Add searchDuration to EQL and Threshold rules (#93149)

ecezalp · ecezalp · commit ffc649ad5e35 · 2021-03-03T10:09:09.000-05:00
Closes #82861.
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.ts
@@ -11,6 +11,7 @@ import { Logger, KibanaRequest } from 'src/core/server';
 import isEmpty from 'lodash/isEmpty';
 import { chain, tryCatch } from 'fp-ts/lib/TaskEither';
 import { flow } from 'fp-ts/lib/function';
+import { performance } from 'perf_hooks';
 
 import { toError, toPromise } from '../../../../common/fp_utils';
 
@@ -52,6 +53,7 @@ import {
   checkPrivileges,
   hasTimestampFields,
   hasReadIndexPrivileges,
+  makeFloatString,
 } from './utils';
 import { signalParamsSchema } from './signal_params_schema';
 import { siemRuleActionGroups } from './siem_rule_action_groups';
@@ -409,7 +411,11 @@ export const signalRulesAlertType = ({
             lists: exceptionItems ?? [],
           });
 
-          const { searchResult: thresholdResults, searchErrors } = await findThresholdSignals({
+          const {
+            searchResult: thresholdResults,
+            searchErrors,
+            searchDuration: thresholdSearchDuration,
+          } = await findThresholdSignals({
             inputIndexPattern: inputIndex,
             from,
             to,
@@ -464,6 +470,7 @@ export const signalRulesAlertType = ({
               createdSignalsCount: createdItemsCount,
               createdSignals: createdItems,
               bulkCreateTimes: bulkCreateDuration ? [bulkCreateDuration] : [],
+              searchAfterTimes: [thresholdSearchDuration],
             }),
           ]);
         } else if (isThreatMatchRule(type)) {
@@ -599,10 +606,14 @@ export const signalRulesAlertType = ({
             exceptionItems ?? [],
             eventCategoryOverride
           );
+          const eqlSignalSearchStart = performance.now();
           const response: EqlSignalSearchResponse = await services.callCluster(
             'transport.request',
             request
           );
+          const eqlSignalSearchEnd = performance.now();
+          const eqlSearchDuration = makeFloatString(eqlSignalSearchEnd - eqlSignalSearchStart);
+          result.searchAfterTimes = [eqlSearchDuration];
           let newSignals: WrappedSignalHit[] | undefined;
           if (response.hits.sequences !== undefined) {
             newSignals = response.hits.sequences.reduce(
@@ -643,7 +654,6 @@ export const signalRulesAlertType = ({
 
             const fromInMs = parseScheduleDates(`now-${interval}`)?.format('x');
             const toInMs = parseScheduleDates('now')?.format('x');
-
             const resultsLink = getNotificationResultsLink({
               from: fromInMs,
               to: toInMs,
