[Attack Discovery][Scheduling] Telemetry (elastic#12008) (elastic#220998)

## Summary

Main ticket ([Internal
link](elastic/security-team#12008))

These changes add attack discovery schedules telemetry similarly to
existing manually generated attack discoveries added in this commit
elastic@3c41972.

## NOTES

The feature is hidden behind the feature flag (in `kibana.dev.yml`):

```
feature_flags.overrides:
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```

Author: e40pud

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/transforms/transform_to_alert_documents/index.test.ts

@@ -6,12 +6,14 @@
  */
 
 import { EcsVersion } from '@elastic/ecs';
+import { Alert } from '@kbn/alerts-as-data-utils';
 import { AuthenticatedUser } from '@kbn/core/server';
 import {
   ATTACK_DISCOVERY_AD_HOC_RULE_ID,
   ATTACK_DISCOVERY_AD_HOC_RULE_TYPE_ID,
   type CreateAttackDiscoveryAlertsParams,
   replaceAnonymizedValuesWithOriginalValues,
+  AttackDiscovery,
 } from '@kbn/elastic-assistant-common';
 import {
   ALERT_INSTANCE_ID,
@@ -55,6 +57,80 @@ import {
 } from '../../../schedules/fields/field_names';
 import { AttackDiscoveryAlertDocument } from '../../../schedules/types';
 
+type AttackDiscoveryAlertDocumentBase = Omit<AttackDiscoveryAlertDocument, keyof Alert>;
+
+export const transformToBaseAlertDocument = ({
+  attackDiscovery,
+  alertsParams,
+}: {
+  attackDiscovery: AttackDiscovery;
+  alertsParams: Omit<CreateAttackDiscoveryAlertsParams, 'attackDiscoveries' | 'generationUuid'>;
+}): AttackDiscoveryAlertDocumentBase => {
+  const { alertsContextCount, anonymizedAlerts, apiConfig, connectorName, replacements } =
+    alertsParams;
+
+  const {
+    alertIds,
+    entitySummaryMarkdown,
+    detailsMarkdown,
+    mitreAttackTactics,
+    summaryMarkdown,
+    title,
+  } = attackDiscovery;
+
+  return {
+    // Alert base fields
+    [ECS_VERSION]: EcsVersion,
+    [ALERT_RISK_SCORE]: getAlertRiskScore({
+      alertIds,
+      anonymizedAlerts,
+    }),
+
+    // Attack discovery fields
+    [ALERT_ATTACK_DISCOVERY_ALERT_IDS]: alertIds,
+    [ALERT_ATTACK_DISCOVERY_ALERTS_CONTEXT_COUNT]: alertsContextCount,
+    [ALERT_ATTACK_DISCOVERY_API_CONFIG]: {
+      action_type_id: apiConfig.actionTypeId,
+      connector_id: apiConfig.connectorId,
+      model: apiConfig.model,
+      name: connectorName,
+      provider: apiConfig.provider,
+    },
+    [ALERT_ATTACK_DISCOVERY_DETAILS_MARKDOWN]: detailsMarkdown,
+    [ALERT_ATTACK_DISCOVERY_DETAILS_MARKDOWN_WITH_REPLACEMENTS]:
+      replaceAnonymizedValuesWithOriginalValues({
+        messageContent: detailsMarkdown,
+        replacements,
+      }),
+    [ALERT_ATTACK_DISCOVERY_ENTITY_SUMMARY_MARKDOWN]: entitySummaryMarkdown,
+    [ALERT_ATTACK_DISCOVERY_ENTITY_SUMMARY_MARKDOWN_WITH_REPLACEMENTS]:
+      entitySummaryMarkdown != null
+        ? replaceAnonymizedValuesWithOriginalValues({
+            messageContent: entitySummaryMarkdown,
+            replacements,
+          })
+        : undefined,
+    [ALERT_ATTACK_DISCOVERY_MITRE_ATTACK_TACTICS]: mitreAttackTactics,
+    [ALERT_ATTACK_DISCOVERY_REPLACEMENTS]: !isEmpty(replacements)
+      ? Object.entries(replacements).map(([uuid, value]) => ({
+          uuid,
+          value,
+        }))
+      : undefined,
+    [ALERT_ATTACK_DISCOVERY_SUMMARY_MARKDOWN]: summaryMarkdown,
+    [ALERT_ATTACK_DISCOVERY_SUMMARY_MARKDOWN_WITH_REPLACEMENTS]:
+      replaceAnonymizedValuesWithOriginalValues({
+        messageContent: summaryMarkdown,
+        replacements,
+      }),
+    [ALERT_ATTACK_DISCOVERY_TITLE]: title,
+    [ALERT_ATTACK_DISCOVERY_TITLE_WITH_REPLACEMENTS]: replaceAnonymizedValuesWithOriginalValues({
+      messageContent: title,
+      replacements,
+    }),
+  };
+};
+
 export const transformToAlertDocuments = ({
   authenticatedUser,
   createAttackDiscoveryAlertsParams,
@@ -66,102 +142,42 @@ export const transformToAlertDocuments = ({
   now: Date;
   spaceId: string;
 }): AttackDiscoveryAlertDocument[] => {
-  const {
-    alertsContextCount,
-    anonymizedAlerts,
-    apiConfig,
-    attackDiscoveries,
-    connectorName,
-    generationUuid,
-    replacements,
-  } = createAttackDiscoveryAlertsParams;
+  const { attackDiscoveries, generationUuid, ...restParams } = createAttackDiscoveryAlertsParams;
 
-  const replacementsOrEmpty = replacements ?? {};
+  return attackDiscoveries.map((attackDiscovery) => {
+    const alertUuid = uuidv4();
 
-  return attackDiscoveries.map(
-    ({
-      alertIds,
-      entitySummaryMarkdown,
-      detailsMarkdown,
-      mitreAttackTactics,
-      summaryMarkdown,
-      title,
-    }) => {
-      const alertUuid = uuidv4();
+    const baseAlertDocument = transformToBaseAlertDocument({
+      attackDiscovery,
+      alertsParams: restParams,
+    });
+
+    return {
+      ...baseAlertDocument,
 
-      return {
-        '@timestamp': now.toISOString(),
-        [ALERT_ATTACK_DISCOVERY_ALERT_IDS]: alertIds,
-        [ALERT_ATTACK_DISCOVERY_ALERTS_CONTEXT_COUNT]: alertsContextCount,
-        [ALERT_ATTACK_DISCOVERY_API_CONFIG]: {
-          action_type_id: apiConfig.actionTypeId,
-          connector_id: apiConfig.connectorId,
-          model: apiConfig.model,
-          name: connectorName,
-          provider: apiConfig.provider,
+      '@timestamp': now.toISOString(),
+      [ALERT_ATTACK_DISCOVERY_USER_ID]: authenticatedUser.profile_uid,
+      [ALERT_ATTACK_DISCOVERY_USER_NAME]: authenticatedUser.username,
+      [ALERT_ATTACK_DISCOVERY_USERS]: [
+        {
+          id: authenticatedUser.profile_uid,
+          name: authenticatedUser.username,
         },
-        [ALERT_ATTACK_DISCOVERY_DETAILS_MARKDOWN]: detailsMarkdown,
-        [ALERT_ATTACK_DISCOVERY_DETAILS_MARKDOWN_WITH_REPLACEMENTS]:
-          replaceAnonymizedValuesWithOriginalValues({
-            messageContent: detailsMarkdown,
-            replacements: replacementsOrEmpty,
-          }),
-        [ALERT_ATTACK_DISCOVERY_ENTITY_SUMMARY_MARKDOWN]: entitySummaryMarkdown,
-        [ALERT_ATTACK_DISCOVERY_ENTITY_SUMMARY_MARKDOWN_WITH_REPLACEMENTS]:
-          entitySummaryMarkdown != null
-            ? replaceAnonymizedValuesWithOriginalValues({
-                messageContent: entitySummaryMarkdown,
-                replacements: replacementsOrEmpty,
-              })
-            : undefined,
-        [ALERT_ATTACK_DISCOVERY_MITRE_ATTACK_TACTICS]: mitreAttackTactics,
-        [ALERT_ATTACK_DISCOVERY_REPLACEMENTS]: !isEmpty(replacementsOrEmpty)
-          ? Object.entries(replacementsOrEmpty).map(([uuid, value]) => ({
-              uuid,
-              value,
-            }))
-          : undefined,
-        [ALERT_ATTACK_DISCOVERY_SUMMARY_MARKDOWN]: summaryMarkdown,
-        [ALERT_ATTACK_DISCOVERY_SUMMARY_MARKDOWN_WITH_REPLACEMENTS]:
-          replaceAnonymizedValuesWithOriginalValues({
-            messageContent: summaryMarkdown,
-            replacements: replacementsOrEmpty,
-          }),
-        [ALERT_ATTACK_DISCOVERY_TITLE]: title,
-        [ALERT_ATTACK_DISCOVERY_TITLE_WITH_REPLACEMENTS]: replaceAnonymizedValuesWithOriginalValues(
-          {
-            messageContent: title,
-            replacements: replacementsOrEmpty,
-          }
-        ),
-        [ALERT_ATTACK_DISCOVERY_USER_ID]: authenticatedUser.profile_uid,
-        [ALERT_ATTACK_DISCOVERY_USER_NAME]: authenticatedUser.username,
-        [ALERT_ATTACK_DISCOVERY_USERS]: [
-          {
-            id: authenticatedUser.profile_uid,
-            name: authenticatedUser.username,
-          },
-        ],
-        [ALERT_RULE_EXECUTION_UUID]: generationUuid,
-        [ALERT_INSTANCE_ID]: alertUuid,
-        [ALERT_RISK_SCORE]: getAlertRiskScore({
-          alertIds,
-          anonymizedAlerts,
-        }),
-        [ALERT_RULE_CATEGORY]: 'Attack discovery ad hoc (placeholder rule category)',
-        [ALERT_RULE_CONSUMER]: 'siem',
-        [ALERT_RULE_NAME]: 'Attack discovery ad hoc (placeholder rule name)',
-        [ALERT_RULE_PRODUCER]: 'siem',
-        [ALERT_RULE_REVISION]: 1,
-        [ALERT_RULE_TYPE_ID]: ATTACK_DISCOVERY_AD_HOC_RULE_TYPE_ID, // sentinel value
-        [ALERT_RULE_UUID]: ATTACK_DISCOVERY_AD_HOC_RULE_ID, // sentinel value
-        [ALERT_STATUS]: 'active',
-        [ALERT_UUID]: alertUuid, // IMPORTANT: the document _id should be the same as this field when it's bulk inserted
-        [ALERT_WORKFLOW_STATUS]: 'open',
-        [ECS_VERSION]: EcsVersion,
-        [EVENT_KIND]: 'signal',
-        [SPACE_IDS]: [spaceId],
-      };
-    }
-  );
+      ],
+      [ALERT_RULE_EXECUTION_UUID]: generationUuid,
+      [ALERT_INSTANCE_ID]: alertUuid,
+      [ALERT_RULE_CATEGORY]: 'Attack discovery ad hoc (placeholder rule category)',
+      [ALERT_RULE_CONSUMER]: 'siem',
+      [ALERT_RULE_NAME]: 'Attack discovery ad hoc (placeholder rule name)',
+      [ALERT_RULE_PRODUCER]: 'siem',
+      [ALERT_RULE_REVISION]: 1,
+      [ALERT_RULE_TYPE_ID]: ATTACK_DISCOVERY_AD_HOC_RULE_TYPE_ID, // sentinel value
+      [ALERT_RULE_UUID]: ATTACK_DISCOVERY_AD_HOC_RULE_ID, // sentinel value
+      [ALERT_STATUS]: 'active',
+      [ALERT_UUID]: alertUuid, // IMPORTANT: the document _id should be the same as this field when it's bulk inserted
+      [ALERT_WORKFLOW_STATUS]: 'open',
+      [EVENT_KIND]: 'signal',
+      [SPACE_IDS]: [spaceId],
+    };
+  });
 };

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/persistence/transforms/transform_to_alert_documents/index.ts

@@ -6,6 +6,7 @@
  */
 
 import { loggerMock } from '@kbn/logging-mocks';
+import { analyticsServiceMock } from '@kbn/core/server/mocks';
 import {
   ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,
   AttackDiscoveryScheduleParams,
@@ -16,13 +17,17 @@ import { ATTACK_DISCOVERY_ALERTS_AAD_CONFIG } from '../constants';
 
 describe('getAttackDiscoveryScheduleType', () => {
   const mockLogger = loggerMock.create();
+  const mockTelemetry = analyticsServiceMock.createAnalyticsServiceSetup();
 
   beforeEach(() => {
     jest.clearAllMocks();
   });
 
   it('should return schedule type definition', async () => {
-    const scheduleType = getAttackDiscoveryScheduleType({ logger: mockLogger });
+    const scheduleType = getAttackDiscoveryScheduleType({
+      logger: mockLogger,
+      telemetry: mockTelemetry,
+    });
 
     expect(scheduleType).toEqual({
       id: ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,

x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/schedules/register_schedule/definition.test.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { DEFAULT_APP_CATEGORIES, Logger } from '@kbn/core/server';
+import { AnalyticsServiceSetup, DEFAULT_APP_CATEGORIES, Logger } from '@kbn/core/server';
 import {
   ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,
   AttackDiscoveryScheduleParams,
@@ -17,10 +17,12 @@ import { attackDiscoveryScheduleExecutor } from './executor';
 
 export interface GetAttackDiscoveryScheduleParams {
   logger: Logger;
+  telemetry: AnalyticsServiceSetup;
 }
 
 export const getAttackDiscoveryScheduleType = ({
   logger,
+  telemetry,
 }: GetAttackDiscoveryScheduleParams): AttackDiscoveryScheduleType => {
   return {
     id: ATTACK_DISCOVERY_SCHEDULES_ALERT_TYPE_ID,
@@ -52,6 +54,7 @@ export const getAttackDiscoveryScheduleType = ({
       return attackDiscoveryScheduleExecutor({
         options,
         logger,
+        telemetry,
       });
     },
   };