# Backport
This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution] Breaking out timeline & note privileges (#201780)](https://github.com/elastic/kibana/pull/201780)
<!--- Backport version: 9.6.4 -->
### Questions?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport).
Source commit: `1b167d9dc23a9e0e8e47992a37563ca89ccf3c7d` by Jan Monschke, committed 2025-01-20, merged to `main` (v9.0.0); backport target `8.x` (v8.18.0). The original PR description follows.

## Summary

Epic: https://github.com/elastic/security-team/issues/7998

In this PR we're breaking out the `timeline` and `notes` features into their own feature privilege definition. Previously, access to both features was granted implicitly through the `siem` feature. However, we found that this level of access control is not sufficient for all clients who wanted a more fine-grained way to grant access to parts of security solution.

In order to break out `timeline` and `notes` from `siem`, we had to deprecate its feature privilege definition. That is why you'll find plenty of changes of `siem` to `siemV2` in this PR. We're making use of the feature privilege's `replacedBy` functionality, allowing for a seamless migration of deprecated roles.

This means that roles that previously granted `siem.all` are now granted `siemV2.all`, `timeline.all` and `notes.all` (same for `*.read`). Existing users are not impacted and should all still have the correct access. We added tests to make sure this is working as expected.

Alongside the `ui` privileges, this PR also adds dedicated API tags. Those tags have been added to the new and previous version of the privilege definitions to allow for a clean migration:

```mermaid
flowchart LR
  subgraph v1
    A(siem) --> Y(all)
    A --> X(read)
    Y -->|api| W(timeline_write / timeline_read / notes_read / notes_write)
    X -->|api| V(timeline_read / notes_read)
  end

  subgraph v2
    A -->|replacedBy| C[siemV2]
    A -->|replacedBy| E[timeline]
    A -->|replacedBy| G[notes]

    E --> L(all)
    E --> M(read)
    L -->|api| N(timeline_write / timeline_read)
    M -->|api| P(timeline_read)

    G --> Q(all)
    G --> I(read)

    Q -->|api| R(notes_write / notes_read)
    I -->|api| S(notes_read)
  end
```

### Visual changes

#### Hidden/disabled elements

Most of the changes are happening "under the hood" and are only expressed in case a user has a role with `timeline.none` or `notes.none`. This would hide and/or disable elements that would usually allow them to interact with either timeline or the notes feature (within timeline or the event flyout currently).

As an example, this is how the hover actions look for a user with and without timeline access:

| With timeline access | Without timeline access |
| --- | --- |
| <img width="616" alt="Screenshot 2024-12-18 at 17 22 49" src="https://github.com/user-attachments/assets/a767fbb5-49c8-422a-817e-23e7fe1f0042" /> | <img width="724" alt="Screenshot 2024-12-18 at 17 23 29" src="https://github.com/user-attachments/assets/3490306a-d1c3-41aa-af5b-05a1dd804b47" /> |

#### Roles

Another visible change of this PR is the addition of `Timeline` and `Notes` in the edit-role screen:

| Before | After |
| ------- | ------ |
| <img width="746" alt="Screenshot 2024-12-12 at 16 31 43" src="https://github.com/user-attachments/assets/20a80dd4-c214-48a5-8c6e-3dc19c0cbc43" /> | <img width="738" alt="Screenshot 2024-12-12 at 16 32 53" src="https://github.com/user-attachments/assets/afb1eab4-1729-4c4e-9f51-fddabc32b1dd" /> |

We made sure that for migrated roles that had `security.all` selected, this screen correctly shows `security.all`, `timeline.all` and `notes.all` after the privilege migration.

#### Timeline toast

There are tons of places in security solution where `Investigate / Add to timeline` are shown. We did our best to disable all of these actions but there is no guarantee that this PR catches all the places where we link to timeline (actions). One layer of extra protection is that the API endpoints don't give access to timelines to users without the correct privileges. Another one is a Redux middleware that makes sure timelines cannot be shown in missed cases. The following toast will be shown instead of the timeline:

<img width="354" alt="Screenshot 2024-12-19 at 10 34 23" src="https://github.com/user-attachments/assets/1304005e-2753-4268-b6e7-bd7e22d8a1e3" />

### Changes to predefined security roles

All predefined security roles have been updated to grant the new privileges (in ESS and serverless). In accordance with the migration, all roles with `siem.all` have been assigned `siemV2.all`, `timeline.all` and `notes.all` (and `*.read` respectively).

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: PhilippeOberti <philippe.oberti@elastic.co>
Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
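The following is an added example, not Kibana's feature-registration code: a small model of the `replacedBy` migration described in the PR. The privilege ids and API tags are the ones from the description and the diagram; the maps, functions and the two sample roles are this example's own assumptions. It expands a role that still grants the deprecated `siem` privileges, derives the API tags the role can use, and checks the invariant the PR's tests exist for: the migration never drops an API tag a role already had.

```typescript
// Added example (not Kibana's own code): model of the siem -> siemV2/timeline/notes
// replacedBy migration. Privilege ids and API tags come from the PR description;
// the data structures and sample roles are constructed for this example.

// Deprecated privilege -> the privileges that replace it (the replacedBy edges)
const REPLACED_BY: { [privilege: string]: string[] } = {
  'siem.all': ['siemV2.all', 'timeline.all', 'notes.all'],
  'siem.read': ['siemV2.read', 'timeline.read', 'notes.read'],
};

// API tags per privilege. The v1 `siem` tags stay so un-migrated roles keep working;
// siemV2's remaining tags are not in the diagram, so it grants none here.
const API_TAGS: { [privilege: string]: string[] } = {
  'siem.all': ['timeline_write', 'timeline_read', 'notes_write', 'notes_read'],
  'siem.read': ['timeline_read', 'notes_read'],
  'timeline.all': ['timeline_write', 'timeline_read'],
  'timeline.read': ['timeline_read'],
  'notes.all': ['notes_write', 'notes_read'],
  'notes.read': ['notes_read'],
};

function uniq(values: string[]): string[] {
  return values.filter((v, i) => values.indexOf(v) === i);
}

/** Expand deprecated privileges into their replacements; migrated ones pass through. */
export function effectivePrivileges(granted: string[]): string[] {
  let out: string[] = [];
  granted.forEach((p) => { out = out.concat(REPLACED_BY[p] || [p]); });
  return uniq(out);
}

/** API tags a role holds: those of the privileges it names plus those of their replacements. */
export function apiTags(granted: string[]): string[] {
  let tags: string[] = [];
  granted.concat(effectivePrivileges(granted)).forEach((p) => { tags = tags.concat(API_TAGS[p] || []); });
  return uniq(tags);
}

/** Server-side gate from the description: without the tag, the timeline/notes API refuses. */
export function canAccess(granted: string[], requiredTag: string): boolean {
  return apiTags(granted).indexOf(requiredTag) !== -1;
}

/** Migration invariant: every tag a deprecated privilege granted is granted by its replacements. */
export function migrationPreservesTags(): boolean {
  return Object.keys(REPLACED_BY).every((deprecated) =>
    API_TAGS[deprecated].every((tag) => canAccess(REPLACED_BY[deprecated], tag))
  );
}

// Constructed roles: a legacy role not migrated yet, and a migrated one that has timeline.none
export const LEGACY_ANALYST = ['siem.all'];
export const NO_TIMELINE = ['siemV2.all', 'notes.all'];
```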
## Summary
This PR enables Session View to support the auditbeat data stream and adds `event.action: executed`.
- In the `Security>Explore>Hosts>Events` and `Security>Explore>Hosts>Session` tabs, shows process events from Auditbeat and should show `event.action: [ fork, executed, end ]`.
- Auditbeat session events now have alert capability
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
This PR adds `logs-cloud_defend.process` as a source to load process events in SessionView. _(Note: I have plans to optimize SessionView so it only pulls from the index that the session leader came from.)_

The cloud-defend service (WIP) implements a technique to reduce process event volume by squishing the three lifecycle **event.action**s (fork, exec, end) into a single event. SessionView has been updated to handle these new merged events.

Much of the information across a fork, exec and end event does not change, so given a short window, the cloud-defend service buffers the events, and merges the values from `event.action` and `event.type` into an array of the values from each event.

In most cases an SSH session leader process (e.g. bash) will have two events: one event containing `event.action: ['fork', 'exec']` (2 merged events), and one final event with `event.action: 'end'` when the user exits the session.

The nice thing about the above is that in the majority of situations processes are short lived, and so most events should contain all three actions `[fork, exec, end]`. In our tests, this has provided roughly a 50% savings in process event volume. It should also be noted that any rules using `event.action` or `event.type` should be unaffected by this change, as the query languages don't care if it's comparing a single value, or an array of values.

A minor change has also been made in the process analyzer feature to handle the merging of `event.type`, e.g. `event.type = ['start', 'end']`.

cc @kqualters-elastic if you know of any other places I need to update.
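The following is an added example, not cloud-defend's or Session View's own code: a minimal simulation of the lifecycle merging described above, covering both the `event.action` merge and the `event.type` arrays the process analyzer now has to handle. Events for the same process that arrive within `windowMs` are buffered and collapsed into one event whose `event.action` / `event.type` hold the merged values, and `matchesAction` shows why rule logic comparing against a single value keeps working once the field is an array. The numeric timestamp, the entity ids and the sample events are constructed.

```typescript
// Added example (not cloud-defend's or Session View's code): buffer fork/exec/end
// events per process and merge them into one event with array-valued
// event.action / event.type, as the PR describes. Sample data is constructed.

type Lifecycle = 'fork' | 'exec' | 'end';

interface ProcessEvent {
  timestamp: number; // epoch ms (constructed; ECS uses an ISO string)
  process: { entity_id: string };
  event: { action: Lifecycle | Lifecycle[]; type: string | string[] };
}

// event.type that accompanies each lifecycle action (fork/exec start a process, end ends it)
const ACTION_TYPE: { [action: string]: string } = { fork: 'start', exec: 'start', end: 'end' };

function asArray<T>(value: T | T[]): T[] {
  return Array.isArray(value) ? value : [value];
}
function uniq<T>(values: T[]): T[] {
  return values.filter((v, i) => values.indexOf(v) === i);
}

/** Buffer per process and merge fork/exec/end into one event. Input must be time-ordered. */
export function mergeProcessEvents(events: ProcessEvent[], windowMs: number): ProcessEvent[] {
  const merged: ProcessEvent[] = [];
  const pending: { [entityId: string]: ProcessEvent } = {}; // events still buffering

  events.forEach((ev) => {
    const id = ev.process.entity_id;
    const buffered = pending[id];
    const actions = asArray(ev.event.action);
    const isEnd = actions.indexOf('end') !== -1;

    if (buffered && ev.timestamp - buffered.timestamp <= windowMs) {
      // Same process inside the window: fold action and type into arrays
      buffered.event.action = asArray(buffered.event.action).concat(actions);
      buffered.event.type = uniq(asArray(buffered.event.type).concat(asArray(ev.event.type)));
      if (isEnd) { merged.push(buffered); delete pending[id]; } // lifecycle complete
      return;
    }
    // Window expired or nothing buffered: emit the stale buffer, start a fresh copy
    if (buffered) { merged.push(buffered); delete pending[id]; }
    const copy: ProcessEvent = { ...ev, event: { action: actions, type: asArray(ev.event.type) } };
    if (isEnd) merged.push(copy); else pending[id] = copy;
  });
  Object.keys(pending).forEach((id) => merged.push(pending[id])); // flush open buffers
  return merged;
}

/** Rule-style check that does not care whether event.action is a string or an array. */
export function matchesAction(ev: ProcessEvent, action: Lifecycle): boolean {
  return asArray(ev.event.action).indexOf(action) !== -1;
}

// Constructed sample: a short-lived `ls` (all three actions inside the window) and a
// long-lived `bash` session leader whose `end` arrives when the user exits, far later.
function raw(id: string, action: Lifecycle, t: number): ProcessEvent {
  return { timestamp: t, process: { entity_id: id }, event: { action, type: ACTION_TYPE[action] } };
}
export const SAMPLE: ProcessEvent[] = [
  raw('bash-1', 'fork', 0), raw('bash-1', 'exec', 5),
  raw('ls-2', 'fork', 10), raw('ls-2', 'exec', 12), raw('ls-2', 'end', 30),
  raw('bash-1', 'end', 60000),
];
export const MERGED = mergeProcessEvents(SAMPLE, 1000); // 6 raw events -> 3 merged
```

Merged events are emitted in completion order, so `ls` (finished at t=30) precedes the two `bash` events.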
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
* Fetch output events in process_events_route and show output button accordingly
* Add unit tests for rendering output button
* Update process event route fetch process with output
* tty output POC
output poc stuff
oh baby, tty output search working nice.
output poc work
primitive playback mechanism added, xterm render callback improved. infinite pagination working
minor css tweaks
* stash restore
* stash restore
* refactor
* code shuffle/refactor
* cleanup/refactor
* component renamed
* search improved
* new route to get total bytes of io added. it will hide tty player button if no output, so removes the need for a feature flag
* some jest test coverage added
* basic jest test coverage added to tty_player
* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'
* removed search addon. I've committed a modified version of it
* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'
* tweaks to mock data
* tests added for tty_search_bar
* translations added for aria labels in session_view component
* mocking of window.matchMedia moved to beforeAll
* lint fix
* fixed build error
* event action name updated. lint fixes
* fix for ftr tests
* addresses Jack's comments
Co-authored-by: mitodrummer <karlgodard@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
* aggregate and count routes added for kubernetes_security plugins.
includes FTR e2e tests. some e2e tests also created for session view plugin.
* naming fixes
Co-authored-by: mitodrummer <karlgodard@elastic.co>