## Summary
This PR addresses the issue where currently only some of our APIs do an
auth check. All of our APIs should be doing this. Furthermore, we are
adding new API FTRs to cover this scenario as well.
Notes:
Currently Benchmark related API FTR is blocked by
https://github.com/elastic/kibana/issues/188059
## Summary
- Adds the `kill-process` command to Response Console for SentinelOne
hosts
- Note that in order to access this command, the
`responseActionsSentinelOneKillProcessEnabled` feature flag must be
enabled
> [!IMPORTANT]
> When entered, the response action will be sent to SentinelOne's system
> for execution, but the response action will remain in `pending` in
> Kibana for now. A follow-up PR will introduce the necessary logic for
> completing the action and displaying the results.
## Summary
In this PR Security Gen AI related APIs are changed from internal to
public.
Conversations APIs:
- POST/PUT/GET/DELETE
`"/api/security_ai_assistant/current_user/conversations/{id}"`
- GET `"/api/security_ai_assistant/current_user/conversations/_find"`
Prompts APIs:
- POST `"/api/security_ai_assistant/prompts/_bulk_action"`
- GET `"/api/security_ai_assistant/current_user/conversations/_find"`
Anonymization APIs:
- POST `"/api/security_ai_assistant/anonymization_fields/_bulk_action"`
- GET `"/api/security_ai_assistant/anonymization_fields/_find"`
# Summary
Fixes below bugs based on feedback from @paulewing.
## Event Details Toggle in Notes
@paulewing requested to remove the event toggle
## Notes Flyout remains open when switching tabs
|Before|After|
|---|---|
|<video src="4228d2d6-c2ad-40dc-9e6c-ec049f834e8f" />|<video src="0e010c22-4539-4428-9b1b-3b323a9f491c" />|
## Notes Flyout should be resizable
As shown in the video above, the notes flyout is now resizable.
By only grouping on `entity.id` we should be able to remove duplicates
in the latest indices.
This PR also removes the values found for `entity.identityFields` and
replaces it with a list of those field names.
This PR also lifts the values for the identity fields to the root of the
document.
This PR removes the `displayName` from the historical documents.
### How to test
Source data:
```
PUT index_a
{
"mappings": {
"properties": {
"a": {
"type": "keyword"
},
"@timestamp": {
"type": "date"
}
}
}
}
PUT index_b
{
"mappings": {
"properties": {
"b": {
"type": "keyword"
},
"@timestamp": {
"type": "date"
}
}
}
}
POST index_a/_doc
{
"a": "same",
"@timestamp": "2024-07-05T12:33:06.162Z"
}
POST index_b/_doc
{
"b": "same",
"@timestamp": "2024-07-05T12:33:06.162Z"
}
```
Entity definition:
```
POST kbn:/internal/api/entities/definition
{
"id": "bucket_key",
"name": "Bucket key",
"type": "service",
"indexPatterns": [
"index_*"
],
"timestampField": "@timestamp",
"lookback": "5m",
"identityFields": [
{
"field": "a",
"optional": true
},
{
"field": "b",
"optional": true
}
],
"displayNameTemplate": "{{a}}{{b}}",
"history": {
"timestampField": "@timestamp",
"interval": "5m"
}
}
```
### Change in the format of the resulting documents
```
"identityFields": {
"a": null,
"b": "same"
},
```
=>
```
"identityFields": [
"a",
"b"
],
```
Two minor fixes for the k8s onboarding:
- Make the troubleshooting link point to the whole page instead of the
Kubernetes section, which for now is not very relevant
- Remove `fill` from the copy button after we start monitoring data
## Summary
Pending work from: https://github.com/elastic/kibana/pull/186615
- The previous implementation to create `PrebuiltRuleAsset` with some
RuleResponse fields omitted from it had the disadvantage of being built
with a discriminated union where all rule types had to be re-listed. If
a new type was added, then it would have required manually adding the
type to that union as well, which would have been surely forgotten.
- This replaces that schema construction with a Zod transform, which
simply eliminates the omitted fields.
### For maintainers
- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
https://github.com/elastic/kibana/pull/177263 changed the way
`telemetry-prebuilt-rule-alerts` gets data from Elastic, but it changed
the index used to run the queries. This PR fixes it by using the proper
index.
**Addresses:** https://github.com/elastic/kibana/issues/183661
## Summary
This PR adds missing OpenAPI specs for the following Detections API endpoints available in both Serverless and ESS
- `POST /api/detection_engine/rules/preview`
and the following API endpoints available in ESS only
- `GET /api/detection_engine/privileges`
- `POST /api/detection_engine/rules/_bulk_delete`
**Resolves: https://github.com/elastic/kibana/issues/187975**
## Summary
When upgrading or re-installing a package, all saved objects from a
previous package are loaded into memory using `bulkResolve`. This
creates unnecessary memory pressure for packages containing thousands of
saved objects, like the `security_detection_engine` package.
To mitigate that, we are now skipping saved object resolution for
packages known to be installed in `8.x`.
While testing locally on a package containing ~5000 detection rules, I
observed a significant drop in memory usage, from 1.17GB to 1.05GB at
peak.
### Summary
When configuring an OpenTelemetry agent, most of the environment
variables are provided with only the value, but the auth headers one
uses quotes.
When using a shell script or YAML to set environment variables, the
value has to be quoted due to spaces, but that's not always the case, for
example when setting an environment variable in Windows.
Also, removing the quotes makes it consistent with other environment
variable values.
Implements support for the Gemini connector:
- Adds the `.gemini` connector type id to the allowlisted connectors
- Creates an adapter for the Gemini connector type that formats and
parses requests/responses in the format of Gemini on Vertex
What's still missing:
- Native function calling. We use simulated function calling for now.
There are some changes in the function schemas to prepare for this
(Gemini blows up when there are dots in property names).
- E2E tests. The Gemini connector always calls out to an external
endpoint, which causes the call to fail because we cannot hardcode
actual credentials.
## Summary
Resolves https://github.com/elastic/kibana/issues/178528.
Some packages declare `constant_keyword` type fields without an explicit
value. This causes ES to fill in the value in the mappings using the
first ingested value.
When upgrading this type of package & field after the value has already
been populated in this way, the mappings update fails due to pushing a
`null` value into an existing value, triggering unnecessary rollovers.
This PR fixes that by filling in the empty values from the existing
mappings.
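A worked example of the merge this fix describes, added here and not Kibana's or Fleet's own code: `constant_keyword` fields that arrive without a `value` take the value Elasticsearch already fixed in the cluster's mappings, and a field with no known value is sent without the key rather than with an explicit `null`. The type and function names are assumptions.

```typescript
// Added example (not Kibana's own code): fill in missing constant_keyword
// values from the existing mappings before pushing a package's new mappings,
// so the update never sends `value: null` on top of a populated value.

interface FieldMapping {
  type?: string;
  value?: string | number | boolean | null;
  properties?: Record<string, FieldMapping>;
}

interface Mappings {
  properties?: Record<string, FieldMapping>;
}

function fillConstantKeywordValues(incoming: Mappings, existing: Mappings): Mappings {
  const out: Record<string, FieldMapping> = {};
  const oldProps = existing.properties ?? {};

  for (const [name, field] of Object.entries(incoming.properties ?? {})) {
    const prior: FieldMapping | undefined = oldProps[name];
    const merged: FieldMapping = { ...field };

    if (field.type === 'constant_keyword' && field.value == null) {
      if (prior?.type === 'constant_keyword' && prior.value != null) {
        // Reuse the value ES populated from the first ingested document.
        merged.value = prior.value;
      } else {
        // No known value yet: omit the key rather than send an explicit null.
        delete merged.value;
      }
    }

    if (field.properties) {
      // Recurse into object fields (e.g. event.dataset).
      merged.properties = fillConstantKeywordValues(
        { properties: field.properties },
        { properties: prior?.properties }
      ).properties;
    }
    out[name] = merged;
  }
  return { properties: out };
}

// Constructed sample: the mapping as shipped by the new package version (no
// value) versus what the cluster holds after ingesting monitoring logs.
const INCOMING_MAPPINGS: Mappings = {
  properties: {
    event: { properties: { dataset: { type: 'constant_keyword' } } },
    message: { type: 'text' },
  },
};
const EXISTING_MAPPINGS: Mappings = {
  properties: {
    event: { properties: { dataset: { type: 'constant_keyword', value: 'elastic_agent' } } },
  },
};

// Helper to read a dotted field path back out of a mappings object.
function mappedValue(m: Mappings, path: string): unknown {
  let node: FieldMapping | undefined = { properties: m.properties };
  for (const part of path.split('.')) node = node?.properties?.[part];
  return node?.value;
}
```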
## Test
1. On an empty cluster, turn on debug logs
2. Set up Fleet Server policy and Fleet Server agent
3. Force install old version of Elastic Agent integration, v1.19.2:
```
POST kbn:/api/fleet/epm/packages/elastic_agent/1.19.2
{
"force": true
}
```
4. Create a new empty policy, **deselect system and agent monitoring**
(otherwise the integration will be upgraded, we do not want this yet)
5. Manually add Elastic Agent integration v1.19.2 to the new policy
6. Edit the policy to enable logs and metrics monitoring
7. Enroll agent into the policy, confirm that monitoring logs and
metrics are being ingested and that a value exists for `event.dataset`
mapping for the logs:
```
GET logs-elastic_agent*/_mappings
```
```
"dataset": {
"type": "constant_keyword",
"value": "elastic_agent"
}
```
8. Upgrade Elastic Agent integration to v1.20.0 (note we are not
upgrading to the newest versions, 2.0+, because these **are** expected
to trigger rollovers for some data streams):
```
POST kbn:/api/fleet/epm/packages/elastic_agent/1.20.0
{
"force": true
}
```
9. Confirm in Kibana logs that no rollovers triggered during the
upgrade
10. Confirm that there is still only 1 backing index for monitoring
logs:
```
GET logs-elastic_agent*
```
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Fixes https://github.com/elastic/security-team/issues/9646
The embedded discover's `update` mechanism has changed and the `grid`
and `hideChart` properties keep changing on initial sync, causing the
timeline to show as `changed` when it actually didn't. These two properties
are not important to actually determine the changed state of timeline
and we can therefore ignore them.
## Summary
Fixes https://github.com/elastic/kibana/issues/187333
## Testing behaviour:
Issue 1: verify similar behaviour from API as well.
1. Create a template
2. Add new toggle custom field with default value as true
3. Go to create case, see that the new toggle custom field has value: true
4. Select recently created template
5. Toggle the new custom field with its default value
Issue 2: verify similar behaviour from API as well.
1. Create a text custom field with default value
2. Create a template
3. Set text custom field value to empty
4. Save template
5. Go to create case
6. Select recently created template
7. See that text custom field value is updated as per template's custom
field value
## Summary
Unskips tests that were skipped because of Agent vs Fleet Server version
mismatch.
Looks like the temporary issue is fixed, so this PR unskips the tests,
while trying to find a long-term solution in the meanwhile.
Closes #187932, closes #170373, closes #168284, closes #168340, closes #173464, closes #172326
## Summary
This PR limits the number of characters that can be input into the
global search bar. The character limit can be specified with the config
value `xpack.global_search_bar.input_max_limit` with a default of
`1000`. When an input that exceeds the configured character limit is
provided, a descriptive visual notice is displayed to the user.
## Visual
<img width="662" alt="Screenshot 2024-07-04 at 19 28 39"
src="cf30f589-fe65-40a9-b9c8-ce0f235d206e">
## How to test
- run the following command in the browser console, which creates a
string that exceeds the configured default search character limit and
copies it to your clipboard
```ts
copy(Array.from(new Array(1001)).reduce((acc) => acc+'a', ''))
```
- open up kibana, simply paste the value that should exist in your
clipboard in the global search input field and you should be presented
with a result similar to the image above.
---------
Co-authored-by: Eyo Okon Eyo <eyo.eyo@elastic.co>
Closes: https://github.com/elastic/observability-dev/issues/3687
## Description
The synthetics monitors include thumbnail screenshots that open a larger
preview window. These thumbnails must take keyboard focus, manage the
`Enter` and `Space` keypresses to open the modal, and return focus to
the originating thumbnail when the modal is closed. Screenshots attached
below.
### Steps to recreate
1. Open the
[Synthetics](https://keep-serverless-fyzdg-f07c50.kb.eu-west-1.aws.qa.elastic.cloud/app/synthetics)
view
2. Create a monitor if none exist
3. Click on that monitor and navigate to the [full monitor
detail](8b88e937-f917-4f12-9325-8ab005cffea5?locationId=us_central_qa)
view
4. Click on a thumbnail and verify the modal opens
5. Press `ESC` or the Close "X" and then press `TAB` to verify focus is
not on the thumbnail
### What was changed?:
1. Added `tabIndex=0` to `ScreenshotImage` to handle keyboard
navigation
2. `ScreenshotImage` API was slightly changed: `onMouseEnter` ->
`onFocus`; `onMouseLeave` -> `onBlur`
Closes: https://github.com/elastic/observability-dev/issues/3651
# Description
Observability has a lot of icons that are used for controls and table
row actions. These icons often have the same aria-label repeated across
rows. While this meets the letter of SC 1.3.1: Info and Relationships,
the repeated generic labels do not usually answer the question of what users
are editing, or what users are deleting. We want to provide clear labels
for each row to make the implicit relationships sighted users depend on
explicit for screen reader users.
# Steps to repeat
1. Open the Inventory view
2. Turn on a screen reader
3. Traverse through the tables in screenshots
4. Verify the buttons do not describe what test run or document you're
taking action on
# What was changed?:
1. `title`, `aria-label` attributes were updated for `EuiButtonIcon`'s
# Screen:
<img width="1546" alt="image"
src="fedc7756-d077-4a6e-bd80-af49b69b541c">
<img width="1546" alt="image"
src="ec0364c8-8fe5-448d-9a4d-c5f2b19a171d">
Add managed meta property to entity definition resources. A flag will
show up in the corresponding UIs.
## Summary
This PR:
1. Fixes the ellipsis of the row cells when the row renderers are
enabled
2. Re-enables the row height toggle being able to change the height of
the custom grid body row
3. Aligns the icons and row text to the top of the row, how the default
table behaves
## Summary
- Fixes `useAlertResponseActionsSupport()` hook so that the OS platform
is retrieved from the alert's `host.os.type`
- Note: tests already exist to validate this, however, the mocks were
also incorrectly typed. Those are now corrected as well.
## Summary
Closes https://github.com/elastic/kibana/issues/187933
Closes https://github.com/elastic/kibana/issues/186845
Fixed missing policy filter when checking if Fleet Servers met minimum
version to enable secrets storage.
The integration tests now cover a case where there are no fleet servers
but there are agents with the minimum version, to verify that the query
filters them out.
Manual verification is hard because you can't enroll an agent without
enrolling FS with at least the same version.
It could be done by manually creating docs in `.fleet-agents`.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Related to https://github.com/elastic/security-docs/issues/5489. We had
a few places where we incorrectly linked to the legacy
user/host risk scoring docs.
In deleting the links I found we had two `RiskSummary` components,
which I have renamed `RiskSummaryPanel` and
`FlyoutRiskSummary` to make life easier.
<img width="770" alt="Screenshot 2024-07-04 at 15 47 14"
src="20e26a15-4975-4165-9c56-bb328c508bee">
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This makes semantic text work with non-root level reference fields. It
also correctly adds copy_to to existing copy_to fields instead of
replacing them, and streamlines a lot of the code.
To test these changes:
- Create an index
- Go to the index mappings page at
`app/management/data/index_management/indices/index_details?{yourIndexName}=blah&tab=mappings`
- Add an object field with a text field inside
- Add a semantic text field referencing that text field
- If you're on a Macbook, create a new inference endpoint with the model
`.elser_model_2` instead of using the default inference endpoint.
- Add a second semantic text field referencing that text field
- Save your mappings
- Use JSON view to verify that the newly created text field contains a
`copy_to` field referencing both newly created semantic text fields
- Verify that the newly created semantic text fields are also in the
JSON view
### Checklist
Delete any items that are not applicable to this PR.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [x] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [x] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [x] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
## Summary
## Unified Timeline
### Before

### After

## Old Timeline
### Before

### After

## Row Renderers
### Before

### After

## Stripes patterns in row renderer
Notice the color changes to grow for the same row when `Row Renderer` is
switched.
### Before

### After

## Summary

### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Fixes #167663
## Summary
Fixes the creation of extra empty page at pagination of 5 rows
Co-authored-by: Julien Lind <julien.lind@elastic.co>
Fixes: https://github.com/elastic/kibana/issues/180393
## Summary
Handles specific fields in `/upgrade/_review` endpoint upgrade workflow,
as described in https://github.com/elastic/kibana/issues/180393.
Achieves this with two mechanisms:
1. Removing fields from the `PrebuiltRuleAsset` schema, which excludes
the field from the diff calculation completely.
2. Manually removing the diff calculation for certain fields, by
excluding them from
`/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts`
Also, refactors a part of the codebase from its prior usage of `io-ts`
schema types to use autogenerated Zod types.
With this refactor, most of the
`x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema_legacy`
could be deleted. Unluckily some of the types manually created there are
still used in some complex types elsewhere, so I added a note to that
file indicating that those should be migrated to Zod, so that the legacy
folder can finally be deleted.
### Checklist
Delete any items that are not applicable to this PR.
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
### For maintainers
- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Closes: https://github.com/elastic/observability-dev/issues/3640
# Description
Observability has a lot of icons that are used for controls and table
row actions. These icons often have the same aria-label repeated across
rows. While this meets the letter of SC 1.3.1: Info and Relationships,
the repeated generic labels do not usually answer the question of what users
are editing, or what users are deleting. We want to provide clear labels
for each row to make the implicit relationships sighted users depend on
explicit for screen reader users.
# What was changed?:
1. `aria-label` attribute was updated for `CasesTable` -> `ActionColumn`
# Screen
<img width="1546" alt="image"
src="014f613f-91b6-4bbb-a8f0-04a4e30ff3ba">