Commit graph

292 commits

Author SHA1 Message Date
Kevin Qualters
cc69e5ba15
[8.8] [Security Solution] getDataViewStateFromIndexFields was using wrong type as part of a cast (#158594) (#158784)
# Backport

This will backport the following commits from `main` to `8.8`:
- [[Security Solution] getDataViewStateFromIndexFields was using wrong
type as part of a cast
(#158594)](https://github.com/elastic/kibana/pull/158594)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Backport metadata (rendered from the backport tool's JSON): source commit `1c75903f92b639e2dcffe76ed8b4ef4d6db3b70d`, merged to `main` on 2023-05-31T21:13:36Z, labels `bug`, `release_note:fix`, `Team:Threat Hunting:Investigations`, `v8.9.0`, `v8.8.1`; target branch `8.8` (label `v8.8.1`), state `NOT_CREATED`. The source PR description (#158594), which the metadata repeats three times, reads:

> ## Summary
>
> Fixes an issue with the field browser where all types currently display as unknown. This was because, in a code path where a type cast happens, we were using the wrong type. To see this, remove the `as unknown` from the cast, and the typescript compiler will show the problem:
>
> ```
> 'BrowserField' is deprecated.ts(6385)
> index.ts(70, 4): The declaration was marked as deprecated here.
> Conversion of type 'DataViewField' to type 'BrowserField' may be a mistake because neither type sufficiently overlaps with the other. If this was intentional, convert the expression to 'unknown' first.
>   Type 'DataViewField' is missing the following properties from type 'BrowserField': category, description, example, fields, and 2 more.ts(2352)
> ```
>
> DataViewField actually only has spec and kbnFieldType properties; spec is of type FieldSpec, which is basically the same type as BrowserField and has sufficient overlap for the (still unsafe, but more safe than `as unknown`) cast to occur.
>
> Before: (screenshot f31c1f9e-25f0-41ee-9e1c-a70171e41d29, width 338)
>
> After: (screenshot 8b462477-2dce-41bb-9592-f34b20634b84, width 555)
>
> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2023-05-31 17:00:35 -07:00
Devin W. Hurley
9c4f99d8c1
[Security Solution] [Sourcerer] Replaces references to sourcerer search strategy with api provided by kibana data views plugin (#149360)
## Summary

Original outline: https://github.com/elastic/kibana/issues/138181

Issues outlining the objective of this PR:
https://github.com/elastic/kibana/issues/142903 and
https://github.com/elastic/kibana/issues/142907


#### Overview

Since the data views plugin was introduced, maintaining our own apis for
fetching sourcerer saved objects (data views) and additional types has
become cumbersome and inefficient. The data views plugin provides both
an efficient caching of data view saved objects and a unified interface
for creating ad-hoc data views (see the changes to the `useFetchIndex`
hook in this PR) so that our code can now rely on a single type of saved
object to interface with when fetching data.

This PR is another step towards replacing sourcerer with the data view
picker provided by kibana platform (which benefits users by maintaining
consistency around data source selection UX) and additionally provides
benefits to developers in the security solution by allowing us to reduce
state-management complexity in components that rely on old
`indexPattern` types or data view types.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2023-04-25 18:00:25 -04:00
Karl Godard
672e9925b0
[Session View] Fixes to slow process event queries + xterm.js updated. (#155326)
## Summary

Issue: https://github.com/elastic/kibana/issues/155183

This PR improves the process_events_route and io_event_route queries. We
now pass in the index and **process.entry_leader.start** time to greatly
improve the loading time of session view. Prior to this change, we were
doing a cross cluster search across the entire
logs-endpoint.events.process datastream. Session view will now use the
index from the entry leader event to limit the scope of the query. It
also ensures a range query is added with the entry leader start time, to
prevent data prior to the session from being hit.

I've also updated the npm package for xterm.js which addresses this
renovate ticket: https://github.com/elastic/kibana/pull/147815

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [x] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [x] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [x] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2023-04-25 09:25:01 -07:00
Ying Mao
64a7df7894
[Response Ops][Alerting] Migrate installation of context-specific component templates, index templates and concrete write index to framework for alerts-as-data (#151792)
Resolves https://github.com/elastic/kibana/issues/151697

## Summary

In a previous [PR](https://github.com/elastic/kibana/pull/145581) we
started installing a context-specific component templates, index
templates and concrete write indices for framework alerts as data when
the `xpack.alerting.enableFrameworkAlerts` config flag is set to true.
In that PR we used a different naming pattern than what is used by the
rule registry for those resources. In this PR, we are aligning the
naming of these resources with the rule registry and installing these
resources on alerting plugin setup when `enableFrameworkAlerts: true`.
If the flag is set to false, the rule registry will continue to handle
this resource installation.

In this PR we are doing the following:
* Registering all rules currently registered with the rule registry with the alerting framework. This registration allows the alerting framework to build context specific component templates. Because this PR only addresses resource installation, rules will continue to be registered with the rule registry.
* When `enableFrameworkAlerts: true`:
  * The framework installs the context specific component template with the following naming convention: `.alerts-{context}.alerts-mappings`. This matches what the rule registry currently installs so the transition should be seamless.
  * The framework installs the context specific index template for the `default` space with the following name: `.alerts-{context}.alerts-default-index-template`. Space awareness will be addressed in a followup PR. This matches the current rule registry naming. This index template will reference
    (1) ECS component template (if `useEcs: true`),
    (2) context-specific component template,
    (3) legacy alert component template and
    (4) framework component template
    where the legacy alert component template + framework component template = technical component template (from the rule registry).
  * The framework creates or updates the concrete write index for the `default` space with the naming convention: `.internal.alerts-{context}.alerts-default-000001`. Space awareness will be addressed in a followup PR. This matches the current rule registry naming.
  * The installation of the index template & write index differs from the rule registry in that it occurs on alerting plugin start vs the first rule run.
* We modified the rule registry resource installer to skip installation of these resources when `enableFrameworkAlerts: true`. In addition, it will wait for the alerting resource installation promise so if a rule runs before its resources are fully initialized, it will wait for initialization to complete before writing.

## To Verify

The following rule registry contexts are affected:
`observability.apm`
`observability.logs`
`observability.metrics`
`observability.slo`
`observability.uptime`
`security`

For each context, we should verify the following:

Note that if your rule context references the ECS mappings, there may be differences in those mappings between main and this branch depending on whether you're running main with `enableFrameworkAlerts` true or false. These differences are explained in the summary of this prior PR: https://github.com/elastic/kibana/pull/150384 but essentially we're aligning with the latest ECS fields. In the instructions, I suggest running main with `enableFrameworkAlerts: true` to minimize the differences caused by ECS changes.

**While running `main` with `enableFrameworkAlerts: true`:**
1. Get the context specific component template `GET
_component_template/.alerts-{context}.alerts-mappings`
2. Create rule for this context that creates an alert and then
3. Get the index template `GET
_index_template/.alerts-{context}.alerts-default-index-template`
4. Get the index mapping for the concrete index: `GET
.internal.alerts-{context}.alerts-default-000001/_mapping`

**While running this branch with `xpack.alerting.enableFrameworkAlerts:
true` (with a fresh ES instance):**
5. Get the context specific component template `GET
_component_template/.alerts-{context}.alerts-mappings`
6. Get the index template `GET
_index_template/.alerts-{context}.alerts-default-index-template`
7. Get the index mapping for the concrete index: `GET
.internal.alerts-{context}.alerts-default-000001/_mapping`
Note that you should not have to create a rule that generates alerts
before seeing these resources installed.

**Compare the component templates**
Compare 1 and 5. The difference should be:
* component template from this branch should have `_meta.managed: true`.
This is a flag indicating to the user that these templates are system
managed and should not be manually modified.

**Compare the index templates**
Compare 3 and 6. The differences should be:
* index template from this branch should have `managed: true` in the
`_meta` fields
* index template from this branch should not have a `priority` field.
This will be addressed in a followup PR
* index template from this branch should be composed of
`.alerts-legacy-alert-mappings` and `.alerts-framework-mappings` instead
of `.alerts-technical-mappings` but under the hood, these mappings are
equivalent.

**Compare the index mappings**
Compare 4 and 7. The difference should be:
* index mappings from this branch should have `_meta.managed: true`.

### Verify that installed resources templates work as expected
1. Run this branch on a fresh ES install with
`xpack.alerting.enableFrameworkAlerts: true`.
2. Create a rule in your context that generates alerts.
3. Verify that there are no errors during rule execution.
4. Verify that the alerts show up in your alerts table as expected.
5. (For detection rules only): Run this branch with
`xpack.alerting.enableFrameworkAlerts: true` and verify rules in a
non-default space continue to create resources on first rule run and run
as expected.
6. (For detection rules only): Run this branch with
`xpack.alerting.enableFrameworkAlerts: true` and verify rule preview
continue to work as expected

### Verify that installed resources templates work with existing rule
registry resources.

1. Run `main` or a previous version and create a rule in your context
that generates alerts.
2. Using the same ES data, switch to this branch with
`xpack.alerting.enableFrameworkAlerts: false` and verify Kibana starts
with no rule registry errors and the rule continues to run as expected.
3. Using the same ES data, switch to this branch with
`xpack.alerting.enableFrameworkAlerts: true` and verify Kibana starts
with no alerting or rule registry errors and the rule continues to run
as expected.
4. Verify the alerts show up on the alerts table as expected.
5. (For detection rules only): Run this branch with
`xpack.alerting.enableFrameworkAlerts: true` and verify rules in a
non-default space continue to create resources on first rule run and run
as expected.
6. (For detection rules only): Run this branch with
`xpack.alerting.enableFrameworkAlerts: true` and verify rule preview
continue to work as expected

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2023-03-08 09:51:29 -05:00
Jatin Kathuria
fe04a4c346
[Security Solution] [Trigger Actions] Alert Table Refactoring (#149128)
## Summary

This PR replaces the existing `Alert Table` used in Security solution &
cases with that of `triggers-actions-ui`.

Ideally, this PR does not make any changes to the functionality of the
product, and from a user perspective nothing should change.


‼️ Note for @elastic/security-threat-hunting-explore : This PR makes no
changes to the table used in Host/Users page.

## Things to test and changes

- @elastic/actionable-observability
  - The changes in the observability plugin are done to accommodate the changes in the API of the `triggers-actions-ui` alert table.
  - Requesting you to desk-test this PR once by using the Alert Table as you do on a daily basis.

- @elastic/response-ops
  - Changes have been done in the API as `security-solution` needed some parameters/values to achieve parity in functionality compared to the current alert Table.

---------

Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2023-02-22 10:04:21 -07:00
Spencer
1b85815402
[packages] migrate all plugins to packages (#148130)
Fixes https://github.com/elastic/kibana/issues/149344

This PR migrates all plugins to packages automatically. It does this
using `node scripts/lint_packages` to automatically migrate
`kibana.json` files to `kibana.jsonc` files. By doing this automatically
we can simplify many build and testing procedures to only support
packages, and not both "packages" and "synthetic packages" (basically
pointers to plugins).

The majority of changes are in operations related code, so we'll be
having operations review this before marking it ready for review. The
vast majority of the code owners are simply pinged because we deleted
all `kibana.json` files and replaced them with `kibana.jsonc` files, so
we plan on leaving the PR ready-for-review for about 24 hours before
merging (after feature freeze), assuming we don't have any blockers
(especially from @elastic/kibana-core since there are a few core
specific changes, though the majority were handled in #149370).

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2023-02-08 21:06:50 -06:00
Kevin Qualters
13d1f398ff
[Security Solution] Insight filter builder form as markdown plugin (#150363)
## Summary

This PR expands upon the work done in
https://github.com/elastic/kibana/pull/145240 to make use of the filters
builder form from unified_search to serialize filters into a markdown
compatible string, so that investigation guides, timeline notes or any
other place where text is parsed as markdown can make use of standard
kibana filters and view a count of the matching documents at a glance,
and open the entire set in timeline as well. These are generally
converted to timeline data providers to enable drag and drop query
building, however this is not supported for filters of range type, so
regular kibana filters are used in that case for now.

![Screenshot 2023-02-06 at 3 46 15 PM](https://user-images.githubusercontent.com/56408403/217081398-7e0d263f-cdb5-48eb-9328-f01a63af768e.png)
![Screenshot 2023-02-06 at 3 49 46 PM](https://user-images.githubusercontent.com/56408403/217082554-389edad5-89ff-4d86-bd31-c2085073b39a.png)
![Screenshot 2023-02-06 at 3 50 15 PM](https://user-images.githubusercontent.com/56408403/217082658-7ef8af2b-ba7f-4676-a775-e8c550adeee6.png)
![Screenshot 2023-02-06 at 3 50 54 PM](https://user-images.githubusercontent.com/56408403/217082770-9bacbd2a-fbee-4d1f-b6f5-b7d97ed2e3ca.png)
![Screenshot 2023-02-06 at 3 51 16 PM](https://user-images.githubusercontent.com/56408403/217082842-7494b1ac-6687-426e-8e85-6fec0afcc70e.png)
![Screenshot 2023-02-06 at 3 53 48 PM](https://user-images.githubusercontent.com/56408403/217083273-f9acfa30-a156-4146-86a2-5ebb84f4ecd0.png)
![Screenshot 2023-02-06 at 3 54 30 PM](https://user-images.githubusercontent.com/56408403/217083407-1a8af419-6c09-4558-9c18-11604cb7e796.png)

### Checklist

- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
2023-02-07 09:17:01 -05:00
Ievgen Sorokopud
84efdaa330
[Security Solution][Alerts] Provide more information about rule exception behavior before creation (#149149)
## Summary

These changes surface mapping issues when exceptions are created. We
are going to warn the user about type conflicts and unmapped indices.

Tooltip warning inside the field selection dropdown menu:

<img width="2020" alt="Screenshot 2023-01-18 at 19 01 44"
src="https://user-images.githubusercontent.com/2700761/213261684-61d21068-12bc-408f-8d20-1a196e0719a7.png">

Warning text underneath the dropdown menu when the user picks a field
which has mapping issues:

https://user-images.githubusercontent.com/2700761/215467838-5d39ff75-3a2e-44ef-ba89-57cd3975310c.mov

Main ticket #146845

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2023-02-06 15:08:47 +01:00
Steph Milovic
6c0f67afc2
[Security Solution] Security Common Schema Package (#148664) 2023-01-23 10:07:08 -07:00
Spencer
afb09ccf8a
Transpile packages on demand, validate all TS projects (#146212)
## Dearest Reviewers 👋 

I've been working on this branch with @mistic and @tylersmalley and
we're really confident in these changes. Additionally, this changes code
in nearly every package in the repo so we don't plan to wait for reviews
to get in before merging this. If you'd like to have a concern
addressed, please feel free to leave a review, but assuming that nobody
raises a blocker in the next 24 hours we plan to merge this EOD pacific
tomorrow, 12/22.

We'll be paying close attention to any issues this causes after merging
and work on getting those fixed ASAP. 🚀

---

The operations team is not confident that we'll have the time to achieve
what we originally set out to accomplish by moving to Bazel with the
time and resources we have available. We have also bought ourselves some
headroom with improvements to babel-register, optimizer caching, and
typescript project structure.

In order to make sure we deliver packages as quickly as possible (many
teams really want them), with a usable and familiar developer
experience, this PR removes Bazel for building packages in favor of
using the same JIT transpilation we use for plugins.

Additionally, packages now use `kbn_references` (again, just copying the
dx from plugins to packages).

Because of the complex relationships between packages/plugins and in
order to prepare ourselves for automatic dependency detection tools we
plan to use in the future, this PR also introduces a "TS Project Linter"
which will validate that every tsconfig.json file meets a few
requirements:

1. the chain of base config files extended by each config includes `tsconfig.base.json` and not `tsconfig.json`
2. the `include` config is used, and not `files`
3. the `exclude` config includes `target/**/*`
4. the `outDir` compiler option is specified as `target/types`
5. none of these compiler options are specified: `declaration`, `declarationMap`, `emitDeclarationOnly`, `skipLibCheck`, `target`, `paths`
6. all references to other packages/plugins use their pkg id, i.e.:

    ```js
    // valid
    {
      "kbn_references": ["@kbn/core"]
    }
    // not valid
    {
      "kbn_references": [{ "path": "../../../src/core/tsconfig.json" }]
    }
    ```

7. only packages/plugins which are imported somewhere in the ts code are listed in `kbn_references`

This linter is not only validating all of the tsconfig.json files, but
it also will fix these config files to deal with just about any
violation that can be produced. Just run `node scripts/ts_project_linter
--fix` locally to apply these fixes, or let CI take care of
automatically fixing things and pushing the changes to your PR.

> **Example:** [`64e93e5`
(#146212)](64e93e5806)
When I merged main into my PR it included a change which removed the
`@kbn/core-injected-metadata-browser` package. After resolving the
conflicts I missed a few tsconfig files which included references to the
now removed package. The TS Project Linter identified that these
references were removed from the code and pushed a change to the PR to
remove them from the tsconfig.json files.

## No bazel? Does that mean no packages??
Nope! We're still doing packages but we're pretty sure now that we won't
be using Bazel to accomplish the 'distributed caching' and 'change-based
tasks' portions of the packages project.

This PR actually makes packages much easier to work with and will be
followed up with the bundling benefits described by the original
packages RFC. Then we'll work on documentation and advocacy for using
packages for any and all new code.

We're pretty confident that implementing distributed caching and
change-based tasks will be necessary in the future, but because of
recent improvements in the repo we think we can live without them for
**at least** a year.

## Wait, there are still BUILD.bazel files in the repo
Yes, there are still three webpack bundles which are built by Bazel: the
`@kbn/ui-shared-deps-npm` DLL, `@kbn/ui-shared-deps-src` externals, and
the `@kbn/monaco` workers. These three webpack bundles are still created
during bootstrap and remotely cached using bazel. The next phase of this
project is to figure out how to get the package bundling features
described in the RFC with the current optimizer, and we expect these
bundles to go away then. Until then any package that is used in those
three bundles still needs to have a BUILD.bazel file so that they can be
referenced by the remaining webpack builds.

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-12-22 19:00:29 -06:00
Yuliia Naumenko
f1dc15ae4b
[Security Solution] Decompose Timelines TGrid component and moved to security_solution (#140151)
Resolves [#143152](https://github.com/elastic/kibana/issues/143152)
### Observability changes
These changes are a result of removing some types from the `timelines` plugin:
- cleaned up timelines plugin related types,
- replaced `Pick<ActionProps,'data' | 'eventId' | 'ecsData' | 'setEventsDeleted' >` with the props which were actually used:

  ```
  data: TimelineNonEcsData[];
  ecsData: Ecs;
  eventId: string;
  ```
In this PR we still have references to `@kbn/timelines-plugin`, which
need to be changed later.
The Threat Hunting team is going to think about replacing
`TimelineNonEcsData` with another type definition (maybe
`NonEcsData`?) and moving the `Ecs` type to a plugin/package not
related to `timelines`.

### Security Solution changes
Before the current PR the component dependencies around `TGrid`
looked like the image below:
<img width="848" alt="Screen Shot 2022-11-29 at 6 16 14 AM"
src="https://user-images.githubusercontent.com/55110838/204663019-664431fb-f360-4a11-b395-6fa54c35dd6d.png">
After decomposing the `timelines` plugin hosted TGrid HOC and moving
all the data table related sub-components to the `security_solution` plugin,
the new component architecture took the following shape:
<img width="842" alt="Screen Shot 2022-11-29 at 6 14 41 AM"
src="https://user-images.githubusercontent.com/55110838/204663068-40897f18-1485-4b59-a71b-ce09e660f7db.png">
`security_solution` plugin changes include the following:
- Moved some data table and action types to
`x-pack/plugins/security_solution/common/types`, which is widely used
across the related components.
- Due to the move of the data table with the store from the
`timeline` plugin to `security_solution`, many test files which had a
reference to `tGridReducer` are now cleaned up from the unnecessary logic:
```
- import { tGridReducer } from '@kbn/timelines-plugin/public';
```

and `TableState` references were replaced with the following changes:
```
- import type { TableState } from '@kbn/timelines-plugin/public';
+ import type { TableState } from '../common/store/data_table/types';
```
- Replaced `tGridActions` with the `dataTableActions` name.
- Moved `control_columns` to `security_solution` common plugin
components: `RowCheckBox`, `HeaderCheckBox` and
`transformControlColumns`:
  - `RowActionComponent` moved from the `timelines` plugin to
`x-pack/plugins/security_solution/public/common/components/control_columns/row_action`
without changes.
  - `transformControlColumns` moved from the timelines plugin to
`x-pack/plugins/security_solution/public/common/components/control_columns/transform_control_columns.tsx`.
Removed the unused property `hasAlertsCrudPermissions`, added a unit test.
<img width="1222" alt="Screen Shot 2022-11-29 at 8 59 42 PM"
src="https://user-images.githubusercontent.com/55110838/204711499-9f90fee2-3c2f-4ff6-af28-c324ab1840d8.png">

- Many translation changes as a result of the owner plugin change:
```
- i18n.translate('xpack.timelines....', {
+ i18n.translate('xpack.securitySolution....', {
```
- Moved `useDraggableKeyboardWrapper` to security_solution, added reference to `useAddToTimeline`, by using timelines plugin with kibana services. Added unit tests. 
<img width="1112" alt="Screen Shot 2022-11-30 at 9 06 42 AM" src="https://user-images.githubusercontent.com/55110838/204862298-bcd50a52-dbf7-480b-bf13-8e48d6835746.png">

- Replaced the next references:
```
- type: 'x-pack/timelines/t-grid/UPDATE_COLUMN_WIDTH',
+ type: 'x-pack/security_solution/data-table/UPDATE_COLUMN_WIDTH',
```

```
- type: 'x-pack/timelines/t-grid/REMOVE_COLUMN',
+ type: 'x-pack/security_solution/data-table/REMOVE_COLUMN',
```
- moved the TGrid store previously hosted in the timeline plugin to `security_solution` as the `data_table` store:
<img width="1109" alt="Screen Shot 2022-11-29 at 9 24 08 PM" src="https://user-images.githubusercontent.com/55110838/204714668-257a9c50-d722-4a6d-9214-f3ef8a14d0d2.png">

- Migrated TGrid `BodyComponent` to `DataTableComponent`
(`x-pack/plugins/security_solution/public/common/components/data_table/index.tsx`).
Removed some unused properties: `hasAlertsCrudPermissions, appId, getRowRenderer, isEventViewer, tableView, totalSelectAllAlerts, trailingControlColumns`. The current DataTableComponent is a subset of the previous BodyComponent, which includes only table related functionality:
<img width="1028" alt="Screen Shot 2022-11-30 at 10 44 35 AM" src="https://user-images.githubusercontent.com/55110838/204882561-0950b9ce-5a9f-4bdb-b38f-6ff742fc3f92.png">

- Renamed `TimelineExpandedDetail` to `ExpandedDetail` to make the type more generic for usage.
- BulkActions related changes include:
<img width="1288" alt="Screen Shot 2022-11-29 at 9 13 32 PM" src="https://user-images.githubusercontent.com/55110838/204713196-409f3d5e-f752-4fe9-9ae9-e752514cbf99.png">

  - `AlertBulkActionsComponent` moved from the timelines plugin to `x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/alert_bulk_actions.tsx`, just renaming changes.
  - Added `x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/types.ts` to consolidate types.
  - `useBulkActionItems` moved from the timelines plugin to `x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/use_bulk_action_items.tsx`. Changed links, renamed `AlertsStatus` to `AlertWorkflowStatus`, removed `in-progress` case handling.
  - `useUpdateAlertsStatus` moved from the timelines plugin to `x-pack/plugins/security_solution/public/common/components/toolbar/bulk_actions/use_update_alerts.ts`. Cleaned up the code from handling the Observability API.
- Updated `x-pack/plugins/security_solution/public/common/lib/kuery/index.ts` with the actual implementations of 
```
  convertKueryToDslFilter,
  convertKueryToElasticSearchQuery,
  convertToBuildEsQuery,
  escapeKuery,
  escapeQueryValue,
  combineQueries,
```
instead of referencing timelines plugin.
- Moved `EventRenderedView` component to security_solution common components. Later planning to make it as a package.
- `EventsViewer` component became the stateful component which is responsible for the data representation managing. Some part from TGridIntegratedComponent and BodyComponent was merged under its logic:
<img width="1052" alt="Screen Shot 2022-11-30 at 6 22 22 PM" src="https://user-images.githubusercontent.com/55110838/204950708-a8875acd-eb62-4df5-8ac4-613a0a571de6.png">
<img width="242" alt="Screen Shot 2022-11-30 at 6 24 06 PM" src="https://user-images.githubusercontent.com/55110838/204950819-bca194a4-4309-4cb4-a2ba-0176e9fe6c65.png">

- Moved header actions  to common components `x-pack/plugins/security_solution/public/common/components/header_actions`
- Renamed component `AlertCount` to `UnitCount`.
- Moved to `security_solution` configuration for `APM_USER_INTERACTIONS`
- changes the `createStore` interface by using a direct reference to `dataTableReducer` instead of passing down its value through the params.
### Timeline plugin changes
- cleaned up timeline plugin interface by removing:
```
getTGrid: <T extends TGridType = 'embedded'>(
    props: GetTGridProps<T>
  ) => ReactElement<GetTGridProps<T>>;
  // eslint-disable-next-line @typescript-eslint/no-explicit-any
getTGridReducer: () => any;
getUseDraggableKeyboardWrapper: () => (
    props: UseDraggableKeyboardWrapperProps
  ) => UseDraggableKeyboardWrapper;
```
- renamed embedded store
```
- setTGridEmbeddedStore: (store: Store) => void;
+ setTimelineEmbeddedStore: (store: Store) => void;
```
- removed dependency to triggers_actions_ui plugin
- removed duplicated components and types with `security_solution`: 
```
TruncatableText
SubtitleComponent
EventsCountComponent
PopoverRowItems
PagingControlComponent
FooterComponent
SortIndicator
SortNumber
RowRendererContainer
plainRowRenderer
getColumnRenderer
StatefulRowRenderer
getMappedNonEcsValue
InspectButtonComponent
TGridCellAction
useMountAppended
tgrid store
```

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-12-06 07:26:55 -08:00
David Sánchez
2b3755e395
[Security solution] [Endpoint] Use internal ES user in get index patterns and autosuggestions for event filters form (#145883)
## Summary

- Creates new search strategy for getting index patterns in security
solution plugin that uses the internal ES user in order to retrieve
event filters fields without having extra index privileges.
- Adds new API endpoint for autocomplete suggestions that uses
unified_search plugin logic but using the internal ES user.
- Updates frontend code to use both approaches above in event filters
form.
- Adds new unit tests

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-12-02 09:09:50 +01:00
Marshall Main
5582afe4fd
[Security Solution][Alerts] Fix suppression icon in rule name for preview and popover (#145587)
## Summary

https://github.com/elastic/kibana/issues/145544 - Suppression icon
should show up in rule name even when
`kibana.alert.suppression.docs_count` column is not included in the
table
https://github.com/elastic/kibana/issues/145669 - Rule name cell popover
formatting
No issue - adds the rule name icon for rule preview table


`props.data` is the fetched columns, `props.ecsData` always has the
fields listed in `requiredFieldsForActions` so we can use
`kibana.alert.suppression.docs_count` even when that column is missing.
2022-11-29 08:18:59 -08:00
Michael Olorunnisola
b32c8b9df8
[Security Solution][Investigations][Timeline] - Update getExceptions to use parameters (#145889)
## Summary

Fixes: https://github.com/elastic/kibana/issues/136772

The issue was introduced by a couple of changes:

First:
https://github.com/elastic/kibana/pull/136163/files#diff-02d33a1ed6679f7775dc01941ca21b085d7c008ecffe5e029f5967407a5e5b13L23
in 8.4.

The bug: A filter on the timeline UI relied on the `exceptions_list`
field provided on `_source` to auto-generate a filter when investigating
in timeline labelled `Not Exceptions` which would filter out the
exceptions from the timeline. This PR resolves that issue by pulling the
`exceptions_list` field from `kibana.alert.rule.parameters`.

Second:
https://github.com/elastic/kibana/pull/133254/files#diff-0f69b69fd9cefef6ed04a048d7df86b7e385e816bdf17309212437dc3f69726cL74

The filter actually stopped being passed to timeline entirely because of
the above change.

With the fixes in place:


https://user-images.githubusercontent.com/17211684/203111748-7a0c2eb5-a46f-4f88-9d77-3628204625ac.mov
2022-11-28 16:08:48 +01:00
Khristinin Nikita
6102f0e39b
Fix close alerts from flyout (#145939)
## Closing alerts from flyout effect only alerts related to this rule

Fix: https://github.com/elastic/kibana/issues/145675

For the exceptions component, we need to have `rule.rule_id` which
wasn't initially in the timeline response.
We can't safely use `rule.id`, it is [described
here](https://github.com/elastic/kibana/pull/120053).

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-11-23 18:21:04 +01:00
Constance
c408cebb12
Upgrade EUI to v70.2.4 (#144845)
## Summary
`eui@67.1.8` → `eui@70.2.2`

⚠️ Note: This upgrade contains breaking changes to `EuiFlexGroup` and
`EuiFlexGrid`, primarily around switching margins and negative margins
to `gap`. Please do a quick QA pass of your app to scan for any issues.
We're happy to help resolve minor fixes, or potentially follow up after
PR merges. You can find us over in #eui!

## [`70.2.4`](https://github.com/elastic/eui/tree/v70.2.4)

**Bug fixes**

- Fixed visual bug in nested `EuiFlexGroup`s, where the parent
`EuiFlexGroup` is responsive but a child `EuiFlexGroup` is not
([#6381](https://github.com/elastic/eui/pull/6381))

## [`70.2.3`](https://github.com/elastic/eui/tree/v70.2.3)

**Bug fixes**

- Fixed incorrect margins in `EuiSuperDatePicker` caused by `EuiFlex`
CSS gap change ([#6380](https://github.com/elastic/eui/pull/6380))

## [`70.2.2`](https://github.com/elastic/eui/tree/v70.2.2)

- `EuiButton` now accepts `minWidth={false}`
([#6373](https://github.com/elastic/eui/pull/6373))

**Bug fixes**

- `EuiButton` no longer outputs unnecessary inline styles for
`minWidth={0}` or `minWidth={false}`
([#6373](https://github.com/elastic/eui/pull/6373))
- `EuiFacetButton` no longer reports type issues when passing props
accepted by `EuiButton`
([#6373](https://github.com/elastic/eui/pull/6373))
- Fixed the shadow sizes of `.eui-yScrollWithShadows` and
`.eui-xScrollWithShadows`
([#6374](https://github.com/elastic/eui/pull/6374))


## [`70.2.1`](https://github.com/elastic/eui/tree/v70.2.1)

**Bug fixes**

- Re-fixed `EuiPageSection` not correctly merging `contentProps.css`
([#6365](https://github.com/elastic/eui/pull/6365))
- Fixed `EuiTab` not defaulting to size `m`
([#6366](https://github.com/elastic/eui/pull/6366))

## [`70.2.0`](https://github.com/elastic/eui/tree/v70.2.0)

- Added a keyboard shortcuts popover to `EuiDataGrid`'s toolbar. This
can be visually hidden via `toolbarVisibility.showKeyboardShortcuts`,
but will always remain accessible to keyboard and screen reader users.
([#6036](https://github.com/elastic/eui/pull/6036))
- `EuiScreenReaderOnly`'s `showOnFocus` prop now also shows on focus
within its children ([#6036](https://github.com/elastic/eui/pull/6036))
- Added `onFocus` prop callback to `EuiSuperDatePicker`
([#6320](https://github.com/elastic/eui/pull/6320))

**Bug fixes**

- Fixed `EuiSelectable` to ensure the full options list is re-displayed
when the search bar is controlled and cleared using `searchProps.value`
([#6317](https://github.com/elastic/eui/pull/6317))
- Fixed incorrect padding on `xl`-sized `EuiTabs`
([#6336](https://github.com/elastic/eui/pull/6336))
- Fixed `EuiCard` not correctly merging `css` on its child `icon`s
([#6341](https://github.com/elastic/eui/pull/6341))
- Fixed `EuiCheckableCard` not setting `css` on the correct DOM node
([#6341](https://github.com/elastic/eui/pull/6341))
- Fixed a webkit rendering issue with `EuiModal`s containing
`EuiBasicTable`s tall enough to scroll
([#6343](https://github.com/elastic/eui/pull/6343))
- Fixed bug in `to_initials` that truncates custom initials
([#6346](https://github.com/elastic/eui/pull/6346))
- Fix bug in `EuiCard` where layout breaks when `horizontal` and
`selectable` are both passed
([#6348](https://github.com/elastic/eui/pull/6348))

## [`70.1.0`](https://github.com/elastic/eui/tree/v70.1.0)

- Added the `hint` prop to the `<EuiSearchBar />`. This prop lets the
consumer render a hint below the search bar that will be displayed on
focus. ([#6319](https://github.com/elastic/eui/pull/6319))
- Added the `hasDragDrop` prop to `EuiPopover`. Use this prop if your
popover contains `EuiDragDropContext`.
([#6329](https://github.com/elastic/eui/pull/6329))

**Bug fixes**

- Fixed `EuiButton`'s cursor style when the button is disabled
([#6323](https://github.com/elastic/eui/pull/6323))
- Fixed `EuiPageTemplate` not recognizing child
`EuiPageSidebar`s/`EuiPageTemplate.Sidebar`s with `css` props
([#6324](https://github.com/elastic/eui/pull/6324))
- Fixed `EuiBetaBadge` to always respect its `anchorProps` values,
including when there is no tooltip content
([#6326](https://github.com/elastic/eui/pull/6326))
- Temporarily patched `EuiModal` to not cause scroll-jumping issues on
modal open ([#6327](https://github.com/elastic/eui/pull/6327))
- Fixed buggy drag & drop behavior within `EuiDataGrid`'s columns &
sorting toolbar popovers
([#6329](https://github.com/elastic/eui/pull/6329))
- Fixed `EuiButton` not correctly passing `textProps` for children
inside fragments or i18n components
([#6332](https://github.com/elastic/eui/pull/6332))
- Fixed `EuiButton` not correctly respecting `minWidth={0}`
([#6332](https://github.com/elastic/eui/pull/6332))

**CSS-in-JS conversions**

- Converted `EuiTabs` to Emotion
([#6311](https://github.com/elastic/eui/pull/6311))

## [`70.0.0`](https://github.com/elastic/eui/tree/v70.0.0)

- Added the `enabled` option to the `<EuiInMemoryTable />`
`executeQueryOptions` prop. This option prevents the Query from being
executed when controlled by the consumer.
([#6284](https://github.com/elastic/eui/pull/6284))

**Bug fixes**

- Fixed `EuiOverlayMask` to set a
`[data-relative-to-header=above|below]` attribute to replace the
`--aboveHeader` and `--belowHeader` classNames removed in its Emotion
conversion ([#6289](https://github.com/elastic/eui/pull/6289))
- Fixed `EuiHeader` CSS using removed `EuiOverlayMask` class modifiers
([#6293](https://github.com/elastic/eui/pull/6293))
- Fixed `EuiToolTip` not respecting reduced motion preferences
([#6295](https://github.com/elastic/eui/pull/6295))
- Fixed a bug with `EuiTour` where passing any `panelProps` would cause
the beacon to disappear
([#6298](https://github.com/elastic/eui/pull/6298))

**Breaking changes**

- `@emotion/css` is now a required peer dependency, alongside
`@emotion/react` ([#6288](https://github.com/elastic/eui/pull/6288))
- `@emotion/cache` is no longer required peer dependency, although your
project must still use it if setting custom cache/injection locations
([#6288](https://github.com/elastic/eui/pull/6288))

**CSS-in-JS conversions**

- Converted `EuiCode` and `EuiCodeBlock` to Emotion; Removed
`euiCodeSyntaxTokens` Sass mixin and `$euiCodeBlockPaddingModifiers`;
([#6263](https://github.com/elastic/eui/pull/6263))
- Converted `EuiResizableContainer` and `EuiResizablePanel` to Emotion
([#6287](https://github.com/elastic/eui/pull/6287))

## [`69.0.0`](https://github.com/elastic/eui/tree/v69.0.0)

- Added support for `fullWidth` prop on EuiForm, which will be the
default for all rows/controls within
([#6229](https://github.com/elastic/eui/pull/6229))
- Added support for `onResizeStart` and `onResizeEnd` callbacks to
`EuiResizableContainer`
([#6236](https://github.com/elastic/eui/pull/6236))
- Added optional case sensitive option matching to `EuiComboBox` with
the `isCaseSensitive` prop
([#6268](https://github.com/elastic/eui/pull/6268))
- `EuiFlexItem` now supports `grow={0}`
([#6270](https://github.com/elastic/eui/pull/6270))
- Added the `alignItems` prop to `EuiFlexGrid`
([#6281](https://github.com/elastic/eui/pull/6281))
- Added `filter`, `filterExclude`, `filterIgnore`, `filterInclude`,
`indexTemporary`, `infinity`, `sortAscending`, and `sortDescending`
glyphs to `EuiIcon` ([#6282](https://github.com/elastic/eui/pull/6282))

**Bug fixes**

- Fixed `EuiTextProps` to show the `color` type option `inherit` as
default ([#6267](https://github.com/elastic/eui/pull/6267))
- `EuiFlexGroup` now correctly respects `gutterSize` when responsive
([#6270](https://github.com/elastic/eui/pull/6270))
- Fixed the last breadcrumb in `EuiBreadcrumbs`'s `breadcrumbs` array
not respecting `truncate` overrides
([#6280](https://github.com/elastic/eui/pull/6280))

**Breaking changes**

- `EuiFlexGrid` no longer supports `columns={0}`. Use `EuiFlexGroup`
instead for normal flex display
([#6270](https://github.com/elastic/eui/pull/6270))
- `EuiFlexGrid` now uses modern `display: grid` CSS
([#6270](https://github.com/elastic/eui/pull/6270))
- `EuiFlexGroup`, `EuiFlexGrid`, and `EuiFlexItem` now use modern `gap`
CSS instead of margins and negative margins
([#6270](https://github.com/elastic/eui/pull/6270))
- `EuiFlexGroup` no longer applies responsive styles to `column` or
`columnReverse` directions
([#6270](https://github.com/elastic/eui/pull/6270))

**CSS-in-JS conversions**

- Converted `EuiFlexGroup`, `EuiFlexGrid`, and `EuiFlexItem` to Emotion
([#6270](https://github.com/elastic/eui/pull/6270))

## [`68.0.0`](https://github.com/elastic/eui/tree/v68.0.0)

- Added `beta` glyph to `EuiIcon`
([#6250](https://github.com/elastic/eui/pull/6250))
- Added `launch` and `spaces` glyphs to `EuiIcon`
([#6260](https://github.com/elastic/eui/pull/6260))
- Added the `fallbackDestination` prop to `EuiSkipLink`, which accepts a
string of query selectors to fall back to if the `destinationId` does
not have a valid target. Defaults to `main`
([#6261](https://github.com/elastic/eui/pull/6261))
- `EuiSkipLink` is now always an `a` tag to ensure that it is always
placed within screen reader link menus.
([#6261](https://github.com/elastic/eui/pull/6261))

**Bug fixes**

- Fixed `EuiSuperDatePicker` not correctly merging passed `className`s
([#6253](https://github.com/elastic/eui/pull/6253))
- Fixed `EuiColorStops` not correctly merging in passed
`data-test-subj`s, `style`s, or `...rest`
([#6255](https://github.com/elastic/eui/pull/6255))
- Fixed `EuiResizablePanel` incorrectly passing `style` to the wrapper
instead of the panel. Use `wrapperProps.style` to pass styles to the
wrapper. ([#6255](https://github.com/elastic/eui/pull/6255))
- Fixed custom `onClick`s passed to `EuiSkipLink` overriding
`overrideLinkBehavior`
([#6261](https://github.com/elastic/eui/pull/6261))

**Breaking changes**

- Removed `inherit` and `ghost` color from `EuiListGroupItem`
([#6207](https://github.com/elastic/eui/pull/6207))
- Changed default color to `text` instead of `inherit`
([#6207](https://github.com/elastic/eui/pull/6207))

**CSS-in-JS conversions**

- Converted `EuiListGroup` and `EuiListGroupItem` to Emotion; Removed
`$euiListGroupGutterTypes`, `$euiListGroupItemColorTypes` and
`$euiListGroupItemSizeTypes`;
([#6207](https://github.com/elastic/eui/pull/6207))
- Converted `EuiBadgeGroup` to Emotion
([#6258](https://github.com/elastic/eui/pull/6258))
- Converted `EuiBetaBadge` to Emotion
([#6258](https://github.com/elastic/eui/pull/6258))
- Converted `EuiNotificationBadge` to Emotion
([#6258](https://github.com/elastic/eui/pull/6258))

Co-authored-by: Elizabet Oliveira <elizabet.oliveira@elastic.co>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-11-18 14:21:28 -06:00
christineweng
3c77ec0633
[Security Solution][Bug fix] alerts table over 10k results (#145441)
This PR aims to address:
- https://github.com/elastic/kibana/issues/142965

### Background
On Alerts page -> Events table -> Event Rendered view, when there are
over 10,000 alerts, upon clicking the last page, a warning message
appears.

<img width="800" alt="image"
src="https://user-images.githubusercontent.com/18648970/202265598-5d9d657c-4918-408e-9f92-bcaafc904757.png">

The pop up is expected behavior according to documentation from:
https://www.elastic.co/guide/en/elasticsearch/reference/current/paginate-search-results.html
.

> By default, you cannot use from and size to page through more than
10,000 hits. This limit is a safeguard set by the
[index.max_result_window](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-modules.html#index-max-result-window)
index setting.


### After
Currently the Grid view has a safeguard in place, where if there are
more than 10k results, it will not show the last page, hence preventing
the user from clicking it and seeing the error pop up.
- This PR applies the same approach by wrapping the `EventRenderView`
component with the `EuiDataGridContainer`.
- This PR also renamed `EuiDataGridContainer` to
`EuiEventTableContainer` to indicate broader use.

When there are over 10k records, last page is not available in
pagination, and it is the same in Event Rendered View as in Grid view:




https://user-images.githubusercontent.com/18648970/202271379-309cbb3c-5da6-4c46-9814-beeca39d1f36.mov
2022-11-16 15:38:43 -08:00
Kevin Qualters
072c70dc99
[Security Solution] Investigation guide - insights in markdown (#145240)
## Summary

This pr adds a new parsing plugin to the EuiMarkdownEditor used in
security solution that enables users to create run time queries that can
be parameterized from alert data, or hard coded literal values. A count
of the matching events is displayed in a button that when clicked will
open the same event set in timeline. Markdown is expected to be in the
following format:

`!{insight{"description":"2 top level OR providers, 1 nested
AND","label":"test insight", "providers": [[{ "field": "event.id",
"value": "kibana.alert.original_event.id", "type": "parameter" }], [{
"field": "event.category", "value": "network", "type": "literal" },
{"field": "process.pid", "value": "process.pid", "type":
"parameter"}]]}}`

The 2d array is used to allow nested queries, the top level arrays are
OR'ed together, and the inner array AND'ed together:
<img width="438" alt="image"
src="https://user-images.githubusercontent.com/56408403/201940553-96ab3d39-48fa-404f-ab2e-8946b532567b.png">


Following a prefix of !insight, the configuration object takes optional
description and label strings, along with a 2 dimensional array called
"providers". This value corresponds to what are called data providers in
the timeline view,

![image](https://user-images.githubusercontent.com/56408403/201936006-64e32d99-2764-4650-bd8b-da0a9420f8ed.png)


and are arrays of filters with 3 fields, "field" which is the field name
for that part of the query clause, "value" which is the value to be
used, and "type" which is either "parameter" or "literal". Filters of
type parameter expect value to be the name of a field present in an
alert document, and will use the value in the underlying document if
found. If the field is not present for some reason, a wildcard is used.
If the markdown is rendered in a context not tied to a specific alert,
parameter fields are treated as a timeline template field.
<img width="632" alt="image"
src="https://user-images.githubusercontent.com/56408403/201940922-7114a75f-0430-4397-8384-59f4e960ec9c.png">




### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
2022-11-16 08:17:40 -07:00
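The following is an added example and not Kibana's own parsing plugin: it parses the `!{insight{...}}` markdown syntax described in the commit above and turns the 2D "providers" array into a KQL string, OR'ing the top-level arrays and AND'ing the inner ones. The alert document shape, the `{field}` rendering used for the template context and the sample data are assumptions.

```typescript
// Added example, not Kibana code: parses the `!{insight{...}}` markdown syntax
// described above and turns the 2D "providers" array into a KQL string (outer
// arrays OR'ed, inner arrays AND'ed). The alert document shape, the `{field}`
// rendering used for template context and the sample data are assumptions.

interface InsightProvider {
  field: string;
  value: string | number;
  type: 'parameter' | 'literal';
}

interface Insight {
  description?: string;
  label?: string;
  providers: InsightProvider[][];
}

/** Flattened alert document (assumed shape): field name -> value. */
type AlertDoc = Record<string, string | number | undefined>;

const INSIGHT_PREFIX = '!{insight';

function isInsightProvider(p: unknown): p is InsightProvider {
  if (typeof p !== 'object' || p === null) return false;
  const o = p as Record<string, unknown>;
  return (
    typeof o.field === 'string' &&
    (typeof o.value === 'string' || typeof o.value === 'number') &&
    (o.type === 'parameter' || o.type === 'literal')
  );
}

/** Parse one insight block; rejects anything that is not the documented shape. */
function parseInsight(markdown: string): Insight {
  const text = markdown.trim();
  if (text.indexOf(INSIGHT_PREFIX) !== 0 || text.charAt(text.length - 1) !== '}') {
    throw new Error('not an insight block');
  }
  // The JSON config sits between the prefix and the final closing brace.
  const raw: unknown = JSON.parse(text.slice(INSIGHT_PREFIX.length, -1));
  if (typeof raw !== 'object' || raw === null) {
    throw new Error('insight config must be an object');
  }
  const cfg = raw as Record<string, unknown>;
  const providers = cfg.providers;
  if (
    !Array.isArray(providers) ||
    !providers.every((group) => Array.isArray(group) && group.every(isInsightProvider))
  ) {
    throw new Error('providers must be a 2D array of {field, value, type}');
  }
  return {
    description: typeof cfg.description === 'string' ? cfg.description : undefined,
    label: typeof cfg.label === 'string' ? cfg.label : undefined,
    providers: providers as InsightProvider[][],
  };
}

/** Quote a value so that alert data or literals cannot inject extra KQL syntax. */
function kqlValue(v: string | number): string {
  if (typeof v === 'number') return String(v);
  return '"' + v.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

function providerToKql(p: InsightProvider, alert?: AlertDoc): string {
  if (p.type === 'literal') return p.field + ': ' + kqlValue(p.value);
  // "parameter": value names a field of the alert; a missing field becomes a wildcard.
  if (alert === undefined) {
    return p.field + ': {' + String(p.value) + '}'; // template context (assumed rendering)
  }
  const resolved = alert[String(p.value)];
  return p.field + ': ' + (resolved === undefined ? '*' : kqlValue(resolved));
}

/** Top-level groups are OR'ed, providers inside a group are AND'ed. */
function insightToKql(insight: Insight, alert?: AlertDoc): string {
  return insight.providers
    .map((group) => '(' + group.map((p) => providerToKql(p, alert)).join(' AND ') + ')')
    .join(' OR ');
}
```

Because the configuration is user-authored markdown that ends up in a query, the parser rejects anything outside the documented shape and every resolved value is quoted before it reaches KQL; a missing parameter field degrades to a wildcard exactly as the description says.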
Kristof C
7ac6561697
142435 add is one of operator (#144988)
## Summary

This PR adds support for an is one of operator allowing users to filter
multiple values for one field.

[Some investigation](https://discuss.elastic.co/t/passing-multiple-values-in-kibana-add-filter-is-one-of/232694/2) by
@andrew-goldstein revealed that since the underlying engine uses Lucene,
we can add support for multiple values by using an OR query:

`kibana.alert.workflow_status: ("open" OR "closed" OR "acknowledged")`
is equivalent to
```
"terms": {
      "kibana.alert.workflow_status": [ "open", "closed", "acknowledged"]
    }
```
Where the former is usable in our `DataProviders` used by timeline and
other components that navigate a user to a pre-populated timeline.

As an enhancement to the timeline view, users can also use this `is one
of` operator by interacting with the `Add field` button and selecting
the new operator.

<img width="433" alt="image"
src="https://user-images.githubusercontent.com/28942857/193487154-769005b6-3e5a-40bf-9476-8dd3f3bcb8ee.png">

### Checklist

Delete any items that are not applicable to this PR.

- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios


## Known issues
This operator does not support timeline templates at this time so usage
there disables the ability for conversion to template field but a better
approach should be implemented to notify users.
https://github.com/elastic/kibana/issues/142437. For now I have added a
template message and prevented users from creating templates with this
operator:

<img width="374" alt="image"
src="https://user-images.githubusercontent.com/28942857/201157676-80017c6c-9f5b-4cd7-ba0b-ee2e43a884cb.png">



## Testing
Create a new timeline or visit an existing one. 
Click 'Add field' button on Timeline in OR query section
Add any field (preferably one that can have many values; consider
`kibana.alerts.workflow_status`, but this requires alerts).
Select the `is one of` or `is not one of` operator.
Add or remove values in the value section.
Click save.

Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-11-16 07:06:20 -07:00
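As an added example (not code from the PR or from Kibana), here are the two forms of an "is one of" / "is not one of" data provider that the commit above describes: the KQL `field: ("a" OR "b")` clause usable by the timeline `DataProviders`, and the equivalent Elasticsearch `terms` query. The provider shape and the operator names are assumptions; the sample values are constructed.

```typescript
// Added example, not Kibana code: the two forms of an "is one of" / "is not one
// of" data provider, i.e. the KQL `field: ("a" OR "b")` clause used by timeline
// data providers and the equivalent Elasticsearch `terms` query. The provider
// shape and operator names are assumptions; the sample values are constructed.

type MultiValueOperator = 'is one of' | 'is not one of';

interface MultiValueProvider {
  field: string;
  values: Array<string | number>;
  operator: MultiValueOperator;
}

/** Quote string values and escape backslashes and quotes so a value cannot break out of the clause. */
function kqlLiteral(v: string | number): string {
  if (typeof v === 'number') return String(v);
  return '"' + v.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

/** KQL form: `field: ("a" OR "b" OR 3)`, negated with a leading `not` for "is not one of". */
function multiValueToKql(p: MultiValueProvider): string {
  if (p.values.length === 0) {
    throw new Error('"' + p.operator + '" needs at least one value');
  }
  const clause = p.field + ': (' + p.values.map(kqlLiteral).join(' OR ') + ')';
  return p.operator === 'is not one of' ? 'not ' + clause : clause;
}

/** Query DSL form: a `terms` query, wrapped in `bool.must_not` for "is not one of". */
function multiValueToEsQuery(p: MultiValueProvider): Record<string, unknown> {
  if (p.values.length === 0) {
    throw new Error('"' + p.operator + '" needs at least one value');
  }
  const terms: Record<string, unknown> = { terms: { [p.field]: p.values.slice() } };
  return p.operator === 'is not one of' ? { bool: { must_not: [terms] } } : terms;
}

// Constructed sample: the workflow-status provider from the description.
const WORKFLOW_STATUS_PROVIDER: MultiValueProvider = {
  field: 'kibana.alert.workflow_status',
  values: ['open', 'closed', 'acknowledged'],
  operator: 'is one of',
};
```

The escaping in `kqlLiteral` is the part worth keeping in mind: provider values are typed by users into the timeline UI and then concatenated into a query string, so quotes and backslashes inside a value must not be able to terminate the quoted literal. An empty value list is rejected rather than silently producing `field: ()`.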
christineweng
05d1ff852c
[Security Solution][Bug] fix popover in t-grid (#145025)
This PR contains fixes for the following issues:

#### # 1 Popover overlaps flyout
- https://github.com/elastic/kibana/issues/139280
- https://github.com/elastic/kibana/issues/128235
#### # 2 Popover persists after clicking filter out
- https://github.com/elastic/kibana/issues/115341
#### # 3 Popover persists after clicking a button outside of popover
- https://github.com/elastic/kibana/issues/118844

## Background
Previously, a cell's popover remains open after clicking an action. In
many cases we want the popover to close upon clicking on a cell action.
EUI team addressed this by adding a `closeCellPopover` to a `ref` API.
- https://github.com/elastic/eui/pull/5590

In T-grid, there are 2 types of cell actions: 
- Default cell actions such as filter in, filter out, add to timeline
and copy. `closeCellPopover` is not used.
- Formatted fields that have more information in the form of flyouts
(host name, user name, ip, etc.)
`closeCellPopover` prop is passed but currently not working as expected.

This PR contains fixes for: 
- Fixing `closeCellPopover` in T-grid body for formatted fields - fixes
# 1
- Adding `closeCellPopover` props in default cell actions - fixes # 2
and # 3

## # 1 - `closeCellPopover` in T-grid 

`dataGridRef.current?.closeCellPopover` was added and intended to close
any open popovers when a cell action is clicked. However, because it is
a mutable object, it is not being monitored in `columnsWithCellActions`.
When the page is initially loaded, `dataGridRef.current` remains null
and it does not update until the page re-renders and `dataGridRef`
becomes non-null.
- After: popover closes properly


https://user-images.githubusercontent.com/18648970/201202326-ec657f78-c425-46a6-9356-f6e9ef1ab798.mov


## # 2 & # 3 Add `closeCellPopover` to default cell actions

- After: upon opening the expansion popover and clicking any option,
the popover will disappear


https://user-images.githubusercontent.com/18648970/201417542-063c514b-5474-4676-a747-a9401627c5e8.mov

- After: upon opening the expansion popover and clicking any option
outside it, the popover will disappear


https://user-images.githubusercontent.com/18648970/201417678-7cf0fefa-f4a7-4a70-9a10-76b248323639.mov

Note for UX: although QA only flagged `filter out` and `add to
timeline`, for consistency's sake, the expansion popover will disappear
after clicking any of the cell actions, which includes `filter in` and
`copy`.
2022-11-15 17:02:55 -07:00
Marshall Main
a2647ab67c
[Security Solution][Alerts] Alert suppression per rule execution (#142686)
## Summary

Addresses https://github.com/elastic/kibana/issues/130699

This PR implements alert throttling per rule execution for query and
saved query rules. The implementation is very similar in concept to
threshold rules. We allow users to pick one or more fields to group
source documents by and use a composite aggregation to collect documents
bucketed by those fields. We create 1 alert for each bucket based on the
first document in the bucket and add metadata to the alert that
represents how to retrieve the rest of the documents in the bucket.

The metadata fields are:
- `kibana.alert.suppression.terms`: `{field: string; value: Array<string
| number>}` An array of objects, each object represents one of the terms
used to group these alerts
- `kibana.alert.suppression.start`: `Date` The timestamp of the first
document in the bucket
- `kibana.alert.suppression.end`: `Date` The timestamp of the last
document in the bucket
- `kibana.alert.suppression.docs_count`: `number` The number of
suppressed alerts

There is one new rule parameter, currently implemented at the solution
level, to enable this feature: `alertSuppression.groupBy`: `string[]`.

Similar to threshold rules, the throttled query rules keep track of
created alerts in the rule state in order to filter out duplicate
documents in subsequent rule executions. When a throttled alert is
created, we store the bucket information including field names, values,
and end date in the rule state. Subsequent rule executions convert this
state into a filter that excludes documents that have already been
covered by existing alerts. This is necessary because consecutive rule
executions will typically query overlapping time ranges.

## Screenshots
### Rule Create/Edit With License
<details>


![image](https://user-images.githubusercontent.com/55718608/201762013-c973b121-e85a-4163-a645-24beaa738add.png)
</details>

### Rule Details With License
<details>


![image](https://user-images.githubusercontent.com/55718608/201970156-6e64fe01-e7b2-43c0-a740-45f72ad21863.png)
</details>

### Rule Create, or Rule Edit of a rule without existing suppression
configuration, Without License
<details>


![image](https://user-images.githubusercontent.com/55718608/201763392-20364d77-809b-46a0-b3c0-9ca7fe04f636.png)
</details>

### Editing a rule that has existing suppression configuration, but
without the correct license, still allows changing the configuration (to
allow removing the params)
<details>


![image](https://user-images.githubusercontent.com/55718608/201763671-afb2e7b8-6c8f-4a5e-8947-99ad21dd92f9.png)
</details>

### Rule Details Without License
<details>


![image](https://user-images.githubusercontent.com/55718608/201970472-8e69267d-7c53-4172-9b45-b8b46ebd67bc.png)
</details>

### Alerts table
<details>


![image](https://user-images.githubusercontent.com/55718608/201968736-e0165387-bb08-45ce-a92f-5e2b428c7426.png)
</details>

### Known issues
- The layers icon in the rule name for suppressed alerts does not show
up in the rule preview table

Co-authored-by: Madi Caldwell <madison.caldwell@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-11-15 11:08:41 -08:00
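The following is an added example, not Kibana's rule-execution code: an in-memory model of the suppression behaviour the commit above describes. The real implementation groups source documents with an Elasticsearch composite aggregation; here the bucketing runs in memory so it works offline, but the alert metadata fields and the state-based exclusion of already-alerted documents on the next execution follow the description. The document shape, the rule-state layout and the sample documents are assumptions.

```typescript
// Added example, not Kibana code: an in-memory model of alert suppression per
// rule execution. The real rule type buckets documents with an Elasticsearch
// composite aggregation; here the bucketing is done in memory. The metadata
// field names come from the description; the document shape, the rule-state
// layout and the sample documents are assumptions.

interface SourceDoc {
  '@timestamp': string;
  [field: string]: string | number;
}

interface SuppressionTerm {
  field: string;
  value: Array<string | number>;
}

interface SuppressedAlert {
  'kibana.alert.suppression.terms': SuppressionTerm[];
  'kibana.alert.suppression.start': string;
  'kibana.alert.suppression.end': string;
  'kibana.alert.suppression.docs_count': number;
  /** The alert is built from the first document in the bucket. */
  source: SourceDoc;
}

/** Rule state carried between executions (assumed layout): bucket key -> end timestamp already alerted on. */
type SuppressionState = Record<string, string>;

function bucketKey(doc: SourceDoc, groupBy: string[]): string {
  return JSON.stringify(groupBy.map((f) => (f in doc ? doc[f] : null)));
}

function runSuppressedExecution(
  docs: SourceDoc[],
  groupBy: string[],
  state: SuppressionState
): { alerts: SuppressedAlert[]; state: SuppressionState } {
  // Order by time so the "first" and "last" document per bucket are well defined.
  const sorted = docs.slice().sort((a, b) => a['@timestamp'].localeCompare(b['@timestamp']));
  const buckets: Record<string, SourceDoc[]> = {};
  const order: string[] = [];
  for (const doc of sorted) {
    const key = bucketKey(doc, groupBy);
    // Consecutive executions query overlapping time ranges: skip documents the
    // previous execution already folded into an alert for this bucket.
    const coveredUntil = state[key];
    if (coveredUntil !== undefined && doc['@timestamp'] <= coveredUntil) continue;
    if (!buckets[key]) {
      buckets[key] = [];
      order.push(key);
    }
    buckets[key].push(doc);
  }
  const alerts: SuppressedAlert[] = [];
  const nextState: SuppressionState = { ...state };
  for (const key of order) {
    const bucket = buckets[key];
    const first = bucket[0];
    const last = bucket[bucket.length - 1];
    alerts.push({
      'kibana.alert.suppression.terms': groupBy.map((field) => ({
        field,
        value: field in first ? [first[field]] : [],
      })),
      'kibana.alert.suppression.start': first['@timestamp'],
      'kibana.alert.suppression.end': last['@timestamp'],
      'kibana.alert.suppression.docs_count': bucket.length,
      source: first,
    });
    nextState[key] = last['@timestamp'];
  }
  return { alerts, state: nextState };
}

// Constructed sample data: two executions whose query windows overlap.
const GROUP_BY = ['host.name', 'user.name'];
const SAMPLE_RUN_1: SourceDoc[] = [
  { '@timestamp': '2022-11-15T10:00:00Z', 'host.name': 'h1', 'user.name': 'alice' },
  { '@timestamp': '2022-11-15T10:01:00Z', 'host.name': 'h1', 'user.name': 'alice' },
  { '@timestamp': '2022-11-15T10:02:00Z', 'host.name': 'h2', 'user.name': 'bob' },
  { '@timestamp': '2022-11-15T10:03:00Z', 'host.name': 'h1', 'user.name': 'alice' },
];
// The second window still contains the 10:02 and 10:03 documents, plus one new one.
const SAMPLE_RUN_2: SourceDoc[] = [
  { '@timestamp': '2022-11-15T10:02:00Z', 'host.name': 'h2', 'user.name': 'bob' },
  { '@timestamp': '2022-11-15T10:03:00Z', 'host.name': 'h1', 'user.name': 'alice' },
  { '@timestamp': '2022-11-15T10:04:00Z', 'host.name': 'h1', 'user.name': 'alice' },
];
```

Running `runSuppressedExecution(SAMPLE_RUN_1, GROUP_BY, {})` yields two alerts (three documents folded into the `h1`/`alice` alert, one for `h2`/`bob`); feeding the returned state into a second run over `SAMPLE_RUN_2` yields a single alert for the one document newer than the stored end timestamp, which is the duplicate-suppression property the description relies on. A document timestamped exactly at the stored end is treated as already covered here; the cut-off at a tie is a modelling choice, not something the commit specifies.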
Michael Olorunnisola
aaf8462a38
[Security Solution][Investigations] - Fix pagination (#145004)
## Summary

This PR addresses https://github.com/elastic/kibana/issues/144975 .

Why this happened: Filter status was added here in this PR:
https://github.com/elastic/kibana/pull/144291/files#diff-5796dde9b49a93dcce15ee9ea2133002123cbb9802033e07ae9db0c9739d08c6R266,
but wasn't passed through here
https://github.com/elastic/kibana/pull/142737/files#diff-6ab300638b4c9d274e5508a7a9d3f94ca62e3ead9839ad6d536c09affbbef877R443
. This led to a value of `undefined` always being passed for
`filterStatus` within the query, preventing the necessary update in the
`useEffect`.


This PR re-introduces the pass through of that value.



https://user-images.githubusercontent.com/17211684/201157342-8e434d0d-fcac-42fb-b4c7-715e465156a6.mov
2022-11-10 11:24:53 -07:00
Jatin Kathuria
92d907cd93
[Security Solution] [Feat] Add Bulk Events to Timeline. (#142737)
This PR implements functionality to add multiple events to the timeline.
It implements:

1. Selected events (max 4000) can be added to the timeline.


## Implementation.

1. At present, it only supports adding multiple records in the timeline
as `kql Filters`. https://github.com/elastic/kibana/pull/142436 is in
progress to implement `is-one-of` operator in the data provider. Once
that is moved to `main`, we can change value of `prefer` parameter to
send the IDs in `dataProvider` rather than filter.

If you would like to test it with
https://github.com/elastic/kibana/pull/142436, please clone :
https://github.com/logeekal/kibana/tree/bulk_actions_add_timeline_with_is_one_of


2. Below is a demonstration of how it works.

https://user-images.githubusercontent.com/7485038/199056731-4287fc61-9d0b-4cf3-ba1f-741f6b66ae97.mov
2022-11-09 07:48:12 -07:00
Bree Hall
4e9f1c0d04
Bumping EUI to version 67.1.8 (#141279)
* Updated EUI to version 67.1.2. Updated instances of ButtonColor from EUI to EuiButtonColor.

* Updated to EuiCard instances that utilize the betaBadgeProps object to return an empty string instead of undefined when the label is unavailable

* Removed two instances of the deprecated internetExplorerOnly() mixin

* Updated two instances of the ButtonColor import to EuiButtonColor as it was renamed in PR #6150

* Updated snapshots in Jest Test Suite #1 to account for EuiButton and EuiCard Emotion conversions. Updated snapshots for EuiTooltip as it now contains the new EuiToolTipAnchor component that replaced the tooltip anchor styles

* Updated snapshots in Jest Test Suite #2 to account for EuiButton, EuiDescriptionList, EuiButtonIcon, and EuiBadge Emotion conversions.

* Updated snapshots in Jest Test Suite #3 to account for EuiDescriptionList, EuiButton, and EuiBadge Emotion conversions. Updated snapshots for EuiTooltip as it now contains the new EuiTooltipAnchor component that replaced the tooltip anchor styles

* Updated snapshots in Jest Test Suite #4 to account for EuiButton Emotion conversion.

* Updated snapshots in Jest Test Suite #5 to account for EuiButton Emotion conversion.

* Updated snapshots in Jest Test Suite #8 to account for EuiButtonIcon and EuiButton Emotion conversions. Updated snapshots for EuiTooltip as it now contains the new EuiTooltipAnchor component that replaced the tooltip anchor styles.

* Updated snapshots in Jest Test Suite #9 to account for EuiFlyout and EuiButton Emotion conversions.

* Updated snapshots in Jest Test Suite #10 to account for EuiButton, EuiBadge, EuiButtonIcon, and EuiCard Emotion conversions. Updated snapshots for EuiToolTip as it now contains the new EuiTooltipAnchor component that replaced the tooltip anchor styles

* Updated instances of EuiButtonIconColor to use EuiButtonIconProps['color'] as it was removed in PR #6150

* Updated tests that target EuiButton to simulate click events to target a generic button to prevent undefined click event errors

* Updated snapshots in Jest Test Suite #1 to account for EuiButton and EuiCard Emotion conversions

* Added the EuiFlyout mixins and variables to Lens Sass file as EuiFlyout has been converted to Emotion and the Sass styles are no longer available in EUI

* Added the EuiCallOutTypes variable to Step Progress Sass file as EuiCallOut has been converted to Emotion and the Sass styles are no longer available in EUI

* Updated snapshots in Jest Test Suite #2 to account for recent Emotion conversions.
Updated snapshots in server_status.test.tsx to render EuiBadge before checking the snapshots to reduce the snapshot churn caused by Emotion.
Updated tests that target EuiButton to simulate click events to target a generic button to prevent undefined click event errors

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

* Added imports for the added flyout mixin. Removed references to EuiCallOut mixin as the component has been converted to Emotion and is no longer available for use.

* Updated unit tests and snapshots in Jest Test Suite #10.
Updated snapshots to account for EuiBadge, EuiDescriptionList, EuiFlyout, and EuiCard Emotion conversions. Updated snapshots for EuiTooltip as it now contains the new EuiTooltipAnchor component that replaced the tooltip anchor styles.
Updated tests that target EuiButton to simulate click events to target a generic button element to prevent undefined click event errors

* Updated unit tests in Jest Test Suite #11 that target EuiButton to simulate click events to target a generic button to prevent undefined click event errors

* Updated unit tests in Jest Test Suite #12 by updating tests that target EuiButton to simulate click events. Instead, these tests now target a generic button element to prevent undefined click event errors

* Updated unit tests in Jest Test Suite #1 by updating tests that target EuiButton to simulate click events. Instead, these tests now target a generic button element to prevent undefined click event errors

* Updated unit tests in Jest Test Suite #2 by updating tests that use EuiButton to simulate click events. Instead, these test have been updated to target a button element to prevent undefined click event errors.

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Updated reference to mixins Sass file.
Updated snapshots for Jest Test Suite #5 to account for EuiButton Emotion conversion. Updated unit tests that target EuiButton to simulate click events. These tests have been updated to target a button element to prevent undefined click event errors

* Updated unit tests in Jest Test Suites 3, 7, 8, 13, and 14.
Updated snapshot to account for EuiButton Emotion conversion.
Updated tests that target EuiButton to simulate click events. These tests now target a generic button element to prevent undefined click event errors.
Updated a few snapshots by adding .render() before checking the snapshot. This will prevent large snapshots coming from recent Emotion conversions

* Updated snapshots in Jest Test Suite #10 to account for the recent EuiButton Emotion conversion

* Updated unit tests in Jest Test Suite #2 by editing tests that target EuiButton to simulate click events. These tests now target a button element in order to prevent undefined click event errors

* Updated snapshots in Jest Test Suite #10 to account for EuiButton and EuiDescriptionList Emotion conversions

* Updated test cases in Jest Test Suites 3, 7, and 8. Updated snapshots to account for EuiButton and EuiPagination Emotion conversions.
Updated tests that target EuiButton to simulate click events. These tests now target a button element to prevent undefined click errors

* Updated test cases in Jest Test Suite 14. Updated snapshots to account for EuiButton Emotion conversion. Opted to use .render() when updating a few snapshots to reduce the large length of snapshots caused by Emotion

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Revised a change to betaBadgeProps to ensure that the label is available. If not, the value for the badge will be set to undefined.

* Resolved two linting errors

* Resolved two linting errors

* Updated Jest unit tests in various suites.
Updated snapshots to account for EuiButton Emotion conversion. Updated snapshots for EuiTooltip as it now contains the new EuiTooltipAnchor component that replaced the tooltip anchor styles.

* Updated EuiFlyout in query_flyout.tsx to remove the onClick function from maskProps as it is no longer available. Updated this flyout to use ownFocus and not to close when the overlay mask is clicked.

* Removed the use of EuiButtonIconColor in favor of EuiButtonIconProps['color']

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Updated Cypress test looking for strict equality on EuiPaginationButton class names to match a substring of the Emotion generated class name

* Removed unneeded debugging code. Updated snapshots for various test suites to account for the recent EuiButton Emotion conversion

* Updated a few EuiButton, EuiButtonEmpty, and EuiText components that set the color as ghost. The ghost color mode has been deprecated as of PR #6150. These components now are wrapped in EuiThemeProvider with a dark colorMode to create the previous ghost color.

* Resolved TS error with EuiCard betaBadgeProps

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Remove references to now-removed EuiFlyout CSS classes/vars

* Remove now-removed euiBadge className references

- Convert directly to EuiBadge instead of using CSS

- Remove confusing and now-possibly-irrelevant CSS badge overrides - left/right icons are now set via JSX and not via flex-direction

* Pre-emptively fix various euiOverlayMask CSS overrides

- this data attr isn't technically in yet but will be once https://github.com/elastic/eui/pull/6289 merges

- at the very least this isn't breaking any more than it currently already is!

* Update to v67.1.3

* v67.1.4

* Resolved failing test case in Security/Manage/Blocklist. The test did not remove focus from the last combo box in the form, which didn't allow the disabled attribute to be removed from the flyout submit button. I've updated the mock file for Blocklist to return focus to the first form element in the flyout to allow the disabled attribute to be removed.

* Updated snapshots to account for the recent EuiText Emotion conversion

* Fix Log's custom tooltips relying on EuiTooltip classNames that no longer exist

* Fix Vega vis custom tooltips relying on EuiTooltip classNames that no longer exist

- this one is trickier than Log's as it's not using React, so we need to use Emotion's Global to set a static className

* Convert remaining vega_vis.scss to Emotion

- as an example of how other global + non global styles could be handled in the future

* Fix references to removed `euiPaginationButton-isActive` className

- use aria-current attribute instead

* Added missing EuiFlyoutAnimation keyframes for EuiFlyout. This resolved tests that failed because they used onAnimationEnd and the FlyoutAnimation could not be found.

* Resolved Jest tests in suites 1 and 5. Updated snapshots to account for the recent EuiButton Emotion conversion. Updated snapshots for EuiToolTip as it now contains the new EuiToolTipAnchor component that replaced the tooltip anchor styles.

* iterate on rules_list.test.tsx

* bump eui to v67.1.5

* Updated snapshots for jest test suites to account for the recent EuiButton, EuiOverlayMask, EuiTooltip, and EuiBadge Emotion conversions

* Resolved failing security test by updating the target element for CONNECTOR_TITLE. EuiCard has recently been converted to Emotion and the card title is no longer wrapped in a span.

* Resolved failing test case in Runtime Fields. The modify runtime field test was failing because the combobox responsible for adding and updating scripts was not appearing. The textbox did not appear because the shared setFieldScript function targets and toggles the script textbox when opening the flyout. When a runtime field is being modified, the toggle is already active and using the shared function will trigger the toggle again (losing access to the script textbox).
Also resolved an issue that prevented the warning EuiCallout from appearing when changing the type of a runtime field from its original type. Resolved this by adding an enter keypress at the end of the setFieldType function to confirm the type selection, thus triggering the EuiCallout

* Resolved two tests that were failing in Lens. These tests were failing because they were checking for equality in class names that no longer exist within EuiButtonGroup as it was recently converted to Emotion. These tests were updated to check for a substring of the new and longer class name

* Quick fix in test case failing because of misspelling in data-test-sub

* Updated snapshot for Jest test case as EuiButton has recently been converted to Emotion

* Removed console.log statement. Oops!

* Resolved a failing test case in Lens. They were failing because they were checking for equality in class names that no longer exist within EuiButtonGroup as it was recently converted to Emotion. These tests were updated to check for a substring of the new and longer class name.
Updated a Security test case by giving a target button the data-test-subj attribute for easier querying

* Removed reference to EuiFlyout mixin as it has been converted to Emotion. Updated the reference to an internal copy of EuiFlyout styles

* Corrected spelling error in EuiFlyout animation in Lens app

* Update EUI with latest backport

* Update button snapshots

* fix another button snapshot

* More snapshot fixes

* [EuiButton][Security] Fix button relying on now-removed `euiButton__text` CSS

- replace removed CSS with `eui-textTruncate` util instead

- combine/DRY out unnecessary span - was affecting min-width of truncation util

+ increase screenshot diff limit - this was smaller than updating the actual baseline screenshots for whatever reason (likely render diff between local and CI)

* Fix remaining Jest tests affected by Emotion conversions

- because Emotion creates its own wrapper, `.first()` can no longer be used - prefer `.last()` instead

* Fix Jest test affected by EuiButton Emotion conversion + removed modifier class

- targeting the native DOM node + filtering by disabled true/false gets us back to the 'correct' lengths

* Fix + improve flyout test

- `.last()` changes to account for EuiButton Emotion conversion is needed, but the last onClose assertion still fails due to us having modified inputs, and the confirm modal being displayed

- split test into two separate tests - one testing the onClose call, and the other testing the confirm modal

* derpin

* Skip rules_list Jest suite

* Update new EuiButton snapshot

* Upgraded EUI version to 67.1.7

* [EuiCard] Update snapshots

* [EuiPopover] Update snapshots

* [QA] Fix missing Vega warn/error message colors

;_;

* [CI] Auto-commit changed files from 'node scripts/generate codeowners'

* Fix Lens kbnToolbarButton regressions

- Caused by flattening of EUI button CSS specificity

- background-color was previously relying on isDisabled CSS specificity to override its #fff color

- `text` color modifier & `!important` is no longer needed and overrides Emotion CSS flatly

- isDisabled class is no longer needed - euiButton no longer sets `pointer-events: none` on disabled buttons (fixes tooltip bug in webkit as well)

* Backport EUI 67.1.8 fixes

* Update EuiCard snapshots

* Fix EuiModal form wrapper causing overflow issues

- see https://elastic.github.io/eui/#/layout/modal#forms-in-a-modal

* Workaround for `.kbnOverlayMountWrapper` mount point causing overflow issues

- not sure what all is using this modal service to be honest, but the wrapper is causing issues with the modal layout, this fixes overflow issues but will not fix any mask-image issues as a result

* more snapshot updates

* EuiButton - added textProps to EuiButton to prevent very long button names from spilling over outside of the container

* EuiButton - Update EuiButton related snapshots. Updated tests that target EuiButton directly to use a data-telementary-id for more specific element querying required by Emotion

* QA - Removed unnecessary comment in code

* Temporary fix for EuiCard[selectable][layout=horizontal] instances on security solutions' rule page

* Temporary fix for EuiCard[selectable][layout=horizontal] instances on osquery live query and canvas's datasource selector

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

* Fix CSS specificity, where canvas's solutionToolbarButton's background-color now takes precedence over EuiButton's primary styles

* Removed update to search_marker_tooltip that removed the euiTooltip styles and replaced them with Emotion styling. Added EuiTooltip Sass styles for the component to rely on to test for a styling bug that is causing the tooltip and the tooltip arrow to be out of sync with each other.

* Lint Sass file

* Lint Sass file

* Removed overflow:hidden style from .vgaVis_view as it was causing euiScrollStyles not to present the scroll bars in Vega Vis

* Remove typo from EuiButton textProps object. 'className' should not have been included in the actual class name

* Revert tooltip Sass

This reverts commit 20e6ead571, a5cd2de901, and c605cbd7b9

* Fix Emotion tooltip arrows

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Constance Chen <constance.chen@elastic.co>
Co-authored-by: Chandler Prall <chandler.prall@elastic.co>
2022-11-07 21:45:50 +00:00
christineweng
494aa9cc8e
[Security Solution][Analyzer] Fix graph overlay persist despite filter group changes (#144291)
* [Security Solution][Resolver] bug fix - added filter status check to disable graph overlay

* update reference to existing status type
2022-11-07 13:57:00 -07:00
Michael Olorunnisola
01d76ebd13
[Security Solution][Investigations] - Alert Details Summary Page (#141709)
* initialize alert details page

* fix checks

* fix types

* remove unused import

* update details page

* fix cases tests

* update based on PR feedback:

* disable filter in and filter out in alerts details page

* fix types

* PR feedback

* sync with main
2022-10-31 12:16:37 -07:00
spalger
52f2b33a07
[auto] migrate existing plugin/package configs 2022-10-28 14:06:46 -05:00
spalger
e5d186a6f0
[ts] stop building @types packages in bootstrap 2022-10-28 14:03:55 -05:00
christineweng
2d6c617c4f
[Security Solution] Fix missing title on inspect pop-up (#143601)
* [Security Solution] Fix missing title on inspect pop-up

* removed references to documentType

* removed references to documentType

* updated files post merge

* added default title to timelineActions.createTimeline calls

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-10-20 16:22:09 -07:00
Yuliia Naumenko
64b5efebdd
Cleaned up Observability plugin from timelines unused dependencies on TGrid usage (#143607)
* Clean Observability plugin from timelines unused deps on TGrid usage

* -

* End of standalone version of TGrid

* fixed unused deps

* -

* Clean up variables

* Fixed tests

* Fixed tests

* Removed unused tests

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-10-19 15:52:39 -07:00
Yuliia Naumenko
ade016bad5
[Security Solution][Tech Debt] Decoupled TGrid state part from Timelines under the security_solution store (#141010)
* [Security Solution][Tech Debt] Decoupled TGrid state part from Timelines under the security_solution store

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Unified usage of data table get by id selector

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Cleanup - removed not used code

* -

* -

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Fixed add to timeline

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Fixed filter manager for useHoverActions by proper context usage for defining the scopeId

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Fixed es lint

* -

* TableIds to TableId

* Fixed unit tests

* Fixed tests

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* -

* fixed graph event component

* Fixed details tests

* Added mock for cases test

* Fixed store tests

* fixed mocks

* fixed mocks

* Cleaned up tgrid store from the timeline actions

* Set back reduceReducers to handle ability addToTimelineButton, need to change this later when timelines data will live in the timeline plugin

* fixed merge

* fixed check types

* Fixed type checks

* Fixed tests

* Added snapshot

* Fixed toggleDetails for user and host

* fixed tests

* Fixed timelines tests

* Fixed tests

* Fixed tests

* Fixed tests

* Fixed Jest tests

* Fixed resolver bug

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Fixed missing filterManager

* moved tgrid store

* Reduced bundle size!

* Fixed names

* Fixed tests

* Removed test

* New securitySolution bundle size

* Cleanup the store

* More cleanup

* Removed footer

* removed excludedRowRendererIds

* Fixed typecheck

* remove tests changes

* Cleaned up unused selectors

* Removed savedObjectId from tgrid state

* fixed type check

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Resolved the comments

* Fixed due to comments

* Fixed type checks

* Fixed tests

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* fixed merge issue

* Move suricata-sid-db to lazy loaded modules

* Fixed test

* moved mitre helpers to async chunk

* Fixed due to comments

* Fixed tests

* Renamed TableId.detectionsRulesDetailsPage -> TableId.alertsOnRuleDetailsPage
TableId.detectionsPage -> TableId.alertsOnAlertsPage

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Fixed typecheck

* Fixed test

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-10-18 15:43:41 -07:00
christineweng
4ec846cac4
[Security Solution][Timeline] Toast wrap word when new filter is added to timeline (#142803)
* added break-word wrapper around toast that fires off when a filter is added to timeline

* renamed ToastAddSuccess to AddSuccessMessage and update it to accept children
2022-10-11 14:40:43 -07:00
Jatin Kathuria
ec1fe0a897
[Security Solution][Fix]-Issue with disabled dataProvider (#140735)
Fixes : #129958

When the data provider was disabled, the final query getting created is not syntactically correct and throws a syntax error as shown in the screenshot below:

![](https://user-images.githubusercontent.com/2946766/162839613-88320f35-ec0d-4df3-aa66-167593ef4955.png)
2022-09-22 09:03:47 -04:00
Andrew Goldstein
2db0664ecb
[Security Solution] Alert Renderer (#140825)
## [Security Solution] Alert Renderer

This PR introduces the new _Alert Renderer_, an interactive version of the `kibana.alert.reason` field.

Every alert is now rendered by the new Alert Renderer in:

### Timeline

![alert_renderer_in_timeline](https://user-images.githubusercontent.com/4459398/190467602-95436561-5f30-475a-be1c-67cbc3b900b7.png)

_Above: The Alert Renderer in Timeline_

### The Alerts page's _Event rendered view_

![event_rendered_view](https://user-images.githubusercontent.com/4459398/190413436-25aa39f9-9897-4b26-b0ad-31b43b4527d8.png)

_Above: The Alert Renderer in the Alert page's Event rendered view_

### The Alert details flyout

![alert_details_flyout](https://user-images.githubusercontent.com/4459398/190427006-75b48548-d81a-48cb-a034-15df7f3e4a86.png)

_Above: The Alert Renderer in the Alert details flyout_

### The _Reason_ column popover in the Alerts page's _Grid view_

![reason_popover](https://user-images.githubusercontent.com/4459398/190424383-65e89635-845c-49b7-9d35-34da90e4b185.png)

_Above: The Alert Renderer in the Reason column popover_

### What happens if an alert also has an event renderer, like a file or process event?

We combine the new Alert Renderer with other event renderers, for example, the process renderer, to display both whenever we can.

### In the Alerts and Rule details pages, do I need to switch to the _Event rendered view_ every time the page is refreshed?

Not anymore, because the _Grid view_ / _Event rendered view_ selection is persisted to local storage.

![view_selection](https://user-images.githubusercontent.com/4459398/190423682-3fcfd3ae-d63a-4c19-9f5b-6d9142aaef7e.png)

_Above: View selection is now persisted in local storage_
2022-09-19 15:10:25 -06:00
Ievgen Sorokopud
cbe7dc8106
[Security Solution][Detections] Rule Preview should process override fields and exceptions (#4680) (#140221)
* [Detections] Rule Preview should process override fields and exceptions (#4680)

* CI fixes

- Types
- Unused translations
- Unit tests

* Fix cypress tests

* Fix broken alerts table in fullscreen mode

* Update rule configuration state on about step overrides changes

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

* Review comments

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-09-13 21:23:05 +02:00
Sergi Massaneda
1d7d0563fb
[Security Solution][Threat Hunting] Add APM transactions for relevant user actions (#139843)
* add timelines user-actions

* custom fields and addToTimeline transactions

* alerts buttons events

* test fix

* remove hover fields tracking and conditional fix

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-09-09 03:36:44 -07:00
Sergi Massaneda
aae3ac0da7
[Security Solution][Threat Hunting] Monitor all http request using APM (#138152)
* integrate APM transactions to useSearchStrategy and useQuery hooks

* fix batched request transaction using blocking span

* disable transactions managed flag

* apm mock

* add and adapt tests

* add invalid response warning to useSearchStrategy

* make useQueryAlerts query name required and prop name changed

* fix tests

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-08-30 03:50:53 -07:00
Peter Pisljar
f68751054a
[DataViews] expose list of matched indices (#139067) 2022-08-25 18:32:06 +02:00
Sander Philipse
9307cacf7d
Bump redux (4.2.0), reselect (4.1.6), @reduxjs/toolkit (1.7.2), redux-thunk (2.4.1) and immer (9.0.15) (#138818)
* Upgrade Redux to 4.2.0 and Reselect to 4.1.6

* Fix typing in timelines TypedUseSelectorHook

* Upgrade reduxjs-toolkit and fix types

* Upgrade more dependencies and fix types

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Undo unnecessary type fixes

* Add renovate.json config for redux

* Add caret to @reduxjs/toolkit version

* Update package.json

Co-authored-by: Patryk Kopyciński <contact@patrykkopycinski.com>

* Update package.json

Co-authored-by: Patryk Kopyciński <contact@patrykkopycinski.com>

* Update package.json

Co-authored-by: Patryk Kopyciński <contact@patrykkopycinski.com>

* yarn bootstrap

* Ts-ignore failing types in presentation_util redux_embeddables

* Downgrade @reduxjs/toolkit to 1.7.2

* Undo ts-ignores in redux-embeddables

* Remove CombinedState comment

* Rebase onto main

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Patryk Kopyciński <contact@patrykkopycinski.com>
2022-08-25 17:39:50 +02:00
Jan Monschke
759ea55fd2
[SecuritySolution] Cleaning up some state & documentation in TGrid (#139377)
* chore: remove `isQueryLoading`

`isQueryLoading` is the same as `loading` so we can remove the extra state and effect

* chore: document `isFirstUpdate`

By reading the source code, it wasn't clear why `isFirstUpdate` is necessary. I added a comment that explains why it's there. Also moved the effect closer to its dependencies.

* chore: remove `isFirstUpdate` in favor of showFullLoading

`showFullLoading` is the non-effect equivalent of `isFirstUpdate`

* chore: update comment

* chore: remove unnecessary comment

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-08-25 14:30:01 +02:00
Philippe Oberti
e3181e65f3
[TIP] Add to timeline (#138836)
* [TIP] Add to timeline

- add button to all cells in the indicators table
- add button to a new actions column for the indicator flyout table
- add button to barchart legend
- create new providers (kibana context and security context) for unit tests and storybook
- change all Storybook console.log to window.alert to follow the EUI pattern
- fix broken Storybook indicator table story

https://github.com/elastic/security-team/issues/4557
2022-08-24 12:41:54 +02:00
Yuliia Naumenko
fe646b297d
[Security Solution][Tech debt] T-Grid cleanup (#138581)
* [Security Solution][Tech debt] T-Grid cleanup: removed unused logic

* Renamed folder to correspond the logic inside

* Fixed types for isEventViewer

* Fixed tests, corrected names

* Fixed due to comments
2022-08-23 14:21:37 -07:00
Yuliia Naumenko
1ae09bc91c
[Security Solution] Remove docValueFields usage from security_solution and timelines plugins (#137802)
* [Security Solution] Remove docValueFields usage from security_solution and timelines plugins

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

* Fixed tests

* Fixed type checks

* Removed unused type

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

* Fixed tests

* Fixed FTR

* Fixed unit test

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-08-23 11:18:50 +02:00
Spencer
9003353729
rename @elastic/* packages to @kbn/* (#138957)
* rename @elastic/* packages to @kbn/*

* update yarn.lock

* [CI] Auto-commit changed files from 'node scripts/generate packages_build_manifest'

* update lint task

* review feedback

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-08-18 08:54:42 -07:00
Kevin Logan
5158f38905
[Security Solution] Fix Event Filter OS selection when creating filter from Event List (#138517) 2022-08-10 15:19:10 -04:00
Kristof C
a18603d33a
Reduce zIndex value of troublesome container (#138135)
Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>
2022-08-04 09:31:08 -07:00
Yuliia Naumenko
c7c9b67a70
[Security solution] Fix bug for rendering CTI enrichments (#137645)
* [Security solution] Fix bug for rendering CTI enrichments

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

* timeline SS fix

* Fixed the tests

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-08-01 13:45:22 -07:00
Spencer
bebec37f04
[eslint] fix and skip violations for cross-boundary imports (#136911) 2022-07-29 13:57:55 -05:00
Kristof C
3246ec733e
[Security Solution][Revisit external alerts] [2861] add alerts to explore event tabs and revamp network details (#136913)
* Remove External alert trend table and artifacts, and rename detection… (#136579)

* Remove External alert trend table and artifacts, and rename detections alert

* add test for SignalsByCategory

* Update signals_by_category.test.tsx

* [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix'

Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

* update event tab to show both alerts and events with toggle. (#136540)

* add test for SignalsByCategory

* modify external_alerts_filter to be more efficient

* Update usage across explore views to only use EventsQueryTabBody

* remove unused files and code related to external alerts  and move old alerts files to events_tab folder

* test fixes, and more removal of old usage

* update failing snapshots

* last bit of cleanup

* Fix type error

* fix type and translations issue

Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>

* translations fixed

* fix default stackBy value for alerts bug

* memoizations added

Co-authored-by: Kristof-Pierre Cummings <kristofpierre.cummings@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: semd <sergi.massaneda@elastic.co>
2022-07-25 11:42:51 -07:00
Yuliia Naumenko
6911d5a7c4
[Timelines T-Grid] Changed formatting of the timeline data to parse all nested objects under the "kibana.alert.rule.parameters" (#136908)
* [Timelines T-Grid] Changed formatting of the timeline data to parse all nested objects under the "kibana.alert.rule.parameters"

* Excluded some of the alert params fields from parsing, because this is expected by the design

* [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2022-07-22 11:07:06 -07:00