashokaditya ashokaditya added the Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution), OLM Sprint and v8.16.0 labels Sep 12, 2024
@ashokaditya ashokaditya force-pushed the task/edr-workflows-response-actions-telemetry-v1-7466 branch 7 times, most recently from 4cb32b0 to 73201c6 on September 17, 2024 14:23
@ashokaditya (Member Author):

/ci

@ashokaditya ashokaditya force-pushed the task/edr-workflows-response-actions-telemetry-v1-7466 branch from 73201c6 to 9826a8f on September 19, 2024 09:04
@ashokaditya ashokaditya marked this pull request as ready for review September 19, 2024 15:44
@ashokaditya ashokaditya requested review from a team as code owners September 19, 2024 15:44
@elasticmachine (Contributor):

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@paul-tavares paul-tavares (Contributor) left a comment

👍


@@ -513,8 +518,16 @@ export abstract class ResponseActionsClientImpl implements ResponseActionsClient
);
}

if (this.options.endpointService.experimentalFeatures.responseActionsTelemetryEnabled) {
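Review bot: the feature-flag gate on `responseActionsTelemetryEnabled` sits at the call site here, so every other place that emits telemetry has to repeat it and a forgotten check silently bypasses the flag; moving the check into the telemetry methods themselves gives one enforcement point, and since an absent flag evaluates as undefined and therefore falsy, that single check also fails closed when the experimental-features object is not populated.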
Contributor:

Maybe in a follow-up PR - perhaps the checks for the feature flag should be moved to the actual methods (sendActionCreationTelemetry(), sendActionCreationErrorTelemetry(), etc.) instead of having to sprinkle them throughout the code. Doing so would also protect if the methods are called from other areas without first having done the check on the feature flag. Something for you to consider 😄

Member Author:

Yeah, I thought about that too. I can just make that change in this PR.

Member Author:

done 6fc895f
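As an added example (not code from this PR or from Kibana), the three events from the PR description modelled in TypeScript with the feature-flag check kept inside the send methods, as the review thread above suggests; `ResponseActionsTelemetry`, `InMemoryAnalytics`, `TelemetryOptions` and `MAX_ERROR_LENGTH` are assumed names, and the action id and error text are constructed sample values.

```typescript
// Added example, not Kibana's code: models the three response-action EBT events
// described in this PR and keeps the responseActionsTelemetryEnabled check inside
// the send methods, as the review thread suggests. Class, method and option names
// are illustrative stand-ins for ResponseActionsClientImpl and its options.

type AgentType = 'endpoint' | 'sentinel_one';

export interface TelemetryEvent {
  event_type: string;
  properties: { responseActions: Record<string, unknown> };
}

/** Stand-in for the analytics client: records events instead of shipping them. */
export class InMemoryAnalytics {
  readonly events: TelemetryEvent[] = [];
  reportEvent(eventType: string, responseActions: Record<string, unknown>): void {
    this.events.push({ event_type: eventType, properties: { responseActions } });
  }
}

export interface TelemetryOptions {
  /** Mirrors experimentalFeatures.responseActionsTelemetryEnabled; may be unset. */
  responseActionsTelemetryEnabled?: boolean;
  analytics: InMemoryAnalytics;
}

/** Upper bound on the error text copied into telemetry (assumed value, not from the PR). */
const MAX_ERROR_LENGTH = 512;

export class ResponseActionsTelemetry {
  private readonly options: TelemetryOptions;

  constructor(options: TelemetryOptions) {
    this.options = options;
  }

  /** Single enforcement point: an unset flag reads as disabled, so it fails closed. */
  private isEnabled(): boolean {
    return this.options.responseActionsTelemetryEnabled === true;
  }

  /** endpoint_response_action_sent: emitted when an action is created. */
  sendActionCreationTelemetry(action: {
    actionId: string; agentType: AgentType; command: string; isAutomated: boolean;
  }): boolean {
    if (!this.isEnabled()) return false;
    this.options.analytics.reportEvent('endpoint_response_action_sent', { ...action });
    return true;
  }

  /** endpoint_response_action_sent_error: emitted when creation fails. */
  sendActionCreationErrorTelemetry(input: {
    command: string; agentType: AgentType; error: unknown;
  }): boolean {
    if (!this.isEnabled()) return false;
    // Only a bounded message string leaves the process, never the Error object or its stack.
    const message = input.error instanceof Error ? input.error.message : String(input.error);
    this.options.analytics.reportEvent('endpoint_response_action_sent_error', {
      command: input.command,
      error: message.slice(0, MAX_ERROR_LENGTH),
      agentType: input.agentType,
    });
    return true;
  }

  /** endpoint_response_action_status_change_event: emitted when a response arrives. */
  sendActionStatusChangeTelemetry(update: {
    actionId: string; agentType: AgentType; actionStatus: string; command: string;
  }): boolean {
    if (!this.isEnabled()) return false;
    this.options.analytics.reportEvent('endpoint_response_action_status_change_event', { ...update });
    return true;
  }
}

/** Drives the three events for one constructed unisolate action plus one failed execute. */
export function runScenario(enabled?: boolean): TelemetryEvent[] {
  const analytics = new InMemoryAnalytics();
  const telemetry = new ResponseActionsTelemetry({ responseActionsTelemetryEnabled: enabled, analytics });
  const actionId = '00000000-0000-4000-8000-000000000000'; // constructed sample id
  telemetry.sendActionCreationTelemetry({
    actionId, agentType: 'sentinel_one', command: 'unisolate', isAutomated: false,
  });
  telemetry.sendActionStatusChangeTelemetry({
    actionId, agentType: 'sentinel_one', actionStatus: 'successful', command: 'unisolate',
  });
  telemetry.sendActionCreationErrorTelemetry({
    command: 'execute', agentType: 'endpoint', error: new Error('error message'),
  });
  return analytics.events;
}
```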

@ashokaditya ashokaditya enabled auto-merge (squash) September 27, 2024 06:43
@ashokaditya (Member Author):

> LGTM 👍 Good to see some data finally :)
>
> Are you planning to add snapshot telemetry regarding actions too?

Yes, those will follow.

@kibana-ci (Collaborator):

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 20.5MB | 20.5MB | -2.7KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 87.2KB | 87.2KB | +35.0B |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @ashokaditya

@ashokaditya ashokaditya merged commit a80335e into elastic:main Sep 27, 2024
42 checks passed
@kibanamachine (Contributor):

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11066915521

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Sep 27, 2024
…ry (endpoint/third party) (elastic#192685)
(cherry picked from commit a80335e)
@kibanamachine (Contributor):

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions?

Please refer to the Backport tool documentation

@ashokaditya ashokaditya deleted the task/edr-workflows-response-actions-telemetry-v1-7466 branch September 27, 2024 08:18
kibanamachine added a commit that referenced this pull request Sep 27, 2024
…elemetry (endpoint/third party) (#192685) (#194262)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution][Endpoint][ResponseActions] Response action
telemetry (endpoint/third party)
(#192685)](#192685)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Ash <1849116+ashokaditya@users.noreply.github.com>
angorayc pushed a commit to angorayc/kibana that referenced this pull request Oct 1, 2024
…ry (endpoint/third party) (elastic#192685)
neptunian pushed a commit to neptunian/kibana that referenced this pull request Oct 1, 2024
…elemetry (endpoint/third party) (elastic#192685) (elastic#194262)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution][Endpoint][ResponseActions] Response action
telemetry (endpoint/third party)
(elastic#192685)](elastic#192685)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Ash <1849116+ashokaditya@users.noreply.github.com>
seanrathier pushed a commit to seanrathier/kibana that referenced this pull request Oct 2, 2024
…ry (endpoint/third party) (elastic#192685)
Labels:
- backport:version (Backport to applied version labels)
- OLM Sprint
- release_note:skip (Skip the PR/issue when compiling release notes)
- Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution)
- v8.16.0
- v9.0.0
8 participants