[SecuritySolution][Endpoint][ResponseActions] Response action telemetry (endpoint/third party) #192685
/ci
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
👍
👍
@@ -513,8 +518,16 @@ export abstract class ResponseActionsClientImpl implements ResponseActionsClient | |||
); | |||
} | |||
|
|||
if (this.options.endpointService.experimentalFeatures.responseActionsTelemetryEnabled) { |
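Review bot: The feature-flag guard on the added line `if (this.options.endpointService.experimentalFeatures.responseActionsTelemetryEnabled) {` lives at the call site in the abstract `ResponseActionsClientImpl`, so any other caller that invokes the telemetry senders directly bypasses it. Consider moving the check into the sender methods, or behind one private helper on this class, so there is a single place that decides whether telemetry is emitted. A short comment on the guard saying that the flag is experimental and what it gates would also help whoever later removes it.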
Maybe in a follow-up PR - perhaps the checks for the feature flag should be moved to the actual methods (sendActionCreationTelemetry(), sendActionCreationErrorTelemetry(), etc.) instead of having to sprinkle them throughout the code. Doing so would also protect if the methods are called from other areas without first having done the check on the feature flag. Something for you to consider 😄
Yeah, I thought about that too. I can just make that change in this PR.
done 6fc895f
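The suggestion in the review thread above, as an added example (not code from this PR or from Kibana): the feature-flag check lives once inside the sender, so callers cannot forget it, and a failing transport never propagates into the response action. The event type strings, the sample values and the two `sendActionCreation*` method names come from this page; the class, `ReportFn`, `sendActionResponseTelemetry` and `demo` are hypothetical.

```typescript
// Added example, not Kibana code. Names other than the event type strings and
// the two sendActionCreation* methods are hypothetical.
type EventType =
  | 'endpoint_response_action_sent'
  | 'endpoint_response_action_sent_error'
  | 'endpoint_response_action_status_change_event';

interface ResponseActionsProps {
  actionId?: string;
  agentType: string;
  command: string;
  isAutomated?: boolean;
  actionStatus?: string;
  error?: string;
}

interface ReportedEvent {
  eventType: EventType;
  properties: { responseActions: ResponseActionsProps };
}

// Hypothetical transport: whatever actually ships the event.
type ReportFn = (event: ReportedEvent) => void;

class ResponseActionsTelemetry {
  private readonly isEnabled: () => boolean;
  private readonly report: ReportFn;

  constructor(isEnabled: () => boolean, report: ReportFn) {
    this.isEnabled = isEnabled;
    this.report = report;
  }

  sendActionCreationTelemetry(p: {
    actionId: string; agentType: string; command: string; isAutomated: boolean;
  }): boolean {
    return this.emit('endpoint_response_action_sent', p);
  }

  sendActionCreationErrorTelemetry(p: {
    agentType: string; command: string; error: string;
  }): boolean {
    return this.emit('endpoint_response_action_sent_error', p);
  }

  sendActionResponseTelemetry(p: {
    actionId: string; agentType: string; command: string; actionStatus: string;
  }): boolean {
    return this.emit('endpoint_response_action_status_change_event', p);
  }

  // The only place the flag is read; returns whether an event was handed off.
  private emit(eventType: EventType, responseActions: ResponseActionsProps): boolean {
    if (!this.isEnabled()) return false;
    try {
      this.report({ eventType, properties: { responseActions } });
      return true;
    } catch {
      return false; // a telemetry failure must not fail the response action
    }
  }
}

// Constructed run: one call with the flag off, then two with it on.
function demo(): { sentWhileOff: number; events: ReportedEvent[] } {
  const events: ReportedEvent[] = [];
  let enabled = false;
  const telemetry = new ResponseActionsTelemetry(() => enabled, (e) => { events.push(e); });
  const created = {
    actionId: '696608a5-1908-457d-9072-5f555c740ffc',
    agentType: 'sentinel_one',
    command: 'unisolate',
    isAutomated: false,
  };
  telemetry.sendActionCreationTelemetry(created);
  const sentWhileOff = events.length;
  enabled = true;
  telemetry.sendActionCreationTelemetry(created);
  telemetry.sendActionCreationErrorTelemetry({
    agentType: 'endpoint', command: 'execute', error: 'error message',
  });
  return { sentWhileOff, events };
}
```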
Yes, those will follow.
💛 Build succeeded, but was flaky
To update your PR or re-run it, just comment with: cc @ashokaditya
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11066915521
…ry (endpoint/third party) (elastic#192685)

## Summary

Adds server-side telemetry collection for response action creation and responses.
part of elastic/security-team/issues/7466

<details><summary>Events from telemetry staging</summary>
<img src="https://github.com/user-attachments/assets/2e9f37f1-c5b5-46e9-be34-c3bdcff4015b" />
<img src="https://github.com/user-attachments/assets/85a5a75d-f9f1-4d76-a782-272d9d7da0cb" />
</details>

<details><summary>Dashboard on staging</summary>
<img src="https://github.com/user-attachments/assets/9faa96a2-a553-4def-b5da-6b66b5728ca4">
</details>

This PR adds Server Side EBTs (event-based telemetry) for:

### Action creation event
```json5
"event_type": [
    "endpoint_response_action_sent"
  ],
  "properties": [
    {
      "responseActions": {
        "actionId": "696608a5-1908-457d-9072-5f555c740ffc",
        "agentType": "sentinel_one",
        "command": "unisolate",
        "isAutomated": false
      }
    }
  ],
```

### Action response event
```json5
{
"event_type": [
    "endpoint_response_action_status_change_event"
  ],
  "properties": [
    {
      "responseActions": {
        "actionId": "696608a5-1908-457d-9072-5f555c740ffc",
        "agentType": "sentinel_one",
        "actionStatus": "successful",
        "command": "unisolate",
      }
    }
  ],
}
```

### Action creation error event
```json5
"event_type": [
    "endpoint_response_action_sent_error"
  ],
  "properties": [
    {
      "responseActions": {
        "command": "execute",
        "error": "error message",
        "agentType": "endpoint"
      }
    }
  ],
```

**Note:** This PR does not add response completion telemetry for `endpoint` agent type. There would be follow up PRs to add that and some usage/snapshot telemetry.

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] If a plugin configuration key changed, check if it needs to be allow-listed in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)

(cherry picked from commit a80335e)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions? Please refer to the Backport tool documentation
…elemetry (endpoint/third party) (#192685) (#194262)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution][Endpoint][ResponseActions] Response action telemetry (endpoint/third party) (#192685)](#192685)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Ash <1849116+ashokaditya@users.noreply.github.com>
Summary
Adds server-side telemetry collection for response action creation and responses.
part of elastic/security-team/issues/7466
Events from telemetry staging
Dashboard on staging
This PR adds Server Side EBTs (event-based telemetry) for:
Action creation event
Action response event
Action creation error event
Note: This PR does not add response completion telemetry for endpoint agent type. There would be follow up PRs to add that and some usage/snapshot telemetry.
Checklist