[ResponseOps] Cases analytics index (#223405)

This PR is for a feature branch that is being merged into main.

The relevant PRs are:
- #219211
- #222820
- #223241
- #224388
- #224682

## Summary

This PR adds 4 new indexes with case analytics data, which are created
when the cases plugin starts.

  - `.internal.cases`
  - `.internal.cases-comments`
  - `.internal.cases-attachments`
  - `.internal.cases-activity`

After the indexes are created, a backfill task for each of them is
scheduled to run 1 minute after creation. This task populates the
indexes with relevant data from `.kibana_alerting_cases`.

A second type of task is registered, the index synchronization task.
Four of these tasks, one for each index, are scheduled to run every 5
minutes. The synchronization tasks populated the indexes with data from
`.kibana_alerting_cases` that was created or updated in the last five
minutes.

## How to test

You might want to start Kibana with `--verbose` to see relevant index
messages in the console.

Alternatively(what I normally do), is go to `analytics_index.ts`,
`backfill_task_runner.ts`, and `synchronization_task_runner.ts`, and
change the `logDebug` function to call `this.logger.info` instead. This
way, you will have less spam in the console.

Every log message starts with the index name between square brackets, so
you can look for `[.internal.cases-` and follow what is happening.

1. You should have some existing case data, so before anything else,
please create some activity, attachments, etc.
2. Add `xpack.cases.analytics.index.enabled: true` to `kibana.dev.yml`
and restart Kibana.
3. Check out [this
branch](elastic/elasticsearch#129414) from the
ES project.
4. Start Elastic Search with `yarn es source`. This will use the above
version of Elasticsearch.
5. Wait a bit for the indexes to be created and populated(backfilled).
6. Using the dev tools:
    - Confirm the indexes exist.
- Check the index mapping. Does it match the one in the code? Is the
`_meta` field correct?
-
`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/mappings.ts`
    - Check that the painless scripts match the code.
-
`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/painless_scripts.ts`
- Confirm your existing case data is in the indexes. (See **Queries**
section below.)
7. Play around with cases. Some examples:
    - Create a case
    - Change status/severity
    - Attach alerts
    - Add files
    - Change category/tags
    - Add comments
    - etc
8. Go to the dev tools again and confirm all this shows up in the
relevant indexes. (See **Queries** section below.)

## Queries

In addition to the ones, below I have a few more. Things like reindexing
with specific scripts or fetching relevant data from
`.kibana_alerting_cases`. Ping me if you want those queries.

### Checking index content
```
GET /.internal.cases/_search
GET /.internal.cases-comments/_search
GET /.internal.cases-attachments/_search
GET /.internal.cases-activity/_search
```

### Checking index mappings
```
GET /.internal.cases
GET /.internal.cases-comments
GET /.internal.cases-attachments
GET /.internal.cases-activity
```

### Fetching the painless scripts
```
GET /_scripts/cai_cases_script_1
GET /_scripts/cai_attachments_script_1
GET /_scripts/cai_comments_script_1
GET /_scripts/cai_activity_script_1
```

### Emptying the indexes

It is sometimes useful for testing.
```
POST /.internal.cases/_delete_by_query
POST /.internal.cases-comments/_delete_by_query
POST /.internal.cases-attachments/_delete_by_query
POST /.internal.cases-activity/_delete_by_query
```

### Deleting the indexes

It is sometimes useful for testing.
```
DELETE /.internal.cases
DELETE /.internal.cases-comments
DELETE /.internal.cases-attachments
DELETE /.internal.cases-activity
```

## Release notes

Four dedicated case analytics indexes were created, allowing users to
build dashboards and metrics over case data. These indexes are created
on Kibana startup and updated periodically with cases, comments,
attachments, and activity data.

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Christos Nasikas <[email protected]>

Author: 4 people

x-pack/platform/plugins/shared/cases/server/cases_analytics/activity_index/constants.ts

@@ -0,0 +1,119 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { QueryDslQueryContainer } from '@elastic/elasticsearch/lib/api/types';
+
+import { ALERTING_CASES_SAVED_OBJECT_INDEX } from '@kbn/core-saved-objects-server';
+
+export const CAI_ACTIVITY_INDEX_NAME = '.internal.cases-activity';
+
+export const CAI_ACTIVITY_INDEX_ALIAS = '.cases-activity';
+
+export const CAI_ACTIVITY_INDEX_VERSION = 1;
+
+export const CAI_ACTIVITY_SOURCE_QUERY: QueryDslQueryContainer = {
+  bool: {
+    must: [
+      {
+        term: {
+          type: 'cases-user-actions',
+        },
+      },
+      {
+        bool: {
+          should: [
+            {
+              term: {
+                'cases-user-actions.type': 'severity',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'delete_case',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'category',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'status',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'tags',
+              },
+            },
+          ],
+          minimum_should_match: 1,
+        },
+      },
+    ],
+  },
+};
+
+export const CAI_ACTIVITY_SOURCE_INDEX = ALERTING_CASES_SAVED_OBJECT_INDEX;
+
+export const CAI_ACTIVITY_BACKFILL_TASK_ID = 'cai_activity_backfill_task';
+
+export const CAI_ACTIVITY_SYNCHRONIZATION_TASK_ID = 'cai_cases_activity_synchronization_task';
+
+export const getActivitySynchronizationSourceQuery = (
+  lastSyncAt: Date
+): QueryDslQueryContainer => ({
+  bool: {
+    must: [
+      {
+        term: {
+          type: 'cases-user-actions',
+        },
+      },
+      {
+        range: {
+          'cases-user-actions.created_at': {
+            gte: lastSyncAt.toISOString(),
+          },
+        },
+      },
+      {
+        bool: {
+          should: [
+            {
+              term: {
+                'cases-user-actions.type': 'severity',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'delete_case',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'category',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'status',
+              },
+            },
+            {
+              term: {
+                'cases-user-actions.type': 'tags',
+              },
+            },
+          ],
+          minimum_should_match: 1,
+        },
+      },
+    ],
+  },
+});

x-pack/platform/plugins/shared/cases/server/cases_analytics/activity_index/index.ts

@@ -0,0 +1,69 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ElasticsearchClient, Logger } from '@kbn/core/server';
+import type { TaskManagerStartContract } from '@kbn/task-manager-plugin/server';
+import { AnalyticsIndex } from '../analytics_index';
+import {
+  CAI_ACTIVITY_INDEX_NAME,
+  CAI_ACTIVITY_INDEX_ALIAS,
+  CAI_ACTIVITY_INDEX_VERSION,
+  CAI_ACTIVITY_SOURCE_INDEX,
+  CAI_ACTIVITY_SOURCE_QUERY,
+  CAI_ACTIVITY_BACKFILL_TASK_ID,
+  CAI_ACTIVITY_SYNCHRONIZATION_TASK_ID,
+} from './constants';
+import { CAI_ACTIVITY_INDEX_MAPPINGS } from './mappings';
+import { CAI_ACTIVITY_INDEX_SCRIPT, CAI_ACTIVITY_INDEX_SCRIPT_ID } from './painless_scripts';
+import { scheduleCAISynchronizationTask } from '../tasks/synchronization_task';
+
+export const createActivityAnalyticsIndex = ({
+  esClient,
+  logger,
+  isServerless,
+  taskManager,
+}: {
+  esClient: ElasticsearchClient;
+  logger: Logger;
+  isServerless: boolean;
+  taskManager: TaskManagerStartContract;
+}): AnalyticsIndex =>
+  new AnalyticsIndex({
+    logger,
+    esClient,
+    isServerless,
+    taskManager,
+    indexName: CAI_ACTIVITY_INDEX_NAME,
+    indexAlias: CAI_ACTIVITY_INDEX_ALIAS,
+    indexVersion: CAI_ACTIVITY_INDEX_VERSION,
+    mappings: CAI_ACTIVITY_INDEX_MAPPINGS,
+    painlessScriptId: CAI_ACTIVITY_INDEX_SCRIPT_ID,
+    painlessScript: CAI_ACTIVITY_INDEX_SCRIPT,
+    taskId: CAI_ACTIVITY_BACKFILL_TASK_ID,
+    sourceIndex: CAI_ACTIVITY_SOURCE_INDEX,
+    sourceQuery: CAI_ACTIVITY_SOURCE_QUERY,
+  });
+
+export const scheduleActivityAnalyticsSyncTask = ({
+  taskManager,
+  logger,
+}: {
+  taskManager: TaskManagerStartContract;
+  logger: Logger;
+}) => {
+  scheduleCAISynchronizationTask({
+    taskId: CAI_ACTIVITY_SYNCHRONIZATION_TASK_ID,
+    sourceIndex: CAI_ACTIVITY_SOURCE_INDEX,
+    destIndex: CAI_ACTIVITY_INDEX_NAME,
+    taskManager,
+    logger,
+  }).catch((e) => {
+    logger.error(
+      `Error scheduling ${CAI_ACTIVITY_SYNCHRONIZATION_TASK_ID} task, received ${e.message}`
+    );
+  });
+};

x-pack/platform/plugins/shared/cases/server/cases_analytics/activity_index/mappings.ts

@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { MappingTypeMapping } from '@elastic/elasticsearch/lib/api/types';
+
+export const CAI_ACTIVITY_INDEX_MAPPINGS: MappingTypeMapping = {
+  dynamic: false,
+  properties: {
+    '@timestamp': {
+      type: 'date',
+    },
+    case_id: {
+      type: 'keyword',
+    },
+    action: {
+      type: 'keyword',
+    },
+    type: {
+      type: 'keyword',
+    },
+    payload: {
+      properties: {
+        status: {
+          type: 'keyword',
+        },
+        tags: {
+          type: 'keyword',
+        },
+        category: {
+          type: 'keyword',
+        },
+        severity: {
+          type: 'keyword',
+        },
+      },
+    },
+    created_at: {
+      type: 'date',
+    },
+    created_at_ms: {
+      type: 'long',
+    },
+    created_by: {
+      properties: {
+        username: {
+          type: 'keyword',
+        },
+        profile_uid: {
+          type: 'keyword',
+        },
+        full_name: {
+          type: 'keyword',
+        },
+        email: {
+          type: 'keyword',
+        },
+      },
+    },
+    owner: {
+      type: 'keyword',
+    },
+    space_ids: {
+      type: 'keyword',
+    },
+  },
+};

x-pack/platform/plugins/shared/cases/server/cases_analytics/activity_index/painless_scripts.ts

@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { StoredScript } from '@elastic/elasticsearch/lib/api/types';
+import { CAI_ACTIVITY_INDEX_VERSION } from './constants';
+
+export const CAI_ACTIVITY_INDEX_SCRIPT_ID = `cai_activity_script_${CAI_ACTIVITY_INDEX_VERSION}`;
+export const CAI_ACTIVITY_INDEX_SCRIPT: StoredScript = {
+  lang: 'painless',
+  source: `
+    def source = [:];
+    source.putAll(ctx._source);
+    ctx._source.clear();
+
+    ctx._source.action = source["cases-user-actions"].action;
+    ctx._source.type = source["cases-user-actions"].type;
+
+    long milliSinceEpoch = new Date().getTime();
+    Instant instant = Instant.ofEpochMilli(milliSinceEpoch);
+    ctx._source['@timestamp'] = ZonedDateTime.ofInstant(instant, ZoneId.of('Z'));
+
+    ZonedDateTime zdt_created =
+      ZonedDateTime.parse(source["cases-user-actions"].created_at);
+    ctx._source.created_at_ms = zdt_created.toInstant().toEpochMilli();
+    ctx._source.created_at = source["cases-user-actions"].created_at;
+
+    if (source["cases-user-actions"].created_by != null) {
+        ctx._source.created_by = new HashMap();
+        ctx._source.created_by.full_name = source["cases-user-actions"].created_by.full_name;
+        ctx._source.created_by.username = source["cases-user-actions"].created_by.username;
+        ctx._source.created_by.profile_uid = source["cases-user-actions"].created_by.profile_uid;
+        ctx._source.created_by.email = source["cases-user-actions"].created_by.email;
+    }
+
+    if (source["cases-user-actions"].payload != null) {
+      ctx._source.payload = new HashMap();
+
+      if (source["cases-user-actions"].type == "severity" && source["cases-user-actions"].payload.severity != null) {
+        ctx._source.payload.severity = source["cases-user-actions"].payload.severity;
+      }
+
+      if (source["cases-user-actions"].type == "category" && source["cases-user-actions"].payload.category != null) {
+        ctx._source.payload.category = source["cases-user-actions"].payload.category;
+      }
+
+      if (source["cases-user-actions"].type == "status" && source["cases-user-actions"].payload.status != null) {
+        ctx._source.payload.status = source["cases-user-actions"].payload.status;
+      }
+
+      if (source["cases-user-actions"].type == "tags" && source["cases-user-actions"].payload.tags != null) {
+        ctx._source.payload.tags = source["cases-user-actions"].payload.tags;
+      }
+    }
+
+    if (source.references != null) {
+      for (item in source.references) {
+        if (item.type == "cases") {
+          ctx._source.case_id = item.id;
+        }
+      }
+    }
+
+    ctx._source.owner = source["cases-user-actions"].owner;
+    ctx._source.space_ids = source.namespaces;
+  `,
+};