Elastic Security Rules Analytics

Is there a way to get how much time it takes to execute all security rules? In "Stack Management" -> "Rules and Connectors", analytics are available per rule, but summary analytics seem to be missing, for example a duration summary across all rules.
In my case the duration summary for 500 rules is 1 hour (I made the summary manually). How can I get this info using the API?
Also, I'm interested in how this value changes:

  • during the day (peak hours vs non-peak hours)
  • when new rules are added/enabled
  • when rules are updated
  • when new data streams are added

It would be good to have these analytics available.


Hey there @Alexander_A, thanks for posting!

So we're still working on surfacing high-level KPIs and metrics summarizing all rule executions, but we are writing all the data from each execution to the Kibana event log, so you should be able to build a custom dashboard around this data for your needs in the interim.

If you go to Discover, and create a Data View for the .kibana-event-log-* system index you'll see all the events that are written as part of each rule execution. Please check out this source file for details on relevant field names -- this is the source for the Rule Execution Log that we have on Rule Details here:

Appreciate the feedback, and I've forwarded the details on to our product folks -- thanks!

Cheers!
Garrett

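As an added example (not code from the thread, from Elastic, or from the linked source file), the snippet below builds the aggregation body for the .kibana-event-log-* index named above and, offline, computes the same per-hour and per-rule duration totals over constructed sample documents. The field names (event.provider, event.action, event.duration in nanoseconds, rule.id, @timestamp) are assumed from the Kibana event log schema and should be checked against the source file referenced in the reply.

```python
from collections import defaultdict

def execution_summary_query(start="now-24h", end="now", interval="1h"):
    """Body for POST .kibana-event-log-*/_search: total execute duration per hour and per rule."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.provider": "alerting"}},   # assumed: alerting framework events
            {"term": {"event.action": "execute"}},      # assumed: one doc per finished rule run
            {"range": {"@timestamp": {"gte": start, "lte": end}}},
        ]}},
        "aggs": {
            "per_hour": {
                "date_histogram": {"field": "@timestamp", "fixed_interval": interval},
                "aggs": {"total_ns": {"sum": {"field": "event.duration"}}},
            },
            "per_rule": {
                "terms": {"field": "rule.id", "size": 1000},
                "aggs": {"total_ns": {"sum": {"field": "event.duration"}}},
            },
        },
    }

def summarise(docs):
    """Offline equivalent of the aggregation: seconds per hour bucket and per rule."""
    per_hour, per_rule = defaultdict(float), defaultdict(float)
    for d in docs:
        if d["event"].get("provider") != "alerting" or d["event"].get("action") != "execute":
            continue
        secs = d["event"].get("duration", 0) / 1e9  # assumed: event.duration is nanoseconds
        per_hour[d["@timestamp"][:13]] += secs      # bucket key "YYYY-MM-DDTHH"
        per_rule[d["rule"]["id"]] += secs
    return dict(per_hour), dict(per_rule)

def peak_hour(per_hour):
    """Hour bucket with the largest total execution time (peak vs non-peak comparison)."""
    return max(per_hour, key=per_hour.get) if per_hour else None

def _doc(ts, rule_id, action, duration_ns):
    return {"@timestamp": ts, "rule": {"id": rule_id},
            "event": {"provider": "alerting", "action": action, "duration": duration_ns}}

# Constructed sample documents, not real event log output.
SAMPLE = [
    _doc("2023-05-01T09:00:12.000Z", "rule-a", "execute", 2_000_000_000),
    _doc("2023-05-01T09:30:05.000Z", "rule-b", "execute", 5_000_000_000),
    _doc("2023-05-01T09:45:00.000Z", "rule-a", "execute-start", 0),  # ignored: not an execute doc
    _doc("2023-05-01T10:00:12.000Z", "rule-a", "execute", 1_500_000_000),
]
```

Running the query body against a live cluster returns the same totals in the `total_ns` buckets; divide by 1e9 to get seconds, as `summarise` does.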

Thanks @spong, I've been able to get the data I was looking for.

