## Summary
- addresses https://github.com/elastic/kibana/issues/178176
- I ran test 400 times on flaky test runner, no failures. So this PR is
to unskip test. If it happens to fail again, we would need to look
further
- also refactored tests a bit, to remove duplicate one command tests
## Summary
This PR corrects an API where we were able to create a multi-agent action for
duplicate/non-existing agent ids. The changes in the PR fix that
1. by not including invalid agent ids (that do not have Elastic Defend
installed) and
2. adds a warning info in the action request comment so that the user is
aware of discarded agents
This action when errored shows multi agent action Host/Error grouping.
**Before** (notice the single `Hostname` above outputs)
You could do this:
```json5
POST /api/endpoint/action/suspend_process
{
  "endpoint_ids": [
    "1d793b46-7b6a-4dd4-a6b7-4c75718e04be",
    "1d793b46-7b6a-4dd4-a6b7-4c75718e04be"
  ],
  "parameters": {
    "pid": "42424242"
  }
}
```
and get a response that looked like (notice the duplicate agent ids in
`agents`)
```json5
{
  "data": {
    "id": "ff66dc36-5be9-4b12-a94f-09421baed8da",
    "agentType": "endpoint",
    "agents": [
      "1d793b46-7b6a-4dd4-a6b7-4c75718e04be",
      "1d793b46-7b6a-4dd4-a6b7-4c75718e04be"
    ],
    "hosts": {
      "1d793b46-7b6a-4dd4-a6b7-4c75718e04be": {
        "name": "ashokaditya-dev-7131"
      }
    },
    "command": "suspend-process",
    "startedAt": "2024-06-28T13:56:40.524Z",
    "isCompleted": false,
    "wasSuccessful": false,
    "isExpired": false,
    "status": "pending",
    "outputs": {},
    "agentState": {
      "1d793b46-7b6a-4dd4-a6b7-4c75718e04be": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "createdBy": "elastic",
    "parameters": {
      "pid": 4242424242
    }
  }
}
```
**After**
With this change when you try and send a request such as
```json5
POST /api/endpoint/action/suspend_process
{
  "endpoint_ids": [
    "1d793b46-7b6a-4dd4-a6b7-4c75718e04be",
    "1d793b46-7b6a-4dd4-a6b7-4c75718e04be",
    "no-dice"
  ],
  "parameters": {
    "pid": 4242424242
  }
}
```
you get a response that looks like (notice neither the duplicate agent
id nor the invalid agent id in `agents`, also additional WARNING in the
`comment` field)
```json5
{
  "data": {
    "id": "9bf67816-4d58-4843-bc7a-776f6017b06b",
    "agentType": "endpoint",
    "agents": [
      "1d793b46-7b6a-4dd4-a6b7-4c75718e04be"
    ],
    "hosts": {
      "1d793b46-7b6a-4dd4-a6b7-4c75718e04be": {
        "name": "ashokaditya-dev-7131"
      }
    },
    "command": "suspend-process",
    "startedAt": "2024-06-28T15:13:20.138Z",
    "isCompleted": false,
    "wasSuccessful": false,
    "isExpired": false,
    "status": "pending",
    "outputs": {},
    "agentState": {
      "1d793b46-7b6a-4dd4-a6b7-4c75718e04be": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "createdBy": "elastic",
    "comment": "undefined; WARNING: The following agent ids are not valid: [\"no-dice\"] and would not be included in action request.",
    "parameters": {
      "pid": 4242424242
    }
  }
}
```
follow up of elastic/kibana/pull/186284
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
Resolves [#187097](https://github.com/elastic/kibana/issues/187097). Add
`max-width` to the flex item used for shimmying the left sidebar for
integration details content, so that there isn't a gap between the
integration icon and content.
## Summary
Part of https://github.com/elastic/kibana/issues/186574
Background: This PR is an example of a plugin migrating away from
depending on the Security plugin, which is a high-priority effort for
the last release before 9.0. The Cases plugin uses authc.getCurrentUser
from the security plugin's start contract on the server side.
This PR migrates authc.getCurrentUser from the security plugin start
contract to the core security service.
Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
The assistant is not able to retrieve information from `elasticsearch`
function
After awaiting the response the assistant is successfully returning the
information
## Summary
The tests that are currently failing on the periodic pipeline are all
alert suppression-related.
After checking the screenshots we saw the same problem everywhere, we
were trying to add more than one field but we ended up having just one
that does not exist in the index.

The code used to fill the alert suppression dropdown is prone to be
flaky. This is because we were creating a single string by joining all
the options.
We made that piece more reliable by adding each option individually.
With the new approach we ensure that each option is treated separately
so the combobox can register each option as a distinct selection.
As part of this PR we are also fixing a tag that was not correctly added
to a test.
I modified the [current dashboard in
staging](f240fff6-fac9-491b-81d1-ac39006c5c94?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-15h,to:now)))
and now the metrics of Dataset quality are being reported.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Part of https://github.com/elastic/kibana/issues/186574
Background: This PR is an example of a plugin migrating away from
depending on the Security plugin, which is a high-priority effort for
the last release before 9.0. The Reporting plugin uses
`authc.getCurrentUser` from the security plugin's start contract on the
server side.
This PR migrates `authc.getCurrentUser` from the security plugin start
contract to the core security service.
### Checklist
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Tim Sullivan <tsullivan@users.noreply.github.com>
## Summary
This PR adds Automation Credentials buttons for GCP and AWS. UX copy will
be addressed in the [following
ticket](https://github.com/elastic/kibana/issues/178858).
For Agentless the CSPM AWS integrations, users will be able to:
* click Launch Cloud Formation button for single account or organization
account which opens external link to Cloud Formation page.
* create a cloud formation stack that generates access keys.
We will use the Cloud Formation template url from the package info
`getTemplateUrlFromPackageInfo` exposed as common utility in fleet.
For Agentless the CSPM GCP integrations, users will be able to click Launch
Cloud Shell button for single accounts or organization account. We get
the cloud shell template url from the package info
`getTemplateUrlFromPackageInfo`
## To test PR:
AWS
1. Log in as an admin in the management account of the AWS Organization
you want to onboard
2. Click the Launch CloudFormation button below.
3. (Optional) Change the Amazon region in the upper right corner to the
region you want to deploy your stack to
4. Tick the checkbox under capabilities in the opened CloudFormation
stack review form: I acknowledge that AWS CloudFormation might create
IAM resources.
5. Click Create stack.
6. Once stack status is CREATE_COMPLETE then click the Outputs tab
7. Copy Access Key Id and Secret Access Key then paste the credentials
below
Use: `eu-west-1` region to create stacks
GCP
1. Replace `<PROJECT_ID>` in the following command with your project ID
then copy the command
2. Click Launch Google Cloud Shell, then run the command
3. Check `Trust Repo` and click `CONFIRM` button
4. Paste and run command in the cloud shell terminal
Cloud Security team `gcloud config set project test-project-1-396010 &&
ORG_ID=693506308612 && ./deploy_service_account.sh`
5. Run 'cat KEY_FILE.json' to view the service account key. Copy and
paste it in the CSPM GCP integration.
Internal Team Developer Tips for testing :
- Look for `cloudshell_git_branch` in the url and change `8.XX` to
`main`.
- To run script, see command
[here](https://p.elstc.co/paste/XyJg0wW8#srnavdS0GZtxapNA1ZcNu9TddLpG+zWP-99KWWpIEnr)
- Any question for GCP account issue reach out to @orouz
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## [Security Solution] [Attack discovery] Improves Attack discovery GPT-4o output
### Summary
This PR improves the output of Attack discoveries generated with `GPT-4o`, as illustrated by the _After_ screenshot below:
#### After

_Above: Attack discoveries generated via `GPT-4o` after the change in this branch_
#### Before

_Above: Attack discoveries generated via `GPT-4o` before the change in this branch_
### Desk testing
1) Generate (using `main`) Attack discoveries via `GPT-4o`, and a few other models, i.e. `Claude 3 Opus`, and `Claude 3.5 Sonnet`
2) Generate Attack discoveries for the same models using the PR branch
**Expected result**
- Significant improvement in the narrative and format of Attack discoveries generated by `GPT-4o`
- Similar / improved output from other models (no regressions)
## Summary
This PR fixed a preview rendering bug and made some improvements to the
preview navigation:
- If a preview is already opened, opening another preview should work
properly. `urlChangedAction` is now dispatching the last item in
`preview` array.
- Added checks to not append a preview if it was last added
- When state is stored in url (everywhere except rule preview), `Back`
action in preview utilizes the browser go back functionality. This
allows full synchronization between redux and url state.
- Keep the latest preview in url to avoid url length explosion
Note: in order to make the interaction smooth, the `Back` button is now
always present. When there is one preview open, clicking `Go back` will
close the preview.
**How to test**
- Enable feature flag `entityAlertPreviewEnabled`
- Generate some alerts, go to Alerts Page
- Expand detail on an alert, expand details, entities, clicking the host
and user names
## Summary
This PR is for server side changes to support a requested feature for
having notes outside of timelines. The changes are intended to be fully
backwards compatible, and mainly center around making timelineId
optional when creating a note. The note saved object will still have an
entry in the references array, just the id for the timeline saved object
type is an empty string. I did not see a way with how the saved object
client find function works to query for objects that have just an empty
reference array, so this probably works best. Note saved objects not
associated with a timeline are capped at 1000 for now, as the new api
that fetches all of the notes for an array of document ids does so via
saved object client search string, which is limited to 1024 terms, and
the api should support getting all notes in the worst case of 1 note
associated to 1 event. Also cases comments and attachments have a
similar limit, so seemed to make sense for this experimental feature.
The delete note api was also changed to support deleting either 1 note
by id, or an array of notes, additive only change.
Feature flagged (securitySolutionNotesEnabled in
xpack.securitySolution.enableExperimental) frontend making use of the
api changes:

### Checklist
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Part of https://github.com/elastic/kibana/issues/186574
Updates imports for types available from the core-security packages.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Part of https://github.com/elastic/kibana/issues/186574
Background: This PR serves as an example of a plugin migrating away from
depending on the Security plugin, which is a high priority effort for
the last release before 9.0. The Elastic Assistant plugin uses the
`authc.getCurrentUser` indirectly in several data clients in
`x-pack/plugins/elastic_assistant/server/routes/request_context_factory.ts`.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Part of https://github.com/elastic/kibana/issues/186574
## Summary
This PR migrates the OSQuery Plugin's route handlers that consume
`authc.getCurrentUser` to use coreContext.security
Background: This PR serves as an example of a plugin migrating away from
depending on the Security plugin, which is a high priority effort for
the last release before 9.0.
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
**Related to:** https://github.com/elastic/kibana/issues/174168
## Summary
Removes the `jsonPrebuiltRulesDiffingEnabled` and
`perFieldPrebuiltRulesDiffingEnabled` feature flags that have been
expired. See details in the code.
Fixes
### test steps
* in cloud 7.17. instance, create legacy input control visualization and
export saved object
* in local instance, import legacy input control vis
* create new dashboard and add legacy input control vis
* Open console and ensure no warnings are displayed when `deprecated`
badge is displayed
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Fixes autocomplete in kuery bar for uptime/synthetics fields !!
Also added tags into documents !!
### Before
uptime/synthetics field names never appeared in kql query bar on alerts
### After
Typing fields name will show suggestions
## Summary
- Fixes the UI for failed automated response actions so that it does
remain "stuck" in `pending` and instead shows the errors that were
encountered
> [!NOTE]
> This bug was knowingly introduced just earlier today, but the fix was
> not yet known at that time. The underlying root cause will take much
> longer to address (requires a refactor of how the automated response
> actions are retrieved from the server), thus this PR provides a
> **temporary** fix that ensures the UI continues to work as it did
> before.
## Summary
This PR updates existing API integration & Functional tests to run with
a user with **minimum** user privileges.
**Reference**: [Instance access roles and privileges for
Serverless](https://www.elastic.co/docs/current/serverless/general/assign-user-roles#elasticsearch)
document for Elasticsearch
Tested changes from this PR against cloud QA deployment with different
user privileges.
Add links to Dataset Quality in the following places:
1. "Data sets" link on Logs Explorer nav header (on both Serverless and
Stateful)
2. "Data Set Quality" side nav menu item under Stack Management -> Data
(Stateful)
3. "Data Set Quality" card under Management -> Data (Serverless)
On Logs Explorer - Stateful

On Logs Explorer - Serverless

Stack Management - Stateful

Stack Management - Serverless

---------
Co-authored-by: Yngrid Coello <yngrid.coello@elastic.co>
## Summary
- Adds information about the integration associated with an agent type,
which informs the user which EDR vendor is being used to execute the
response action. The following views were updated:
- Response console
- Alert Isolation flyout panel headers
> [!NOTE]
> The host isolation flyout that is displayed from the Endpoint list
> page was not updated to show this information about the integration.
> That's because from the Endpoint list, a user only sees hosts that are
> running the Elastic Defend integration, thus there is no need to show
> the indicator.
Fixes #180441
This PR fixes the URL navigation by first calculating the initial state
and initializing both the URL and state container with the default
value, then starting the sync process. (Special thanks to @Dosant )
This PR also fixes the back navigation from the Alerts page to the Hosts
view, this was the bug:
### 🧪 How to test
**Please check the possible navigation scenarios related to the alerts
page and its filters carefully**.
- Go to the alerts page by clicking on the right-hand side menu and
navigate back
- Go to the alerts page, change a filter/time range, and navigate back
- On the alerts page, use brush functionality on the alert summary
widget and navigate back
- Also, please test the scenarios mentioned in this
[PR](https://github.com/elastic/kibana/pull/162312)
#### Known issue
If the time range is changed, the back navigation does not work
properly. We have a similar case in APM, so I created a separate ticket
for it: https://github.com/elastic/kibana/issues/186303