elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Dashboards security tag gets duplicated on upgrade #164849

Open machadoum opened 1 year ago

machadoum commented 1 year ago

Describe the bug: When I upgrade to 8.10 the security tag gets duplicated

Kibana/Elasticsearch Stack version: 8.9->8.10

Steps to reproduce:

  1. Install kibana 8.9
  2. Create a dashboard with a security solution tag
  3. Upgrade kibana from 8.9 to 8.10
  4. I open the dashboard table
  5. It has 2 different security solution tags

Current behavior: It shows duplicated tags

Expected behavior: It should show one tag

Screenshots (if relevant):

[Image: Screenshot 2023-08-25 at 16 18 56]

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 1 year ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

angorayc commented 11 months ago

Hello @machadoum, when you have a chance to see this happening again, can you please go to stack management > saved objects and provide the saved objects attributes of these two Security Solution for me please?

Wondering if that's the same as this issue: https://github.com/elastic/kibana/pull/159486#issuecomment-1741337498

machadoum commented 11 months ago

> Hello @machadoum, when you have a chance to see this happening again, can you please go to stack management > saved objects and provide the saved objects attributes of these two Security Solution for me please?
>
> Wondering if that's the same as this issue: #159486 (comment)

It looks like the same issue. I noticed that both tags were created on 8.9. Here are the saved objects:

Detection rule monitoring saved object

```
ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execute\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"0b7e01b1-974a-4de9-867d-46fc000c63e3\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"3a521678-3e76-49b6-a379-eb75ef03604b\":{\"label\":\"Top 5 values of 
rule.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"secondaryFields\":[],\"parentFormat\":{\"id\":\"terms\"}}},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\":{\"label\":\"Total execution duration\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"3a521678-3e76-49b6-a379-eb75ef03604b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Total rule execution duration, top 5 rules per @timestamp\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":5,\"i\":\"a0f62bb1-a9c3-4c46-b0fb-137c7f2b4a0c\"},\"panelIndex\":\"a0f62bb1-a9c3-4c46-b0fb-137c7f2b4a0c\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"**Rule schedule delay** shows the difference between the planned rule start time (according to its schedule) and the time when it actually started. Normally, it should be about 3 seconds or less. When the cluster is overloaded, it can be way more than 3 seconds. 
This is when you'd want to scale your cluster according to the load or reduce it by disabling or optimizing the rules.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}}},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":52,\"w\":21,\"h\":15,\"i\":\"d2e87680-4d92-4067-9f27-7749854dedce\"},\"panelIndex\":\"d2e87680-4d92-4067-9f27-7749854dedce\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"4101bdcb-5ba8-406f-8893-07356a98d49b\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\",\"maxLines\":1},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\",\"niceValues\":true},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"yConfig\":[{\"forAccessor\":\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"color\":\"#d36086\",\"axisMode\":\"left\"},{\"forAccessor\":\"f623346f-da47-4819-b485-d3527bd4506e\",\"axisMode\":\"lef
t\",\"color\":\"#9170b8\"},{\"forAccessor\":\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"axisMode\":\"left\",\"color\":\"#6092c0\"}]}],\"curveType\":\"CURVE_MONOTONE_X\",\"yTitle\":\"Schedule delay, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execute\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}}},{\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"siem\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}}],\"index\":\"4101bdcb-5ba8-406f-8893-07356a98d49b\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X0\":{\"label\":\"Part of 99th 
percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":99},\"customLabel\":true},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X1\":{\"label\":\"Part of 99th percentile\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X0\",1000000],\"location\":{\"min\":0,\"max\":63},\"text\":\"percentile(kibana.task.schedule_delay, percentile=99) / 1000000\"}},\"references\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X0\"],\"customLabel\":true},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\":{\"label\":\"99th percentile\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"percentile(kibana.task.schedule_delay, percentile=99) / 1000000\",\"isFormulaBroken\":false},\"references\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X1\"],\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506eX0\":{\"label\":\"Part of 95th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":95},\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506eX1\":{\"label\":\"Part of 95th percentile\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"f623346f-da47-4819-b485-d3527bd4506eX0\",1000000],\"location\":{\"min\":0,\"max\":63},\"text\":\"percentile(kibana.task.schedule_delay, percentile=95) / 1000000\"}},\"references\":[\"f623346f-da47-4819-b485-d3527bd4506eX0\"],\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506e\":{\"label\":\"95th 
percentile\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"percentile(kibana.task.schedule_delay, percentile=95) / 1000000\",\"isFormulaBroken\":false},\"references\":[\"f623346f-da47-4819-b485-d3527bd4506eX1\"],\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX0\":{\"label\":\"Part of 50th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":50},\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX1\":{\"label\":\"Part of 50th percentile\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX0\",1000000],\"location\":{\"min\":0,\"max\":63},\"text\":\"percentile(kibana.task.schedule_delay, percentile=50) / 1000000\"}},\"references\":[\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX0\"],\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\":{\"label\":\"50th percentile\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"percentile(kibana.task.schedule_delay, percentile=50) / 
1000000\",\"isFormulaBroken\":false},\"references\":[\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX1\"],\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X0\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26X1\",\"f623346f-da47-4819-b485-d3527bd4506eX0\",\"f623346f-da47-4819-b485-d3527bd4506eX1\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX0\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9eX1\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"This chart aggregates this metric across all rules and shows how a few important percentiles of the metric were changing over time. 99th percentile means that 99% of rule executions had a schedule delay less than the percentile's value.\"},\"title\":\"Rule scheduling delay, percentiles\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":52,\"w\":27,\"h\":15,\"i\":\"2372c630-207e-4859-83a9-de5a7bc638dc\"},\"panelIndex\":\"2372c630-207e-4859-83a9-de5a7bc638dc\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"adafccc0-9c17-4249-89e1-e61a8d00079b\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientati
on\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"splitAccessor\":\"3a521678-3e76-49b6-a379-eb75ef03604b\"}],\"yTitle\":\"Rule schedule delay, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execute\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"adafccc0-9c17-4249-89e1-e61a8d00079b\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"
params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"3a521678-3e76-49b6-a379-eb75ef03604b\":{\"label\":\"Top 5 values of rule.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"custom\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"secondaryFields\":[],\"parentFormat\":{\"id\":\"terms\"},\"orderAgg\":{\"label\":\"Maximum of kibana.task.schedule_delay\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}}}},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX0\":{\"label\":\"Part of Rule schedule delay\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX1\":{\"label\":\"Part of Rule schedule delay\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX0\",1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"max(kibana.task.schedule_delay) / 1000000\"}},\"references\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX0\"],\"customLabel\":true},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\":{\"label\":\"Rule schedule delay\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"max(kibana.task.schedule_delay) / 
1000000\",\"isFormulaBroken\":false},\"references\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX1\"],\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"3a521678-3e76-49b6-a379-eb75ef03604b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX0\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4bX1\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Rule scheduling delay, top 5 rules per @timestamp\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":67,\"w\":48,\"h\":4,\"i\":\"054eb35b-90a8-4b45-9821-7c0eefb22a85\"},\"panelIndex\":\"054eb35b-90a8-4b45-9821-7c0eefb22a85\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"**Search/query duration** metric shows how much time it took for a rule when it was executing to query source indices (or data views) to find source events matching the rule's 
criteria.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":71,\"w\":21,\"h\":15,\"i\":\"e2504c27-3027-4c13-85c0-a66416c53bd4\"},\"panelIndex\":\"e2504c27-3027-4c13-85c0-a66416c53bd4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"edb4ad7f-1ef2-477f-980c-c6fe47d6470d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\",\"maxLines\":1},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"yConfig\":[{\"forAccessor\":\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"color\":\"#d36086\",\"axisMode\":\"left\"},{\"forAccessor\":\"f623346f-da47-4819-b485-d3527bd4506e\",\"axisMode\":\"left\",\"color\":\"#9170b8\"},{\"forAccessor\":\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"axisMode\":\"left\",\"color
\":\"#6092c0\"}]}],\"curveType\":\"CURVE_MONOTONE_X\",\"yTitle\":\"Search duration, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execution-metrics\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.action\":\"execution-metrics\"}}}],\"index\":\"edb4ad7f-1ef2-477f-980c-c6fe47d6470d\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\":{\"label\":\"99th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_search_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":99},\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506e\":{\"label\":\"95th 
percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_search_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":95},\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\":{\"label\":\"50th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_search_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms: *\",\"language\":\"kuery\"},\"params\":{\"percentile\":50},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"This chart aggregates this metric across all rules and shows how a few important percentiles of the metric were changing over time. 
99th percentile means that 99% of rule executions had a search/query duration less than the percentile's value.\"},\"title\":\"Search/query duration, percentiles\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":71,\"w\":27,\"h\":15,\"i\":\"fe382f90-aa03-47e0-a8a0-d6a8de877467\"},\"panelIndex\":\"fe382f90-aa03-47e0-a8a0-d6a8de877467\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"505272a2-f4fb-4778-9fdf-11415f36cc51\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"splitAccessor\":\"3a521678-3e76-49b6-a379-eb75ef03604b\"}],\"yTitle\":\"Search duration, 
ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execution-metrics\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execution-metrics\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}}],\"index\":\"505272a2-f4fb-4778-9fdf-11415f36cc51\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"3a521678-3e76-49b6-a379-eb75ef03604b\":{\"label\":\"Top 5 values of rule.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"secondaryFields\":[],\"parentFormat\":{\"id\":\"terms\"}}},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\":{\"label\":\"Search 
duration\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_search_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"3a521678-3e76-49b6-a379-eb75ef03604b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Search/query duration, top 5 rules per @timestamp\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":86,\"w\":48,\"h\":4,\"i\":\"267d2068-2d64-4e8e-bccb-efc580f90762\"},\"panelIndex\":\"267d2068-2d64-4e8e-bccb-efc580f90762\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"**Indexing duration** metric shows how much time it took for a rule when it was executing to write generated alerts to the `.alerts-security.alerts-*` 
index.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":90,\"w\":21,\"h\":15,\"i\":\"0b6f467f-f784-457e-9351-839874bef66e\"},\"panelIndex\":\"0b6f467f-f784-457e-9351-839874bef66e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"e0a238a9-104e-46c0-890a-c7b3e1c08018\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\",\"maxLines\":1},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"yConfig\":[{\"forAccessor\":\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"color\":\"#d36086\",\"axisMode\":\"left\"},{\"forAccessor\":\"f623346f-da47-4819-b485-d3527bd4506e\",\"axisMode\":\"left\",\"color\":\"#9170b8\"},{\"forAccessor\":\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\",\"axisMode\":\"left\",\"color\":
\"#6092c0\"}]}],\"curveType\":\"CURVE_MONOTONE_X\",\"yTitle\":\"Indexing duration, ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execution-metrics\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.action\":\"execution-metrics\"}}}],\"index\":\"e0a238a9-104e-46c0-890a-c7b3e1c08018\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\":{\"label\":\"99th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_indexing_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":99},\"customLabel\":true},\"f623346f-da47-4819-b485-d3527bd4506e\":{\"label\":\"95th 
percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_indexing_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"percentile\":95},\"customLabel\":true},\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\":{\"label\":\"50th percentile\",\"dataType\":\"number\",\"operationType\":\"percentile\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_indexing_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"filter\":{\"query\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms: *\",\"language\":\"kuery\"},\"params\":{\"percentile\":50},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"44728b87-025d-4b13-b3b9-35bfd5cc7d26\",\"f623346f-da47-4819-b485-d3527bd4506e\",\"861f06ed-3ef1-4e60-93fe-ddf176e5aa9e\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{},\"description\":\"This chart aggregates this metric across all rules and shows how a few important percentiles of the metric were changing over time. 
99th percentile means that 99% of rule executions had an indexing duration less than the percentile's value.\"},\"title\":\"Indexing duration, percentiles\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":21,\"y\":90,\"w\":27,\"h\":15,\"i\":\"2ad1eb6c-c19b-41b1-897e-2d1d192cedae\"},\"panelIndex\":\"2ad1eb6c-c19b-41b1-897e-2d1d192cedae\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"5f5acf46-a12a-43cf-8d4a-b1ef1a971771\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\",\"legendSize\":\"auto\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\",\"accessors\":[\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"xAccessor\":\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"splitAccessor\":\"3a521678-3e76-49b6-a379-eb75ef03604b\"}],\"yTitle\":\"Indexing duration, 
ms\"},\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}}},{\"query\":{\"match_phrase\":{\"event.action\":\"execution-metrics\"}},\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"execution-metrics\"},\"index\":\"kibana-event-log-data-view\",\"disabled\":false,\"alias\":null}}],\"index\":\"5f5acf46-a12a-43cf-8d4a-b1ef1a971771\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8\":{\"columns\":{\"2e39ea80-4360-44ef-b24b-91adba3184f8\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true}},\"3a521678-3e76-49b6-a379-eb75ef03604b\":{\"label\":\"Top 5 values of rule.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"secondaryFields\":[],\"parentFormat\":{\"id\":\"terms\"}}},\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\":{\"label\":\"Indexing 
duration\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_indexing_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2e39ea80-4360-44ef-b24b-91adba3184f8\",\"3a521678-3e76-49b6-a379-eb75ef03604b\",\"707ff766-8ef2-47ca-9559-d7ace1bc0a4b\"],\"incompleteColumns\":{}}}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Indexing duration, top 5 rules per @timestamp\"},{\"version\":\"8.9.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":105,\"w\":48,\"h\":4,\"i\":\"0fcc0476-eb8c-4c41-8325-2a9084a12e59\"},\"panelIndex\":\"0fcc0476-eb8c-4c41-8325-2a9084a12e59\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"Top 10 rules by various criteria.\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"title\":\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":109,\"w\":24,\"h\":16,\"i\":\"6ce283f7-115a-4a0f-9184-71e141149183\"},\"panelIndex\":\"6ce283f7-115a-4a0f-9184-71e141149183\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"a1fed0ee-76a2-476e-8614-9fe8e71128b3\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"isTransposed\":false},{\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"isTransposed\":false,\"width\":135},{\"columnId\":\"75b295c8-00ac-4f62-8952-e4cb
44b5f183\",\"isTransposed\":false,\"width\":153.66666666666669},{\"columnId\":\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\",\"isTransposed\":false,\"width\":86.16666666666663}],\"layerId\":\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}},\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execute\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"a1fed0ee-76a2-476e-8614-9fe8e71128b3\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\":{\"columns\":{\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields
\":[]},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\":{\"label\":\"Duration, ms\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.alert.rule.execution.metrics.total_run_duration_ms\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"75b295c8-00ac-4f62-8952-e4cb44b5f183\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\",\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"75b295c8-00ac-4f62-8952-e4cb44b5f183\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 slowest rules by total execution 
duration\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":109,\"w\":24,\"h\":16,\"i\":\"f5d7a9c8-839c-408c-b798-68d019483bc7\"},\"panelIndex\":\"f5d7a9c8-839c-408c-b798-68d019483bc7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"ee506497-3313-49d4-9cc9-353e55305547\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"isTransposed\":false},{\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"isTransposed\":false,\"width\":130},{\"columnId\":\"75b295c8-00ac-4f62-8952-e4cb44b5f183\",\"isTransposed\":false,\"width\":163.66666666666669},{\"columnId\":\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\",\"isTransposed\":false,\"width\":84.16666666666663}],\"layerId\":\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"query\":{\"match_phrase\":{\"event.provider\":\"alerting\"}},\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"alerting\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"execute\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.action\":\"execute\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.category\",\"field\":\"event.category\",\"params\":{\"query\":\"siem\"},
\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"event.category\":\"siem\"}}}],\"index\":\"ee506497-3313-49d4-9cc9-353e55305547\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\":{\"columns\":{\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":false},\"orderDirection\":\"asc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX0\":{\"label\":\"Part of Schedule delay, ms\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":false},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX1\":{\"label\":\"Part of Schedule delay, ms\",\"dataType\":\"number\",\"operationType\":\"math\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"tinymathAst\":{\"type\":\"function\",\"name\":\"divide\",\"args\":[\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX0\",1000000],\"location\":{\"min\":0,\"max\":41},\"text\":\"max(kibana.task.schedule_delay) / 1000000\"}},\"references\":[\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX0\"],\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\":{\"label\":\"Delay, ms\",\"dataType\":\"number\",\"operationType\":\"formula\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"formula\":\"max(kibana.task.schedule_delay) / 
1000000\",\"isFormulaBroken\":false},\"references\":[\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX1\"],\"customLabel\":true},\"75b295c8-00ac-4f62-8952-e4cb44b5f183\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"custom\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"orderAgg\":{\"label\":\"Maximum of kibana.task.schedule_delay\",\"dataType\":\"number\",\"operationType\":\"max\",\"sourceField\":\"kibana.task.schedule_delay\",\"isBucketed\":false,\"scale\":\"ratio\",\"params\":{\"emptyAsNull\":true}}},\"customLabel\":true}},\"columnOrder\":[\"2fe7ca3c-5c52-4d5e-9892-afb9141d6319\",\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"75b295c8-00ac-4f62-8952-e4cb44b5f183\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX0\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2efX1\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 slowest rules by schedule 
delay\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":125,\"w\":24,\"h\":16,\"i\":\"2168b471-9a51-4ead-a51e-15e52ba85d86\"},\"panelIndex\":\"2168b471-9a51-4ead-a51e-15e52ba85d86\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"c5902ca2-58ae-4b1c-b420-5208b7cb16c4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"isTransposed\":false},{\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"isTransposed\":false,\"width\":122.08333333333331},{\"columnId\":\"729ee95a-5bf6-4f18-9350-dce536b55dea\",\"isTransposed\":false,\"width\":164.75},{\"columnId\":\"fa6462ca-54c3-470e-a9c3-66ff58c37536\",\"isTransposed\":false,\"width\":82.08333333333334}],\"layerId\":\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}},\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"status-change\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.action\":\"status-change\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"kibana.alert.rule.execu
tion.status\",\"field\":\"kibana.alert.rule.execution.status\",\"params\":{\"query\":\"failed\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"kibana.alert.rule.execution.status\":\"failed\"}}}],\"index\":\"c5902ca2-58ae-4b1c-b420-5208b7cb16c4\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\":{\"columns\":{\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\":{\"label\":\"# 
\\\"Failed\\\"\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"kibana.alert.rule.execution.uuid\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"729ee95a-5bf6-4f18-9350-dce536b55dea\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"fa6462ca-54c3-470e-a9c3-66ff58c37536\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"fa6462ca-54c3-470e-a9c3-66ff58c37536\",\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"729ee95a-5bf6-4f18-9350-dce536b55dea\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 rules by status 
\\\"Failed\\\"\"},{\"version\":\"8.9.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":125,\"w\":24,\"h\":16,\"i\":\"075d7dff-442b-4091-bfe2-3844e7e7e3f4\"},\"panelIndex\":\"075d7dff-442b-4091-bfe2-3844e7e7e3f4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"kibana-event-log-data-view\",\"name\":\"indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"type\":\"index-pattern\"},{\"id\":\"kibana-event-log-data-view\",\"name\":\"64b1a767-a32b-4a59-9fae-de5f08d38208\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"isTransposed\":false},{\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\",\"isTransposed\":false,\"width\":126.25},{\"columnId\":\"7ea81631-0dff-4ec6-929f-592e29101149\",\"isTransposed\":false,\"width\":165.375},{\"columnId\":\"9f1d7602-e75b-427f-b740-c2b8167fed33\",\"isTransposed\":false,\"width\":82}],\"layerId\":\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"type\":\"combined\",\"relation\":\"AND\",\"params\":[{\"query\":{\"match_phrase\":{\"event.provider\":\"securitySolution.ruleExecution\"}},\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.provider\",\"field\":\"event.provider\",\"params\":{\"query\":\"securitySolution.ruleExecution\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null}},{\"meta\":{\"negate\":false,\"index\":\"kibana-event-log-data-view\",\"key\":\"event.action\",\"field\":\"event.action\",\"params\":{\"query\":\"status-change\"},\"type\":\"phrase\",\"disabled\":false,\"alias\":null},\"query\":{\"match_phrase\":{\"event.action\":\"status-change\"}}},{\"meta\":{\"disabled\":false,\"negate\":false,\"alias\":null,\"index\":\"kibana-event-log-data-view\",\"key\":\"kibana.alert.rule.execution.status\",\"
field\":\"kibana.alert.rule.execution.status\",\"params\":{\"query\":\"partial failure\"},\"type\":\"phrase\"},\"$state\":{\"store\":\"appState\"},\"query\":{\"match_phrase\":{\"kibana.alert.rule.execution.status\":\"partial failure\"}}}],\"index\":\"64b1a767-a32b-4a59-9fae-de5f08d38208\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"dd23be91-5d0e-41d8-8907-ae3c9a577e2e\":{\"columns\":{\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\":{\"label\":\"Name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.name\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\":{\"label\":\"# 
\\\"Warning\\\"\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"kibana.alert.rule.execution.uuid\",\"isBucketed\":false,\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"7ea81631-0dff-4ec6-929f-592e29101149\":{\"label\":\"Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.category\",\"isBucketed\":true,\"params\":{\"size\":1,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"9f1d7602-e75b-427f-b740-c2b8167fed33\":{\"label\":\"ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"9f1d7602-e75b-427f-b740-c2b8167fed33\",\"29b3609c-9891-4c1c-94ee-17bc4410cbbb\",\"7ea81631-0dff-4ec6-929f-592e29101149\",\"ce86886d-db33-4d81-a0c4-b2d5499cf2ef\"],\"sampling\":1,\"ignoreGlobalFilters\":false,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Top 10 rules by status \\\"Warning\\\"\"}]", "timeRestore": false, "title": "[Elastic Security] Detection rule monitoring", "version": 1 }, "references": [ { "id": "kibana-event-log-data-view", "name": "52ec5ce0-3ea9-42ee-91f2-0f664d6cb74d:indexpattern-datasource-layer-66195a85-b71e-45f5-a5ea-4388416cf5f7", "type": "index-pattern" }, { "id": 
"kibana-event-log-data-view", "name": "52ec5ce0-3ea9-42ee-91f2-0f664d6cb74d:874e1b4c-a64b-426a-b43e-d4ee226610a9", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "91a23437-071d-4739-b57e-2881caa980eb:indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "91a23437-071d-4739-b57e-2881caa980eb:37539143-7ea2-4353-ae4e-78ec772d1508", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "9770096c-3ba7-42e4-9783-5042ff08896d:indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "9770096c-3ba7-42e4-9783-5042ff08896d:32816692-7d96-4a12-abe3-3016e8a3844c", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "12011f8d-0d0d-40d6-8ef5-0d50bfe570f8:indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "12011f8d-0d0d-40d6-8ef5-0d50bfe570f8:9acb5e9e-8c72-4ba6-a4f5-7f2901353c16", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "b3b0743e-9a2c-4173-babc-dc93204cc0f2:indexpattern-datasource-layer-17c4f52b-ef17-43d7-8282-91e48cbe11e7", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "b3b0743e-9a2c-4173-babc-dc93204cc0f2:9adf5837-270f-43bf-92d8-af2d74022292", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "78c659aa-a001-4c30-9452-e9c7d0c0ec5d:indexpattern-datasource-layer-4eaf036b-c9f5-4206-bcfe-8033bec44a21", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "78c659aa-a001-4c30-9452-e9c7d0c0ec5d:abcc85f3-00cd-48bd-a313-de50207ab1b6", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "b3dd29a9-c051-46ab-b1fa-facf899f7af9:indexpattern-datasource-layer-4eaf036b-c9f5-4206-bcfe-8033bec44a21", "type": "index-pattern" }, { "id": 
"kibana-event-log-data-view", "name": "b3dd29a9-c051-46ab-b1fa-facf899f7af9:0ccd359c-35a9-42ee-9b53-e0061755ffef", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "ad5995be-bf0f-48ba-8dc8-7313ca3bfbae:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "ad5995be-bf0f-48ba-8dc8-7313ca3bfbae:2720edea-b96b-47d7-bf57-ff3a4c91ab9d", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "2eac0a4e-9ec7-433e-89bc-e8edc1dadae7:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "2eac0a4e-9ec7-433e-89bc-e8edc1dadae7:0b7e01b1-974a-4de9-867d-46fc000c63e3", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "d2e87680-4d92-4067-9f27-7749854dedce:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "d2e87680-4d92-4067-9f27-7749854dedce:4101bdcb-5ba8-406f-8893-07356a98d49b", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "2372c630-207e-4859-83a9-de5a7bc638dc:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "2372c630-207e-4859-83a9-de5a7bc638dc:adafccc0-9c17-4249-89e1-e61a8d00079b", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "e2504c27-3027-4c13-85c0-a66416c53bd4:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "e2504c27-3027-4c13-85c0-a66416c53bd4:edb4ad7f-1ef2-477f-980c-c6fe47d6470d", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "fe382f90-aa03-47e0-a8a0-d6a8de877467:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", "type": "index-pattern" }, { "id": 
"kibana-event-log-data-view", "name": "fe382f90-aa03-47e0-a8a0-d6a8de877467:505272a2-f4fb-4778-9fdf-11415f36cc51", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "0b6f467f-f784-457e-9351-839874bef66e:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "0b6f467f-f784-457e-9351-839874bef66e:e0a238a9-104e-46c0-890a-c7b3e1c08018", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "2ad1eb6c-c19b-41b1-897e-2d1d192cedae:indexpattern-datasource-layer-59ae5f24-20ed-4c11-bf5c-229d2dbb3cc8", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "2ad1eb6c-c19b-41b1-897e-2d1d192cedae:5f5acf46-a12a-43cf-8d4a-b1ef1a971771", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "6ce283f7-115a-4a0f-9184-71e141149183:indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "6ce283f7-115a-4a0f-9184-71e141149183:a1fed0ee-76a2-476e-8614-9fe8e71128b3", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "f5d7a9c8-839c-408c-b798-68d019483bc7:indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "f5d7a9c8-839c-408c-b798-68d019483bc7:ee506497-3313-49d4-9cc9-353e55305547", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "2168b471-9a51-4ead-a51e-15e52ba85d86:indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "2168b471-9a51-4ead-a51e-15e52ba85d86:c5902ca2-58ae-4b1c-b420-5208b7cb16c4", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "075d7dff-442b-4091-bfe2-3844e7e7e3f4:indexpattern-datasource-layer-dd23be91-5d0e-41d8-8907-ae3c9a577e2e", "type": "index-pattern" }, { "id": 
"kibana-event-log-data-view", "name": "075d7dff-442b-4091-bfe2-3844e7e7e3f4:64b1a767-a32b-4a59-9fae-de5f08d38208", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "controlGroup_c9c507d9-a157-40b4-aec4-0a2e204c559c:optionsListDataView", "type": "index-pattern" }, { "id": "kibana-event-log-data-view", "name": "controlGroup_8b3b697c-2abf-4801-8a08-a1a29d483571:optionsListDataView", "type": "index-pattern" }, { "id": "fleet-managed-default", "name": "tag-ref-fleet-managed", "type": "tag" }, { "id": "security-solution-default", "name": "tag-ref-security-solution", "type": "tag" } ], "managed": true, "coreMigrationVersion": "8.8.0", "typeMigrationVersion": "8.9.0" }
```
Custom dashboard saved object

```
{
  "id": "038a9a80-66ab-11ee-aa14-15a9aa54546e",
  "type": "dashboard",
  "namespaces": [
    "default"
  ],
  "updated_at": "2023-10-09T13:51:57.992Z",
  "created_at": "2023-10-09T13:51:57.992Z",
  "version": "WzExLDFd",
  "attributes": {
    "kibanaSavedObjectMeta": {
      "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
    },
    "description": "",
    "timeRestore": false,
    "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}",
    "panelsJSON": "[{\"version\":\"8.9.2-SNAPSHOT\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":15,\"i\":\"e0bb28bb-5ea3-4409-a4c9-3289be36fdb4\"},\"panelIndex\":\"e0bb28bb-5ea3-4409-a4c9-3289be36fdb4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"description\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"security-solution-default\",\"name\":\"indexpattern-datasource-layer-82e55bf7-1b17-4619-848d-9a635b30cc72\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"82e55bf7-1b17-4619-848d-9a635b30cc72\",\"accessors\":[\"6e5fd69c-ef15-4912-b682-cd526ab809de\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"11583337-150f-45fb-aad1-28c1eead6c5d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"82e55bf7-1b17-4619-848d-9a635b30cc72\":{\"columns\":{\"11583337-150f-45fb-aad1-28c1eead6c5d\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"6e5fd69c-ef15-4912-b682-cd526ab809de\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"11583337-150f-45fb-aad1-28c1eead6c5d\",\"6e5fd69c-ef15-4912-b682-cd526ab809de\"],\"incompleteColumns\":{},\"sampling\":1}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}}]",
    "title": "aaaa",
    "version": 1
  },
  "references": [
    {
      "type": "index-pattern",
      "id": "security-solution-default",
      "name": "e0bb28bb-5ea3-4409-a4c9-3289be36fdb4:indexpattern-datasource-layer-82e55bf7-1b17-4619-848d-9a635b30cc72"
    },
    {
      "type": "tag",
      "id": "f7bce7d0-66aa-11ee-aa14-15a9aa54546e",
      "name": "tag-ref-f7bce7d0-66aa-11ee-aa14-15a9aa54546e"
    }
  ],
  "managed": false,
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "8.9.0"
}
```
angorayc commented 11 months ago

After checking the saved object data of these two Security Solution tags, I can confirm that this is the same issue as https://github.com/elastic/kibana/issues/167694. This issue happens without upgrading as well.

This behaviour is the expected behaviour, but it is not friendly to users. The tag with `security-solution-default` was created when importing the [Elastic Security] Detection rule monitoring dashboard. The other was created when landing on the Security Solution dashboard page. Ideally we should just have one SecuritySolution tag.

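A check for the condition described in this thread, as an added example (not Kibana code and not written by anyone in the thread): it reads a saved objects export in NDJSON form and reports tag names that exist under more than one id, together with the objects that reference each copy. The ids are the ones in the saved objects quoted above; the two tag records and the export summary line are constructed, on the assumption that both tags carry the name "Security Solution".

```javascript
// Constructed sample in the NDJSON shape of a saved objects export.
// Assumption: both tag records are named "Security Solution" (the thread does not show them).
const SAMPLE_EXPORT = [
  '{"id":"security-solution-default","type":"tag","attributes":{"name":"Security Solution"},"references":[]}',
  '{"id":"f7bce7d0-66aa-11ee-aa14-15a9aa54546e","type":"tag","attributes":{"name":"Security Solution"},"references":[]}',
  '{"id":"security-detection-rule-monitoring-default","type":"dashboard","attributes":{},"references":[{"id":"fleet-managed-default","name":"tag-ref-fleet-managed","type":"tag"},{"id":"security-solution-default","name":"tag-ref-security-solution","type":"tag"}]}',
  '{"id":"038a9a80-66ab-11ee-aa14-15a9aa54546e","type":"dashboard","attributes":{"title":"aaaa"},"references":[{"type":"tag","id":"f7bce7d0-66aa-11ee-aa14-15a9aa54546e","name":"tag-ref-f7bce7d0-66aa-11ee-aa14-15a9aa54546e"}]}',
  '{"exportedCount":4,"missingRefCount":0,"missingReferences":[]}',
].join('\n');

// Parse NDJSON and drop lines that are not saved objects (e.g. the export summary).
function parseExport(ndjson) {
  return ndjson
    .split('\n')
    .map((line) => line.trim())
    .filter(Boolean)
    .map((line) => JSON.parse(line))
    .filter((obj) => typeof obj.type === 'string' && typeof obj.id === 'string');
}

// Return one entry per tag name that is present under more than one tag id.
function findDuplicateTags(ndjson) {
  const objects = parseExport(ndjson);

  const usedBy = new Map(); // tag id -> "type:id" of every object referencing it
  for (const obj of objects) {
    for (const ref of obj.references ?? []) {
      if (ref.type !== 'tag') continue;
      if (!usedBy.has(ref.id)) usedBy.set(ref.id, []);
      usedBy.get(ref.id).push(`${obj.type}:${obj.id}`);
    }
  }

  const groups = new Map(); // normalised tag name -> tag objects with that name
  for (const obj of objects) {
    if (obj.type !== 'tag') continue;
    const key = String(obj.attributes?.name ?? '').trim().toLowerCase();
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(obj);
  }

  return [...groups.values()]
    .filter((tags) => tags.length > 1)
    .map((tags) => ({
      name: tags[0].attributes.name,
      tags: tags.map((t) => ({ id: t.id, usedBy: usedBy.get(t.id) ?? [] })),
    }));
}
```

Names are compared after trimming and lower-casing, which is a choice made for this example. A tag referenced by a dashboard but missing from the export, such as `fleet-managed-default` in the sample, is not reported.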