Skip to content

[Security Solution] Use aggregation queries in the internal _rule_management_filters endpoint #166364

New issue
New issue
Open
Open
[Security Solution] Use aggregation queries in the internal _rule_management_filters endpoint#166364

Description

@banderror

banderror
openedon Sep 13, 2023

Related to: #137428

Summary

In the _rule_management_filters endpoint, we fetch aggregated information needed for filters on the Rule Management page.

In order to fetch how many prebuilt and custom rules we have, we run two search requests in parallel:

https://github.com/banderror/kibana/blob/bf22a48a91f55d4d72961da074ede02118b318c7/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/rules/filters/route.ts#L34-L52

We could do it using a single aggregation request similar to how it is done for fetching aggregated tags in the same endpoint:

https://github.com/banderror/kibana/blob/bf22a48a91f55d4d72961da074ede02118b318c7/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/api/tags/read_tags/read_tags.ts#L19-L35

We could go further and combine aggs for fetching aggregated tags and the number of rules into a single call to rulesClient.aggregate(), optimizing this endpoint to making only one call to Elasticsearch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    Feature:Rule ManagementSecurity Solution Detection Rule ManagementTeam: SecuritySolutionSecurity Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.Team:Detection Rule ManagementSecurity Detection Rule Management TeamTeam:Detections and RespSecurity Detection Response Teamperformancerefactoringtechnical debtImprovement of the software architecture and operational architecture

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions