## [Security Solution] Restores the `@timestamp` column actions and fixes an `@timestamp` alignment issue
This PR fixes the `@timestamp` column issues described in https://github.com/elastic/kibana/issues/118989
The PR:
- Fixes an issue where the `Filter in`, `Filter out`, and `Investigate in timeline` actions were disabled in the `Security > Alerts` table, per the before / after screenshots below:
**Before**

_Above: The `Filter in`, `Filter out`, and `Investigate in timeline` actions were disabled for `@timestamp` in Security > Alerts_
**After**

_Above: The `Filter in`, `Filter out`, and `Investigate in timeline` actions are enabled for `@timestamp` in Security > Alerts_
- Fixes a CSS issue where text truncation styles were causing the `@timestamp` column to be mis-aligned in Timeline, per the before / after screenshots below:
**Before**

_Above: The `@timestamp` column in Timeline was vertically mis-aligned_
**After**

_Above: The `@timestamp` column in Timeline is correctly (vertically) aligned_
### No changes to the o11y alert actions
There are no changes to the actions shown in the `o11y` alerts table, per the before / after screenshots below:

_Above: Before - the `@timestamp` field in the `o11y` alerts table does NOT have actions_

_Above: After - the `@timestamp` field in the `o11y` alerts table (still) does NOT have actions_
### Field browser search input auto-focus
- Fixed an issue where the `Fields` browser search input was not auto-focused, per the screenshot above:

_Above: The search input is auto-focused when the `Fields` browser is opened_
### Details
The fix that re-enables the `Filter in`, `Filter out`, and `Investigate in timeline` actions in the `Security > Alerts` table required removing a recently-introduced `TODO` in `x-pack/plugins/timelines/public/components/t_grid/body/index.tsx`, which defined a common set of disabled actions for both the `o11y` and `Security` solutions.
The `TODO` was replaced by a `disabledCellActions` prop, which enables each solution to configure the disabled cell actions independently.
### Desk testing
While desk testing the `@timestamp` alignment issue:
> - Fixes a CSS issue where text truncation styles were causing the `@timestamp` column to be mis-aligned in Timeline
You may find it informative to locally edit `x-pack/plugins/security_solution/public/common/components/drag_and_drop/draggable_wrapper.tsx` to add the following styles:
```css
background-color: red;
```
and
```css
background-color: green;
```
to `ProviderContentWrapper`, as shown in the code below:
```typescript
export const ProviderContentWrapper = styled.span`
  > span.euiToolTipAnchor {
    background-color: red;
    display: block; /* allow EuiTooltip content to be truncatable */
  }

  > span.euiToolTipAnchor.eui-textTruncate {
    background-color: green;
    display: inline-block; /* do not override display when a tooltip is truncated via eui-textTruncate */
  }
`;
```
as illustrated by the `diff` below:

_Above: `background-color: green` and `background-color: red` styles added locally for desk testing_
With the (temporary) style changes above, the effect (and scope) of the new style is easily seen, as shown in the screenshot below:

_Above: The effect of the (green) style changes compared with the (red) unchanged styles_
When the new style introduced in this PR is commented-out for desk testing, as shown in the code below:
```typescript
export const ProviderContentWrapper = styled.span`
  > span.euiToolTipAnchor {
    background-color: red;
    display: block; /* allow EuiTooltip content to be truncatable */
  }

  /*
  > span.euiToolTipAnchor.eui-textTruncate {
    background-color: green;
    display: inline-block; // do not override display when a tooltip is truncated via eui-textTruncate
  }
  */
`;
```
the behavior of `@timestamp` reverts to the behavior prior to this PR, as shown in the screenshot below:

_Above: The `@timestamp` column defaults to the old (red) unchanged behavior when the new style is commented-out for desk testing_
Co-authored-by: Andrew Goldstein <andrew-goldstein@users.noreply.github.com>
* [Security Solution] [Sourcerer] [Feature Branch] Update to use Kibana Data Views (#114806)
* fix type
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Remove timelion app and stuff which related to it
* Fix CI
* Fix lint
* Fix tests
* Fix tests
* Fix tests
* Fix some comments
* Clean up
* fix CI
* fix some comments
* Fix deprecation examples
* Return `enabled` property in config for timelion vis
* Remove unused angular lib
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Alexey Antonov <alexwizp@gmail.com>
* make owner attribute required
* Add owner properties in more places
* add test for owner attribute
* add error check too in the test
* Fix tests
* fix tests and update docs
* wip
* More test fixes
* Fix All The Errorz
* Adding more owner attributes
* Update x-pack/test/saved_object_api_integration/common/fixtures/saved_object_test_plugin/kibana.json
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Update x-pack/test/ui_capabilities/common/fixtures/plugins/foo_plugin/kibana.json
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* commeeeooonnnn
* Update docs
* soooo many kibanajsons
* adjust plugin generator to add an owner
* Add owner to the plugin generator scripts
* update snapshot
* Fix snapshot
* review updates
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* get back index names in o11y
* testing and integration
* fix types
* Avoid using the rule data client for field list
* Remove left-over index argument
* no needs of alert consumer anymore
Co-authored-by: Felix Stürmer <stuermer@weltenwort.de>
* [RAC][Security Solution][Observability] Add the add to new case and add to existing case actions to observability alerts table
* Remove fake data and make features work with observability data format
* Remove console.log and unused translations
* Remove commented out code
* Remove unneeded copy pasta id, create initializeStore function in timelines
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
### Summary
### Fields used moving forward
`kibana.alert.rule.consumer` will refer to the context in which a rule instance is created. Rules created in:
- stack --> `alerts`
- security solution --> `siem`
- apm --> `apm`
`kibana.alert.rule.producer` will refer to the plugin that registered a rule type. Rules registered in:
- stack --> `alerts`
- security solution --> `siem`
- apm --> `apm`
So an `apm.error_rate` rule created in stack will have:
- consumer: `alerts` and producer: `apm`
An `apm.error_rate` rule created in apm will have:
- consumer: `apm` and producer: `apm`
`kibana.alert.rule.rule_type_id` will refer to a rule's rule type id. Examples:
- `apm.error_rate`
- `siem.signals`
- `siem.threshold`
Also renamed the following because `rule.*` fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields.
`rule.name` --> `kibana.alert.rule.name` will refer to the rule's name.
`rule.category` --> `kibana.alert.rule.category` will refer to the rule's category.
`rule.id` --> `kibana.alert.rule.uuid` will refer to the rule's uuid.
Closes #98611
## Summary
Add alerts table in Observability =>

* wip
* First pass at standalone and embedded redux stores and usage
* wip
* First pass at standalone and embedded redux stores and usage
* wip
* clean up
* wip
* refact(NA): remove extra pkg_npm target and add specific target folders on @kbn/i18n
* cleanup
* - fixes type errors in tests
* WIP remove use_manage_timeline
* wip add query + selector
* finishing integrating timeline manage context from redux
* integrating t-grid in security solution
* fix RowRender type
* WIP begin to move components from package to plugin
* integration of t-grid inside of security solution
* wip to make redux work
* little trick to make it render
* - fixes a few type errors
* better integration between tgrid and security solutions
* bringing back tsconfig on timeline
* wip integration t-grid in observability
* fix types
* fix type in security solutions
* add type to import + tried to get the bundle size as small as possible
* fix type in integration test
* fix type in integration test
* - fix tests
* clean up to use technical fields
* - fixes unit tests
* - mocks the `useDateFormat` function of the `useKibana` service to fix unit tests
* fix t-grid settings vs create timeline + fix inspect button
* fix last suites test
* Update unit tests, snapshots and lint
* Fix bad merge
* fix plugin export
* Fix some failing tests
* fix unit tests in timelines plugins
* fix latest test
* fix i18n
* free obs from t-grid
* Fix timeline functional plugin types
* fix store provider
* Update failing defaultHeader test
* Fix i18n usage in security solution
* Fix remaining i18n errors in timelines plugin
* Dedupe common shared types
* move drag and drop utils in package to avoid duplication
* More shared type cleanup
* add feature flag
* review I
* fix merge with master
* fix i18n translation
* More type deduping
* Use @kbn/common-utils, fix remaining types
* fix types
* fix tests
* missing type
* fix cypress tests
Co-authored-by: Kevin Qualters <kevin.qualters@elastic.co>
Co-authored-by: Tiago Costa <tiagoffcc@hotmail.com>
Co-authored-by: Andrew Goldstein <andrew.goldstein@elastic.co>
In 7.x, when saved objects point to an index and not an alias it will
assume it's pre-6.8 and perform a legacy migration. This causes issues
with the removal of oss builds. This update prevents that from happening
by using an alias.
Signed-off-by: Tyler Smalley <tyler.smalley@elastic.co>
* chore(NA): move elastic-datemath into a ts package
* chore(NA): finish elastic-datemath
* chore(NA): finish elastic-datemath
* chore(NA): source folder for elastic-datemath
* chore(NA): add source-maps ace, analytics, apm-config-loader and apm-utils packages
* chore(NA): add sourcemaps to packages on typescript
* chore(NA): move test fixtures within source
* chore(NA): correct exclusions on packages
* chore(NA): correct package.json on all packages
* chore(NA): correct package.json on all packages
* chore(NA): complete kbn pm
* chore(NA): default export on elastic-datemath
* chore(NA): include logs on kbn-logging
* chore(NA): update bundle ref module to last code used in the webpack upstream
* chore(NA): update bundle ref module to last code used in the webpack upstream - refactored
* chore(NA): remove override method for exportsArgument
* fix(NA): typechecking problems by use @internal at javascript import sources on kbn-test package
* fix(NA): typescript projects check
* fix(NA): run optimizer integration tests from source
* chore(NA): fix usage from target for kbn optimizer
* chore(NA): path on tsconfig
* chore(NA): move tsignore into ts-expect-error
* chore(NA): include source maps on kbn cli dev
* chore(NA): include source maps on kbn-crypto, kbn-server-http-tools and kbn-telemetry-tools
* chore(NA): add issue links into the ts-expect-error comments
* chore(NA): create new x-pack cigroups and rebalancing them all
* chore(NA): better cigroups balancing
* chore(NA): push rollup tests back into ciGroup1
* chore(NA): move some functional ml tests from cigroup3 into cigroup13
* chore(NA): move some more tests into ciGroup13
* chore(NA): use a single top level describe at x-pack/test/functional/apps/ml
* chore(NA): move settings into ciGroup13
* temporary test for es snapshots env
* Revert "temporary test for es snapshots env"
This reverts commit 789ebe7b9c.
* docs(NA): add missing documentation on the function tests describe split
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* add search syntax parsing logic
* fix ts types
* use type filter in providers
* move search syntax logic to the searchbar
* fix test plugin types
* fix test plugin types again
* use `onSearch` prop to disable internal component search
* add tag filter support
* add FTR tests
* move away from CI group 7
* fix unit tests
* add unit tests
* remove the API test suite
* Add icons to the SO results
* add test for unknown type / tag
* nits
* ignore case for the `type` filter
* Add syntax help text
* remove unused import
* hide icon for non-application results
* add tsdoc on query utils
* coerce known filter values to string
Co-authored-by: Ryan Keairns <contactryank@gmail.com>
This PR adds screenshot comparison tests for the nodes in the graph on the test plugin.
Run the tests using this command:
`yarn test:ftr --config x-pack/test/plugin_functional/config.ts --grep Resolver`
Resolver has a test plugin. It can be found in `x-pack/tests/plugin_functional`. You can try it out like this:
```
yarn start --plugin-path x-pack/test/plugin_functional/plugins/resolver_test/
```
This PR enables automated tests for the test plugin. This ensures that the test plugin will render.
* Moved `descriptiveName` from the 'common' event model into the panel view. It is now a component. Each type of event has its own translation string. Translation placeholders have more specific names.
* Reorganized 'breadcrumb' components.
* Use safer types in many places
* Add `useLinkProps` hook. It takes `PanelViewAndParameters` and returns `onClick` and `href`. Remove a bunch of copy-pasted code that did the same.
* Add new common event methods to safely expose fields that were being read directly (`processPID`, `userName`, `userDomain`, `parentPID`, `md5HashForProcess`, `argsForProcess`)
* Removed 'primaryEventCategory' from the event model.
* Removed the 'aggregate' total count concept from the panel
* The mock data access layer called `no_ancestors_two_children` now has related events. This will allow the click through to test all panels and it will allow the resolver test plugin to view all panels.
* The `mockEndpointEvent` factory can now return events of any type instead of just process events.
* Several mocks that were using unsafe casting now return the correct types. The unsafe casting was fine for testing but it made refactoring difficult because typescript couldn't find issues.
* The mock helper function `withRelatedEventsOnOrigin` now takes the related events to add to the origin instead of an array describing events to be created.
* The data state's `tree` field was optional but the initial state incorrectly set it to an invalid object. Now code checks for the presence of a tree object.
* Added a selector called `eventByID` which is used to get the event shown in the event detail panel. This will be replaced with an API call in the near future.
* Added a selector called `relatedEventCountByType` which finds the count of related events for a type from the `byCategory` structure returned from the API. We should consider changing this as it requires metaprogramming as it is.
* Created a new middleware 'fetcher' to fetch related events. This is a stop-gap implementation that we expect to replace before release.
* Removed the action called `appDetectedNewIdFromQueryParams`. Use `appReceivedNewExternal...` instead.
* Added the first simulator test for a graph node. It checks that the origin node has 'Analyzed Event' in the label.
* Added a new panel test that navigates to the nodeEvents panel view and verifies the items in the list.
* Added a new panel component called 'Breadcrumbs'.
* Fixed an issue where the CubeForProcess component was using `0 0 100% 100%` in the `viewBox` attribute.
* The logic that calculates the 'entries' to show when viewing the details of an event was moved into a separate function and unit tested. It is called `deepObjectEntries`.
* The code that shows the name of an event is now a component called `DescriptiveName`. It has an enzyme test. Each event type has its own `i18n` string which includes more descriptive placeholders. I'm not sure, but I think this will make it possible for translators to provide better contextual formatting around the values.
* Refactored most panel views. They have loading components and breadcrumb components. Links are moved to their own components, allowing them to call `useLinkProps`.
* Introduced a hook called `useLinkProps` which combines the `relativeHref` selector with the `useNavigateOrReplace` hook.
* Removed the hook called `useRelatedEventDetailNavigation`. Use `useLinkProps` instead.
* Move various styled-components into `styles` modules.
* The graph node label wasn't translating 'Analyzed Event'. It now does so using a `select` expression in the ICU message.
* Renamed a method on the common event model from `getAncestryAsArray` to `ancestry` for consistency. It no longer takes `undefined` for the event it operates on.
* Some translations were removed due to code de-duping.
* More comments
* Adding tests for mapping without entity_id
* Removing unnecessary comments
* Fixing type errors
* Removing unnecessary import
* Fixups and style
* change 'data' state shape, nesting the tree fetcher data
* rename 'TreeFetcherParameters' from 'DatabaseParameters' to make it
more specific to the API it works on
* fix bug in 'equal' method of 'TreeFetcherParameters'
* use mockTreeFetcherParameters method in tests that need to specify a
TreeFetcherParameters but when the value isn't relevant to the test
* Hide Resolver if there is no databaseDocumentID
* add doc comments
* Fixing test name and adding comments
* Pulling in Robert's test name changes
* [Resolver] Only render resolver once we have a signals index
Co-authored-by: oatkiller <robert.austin@elastic.co>
Restore the resolverTest plugin. This will allow us to run the test plugin and try out Resolver using our mock data access layers. Eventually this could be expanded to support multiple different data access layers. It could even be expanded to allow us to control the data access layer via the browser. Another option: we could export the APIs from the server and use those in this test plugin.
We eventually expect other plugins to use Resolver. This test plugin could allow us to test Resolver via the FTR (separately of the Security Solution.)
This would also be useful for writing tests that use the FTR but which are essentially unit tests. For example: taking screenshots, using the mouse to zoom/pan.
Start using: `yarn start --plugin-path x-pack/test/plugin_functional/plugins/resolver_test/`