
[Security Solution] Get rid of rule execution metrics written in rule's SO monitoring object #259493

@maximpn

Description

@maximpn

Epic: https://github.com/elastic/security-team/issues/15618 (internal)

Summary

Investigate whether rule execution metrics need to be written to the rule's SO monitoring object. Remove them from the rule's SO if they are not used.

Details

Currently we log rule execution metrics to the rule's Saved Object monitoring object. It doesn't look like we use those metrics anywhere, but this requires double-checking. Thanks to #257203, rule execution metrics are written to the framework's execute and execute-backfill events, which means we should be able to get rid of the rule execution metrics in the rule's SO monitoring object.

Examples

Rule's SO monitoring object screenshot

Image



Rule's SO example (note: the sample below includes the rule's `apiKey` attribute; values like this should be redacted before being shared in an issue)
{
    "alert": {
      "name": "Test rule 1",
      "tags": [],
      "enabled": false,
      "alertTypeId": "siem.queryRule",
      "consumer": "siem",
      "legacyId": null,
      "schedule": {
        "interval": "5m"
      },
      "actions": [],
      "params": {
        "author": [],
        "description": "123",
        "falsePositives": [],
        "from": "now-6m",
        "ruleId": "209f0b32-01d7-4674-a415-d8bd5299e9e0",
        "immutable": false,
        "ruleSource": {
          "type": "internal"
        },
        "license": "",
        "outputIndex": "",
        "meta": {
          "kibana_siem_app_url": "http://localhost:5601/kbn/app/security"
        },
        "maxSignals": 100,
        "riskScore": 21,
        "riskScoreMapping": [],
        "severity": "low",
        "severityMapping": [],
        "threat": [],
        "to": "now",
        "references": [],
        "version": 1,
        "exceptionsList": [],
        "relatedIntegrations": [],
        "requiredFields": [],
        "setup": "",
        "type": "query",
        "language": "kuery",
        "index": [
          "apm-*-transaction*",
          "auditbeat-*",
          "endgame-*",
          "filebeat-*",
          "logs-*",
          "packetbeat-*",
          "traces-apm*",
          "winlogbeat-*",
          "-*elastic-cloud-logs-*"
        ],
        "query": "*:*",
        "filters": []
      },
      "mapped_params": {
        "risk_score": 21,
        "severity": "20-low"
      },
      "createdBy": "elastic",
      "updatedBy": "elastic",
      "createdAt": "2026-03-23T13:18:35.463Z",
      "updatedAt": "2026-03-25T07:59:05.698Z",
      "apiKey": "4JuFItfiPcbBbJ9ztqC/p8qdWZ2SKgh/vzI/ZLSNf18xuCMM5nnjf/iYYjWb6wtuLGv/c52y+bQXNhEsGkujrRkJYPqwuqME8hlqFUaUHVnimMdV2T1VByAEQlPDQu6q/gkP2MiC+mSNIdOa7+/xMS7kXV7Xowaq2evl3K2E3dlchnvcrCI4XG1DZzeMEFVGWNoA379IMbrUSQ==",
      "apiKeyOwner": "elastic",
      "apiKeyCreatedByUser": false,
      "throttle": null,
      "notifyWhen": null,
      "muteAll": false,
      "mutedInstanceIds": [],
      "executionStatus": {
        "status": "error",
        "lastDuration": 331,
        "lastExecutionDate": "2026-03-25T07:59:00.778Z",
        "error": {
          "reason": "unknown",
          "message": "18 hours (65481953ms) were not queried between this rule execution and the last execution, so signals may have been missed. Consider increasing your look behind time or adding more Kibana instances"
        },
        "warning": null
      },
      "monitoring": {
        "run": {
          "history": [
            {
              "duration": 16,
              "success": false,
              "timestamp": 1774272890100
            },
            {
              "duration": 272,
              "success": true,
              "timestamp": 1774272899107
            },
            {
              "duration": 190,
              "success": true,
              "timestamp": 1774273544259
            },
            {
              "duration": 140,
              "success": true,
              "timestamp": 1774273844333
            },
            {
              "duration": 131,
              "success": true,
              "timestamp": 1774274144382
            },
            {
              "duration": 562,
              "success": false,
              "timestamp": 1774277661784
            },
            {
              "duration": 77,
              "success": true,
              "timestamp": 1774277962437
            },
            {
              "duration": 64,
              "success": true,
              "timestamp": 1774278262486
            },
            {
              "duration": 127,
              "success": true,
              "timestamp": 1774278562544
            },
            {
              "duration": 123,
              "success": true,
              "timestamp": 1774278862601
            },
            {
              "duration": 133,
              "success": true,
              "timestamp": 1774279162671
            },
            {
              "duration": 118,
              "success": true,
              "timestamp": 1774279462724
            },
            {
              "duration": 129,
              "success": true,
              "timestamp": 1774279762792
            },
            {
              "duration": 145,
              "success": true,
              "timestamp": 1774280242703
            },
            {
              "duration": 162,
              "success": true,
              "timestamp": 1774280542740
            },
            {
              "duration": 122,
              "success": true,
              "timestamp": 1774280842818
            },
            {
              "duration": 130,
              "success": true,
              "timestamp": 1774281143459
            },
            {
              "duration": 153,
              "success": true,
              "timestamp": 1774281443528
            },
            {
              "duration": 122,
              "success": true,
              "timestamp": 1774281743596
            },
            {
              "duration": 161,
              "success": true,
              "timestamp": 1774282043399
            },
            {
              "duration": 109,
              "success": true,
              "timestamp": 1774282345693
            },
            {
              "duration": 445,
              "success": false,
              "timestamp": 1774290468743
            },
            {
              "duration": 274,
              "success": true,
              "timestamp": 1774290684901
            },
            {
              "duration": 141,
              "success": true,
              "timestamp": 1774290714899
            },
            {
              "duration": 231,
              "success": false,
              "timestamp": 1774345980120
            },
            {
              "duration": 71,
              "success": true,
              "timestamp": 1774345989129
            },
            {
              "duration": 90,
              "success": true,
              "timestamp": 1774346074104
            },
            {
              "duration": 69,
              "success": true,
              "timestamp": 1774346083105
            },
            {
              "duration": 72,
              "success": true,
              "timestamp": 1774346194816
            },
            {
              "duration": 291,
              "success": true,
              "timestamp": 1774347578962
            },
            {
              "duration": 92,
              "success": true,
              "timestamp": 1774347636645
            },
            {
              "duration": 79,
              "success": true,
              "timestamp": 1774347657158
            },
            {
              "duration": 94,
              "success": true,
              "timestamp": 1774347669146
            },
            {
              "duration": 70,
              "success": true,
              "timestamp": 1774347724638
            },
            {
              "duration": 75,
              "success": true,
              "timestamp": 1774347731657
            },
            {
              "duration": 73,
              "success": true,
              "timestamp": 1774347740653
            },
            {
              "duration": 251,
              "success": true,
              "timestamp": 1774347878674
            },
            {
              "duration": 209,
              "success": true,
              "timestamp": 1774347887675
            },
            {
              "duration": 197,
              "success": true,
              "timestamp": 1774347970253
            },
            {
              "duration": 674,
              "success": false,
              "timestamp": 1774358498817
            },
            {
              "duration": 331,
              "success": false,
              "timestamp": 1774425540778
            }
          ],
          "calculated_metrics": {
            "success_ratio": 0.8536585365853658,
            "p99": 674,
            "p50": 130,
            "p95": 497.6499999999995
          },
          "last_run": {
            "timestamp": "2026-03-25T07:59:00.778Z",
            "metrics": {
              "duration": 331,
              "total_search_duration_ms": null,
              "total_indexing_duration_ms": null,
              "total_alerts_detected": null,
              "total_alerts_created": null,
              "gap_duration_s": 65482,
              "gap_range": {
                "gte": "2026-03-24T13:21:38.791Z",
                "lte": "2026-03-25T07:33:00.744Z"
              }
            }
          }
        }
      },
      "snoozeSchedule": [],
      "revision": 0,
      "running": false,
      "artifacts": {
        "dashboards": [],
        "investigation_guide": {
          "blob": ""
        }
      },
      "meta": {
        "versionApiKeyLastmodified": "9.4.0"
      },
      "lastEnabledAt": "2026-03-25T07:58:58.782Z",
      "scheduledTaskId": "93254425-29d0-4bfd-849f-3406a83b34ad",
      "lastRun": {
        "outcomeOrder": 20,
        "alertsCount": {
          "new": 0,
          "ignored": 0,
          "recovered": 0,
          "active": 0
        },
        "outcomeMsg": [
          "18 hours (65481953ms) were not queried between this rule execution and the last execution, so signals may have been missed. Consider increasing your look behind time or adding more Kibana instances"
        ],
        "warning": null,
        "outcome": "failed"
      },
      "nextRun": "2026-03-25T08:04:00.744Z"
    },
    "type": "alert",
    "references": [],
    "managed": false,
    "namespaces": [
      "default"
    ],
    "coreMigrationVersion": "8.8.0",
    "typeMigrationVersion": "10.10.0",
    "updated_at": "2026-03-25T07:59:05.698Z",
    "created_at": "2026-03-25T07:59:05.698Z"
  }
