## Summary
Adds an advanced option to allow users to configure up to 5 env vars to
capture in endpoint events.
Co-authored-by: Karl Godard <karlgodard@elastic.co>
## Summary
Addresses https://github.com/elastic/kibana/issues/130699
This PR implements alert throttling per rule execution for query and
saved query rules. The implementation is very similar in concept to
threshold rules. We allow users to pick one or more fields to group
source documents by and use a composite aggregation to collect documents
bucketed by those fields. We create 1 alert for each bucket based on the
first document in the bucket and add metadata to the alert that
represents how to retrieve the rest of the documents in the bucket.
The metadata fields are:
- `kibana.alert.suppression.terms`: `{field: string; value: Array<string
| number>}` An array of objects, each object represents one of the terms
used to group these alerts
- `kibana.alert.suppression.start`: `Date` The timestamp of the first
document in the bucket
- `kibana.alert.suppression.end`: `Date` The timestamp of the last
document in the bucket
- `kibana.alert.suppression.docs_count`: `number` The number of
suppressed alerts
There is one new rule parameter, currently implemented at the solution
level, to enable this feature: `alertSuppression.groupBy`: `string[]`.
Similar to threshold rules, the throttled query rules keep track of
created alerts in the rule state in order to filter out duplicate
documents in subsequent rule executions. When a throttled alert is
created, we store the bucket information including field names, values,
and end date in the rule state. Subsequent rule executions convert this
state into a filter that excludes documents that have already been
covered by existing alerts. This is necessary because consecutive rule
executions will typically query overlapping time ranges.
## Screenshots
### Rule Create/Edit With License
### Rule Details With License
### Rule Create, or Rule Edit of a rule without existing suppression
configuration, Without License
### Editing a rule that has existing suppression configuration, but
without the correct license, still allows changing the configuration (to
allow removing the params)
### Rule Details Without License
### Alerts table
### Known issues
- The layers icon in the rule name for suppressed alerts does not show
up in the rule preview table
Co-authored-by: Madi Caldwell <madison.caldwell@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
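The bucketing and state-based exclusion described in the alert suppression PR above, as an added TypeScript example that is not Kibana's own code; the field names (`host.name`, `user.name`), the in-memory stand-in for the composite aggregation and the sample documents are constructed for illustration:

```typescript
// Added example, not Kibana code: simulates the suppression flow described above.
// Field names (host.name, user.name) and the sample docs are constructed.
type Doc = Record<string, string | number>; // every doc carries "@timestamp" (ISO string)
interface SuppressionTerm { field: string; value: Array<string | number> }
interface SuppressedBucket { terms: SuppressionTerm[]; end: Date } // what rule state stores
interface Alert {
  "kibana.alert.suppression.terms": SuppressionTerm[];
  "kibana.alert.suppression.start": Date;
  "kibana.alert.suppression.end": Date;
  "kibana.alert.suppression.docs_count": number;
  source: Doc; // the first document in the bucket, which the alert is built from
}
const ts = (d: Doc): number => Date.parse(String(d["@timestamp"]));

// In-memory stand-in for the composite aggregation: one bucket per distinct groupBy tuple.
export function suppressAlerts(docs: Doc[], groupBy: string[]): Alert[] {
  const buckets = new Map<string, Doc[]>();
  for (const d of [...docs].sort((a, b) => ts(a) - ts(b))) {
    const key = JSON.stringify(groupBy.map((f) => d[f] ?? null));
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key)!.push(d);
  }
  return [...buckets.values()].map((bucket) => ({
    "kibana.alert.suppression.terms": groupBy.map((field) => ({ field, value: [bucket[0][field]] })),
    "kibana.alert.suppression.start": new Date(ts(bucket[0])),
    "kibana.alert.suppression.end": new Date(ts(bucket[bucket.length - 1])),
    // assumption: the document that became the alert is not itself counted as suppressed
    "kibana.alert.suppression.docs_count": bucket.length - 1,
    source: bucket[0],
  }));
}

// Rule state persisted after a run: field values plus end date of every bucket alerted on.
export const toState = (alerts: Alert[]): SuppressedBucket[] =>
  alerts.map((a) => ({ terms: a["kibana.alert.suppression.terms"], end: a["kibana.alert.suppression.end"] }));

// The next execution turns that state into a filter that drops documents already covered
// by an alert, which matters because consecutive runs query overlapping time ranges.
export const excludeCovered = (state: SuppressedBucket[]) => (d: Doc): boolean =>
  !state.some((b) => b.terms.every((t) => t.value.includes(d[t.field])) && ts(d) <= b.end.getTime());

// Constructed sample: run 1 sees three docs; run 2 re-queries an overlapping window plus one new doc.
export const run1: Doc[] = [
  { "@timestamp": "2022-11-10T10:00:00Z", "host.name": "h1", "user.name": "u1" },
  { "@timestamp": "2022-11-10T10:05:00Z", "host.name": "h1", "user.name": "u1" },
  { "@timestamp": "2022-11-10T10:07:00Z", "host.name": "h2", "user.name": "u1" },
];
export const run2: Doc[] = [run1[1], run1[2], { "@timestamp": "2022-11-10T10:10:00Z", "host.name": "h1", "user.name": "u1" }];
export const alerts = suppressAlerts(run1, ["host.name", "user.name"]);
export const run2Docs = run2.filter(excludeCovered(toState(alerts)));
```

Only the 10:10 document survives the second run's filter: the two re-queried documents fall inside buckets whose end date is already recorded in state.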
## Rule duplication with/without exceptions
Majority of work done by @yctercero in this
[branch](https://github.com/yctercero/kibana/tree/dupe)
Some integration tests are left, but the PR is ready for review.
There are 2 flows when you duplicate a rule:
### Without exceptions
Don't duplicate any exceptions
### With exceptions
Shared exceptions should be duplicated by reference.
Rule default exceptions are not duplicated by reference, but create a
copy of exceptions. So if you remove it from duplicate rules, the
original rule is not changed.
https://user-images.githubusercontent.com/7609147/200863319-4cb56749-42dd-42d8-8896-f45782c21838.mov
# TODO:
- [ ] integration tests
- [ ] cypress tests
Co-authored-by: Yara Tercero <yara.tercero@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
- Remove `file_operations_all` from list of sub-feature of SIEM
(security solution). This sub-feature [was recently placed behind an
experimental feature
flag](https://github.com/elastic/kibana/pull/145042), which is disabled
by default for 8.6.
- Un-skips tests
Fixes: #145134
Fixes: #145135
Fixes: #145136
## Summary
Related meta issue: https://github.com/elastic/kibana/issues/143330
This PR ensures that the tooltip will include both lines even if
results for a time have been deleted. The second line now shows 'null'
as the count to make it clear that the value does not exist or is missing.
- This PR fills in missing values with 'null' from source or results
data if the timestamps don't match.
- This PR adds the 'showNullValues' property to the tooltip for the
chart to ensure those values are displayed in the tooltip.
Shown with `N/A` when value is null:
<img width="655" alt="image"
src="https://user-images.githubusercontent.com/6446462/201482789-ddb79f3f-a980-4618-ae6f-95cd5d5bb93e.png">
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Added active endpoint count to usage collector. Endpoint count is
technically already being counted via the daily usage counter; however,
it is counted during the execution of the endpoint task which could
potentially stall/timeout or even fail leading to inconsistent reporting
of active endpoint counts (thanks to @pjhampton for bringing this up and
suggesting to add this to the usage collector).
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
**Related to: https://github.com/elastic/kibana/pull/144016**
## Summary
This follow-up PR addresses guided onboarding feedback mentioned
[here](https://github.com/elastic/security-team/issues/5386) and
[here](https://github.com/elastic/kibana/issues/144458).
To summarize:
- We're keeping the first step (install prebuilt rules) intact, but most
users wouldn't see it as the rules are installed automatically during
previous stages. This step is needed to cover edge cases when rules were
deleted for some reason.
- We're splitting the second step into two: 1) search the first rule and
2) activate it.
- We're adding "Next" buttons to these steps.
- For the search step, the "Next" button will automatically filter the
rules table, so the first rule becomes visible.
- For the activate step, the "Next" button automatically activates the
first rule.
- The "Next" button stays optional; we still automatically progress the
guide once user actions satisfy certain conditions, like the user
filtered the rules table manually or activated the first rule by
clicking its toggle.
## Summary
When a user doesn't have the needed Kibana Privileges, more precisely
the sub-feature privileges for Security Management pages, they will see
a _Privileges Required_ page. It is already merged, see
https://github.com/elastic/security-team/issues/5222
What is missing is the correct URL for the documentation page. The goal
of this PR is to add this link.
## Summary
Fixes #145020
This PR adjusts typing for search source alert to handle no data views
state in flyout.
### Checklist
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Removes the feature flag for the guided onboarding tour in security
To be merged after #144160. Make sure we run the Cypress tests after
#144160 is merged before merging this.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Yulia Čech <6585477+yuliacech@users.noreply.github.com>
## Summary
Fixes https://github.com/elastic/kibana/issues/141129
Fixes https://github.com/elastic/kibana/issues/144515
This PR introduces a new state to the guided onboarding plugin. The
state keeps track of the `creationDate` and of the overall `status` of
the plugin. The creation date allows us to detect an "active" period
during which the header button will be displayed more prominently in the
header. Currently, the active period is set to 30 days. During this
time, if the user has not started any guide, has quit a guide before
completion or skipped the guide on the landing page, the header button
will be displayed and when clicked, redirect the user to the landing
page to start/continue a guide.
Also this PR adds a check for Cloud deployments and prevents the code
from sending any API requests when not on Cloud, because guided
onboarding is disabled on prem.
#### Screenshot
<img width="298" alt="Screenshot 2022-11-10 at 18 42 18"
src="https://user-images.githubusercontent.com/6585477/201168414-391a7cd4-0709-492b-9001-1432b5bed3c8.png">
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
[Alert Flyout Detail panel doesn't show in session
view](https://github.com/elastic/kibana/issues/144346)
When clicking on the expand icon in the process alert row or `View
details` in the Alert tab content, the Alert flyout doesn't show.
Before, the alerts flyout was showing in session view until
`isTimelineScope()` was added. We need to dispatch the toggle to the
details panel even if the timeline is not in scope.
<img width="1484" alt="image"
src="https://user-images.githubusercontent.com/17135495/201720513-11ee770c-ac6f-4582-8ddb-c49dbfc2fa52.png">
## Summary
Resolves the parent issue:
https://github.com/elastic/kibana/issues/136039
Also resolves the subtasks:
- https://github.com/elastic/kibana/issues/143461
- https://github.com/elastic/kibana/issues/143460
This is the backend portion of the consolidated rule status feature. It
mainly contains changes to the `rules_client.ts` and `task_runner.ts` to
support the new consolidated rule statuses.
This PR added a new property: `lastRun` to the rules saved object to
hold the new rule outcome statuses (`succeeded`, `warning`, and
`failed`) as the new simplified rule status over the existing
`executionStatus` property. However, we are keeping the old
`executionStatus` so we can slowly migrate the rest of the application
to use the new `lastRun` outcomes.
In addition, we have enriched the `monitoring` property to be the source
of truth for metrics related to the last run (as well as new fields that
other plugins will find useful). We also added a monitoring service that
allows other plugins to easily add data to the monitoring field.
To test this PR, please use
https://github.com/elastic/kibana/pull/144466 since it has both the
frontend and backend changes.
### Checklist
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jiawei Wu <jiawei.wu@cmd.com>