Commit graph

2536 commits

Author SHA1 Message Date
Steph Milovic
9c546f1a21
Hide timeline bar if user does not have security solution crud capability (#123775) (#126289)
* Hide timeline bar if user does not have security solution crud capability

* change visibility to be based on show instead of crud

* PR fix

Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>
(cherry picked from commit 5aa26ed37d)

Co-authored-by: Kristof C <kpac.ja@gmail.com>
2022-02-23 14:33:21 -07:00
Kibana Machine
5619b914dc
[Security Solution] Apply field aliases to all legacy indices, not just <= version 45 (#125888) (#125900)
* Apply field aliases to all legacy indices, not just <= version 45

* Update unit tests

(cherry picked from commit 5b752653f4)

Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
2022-02-17 00:44:12 -07:00
Kibana Machine
75a523d66c
Populate kibana.alert.uuid in eql sequence alerts (#125890) (#125898)
(cherry picked from commit 01a87e040b)

Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
2022-02-17 00:43:32 -07:00
Kevin Qualters
0dbedb5434
[8.0] [Security Solution] Remove a data fetching hook from the add to timeline action component (#124331) (#125810)
* [Security Solution] Remove a data fetching hook from the add to timeline action component (#124331)

* Fetch alert ecs data in actions.tsx and not a hook in every table row

* Add error handling and tests for threshold timelines

* Fix bad merge

* Remove unused imports

* Actually remove unused file

* Remove usage of alertIds and dead code from cases

* Add basic sanity tests that ensure no extra network calls are being made

* Remove unused operator

* Remove unused imports

* Remove unused mock

(cherry picked from commit e312c36e4c)

# Conflicts:
#	x-pack/plugins/cases/public/components/case_view/case_view_page.tsx
#	x-pack/plugins/cases/public/components/user_actions/types.ts
#	x-pack/plugins/security_solution/public/cases/pages/index.tsx
#	x-pack/plugins/security_solution/public/timelines/components/side_panel/event_details/footer.tsx

* Fix types

* Fix failing tests
2022-02-16 15:01:38 -07:00
Kibana Machine
fba6713de8
[Security Solution] Upgrade tests for DE rule types - alerts on legacy alerts (#125331) (#125709)
* Add integration tests for alerts-on-legacy-alerts

* Remove query rule tests from prior location - they were moved

* Remove 'kibana' field from alerts on legacy alerts

* Fix tests

* Delete alerts before proceeding from compatibility tests

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 7d186f945b)

Co-authored-by: Madison Caldwell <madison.caldwell@elastic.co>
2022-02-15 13:51:21 -07:00
Jan Monschke
fe3991fcd3
fix: enrich threshold data from fields data (#125634)
2022-02-15 06:44:59 -07:00
Kibana Machine
9d2091b3fd
[Security Solution] Use search strategy error in timeline (#125178) (#125423)
(cherry picked from commit 4fe96b799e)

Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
2022-02-11 12:56:01 -07:00
Kibana Machine
d3d6c779c0
[Security Solution] Data view override for sourcerer (#125116) (#125392)
(cherry picked from commit b0e534b1cd)

Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
2022-02-11 10:28:39 -07:00
Christos Nasikas
30d0ca85ad
[8.0] [Response Ops][Cases] Fetch alerts within observability (#123883) (#125370)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
2022-02-11 10:18:03 -07:00
Colson Wilhoit
2149b1703b
[Detection Rules] Add 8.0 rules (#125316)
2022-02-11 09:18:13 -06:00
Sergi Massaneda
2466d4130a
[8.0] [SecuritySolution] Close field editor when page context is lost (#124378) (#124935)
* [SecuritySolution] Close field editor when page context is lost (#124378)

* close field editor when context is lost

* tests added

* typecheck clean

* close editor when timeline is unmounted

(cherry picked from commit 21710dfb77)

# Conflicts:
#	x-pack/plugins/security_solution/public/timelines/components/create_field_button/index.tsx

* fix test

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-02-11 05:19:29 -07:00
Kibana Machine
27e5636c1f
count err status codes in security telemetry (#125120) (#125245)
(cherry picked from commit 1a0e4a50d5)

Co-authored-by: Pete Hampton <pjhampton@users.noreply.github.com>
2022-02-10 09:05:47 -07:00
Kibana Machine
b285077751
[Security Solution][Lists] - Update exception item viewer overflow (#125145) (#125177)
### Summary

Addresses #119012

- updates exception item viewer UI

(cherry picked from commit dba7207787)

Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
2022-02-09 18:54:33 -07:00
Kristof C
4efc0e8e8e
[Security Solution] add ability for network map to be toggleable, prevent map from displaying without permissions (#123336) (#125091)
* add ability for network map to be toggleable, prevent map from displaying without permissions

* PR & test additions

* Found rogue semicolon

Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 57d507c121)
2022-02-09 10:08:55 -07:00
Madison Caldwell
ed37a15ec1
Filter out 'signal.*' fields to prevent alias clashes (#124410)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-02-07 16:07:54 -05:00
Kibana Machine
113ff7d59f
Fix double navigation links being present under the security news section for each article (#124356) (#124712)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit b1b522af90)

Co-authored-by: Pablo Machado <pablo.nevesmachado@elastic.co>
2022-02-04 11:45:24 -07:00
Marshall Main
57ca5e139a
Remove .siem-signals alias from preview alerts indices (#124164)
2022-01-31 12:43:05 -08:00
Kibana Machine
f13ed4ccb4
[SecuritySolution] Fix topN histograms for custom fields (#123489) (#124035)
* custom fields topN histograms fixed

* add runtime_mappings to response inspect mock

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit e0a7a1bb9e)

Co-authored-by: Sergi Massaneda <sergi.massaneda@elastic.co>
2022-01-31 17:01:08 +01:00
Kibana Machine
a4c3bea022
[SecuritySolution][Investigations] Add message about missing index in data view in analyzer (#122859) (#124001)
* chore: add message about missing index in data view

* fix: typo

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 9f6c78139e)

Co-authored-by: Jan Monschke <jan.monschke@elastic.co>
2022-01-31 12:57:51 +01:00
Kibana Machine
d13a86b9a3
[Security Solution] Update trusted apps matches placeholder (#124042) (#124054)
(cherry picked from commit a7603dd080)

Co-authored-by: Kevin Logan <56395104+kevinlog@users.noreply.github.com>
2022-01-28 16:06:55 -05:00
Frank Hassanabad
257d75ac26
[8.0] [Security Solutions] Fixes the telemetry to use the new rule types (#123781) (#123866)
* [Security Solutions] Fixes the telemetry to use the new rule types (#123781)

## Summary

Telemetry was not updated to use the newer rule types so it was not querying the elastic package rules.

The query before was:

```json
# Original query which will not get the new elastic pre-packaged rule types
GET .kibana*/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "alert.alertTypeId": "siem.signals"
          }
        },
        {
          "term": {
            "alert.params.immutable": true
          }
        }
      ]
    }
  }
}
```

The query after this change uses the new rule types and I tested it by manually executing this query to ensure everything works as expected:

```json
# Modified query which filters against two arrays of terms. One for the set of rules
# and the second terms which filters against the rule being immutable
GET .kibana*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "filter": {
              "terms": {
                "alert.alertTypeId": [
                  "siem.signals",
                  "siem.eqlRule",
                  "siem.mlRule",
                  "siem.queryRule",
                  "siem.savedQueryRule",
                  "siem.indicatorRule",
                  "siem.thresholdRule"
                ]
              }
            }
          }
        },
        {
          "bool": {
            "filter": {
              "terms": {
                "alert.params.immutable": [true]
              }
            }
          }
        }
      ]
    }
  }
}
```

### Checklist

- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

There doesn't look to be integration tests started for these or how to test them at this moment.

(cherry picked from commit ba6f77ca37)

* Updated to pass build since the types did not like boolean. Tested in ES directly, should still work as a string of a boolean.

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-01-27 20:39:26 -07:00
Kibana Machine
beac9b3c4e
Change error to warning toast (#123777) (#123944)
* Change error to warning toast

* Add test for addWarning

Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>
(cherry picked from commit 11537eacfd)

Co-authored-by: Kristof C <kpac.ja@gmail.com>
2022-01-27 10:27:42 -07:00
Kibana Machine
a6ffe9cd65
[Security Solution] [Detections] Fixes EQL error message when there is an empty query (#123533) (#123919)
* fixes issues 121983

* refactor

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit f2447cfd7b)

Co-authored-by: Gloria Hornero <snootchie.boochies@gmail.com>
2022-01-27 07:36:44 -07:00
Kibana Machine
1a07a1af14
[Detection Engine] Adds 8.0 rules (#123786) (#123887)
* [Detection Rules] Add 8.0 rules
* rollback changes for python tty rule https://github.com/elastic/detection-rules/pull/1731

(cherry picked from commit 36722fada9)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-01-26 19:59:58 -07:00
spalger
b1e6fd3144
skip flaky suite (#115489)
(cherry picked from commit 97a234bd6a)
2022-01-26 10:12:39 -07:00
Sergi Massaneda
2a14252113
[SecuritySolution][Timeline] Clean removed runtime fields (#122976) (#123801)
* remove nonexistent fields from timeline

* replicate clean logic in security timeline

* tests updated due to mocks changes

* solve action dispatches race condition

* tests fixed

* fix async dispatches

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 7f7dbbb3cc)

# Conflicts:
#	x-pack/plugins/security_solution/public/common/components/event_details/__snapshots__/alert_summary_view.test.tsx.snap
#	x-pack/plugins/security_solution/public/timelines/components/create_field_button/index.tsx
2022-01-26 05:25:51 -07:00
Kibana Machine
cba077d518
[SecuritySolution][Hosts] All hosts table OS column tooltip message (#123628) (#123798)
* tooltip added to OS column

* change os info message

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 16642e0028)

Co-authored-by: Sergi Massaneda <sergi.massaneda@elastic.co>
2022-01-26 05:24:00 -07:00
Yara Tercero
8c9e96ee67
update exceptions table header and export icon (#122870) (#123787)
Addresses #121758 and #121759.

Updates exceptions table export icon to be "download" icon and updates exceptions table header to use native EUI page headers.

(cherry picked from commit 8c0fbdf502)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-01-26 03:25:15 -07:00
Kibana Machine
fd32ab50c4
[Security Solution][Endpoint] Search responses without a specific namespace to show pending actions (#123741) (#123769)
* search responses without a specific namespace to show pending actions

fixes elastic/kibana/issues/123707

* search over all endpoint response indices irrespective of namespace suffix

fixes elastic/kibana/issues/123707

* match namespace suffixes for endpoint action and response indices

fixes elastic/kibana/issues/123707

(cherry picked from commit dfd8bfbd90)

Co-authored-by: Ashokaditya <1849116+ashokaditya@users.noreply.github.com>
2022-01-25 19:45:55 -07:00
Kibana Machine
a52fc30f4a
Added type fixes for case cache in case it's null/undefined (#123643) (#123747)
## Summary

See this PR from here:
https://github.com/elastic/kibana/pull/123094

Where `"rule": { "id": null, "name": null },` can be null. This just adds guards around it to prevent possible errors. Note, I tested it first and there aren't errors with this even if we don't merge but that is not a guarantee that later NodeJS wouldn't cause errors if the implementation details of [Map](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map) change.

Note, I don't try to do any additional lookups if these are `null` as the release is coming very quickly and I do not want to overcomplicate telemetry and we don't have dashboards around the cases feature. Over time I would expect the telemetry to become more accurate again even if cases are `nulled` out.

**Manual testing**

Either create a true upgrade where all the ids changed by going to 7.16 and making a new space, then within that space outside of default creating cases and alerts and then do an upgrade to 8.0.0 ... or ...

Downgrade a `case-comments` like so manually in dev tools:
```json
# Get all case-comments to choose an id
GET .kibana/_search
{
  "query": {
    "term": {
      "type": "cases-comments"
    }
  }
}
```

```json
# Downgrades a case comment of id "25554290-7a36-11ec-8d37-0d0e30a77b60"
POST .kibana/_update/cases-comments:25554290-7a36-11ec-8d37-0d0e30a77b60
{
  "script" : {
    "source": """
    ctx._source.migrationVersion['cases-comments'] = "7.16.3";
    """,
    "lang": "painless"
  }
}
```

Restart Kibana and you should query the same `case-comments` and see that the `"rule": { "id": null, "name": null },` are all null.

Either way once you have a null rule go to `Advanced Settings -> cluster data` and ensure that you still get metrics flowing and that one is no longer counted but if you create a new one everything still works as expected:
<img width="647" alt="Screen Shot 2022-01-24 at 11 48 39 AM" src="https://user-images.githubusercontent.com/1151048/150846789-d94ac212-6c45-44cc-a663-cd304bfda22e.png">

### Checklist

- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

We still don't have this for the existing telemetry and are running out of time for 8.0.0 to add them. We might re-write this part of telemetry as well so I am not adding tests just yet.

(cherry picked from commit 607feecb20)

Co-authored-by: Frank Hassanabad <frank.hassanabad@elastic.co>
2022-01-25 13:03:32 -07:00
Marco Vettorello
676b061ad8
[charts] Fix timezone regression in charts (#123663)
2022-01-25 10:04:23 +01:00
Kibana Machine
2325ed6a22
[Security Solution] Open alerts with an associated template in the template view (#123333) (#123689)
* Open alerts with a template, with a template

* Add default values back instead of template derived ones

* Use data providers over filters always, set timeline description to alert id

* Remove prepopulated description from non threshold alerts

* Open any event in timeline, use correct timestamp

* Remove unneeded @timestamp, make sure alertsEcsData is not empty array

* Add basic getField tests

* Explicitly check if alertGroupId is an array instead of using length

* Always use a valid date for time range

* Only use filter if more than 1 alert is present

* Possibly controversial change to calculate threshold time range with a template, fix test that should never have passed

* Create threshold timeline in separate function

* Use better type for createTimeline passed to createThresholdTimeline

* Invert negation as suggested in pr comment

* Use template timeline filters/query/data providers for threshold alerts

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit cef886f073)

Co-authored-by: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com>
2022-01-25 01:29:21 -07:00
Sergi Massaneda
ab1d84e46f
[8.0] tooltip added to OS column (#123377) (#123631)
* tooltip added to OS column (#123377)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit e76cedbd22)

# Conflicts:
#	x-pack/plugins/security_solution/public/hosts/components/hosts_table/columns.tsx
#	x-pack/plugins/security_solution/public/hosts/components/hosts_table/translations.ts

* remove not needed translation
2022-01-24 11:56:11 -07:00
Brian Seeders
8b2db69a3e
Revert "[charts] Fix timezone regression in charts (#123478)"
This reverts commit 3e3b0f79ff.
2022-01-21 11:15:45 -05:00
Marco Vettorello
3e3b0f79ff
[charts] Fix timezone regression in charts (#123478)
2022-01-21 12:54:15 +01:00
Kibana Machine
8df5f25f0e
Fixes the producer to be SERVER_APP_ID (#123504) (#123512)
## Summary

See:
https://github.com/elastic/kibana/issues/123500

This is a one-line fix to change the `producer` to be the `SERVER_APP_ID` like the others

Before:
<img width="1700" alt="Screen Shot 2022-01-20 at 11 51 17 AM" src="https://user-images.githubusercontent.com/1151048/150410877-7c2da681-9d66-4fb8-9f17-b6015f683cf2.png">

After:
<img width="421" alt="Screen Shot 2022-01-20 at 12 39 05 PM" src="https://user-images.githubusercontent.com/1151048/150410905-12772489-ebd6-4450-8715-de8d651cff40.png">

(cherry picked from commit 1f0906ea1b)

Co-authored-by: Frank Hassanabad <frank.hassanabad@elastic.co>
2022-01-20 16:18:30 -07:00
Gloria Hornero
621b39a9cf
fixes advanced settings default message (#123480) (#123505)
(cherry picked from commit d49880b807)
2022-01-20 14:32:23 -07:00
Kibana Machine
f914e37063
Update indexNames for general threat match timeline (#123358) (#123448)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 4282355fb6)

Co-authored-by: Angela Chuang <6295984+angorayc@users.noreply.github.com>
2022-01-20 05:56:59 -07:00
Kibana Machine
61d673e091
Fix issue with parsing out endpoint package policy. (#123287) (#123316)
* Fix issue with parsing out endpoint package policy.

* revert schedule.

(cherry picked from commit 4d98af824f)

Co-authored-by: Pete Hampton <pjhampton@users.noreply.github.com>
2022-01-20 05:35:39 -07:00
Frank Hassanabad
f2473025f9
[Security Solution] Adds telemetry for legacy notifications and regular notifications at a finer grained level (#123332) (#123388)
## Summary

Related and previous PR:
https://github.com/elastic/kibana/pull/122472

This removes the above structure from the PR above and instead opts to use a finer-grained level of telemetry. The new structure adds to each rule these four counters to the telemetry:

* legacy_notifications_enabled - The number of legacy notifications on rules that are enabled/active
* legacy_notifications_disabled - The number of legacy notifications on rules that are disabled/inactive
* notifications_enabled - The number of notifications on rules that are enabled/active
* notifications_disabled - The number of notifications on rules that are disabled/inactive

For pre-built rules you have these booleans:
* has_legacy_notification - True if the pre-built rule has a legacy notification attached, otherwise false.
* has_notification - True if the pre-built rule has a notification attached, otherwise false.

Note, both those booleans are `false` if the pre-built rule has no notifications attached and both can never be `true` together.

These will show up within each rule type like for example on a query rule it will look like:

```json
"detection_rule_usage": {
  "query": {
    "enabled": 2,
    "disabled": 1,
    "cases": 0,
    "legacy_notifications_enabled": 1, <-- New
    "legacy_notifications_disabled": 0, <-- New
    "notifications_enabled": 1, <-- New
    "notifications_disabled": 1 <-- New
  }
}
```

Within the counts/total sections it will show up on both the `elastic` rules and the `custom` rules like so:

```json
"elastic_total": {
  "enabled": 0,
  "disabled": 0,
  "alerts": 0,
  "cases": 0,
  "legacy_notifications_enabled": 0, <-- New
  "legacy_notifications_disabled": 0, <-- New
  "notifications_enabled": 0, <-- New
  "notifications_disabled": 0 <-- New
},
"custom_total": {
  "enabled": 2,
  "disabled": 1,
  "alerts": 7218,
  "cases": 0,
  "legacy_notifications_enabled": 1, <-- New
  "legacy_notifications_disabled": 0, <-- New
  "notifications_enabled": 1, <-- New
  "notifications_disabled": 1 <-- New
}
```

For pre-built it will be:

```json
"detection_rule_detail": [
  {
    "rule_name": "Potential Evasion via Filter Manager",
    "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a",
    "rule_type": "eql",
    "rule_version": 8,
    "enabled": false,
    "elastic_rule": true,
    "created_on": "2022-01-19T01:29:25.540Z",
    "updated_on": "2022-01-19T01:29:25.540Z",
    "alert_count_daily": 0,
    "cases_count_total": 0,
    "has_legacy_notification": false, <-- New
    "has_notification": false <-- New
  },
```

Screen shot of it if you go to "Advanced settings -> cluster data":
<img width="802" alt="Screen Shot 2022-01-18 at 6 27 14 PM" src="https://user-images.githubusercontent.com/1151048/150046445-b1850b1c-bca6-41e0-b101-1bac5f67dbb3.png">

<img width="798" alt="Screen Shot 2022-01-18 at 6 30 33 PM" src="https://user-images.githubusercontent.com/1151048/150046808-1109a4c9-8a54-4da8-8b42-5f957a9d3ed5.png">

Follow the manual test instructions on https://github.com/elastic/kibana/pull/122472 for how to test this. The same manual testing applies here for seeing how these work out. You should be able to see a higher granularity with these stats.

### Checklist

- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

(cherry picked from commit d2a8bb90be)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-01-19 23:20:19 -07:00
Kibana Machine
7d914cc12a
Fixes broken cypress test after ECS update to Rule Registry (#123429) (#123433)
## Summary

New ECS FieldMap was generated in https://github.com/elastic/kibana/pull/123012, however since it only contained changes to `Rule Registry` code the `Security Solution` Cypress tests were not run, and thus did not catch this field change.

See https://github.com/elastic/kibana/pull/122661#discussion_r784412959 for details. Confirmed w/ @madirey that expected value is indeed `5` now that `host.geo.continent_code` has been [added](https://github.com/elastic/kibana/pull/123012/files#diff-a1647ccb73ef26c8c8b6aefd87084504b146af72fcb088ccacad93fcaad15b69R1524-R1528).

Some failing PRs from `main`:
https://github.com/elastic/kibana/pull/123357
https://github.com/elastic/kibana/pull/121644
https://github.com/elastic/kibana/pull/123352

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

(cherry picked from commit d6917fcb8b)

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
2022-01-19 21:28:51 -07:00
Kibana Machine
5491ca4482
[Security Solution] [Platform] updates rule indices to include indices from the enriched alert data (#123324) (#123335)
* updates rule indices to include indices from the enriched alert data

* quick fix for type failure

* rely on functions, not types

(cherry picked from commit 51ac9a0c89)

Co-authored-by: Devin W. Hurley <devin.hurley@elastic.co>
2022-01-18 21:47:02 -07:00
Kibana Machine
73f4abae0f
[Security Solution] Newsfeed Url bugfix (#123283) (#123331)
(cherry picked from commit 3b28f55ddb)

Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
2022-01-18 19:10:35 -07:00
Kibana Machine
35aec57181
[Security Solution] [Platform] Return additional errors during import rule + action migration process (#123088) (#123329)
* exposes additional errors when ES failures occur during the swap of old, pre-8.0 action ids with the new migrated action SO ids. Ref: https://github.com/elastic/kibana/pull/120975#discussion_r778449187 for more information

* fix test error

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 467d111566)

Co-authored-by: Devin W. Hurley <devin.hurley@elastic.co>
2022-01-18 18:16:58 -07:00
Kibana Machine
3d11c3520c
[Security Solution][Exceptions] Fix export toast text (#123307) (#123326)
### Summary

Fix bug on rule export where toaster reports export total as being rule objects + exceptions objects, but should just be rule objects total. Adds cypress test.

(cherry picked from commit b2c9f10691)

Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
2022-01-18 18:08:53 -07:00
Kibana Machine
d551f02ca4
Fix success message to show correct language based on timelin… (#123258) (#123320)
* Fix success message to show correct language based on timeline type

* Fix translation problems

Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>
(cherry picked from commit 91a35c20ce)

Co-authored-by: Kristof C <kpac.ja@gmail.com>
2022-01-18 17:50:03 -07:00
Kibana Machine
1939432623
[Security Solution] Add aliases, fix types, remove extra fields (#122880) (#123319)
* Add aliases, fix types, remove extra fields

* Update aliases version and update tests

* Update aliases version test

* Remove dangling references to fields

* Update test

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 886ad6fdaf)

Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
2022-01-18 17:25:39 -07:00
Kibana Machine
d47fe31dba
[Security Solution][Exceptions] - Update exceptions tab privileges checks (#122902) (#123305)
### Summary

Addresses #122227.

(cherry picked from commit fc64d172e7)

Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
2022-01-18 15:43:31 -07:00
Kibana Machine
8f656e953a
[Timelines] Update fields metadata from beats 8.0 (#123014) (#123304)
* Move beats metadata script to timelines plugin

This is the plugin that consumes the artifacts of the script, not
security_solution.

* Remove unused beats metadata file

This file also exists in the timelines plugin, but only that one is
used.

* Update fields metadata from beats 8.0.0-rc1

This will serve as the data source for our metadata in kibana 8.0.

* Update indexFields unit tests following ECS update

8.0 introduced some textual changes to field descriptions.

* Revert "Move beats metadata script to timelines plugin"

This reverts commit cbc8e9db1a.

* Update script to modify the appropriate timelines file

This is the one used by IndexFields.

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 8c11be1154)

Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
2022-01-18 15:40:38 -07:00
Kibana Machine
121259b775
Ensure alert ancestors are calculated correctly for EQL alerts (#123070) (#123286)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 726682cda1)

Co-authored-by: Madison Caldwell <madison.rey.caldwell@gmail.com>
2022-01-18 13:58:57 -07:00