
ETW Threat-Intelligence API Event metrics #370


Merged
merged 2 commits into from
Jun 12, 2023

Conversation

jdu2600
Contributor

@jdu2600 jdu2600 commented May 4, 2023

Change Summary

Adds new metrics fields for the API Event type and the ETW Threat-Intelligence API Event provider.

Endpoint.metrics.documents_volume.api_events.sent_bytes
Endpoint.metrics.documents_volume.api_events.sent_count
Endpoint.metrics.documents_volume.api_events.suppressed_bytes
Endpoint.metrics.documents_volume.api_events.suppressed_count
Endpoint.metrics.documents_volume.api_events.sources[].source
Endpoint.metrics.documents_volume.api_events.sources[].sent_bytes
Endpoint.metrics.documents_volume.api_events.sources[].sent_count
Endpoint.metrics.documents_volume.api_events.sources[].suppressed_bytes
Endpoint.metrics.documents_volume.api_events.sources[].suppressed_count
Endpoint.metrics.system_impact.threat_intelligence_events.week_idle_ms
Endpoint.metrics.system_impact.threat_intelligence_events.week_ms

Release Target

These events are diagnostic in 8.8 and will be released in a future version.

For mapping changes:

  • I ran make after making the schema changes, and committed all changes
  • If these field(s) are "exception"-able, I made a companion PR to Kibana adding it (see Readme)
  • If this is a metadata change, I also updated both transform destination schemas to match
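To see how the field paths listed above line up with a real metrics document, here is an added Python example (not code from endpoint-package or the Endpoint agent): it flattens a constructed sample document to the same dotted notation, reports which of the new fields are missing, and computes the per-source share of suppressed API events. The source name `etw_ti` and every number in the sample are made up for the example.

```python
from typing import Any, Dict, Iterator, List, Tuple
# The fields this PR adds, as listed in its summary ("Endpoint.metrics." dropped).
NEW_FIELDS = [
    "documents_volume.api_events.sent_bytes",
    "documents_volume.api_events.sent_count",
    "documents_volume.api_events.suppressed_bytes",
    "documents_volume.api_events.suppressed_count",
    "documents_volume.api_events.sources[].source",
    "documents_volume.api_events.sources[].sent_bytes",
    "documents_volume.api_events.sources[].sent_count",
    "documents_volume.api_events.sources[].suppressed_bytes",
    "documents_volume.api_events.sources[].suppressed_count",
    "system_impact.threat_intelligence_events.week_idle_ms",
    "system_impact.threat_intelligence_events.week_ms",
]

# Constructed sample document; the source name "etw_ti" and all values are made up.
SAMPLE_METRICS = {
    "documents_volume": {"api_events": {
        "sent_bytes": 4096, "sent_count": 8,
        "suppressed_bytes": 61440, "suppressed_count": 120,
        "sources": [{"source": "etw_ti", "sent_bytes": 4096, "sent_count": 8,
                     "suppressed_bytes": 61440, "suppressed_count": 120}]}},
    "system_impact": {"threat_intelligence_events": {
        "week_idle_ms": 12500, "week_ms": 48000}},
}

def flatten(doc: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, leaf) pairs; list elements collapse onto '[]'."""
    if isinstance(doc, dict):
        for key, val in doc.items():
            yield from flatten(val, f"{prefix}.{key}" if prefix else key)
    elif isinstance(doc, list):
        for item in doc:
            yield from flatten(item, prefix + "[]")
    else:
        yield prefix, doc

def missing_fields(doc: Dict[str, Any]) -> List[str]:
    """Return the PR's fields that the document does not carry."""
    present = {path for path, _ in flatten(doc)}
    return [field for field in NEW_FIELDS if field not in present]

def suppression_share(doc: Dict[str, Any]) -> Dict[str, float]:
    """Per source, the share of API events that were suppressed rather than sent."""
    shares = {}
    for src in doc["documents_volume"]["api_events"]["sources"]:
        total = src["sent_count"] + src["suppressed_count"]
        shares[src["source"]] = src["suppressed_count"] / total if total else 0.0
    return shares
```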

@jdu2600 jdu2600 requested a review from a team as a code owner May 4, 2023 07:16
@elasticmachine
Contributor

💚 Build Succeeded


Build stats

  • Start Time: 2023-05-04T07:16:14.386+0000

  • Duration: 8 min 49 sec

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

Contributor

@intxgo intxgo left a comment


LGTM

@jdu2600 jdu2600 requested a review from nfritts May 5, 2023 01:58
@@ -846,17 +896,17 @@
index: false
description: The total milliseconds spent queueing process events for the process over the last week

- name: metrics.system_impact.etw_events.week_ms
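Review bot: renaming `metrics.system_impact.etw_events.week_ms` in place rather than adding the new mapping beside it would leave documents from older Endpoints that still send `etw_events` unmapped; either keep the old entry alongside the new `threat_intelligence_events.week_ms` / `week_idle_ms`, or state in the PR that no released Endpoint has ever populated it. The two new entries should also each carry their own `description` saying what the millisecond counter measures; the only description visible in this hunk ("...queueing process events...") belongs to the neighbouring process-events field.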
Contributor


Can you add new mappings for these instead of renaming? The reason being is that there will still be old Endpoints that stream data to these fields.

Contributor Author


Ah. Sorry for not providing the background on this. I've been removing vestigial code in endpoint-dev - and just did the same here automatically.

So Endpoint has never generated etw_events metrics. This appears to have been added optimistically because of a feature in endgame and never used.
cc: @nfritts

Contributor


Thanks for the explanation. This should be fine to merge as long as we're sure there are no backwards-compatibility issues with older Endpoints.

@jdu2600 jdu2600 merged commit 7065108 into main Jun 12, 2023
@kevinlog kevinlog deleted the etwti_metrics branch June 12, 2023 12:43

- name: metrics.documents_volume.api_events.sources.source
level: custom
type: string
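Review bot: `type: string` on `metrics.documents_volume.api_events.sources.source` is not a field type this schema uses, and a short source identifier that will be filtered and aggregated on should be mapped as `type: keyword`.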
Contributor Author


This should have been keyword.
See #373

@elasticmachine
Contributor

Package endpoint - 8.9.0 containing this change is available at https://epr.elastic.co/search?package=endpoint

@AsuNa-jp AsuNa-jp added v8.10.0 and removed v8.10.0 labels Jul 28, 2023
@jdu2600 jdu2600 self-assigned this Dec 12, 2024

6 participants