Commit graph

48625 commits

Author SHA1 Message Date
Sergi Massaneda
81880aa393
[Security Solution][Automatic migrations] Disable test MKI explicitly (#225579)
## Summary

Disable MKI explicitly for automatic migrations test with
`@skipInServerlessMKI`

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-06-27 09:36:26 -05:00
Kenneth Kreindler
686315e62d
[Security Solution] [AI assistant] Global assistant bugs (#225149)
## Summary

Summarize your PR. If it involves visual changes, include a screenshot
or gif.

Fixes various bugs introduced by this PR
https://github.com/elastic/kibana/pull/223936

Changes:
- Fix bug where esql_content_references (citations that open the ESQL
editor) were not working due to the discover plugin not getting imported
to the elastic_assistant plugin. This caused the assistant to crash.
- Fix bug where some buttons in the AI4Soc flavour were not linking to
the correct pages.
https://github.com/elastic/kibana/pull/223936#discussion_r2164506213

### How to test:
#### Verify ESQL citations work:
- Start Kibana
- Create a semantic index and index a document through the dev console:
```
PUT my-index-000001
{
  "mappings": {
    "properties": {
      "description": {
        "type": "semantic_text"
      }
    }
  }
}


# Add a document to my-index
POST /my-index-000001/_doc
{
    "id": "Security threats",
    "title": "Stuxnet",
    "description": "What Made It Special: Stuxnet was the first known cyber weapon designed to cause physical destruction. It targeted the Iranian nuclear program by infecting uranium enrichment facilities and sabotaging centrifuges."
}
```
- Set up a knowledge base and a knowledge base index in
http://localhost:5601/app/management/kibana/securityAiAssistantManagement?tab=knowledge_base

- Open the security AI assistant and ask "What is the Stuxnet computer
virus?"
- Check the response to see if it contains a citation, click on the
citation, and verify the ESQL editor opens.
* If you don't get a citation, ask "What is the Stuxnet computer virus?
Provide me the citation"

#### Verify Ai4Soc buttons in the Security AI assistant link to the correct pages:
- Start AI4Soc flavor - Create the following file
`config/serverless.security.dev.yml` with this content:
```yml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```
- Start serverless ES
```bash
node scripts/es serverless --projectType security --clean --kill
```
- Start serverless Kibana for security
```bash
node --no-experimental-require-module scripts/kibana --dev --serverless=security --no-base-path
```

- Open the security AI assistant
- Check that clicking on these buttons takes you to the respective pages
(KB settings
`/app/security/configurations/ai_settings?tab=knowledge_base` and AI
settings `/app/security/configurations/ai_settings` ):


### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [X] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-27 09:30:23 -05:00
Charis Kalpakis
8b6b00e94d
Changed failsOnMKI to skipCloud at synthetics API test suite for multispace monitors (#225644)
### Summary 

Changed `failsOnMKI` to `skipCloud` at synthetics API test suite for
multispace monitors.
Same issue on ECH -> https://github.com/elastic/kibana/issues/225431
2025-06-27 16:21:40 +02:00
Charis Kalpakis
c75f67970e
[ska][x-pack] Move canvas, watcher and dev_tools functional tests 2025-06-27 17:20:22 +03:00
Vitalii Dmyterko
fefaea74fa
[Security Solution][Detection Engine] fixes docs version reference in actions test (#225611)
## Summary

We had a few cases of backport tests failing because version in docs
link is hardcoded as `current` but can be previous version.

Examples:
https://github.com/elastic/kibana/pull/225582
https://github.com/elastic/kibana/pull/225584

Failed assertion:

> Error: expected 'This rule\'s API key is unable to access all indices
that match the ["host_alias"] pattern. To learn how to update and manage
API keys, refer to
https://www.elastic.co/guide/en/kibana/9.1/alerting-setup.html#alerting-authorization.\n\nThis
rule is attempting to query data from Elasticsearch indices listed in
the "Index patterns" section of the rule definition, however no index
matching: ["host_alias"] was found. This warning will continue to appear
until a matching index is created or this rule is disabled.' to contain
'This rule\'s API key is unable to access all indices that match the
["host_alias"] pattern. To learn how to update and manage API keys,
refer to
https://www.elastic.co/guide/en/kibana/current/alerting-setup.html#alerting-authorization.'
2025-06-27 16:18:39 +02:00
Anton Dosov
fe9dcf751a
[Workspace Chrome] Bootstrap grid layout for classic nav (#224255)
> [!IMPORTANT]
> **Should be no user-facing changes!!!** The new layout work is behind
a feature flag!

> [!IMPORTANT]  
> This bootstraps new grid layout for chrome using a feature flag. It
only works with classic nav and has a lot of bugs and EUI-related
workarounds, but the overall code structure and approach can be reviewed
and merged to main.


## Summary

Part of [workspace
chrome](https://github.com/elastic/kibana-team/issues/1581) work. In
this PR we lay down the groundwork for new grid layout that will power
Kibana's chrome. This is done by introducing **a feature flag** with
which Kibana can switch between "legacy-fixed" layout and new "grid"
layout.


![Image](https://github.com/user-attachments/assets/8d91ef37-f17e-4cee-980b-23834d81290e)

Proper detailed figma link:
https://www.figma.com/design/10ca4AhnWDkyJklUDXnHg5/Sidebar?node-id=5192-259808&p=f&m=dev


kibana.yml:
```
feature_flags.overrides:
  core.chrome.layoutType: 'grid'
```

For this, in-between `rendering_service` and `chrome_service` a new
`layout_service` was introduced the goal of which is to aggregate stuff
from chrome service and compose it together using the needed layout.
There are two implementations for `layout_service`:
- `LegacyFixedLayout` - old one, just code refactor, should still work
as in main
- `GridLayout` - new one, mostly works, but only for classic nav, for
now, and with a bunch of hacks and bugs that we will resolve over time

The switch is in `rendering_service` based on a feature flag: 

```tsx
// Pick the layout implementation based on the feature flag
const layout: LayoutService =
  layoutType === 'grid'
    ? new GridLayout(renderCoreDeps)
    : new LegacyFixedLayout(renderCoreDeps);

const Layout = layout.getComponent();

ReactDOM.render(
  <KibanaRootContextProvider {...startServices} globalStyles={true}>
    <Layout />
  </KibanaRootContextProvider>,
  targetDomElement
);
```

To see the grid and new layout in action there is a helpful `debug` flag
that displays not yet used elements of new layout:

kibana.yml:
```
feature_flags.overrides:
  core.chrome.layoutType: 'grid'
  core.chrome.layoutDebug: true
```


https://github.com/user-attachments/assets/9e4ad1d9-ed23-41ab-b029-254f7511136d




### Other clean ups 

- Migrate `.chrHeaderBadge__wrapper`, `.chrHeaderHelpMenu__version`,
`breadcrumbsWithExtensionContainer` to emotion to simplify global css of
chrome
- remove `getIsNavDrawerLocked` and related css since not used 
- Small unzyme 

### TODO

- [x] fix solution nav in management 
- [x] make sure solution nav works with header 
- [x] fix dashboard full screen mode
- [x] check discover eui grid full screen
- [x] check chromeless mode
- [x] Follow up on EUI related hacks
https://github.com/elastic/eui/issues/8820
- [ ] Misaligned console in search solution 
- [ ] Misaligned secondary nav in security solutions
- [ ] double scroll in discover push flyout


## How to review 

1. Most importantly, we need to ensure that nothing is broken in the old
layout during the refactor. - Functional tests + visual/manual testing
2. Then for the new layout: 

kibana.yml:
```
feature_flags.overrides:
  core.chrome.layoutType: 'grid'
  core.chrome.layoutDebug: true
```

- Check that it mostly works (some specific edge cases and bugs are
fine)
- Code-review:  focus on the layout implementation split approach
2025-06-27 16:08:47 +02:00
Ying Mao
f43138c059
[Response Ops][Reporting][Task Manager] Allow setting dtstart in rrule schedule - schema changes only for intermediate release (#224979)
## Summary

This PR contains the schema changes needed to support using `dtstart` in
task manager rrule schedules. This is meant for intermediate release and
then the changes will be used in this PR:
https://github.com/elastic/kibana/pull/224948

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-06-27 10:05:28 -04:00
Zachary Parikh
3ef270c167
[OneChat] Simple Chat UI (#222816)
## Summary


https://github.com/user-attachments/assets/47cf7b8e-fb43-43c8-b6b4-e7a379660d80


---------

Co-authored-by: Jedr Blaszyk <jedr.blaszyk@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-27 09:30:15 -04:00
Peter Pisljar
180f90a65c
freeze response (#222160) 2025-06-27 15:00:07 +02:00
Dzmitry Lemechko
10cc7b3c62
[ska] relocate 'shared/lib/security' helpers to 'osquery/cypress' dir (#225438)
## Summary

This PR removes `kbn/test-suites-serverless` as kbn reference for
osquery/cypress test-helper module in order to fix circular dependency I
faced in https://github.com/elastic/kibana/pull/225377

Since the main consumer of that `shared/lib/security` code is
`osquery/cypress` test module, I believe it is a reasonable change in
order to unblock us relocating tests from `x-pack/test` dir.
2025-06-27 14:50:52 +02:00
Abhishek Bhatia
a88d7f02bd
[SecuritySolution][EA][PrivMon]Changes to replace hard coded css values to use euiTheme instead (#225307)
## Summary

Change to use EuiTheme instead of hardcoded css values

## Screenshot after the change:


![image](https://github.com/user-attachments/assets/e21421dc-1a84-4134-9221-69a280ca9a07)



2025-06-27 18:05:23 +05:30
Ying Mao
ac8b1c5b5f
Fixes Failing test: X-Pack Alerting API Integration Tests.x-pack/platform/test/alerting_api_integration/security_and_spaces/group2/tests/actions/execute·ts - alerting api integration security and spaces enabled - Group 2 Connectors execute no_kibana_privileges at space1 should log api key information from execute request (#225555)
Resolves https://github.com/elastic/kibana/issues/224987

## Summary

This test was failing the ES snapshot promotion pipeline. See in the
logs:

```
[00:04:15]             │ proc [kbn-ui] [2025-06-26T17:44:06.841+00:00][WARN ][plugins.eventLog] invalid event logged: [kibana.user_api_key.managed_by]: definition for this key is missing; {"@timestamp":"2025-06-26T17:44:06.840Z","event":{"provider":"actions","action":"execute","kind":"action","start":"2025-06-26T17:44:06.762Z","end":"2025-06-26T17:44:06.840Z","duration":"78000000","outcome":"success"},"kibana":{"saved_objects":[{"rel":"primary","type":"action","id":"c4a64b3b-e5f5-4ffc-a58c-98584b6b5e59","type_id":"test.index-record","namespace":"space1"}],"space_ids":["space1"],"action":{"name":"My Connector","id":"c4a64b3b-e5f5-4ffc-a58c-98584b6b5e59","type_id":"test.index-record","execution":{"uuid":"ecbbf89f-729a-416c-a711-05b0a1e27de6","source":"http_request","usage":{"request_body_bytes":0}}},"user_api_key":{"managed_by":"elasticsearch","name":"test user managed key","id":"r1RWrZcB4HDiQQlB8SOM"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"9.1.0"},"user":{"name":"elastic"},"message":"action executed: test.index-record:c4a64b3b-e5f5-4ffc-a58c-98584b6b5e59: My Connector","ecs":{"version":"1.8.0"}}) {"service":{"node":{"roles":["ui"]}}}
```

So it looks like the `api_key` information now returns a `managed_by`
field which we were copying over to the event log but was not accepted
by the event log schema. Updated the code to only copy over the `name`
and `id` field to address this. Can open a followup issue to see if we
want to copy over the `managed_by` field.
2025-06-27 08:17:58 -04:00
Mykola Harmash
f8e4ccb03b
[Obs Onboarding] Add E2E Ensemble test for Firehose flow (#223560)
Closes https://github.com/elastic/kibana/issues/208328

This change adds Playwright test for Ensemble e2e testing CI.

[🔒 Corresponding PR in Ensemble
repo](https://github.com/elastic/ensemble/pull/580)
[🔒 Successful CI
run](1561308352)

# How to test

1. Run Kibana locally
2. Adjust
`x-pack/solutions/observability/plugins/observability_onboarding/e2e/playwright/.env`
file if needed (see README in the same folder for more details)
3. Run the test:
```bash
npx playwright test -c ./x-pack/solutions/observability/plugins/observability_onboarding/e2e/playwright/playwright.config.ts --reporter list --headed x-pack/solutions/observability/plugins/observability_onboarding/e2e/playwright/stateful/firehose.spec.ts
```
4. The test will open the Firehose onboarding page and stop after
copying the CLI command snippet. When running on the CI, Ensemble would
take over by running the snippet on the CI instance. The Playwright test
at this point is just waiting for data to start coming in, to imitate
that without actually creating infrastructure on a real AWS account, you
can ingest a dummy document manually, for example:
```
# Adjust the @timestamp before executing
POST logs-aws.apigateway_logs-default/_doc
{
  "@timestamp": "2025-06-13T13:32:01.000Z",
  "some": 111,
  "aws.kinesis.name": "Elastic-Cloudwatch"
}
```
5. After doing that, you should see Kibana UI update with detected data
and the Playwright should continue and finish successfully.
2025-06-27 14:16:35 +02:00
Kibana Machine
3da35797cd skip failing test suite (#225181) 2025-06-27 05:54:29 -06:00
Ash
1c316c1386
[SecuritySolution][Endpoint][ResponseActions] Enable response actions telemetry (#225233)
## Summary

Enables feature flag to collect response actions telemetry

---------

Co-authored-by: Paul Tavares <paul.tavares@elastic.co>
2025-06-27 11:56:10 +02:00
Eleonora
b3573364cf
Add docs for chat/complete public API (#224235)
## 26/06 Edits

Following discussion with the team, made the following changes:
* Modified curl and request and response examples with more appropriate
examples

## 20/06 Edits

Following discussion with the team, made the following changes:
* Removed `query` parameter from the API, and therefore removed it from
docs
* Made API return OpenAI format by default
* Removed `unredactions` property from public API schema and removed it
from docs

## Summary

Closes https://github.com/elastic/obs-ai-assistant-team/issues/193

Add docs for chat/complete public API.

## Steps to view documentation
1. checkout branch
2. Install bump-cli if you don't already have it:
https://docs.bump.sh/help/continuous-integration/cli/
3. Go to kibana/oas_docs folder
4. Run `bump preview output/kibana.yaml` or `bump preview
output/kibana.serverless.yaml`
5. Go to the url given by the command (it takes a while to load). On the
side bar, click on Observability AI Assistant menu item and there you
can see the docs :)

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

![Screenshot 2025-06-26 at 16 10
38](https://github.com/user-attachments/assets/ba9ad9db-512e-443e-8e7f-e8b538183b98)
![Screenshot 2025-06-26 at 16 11
07](https://github.com/user-attachments/assets/445dfd7e-ab21-4066-b3b3-7ea9da60563b)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-27 10:55:43 +01:00
Shahzad
f7253bc0d1
[Logs Essential] Disable exploratory view !! (#225445)
## Summary

Disable exploratory view !!

Fixes https://github.com/elastic/observability-dev/issues/4638 !!

### Testing 
http://localhost:5601/app/exploratory-view

2025-06-27 10:15:18 +02:00
Kuba Soboń
ef883eb07c
[Security Solution][Entity Store][Test] Make Entity Store initialization more resilient (#223528)
## Summary

Add retries and error-check logic to Entity Store set-up. Also clean up
running Enrichment Policies, which have been preventing proper tear down
in the past.

- Closes https://github.com/elastic/kibana/issues/222090
- Closes https://github.com/elastic/kibana/issues/223166
- Closes https://github.com/elastic/kibana/issues/224196

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-27 09:56:35 +02:00
Rickyanto Ang
170670cfa1
[Asset Inventory] Cypress for Filters (#225238)
## Summary

Added Cypress to cover filter functionality in Asset Inv page
2025-06-26 22:44:24 -07:00
seanrathier
35b2a22f02
[Cloud Security] [Bug] Namespace filtering Findings from CSPM dashboard links (#225161) 2025-06-26 21:20:15 -07:00
Tiago Costa
b37d3bb26e
chore(NA): bump version to 9.2.0 (#225519)
Usually bump from 9.1.0 to 9.2.0
2025-06-27 03:12:11 +01:00
Steph Milovic
41ccdf0bec
[Security Assistant] Removes Default Quick Prompts (#225536) 2025-06-26 16:17:16 -06:00
Steph Milovic
4543f3e25d
[OpenAI Connector] Get http info from config url, not proxyUrl (#225541) 2025-06-26 16:16:32 -06:00
Kibana Machine
5cb7f2ddf4 skip failing test suite (#225196) 2025-06-26 16:11:07 -06:00
Bailey Cash
1c76710f67
add a11y label to monitor script uploader (#225518)
## Summary

Closes #212467

![Screenshot 2025-06-26 at 12 38
17 PM](https://github.com/user-attachments/assets/60b3805b-ce58-48d9-97fe-b946c3a14684)

![Screenshot 2025-06-26 at 12 37
53 PM](https://github.com/user-attachments/assets/cad36c1f-6a77-41eb-a5bd-52c74181c246)
2025-06-26 21:19:41 +01:00
Justin Kambic
21fcf54178
[EBT] Add Meta description for EBT metrics on management pages (#225095)
## Summary

Resolves https://github.com/elastic/observability-dev/issues/4556.

This PR will amend the existing EBT `onPageReady` tracking for TTFCP
with some descriptions to help consumers of the telemetry data
understand the context around what we are tracking for this timing data.

Also exports the `Meta` type for re-use in a Synthetics-specific
implementation that needs to accept this parameter.
2025-06-26 15:59:48 -04:00
Ievgen Sorokopud
d38801034a
[Attack Discovery][Scheduling] Cases support followup 1 (#225452)
## Summary

These changes address the review comment from my previous PR
36ed6b38c1 (r2150081638)

Initially I broke up rendered component into multiple memoized
sub-sections. Reverting that back and adding test coverage for the new
functionality - Case actions UI for the Attack Discovery rule type:
* Hidden `group by` component
* Hidden `time window` component
* Hidden `reopen case` component
* Disabled `template selector` component
* Tooltip explaining why we disabled the `template selector` component
2025-06-26 21:31:35 +02:00
Tiago Costa
4de6f7ca2c
skip failing es promotion (#224987) 2025-06-26 20:14:29 +01:00
Tiago Costa
70fec45522
skip flaky suite (#225446) 2025-06-26 20:12:59 +01:00
Mason Herron
bb547ad2eb
[Fleet] Disable reinstall button on custom integrations (#225359)
## Summary

Closes #220604 

- Added additional prop check to disable reinstall button when an
integration is a custom integration

### Identify risks
N/A

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-06-26 12:53:15 -06:00
Sebastián Zaffarano
5b4a65b98c
[Security Solution][Telemetry] Review logging (#225077)
## Summary

This PR reduces logging in the security solution plugin’s telemetry code
for production environments by reviewing existing logs and adjusting
their log levels.

- Deprecated a logging helper method and moved to standard
`logger.[debug|info|warn|error]` calls.
- Reviewed all the logging sentences to adjust the log level, remove the
non-useful ones, and improve messages.

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Alejandro Fernández Haro <afharo@gmail.com>
2025-06-26 19:34:49 +01:00
Mason Herron
547c198c3d
[Fleet] Fix string escaping (#225516)
## Summary

Closes https://github.com/elastic/kibana-team/issues/1767

Fixes a string escaping flaw in the regex, switched to using the built-in
function that safely escapes special characters


### Identify risks

N/A
2025-06-26 19:11:56 +01:00
Agustina Nahir Ruidiaz
f47f83b6c2
[Security Solution]: on ESC key close the timeline flyout instead of the timeline modal (#224352)
## Summary

Fixes: https://github.com/elastic/kibana/issues/190761

I've added a `handleKeyDown` to capture the `ESC` key press behavior.

1. First `ESC` finds any .euiFlyout and closes it with `closeFlyout()`
from `useExpandableFlyoutApi()`, then stops.

2. Next `ESC` (when no flyout) clicks `openToggleRef.current`, toggling
the timeline modal closed.


https://github.com/user-attachments/assets/0e42f9e9-2694-429d-8a5a-df86aa671809

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-06-26 18:39:38 +01:00
Irene Blanco
9e88cd97cf
[Discover][ES|QL] Update query for recommended database queries to use db.system.name (#225421)
## Summary

Relates to https://github.com/elastic/kibana/issues/222908.

While working on the recommended queries, I completely missed that
`db.system` has been replaced by `db.system.name` in the
[semconv](https://opentelemetry.io/docs/specs/semconv/non-normative/db-migration/#database-client-span-attributes).

The OTel demo is still using `db.system` for now, and since I was using
it to test, I didn't catch the change.
2025-06-26 13:07:13 -04:00
Dzmitry Lemechko
868a4657ee
[ska] relocate api_integration_basic & defend_workflows_cypress tests (#225374)
## Summary

Part of https://github.com/elastic/kibana-team/issues/1503

Before:

```
x-pack/test/
     | - api_integration_basic/
     | - defend_workflows_cypress/
```

After: 
```
x-pack/solutions/security/test/
     | - api_integration_basic/
     | - defend_workflows_cypress/
```

---------

Co-authored-by: Cesare de Cal <cesare.decal@elastic.co>
2025-06-26 17:43:58 +01:00
Marco Antonio Ghiani
2de5294819
[useUnsavedChangesPrompt] Don't prompt when history is replaced given its option. (#225471)
## 📓 Summary

Fixes an issue with prompting the user about leaving the page when the
URL changes due to data source changes.



https://github.com/user-attachments/assets/88e36769-96a4-4499-87f0-1e6db4502725
2025-06-26 17:28:26 +01:00
Pierre Gayvallet
48e4ede08a
[onechat] Add researcher agent mode (#224801)
## Summary

Follow-up of https://github.com/elastic/kibana/pull/223367
Fix https://github.com/elastic/search-team/issues/10259

This PR introduces the concept of agent **mode**, and exposes the "deep
research" agent as a mode instead of a tool.

## Examples

### Calling the Q/A (default) mode

```curl
POST kbn:/internal/onechat/chat
{
  "nextMessage": "Find all info related to our work from home policy"
}
```

### Calling the researcher mode

```curl
POST kbn:/internal/onechat/chat
{
  "mode": "researcher",
  "nextMessage": "Find all info related to our work from home policy"
}
```

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-26 17:04:31 +01:00
Sergi Massaneda
7683dd9125
[Security Solution] Disable MKI test for automatic migrations (#225426)
## Summary

There's an issue where the `esArchiverLoad` migrates SO if any index
starting with `.kibana` is affected.

```
CypressError: `cy.task('esArchiverLoad')` failed with the following error:

> security_exception
	Root causes:
		security_exception: action [indices:admin/settings/update] is unauthorized for user [testing-internal] with effective roles [superuser] on restricted indices [.kibana_security_solution_1,.kibana_alerting_cases_1,.kibana_task_manager_1,.kibana_usage_counters_1,.kibana_1,.kibana_ingest_1,.kibana_analytics_1], this action is granted by the index privileges [manage,all]

```

This PR disables the test for MKI so it doesn't interfere with the
release; we'll work on a fix in a separate PR.

Example MKI execution

https://buildkite.com/elastic/kibana-serverless-security-solution-quality-gate-investigations/builds/2889

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-06-26 17:03:15 +01:00
Bailey Cash
e1868b3c97
[Bugfix / Incident Management] Set proximal filter to true only when indicated (#225461)
Resolves #225460

Addresses an issue where the related alerts by timestamp filter is
applied without user request


https://github.com/user-attachments/assets/b911295e-0748-4a8d-a365-f2af06855d72
2025-06-26 16:28:59 +01:00
Dario Gieselaar
7d20301289
Load huggingface content datasets (#224543)
Implements a huggingface dataset loader for RAG evals - see
[x-pack/platform/packages/shared/kbn-ai-tools-cli/src/hf_dataset_loader/README.md](https://github.com/dgieselaar/kibana/blob/hf-dataset-loader/x-pack/platform/packages/shared/kbn-ai-tools-cli/src/hf_dataset_loader/README.md).
Additionally, a `@kbn/cache-cli` tool was added that allows tooling
authors to cache to disk (possibly remote storage later).

Used o3 for finding datasets on HuggingFace and doing an initial pass on
a line-by-line dataset processor ([see
conversation](https://chatgpt.com/share/6853e49a-e870-8000-9c65-f7a5a3a72af0))

Libraries added:

- `cache-manager`, `cache-manager-fs-hash`, `keyv`,
`@types/cache-manager-fs-hash`: caching libraries and plugins. could not
find any existing caching libraries in the repo.
- `@huggingface/hub`: api client for HF.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-06-26 17:24:45 +02:00
Paulina Shakirova
b0704474f0
[a11y][ml] fix screen reader not reading tooltip p-value (#224666)
## Summary
This PR fixes [[ML] Change point detection: p-value tooltip is not
announced because lack of
focus](https://github.com/elastic/kibana/issues/216545) issue.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-26 17:16:10 +02:00
Julia Bardi
6cea1b0b6a
[Fleet] fix UI error when no tags filter is selected (#225413)
## Summary

Closes https://github.com/elastic/kibana/issues/224055

To verify:
- filter on `No Tags` or `not tags:*` in Agent list
- add tag to an agent
- expect that the agent disappears from view and there is no UI error



https://github.com/user-attachments/assets/77982bc9-13a8-4141-b0a0-e9198706691f
2025-06-26 16:58:15 +02:00
Stratoula Kalafateli
731ab84487
[Lens][ES|QL] Do not rerun the hook in case of an error in the query (#225067)
## Summary

While testing the ES|QL charts I realized that in case of an error in
the query, the hook goes into a loop and causes performance issues.

As the error is being reported we do not need to re-run the query to get
the results

For example if you create a control wrongly.

e.g.

1. Create a chart and add a control which will create an error:

<img width="508" alt="image"
src="https://github.com/user-attachments/assets/f2013d2c-e161-47bf-a3cb-d5033be9de59"
/>

2. Add to the control no-date fields. e.g. clientip
3. Check the editor is not going into a rendering loop

<img width="482" alt="image"
src="https://github.com/user-attachments/assets/cc541b68-b317-41ae-b4a6-87569466edd6"
/>


### Release notes
Fixes a performance issue in the Lens ES|QL charts in case of errors in
the query.

### Checklist

- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
2025-06-26 15:56:50 +01:00
Mason Herron
2aaf27bb69
[Fleet] Fix CSV download when no fields are chosen (#225368)
## Summary

Closes #218097 

- Added check to stop download button from being active when no fields
are selected as it doesn't make sense to download a CSV with zero fields.


![image](https://github.com/user-attachments/assets/0c69bade-a464-49a4-8276-1845e0f887e9)

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

N/A

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-06-26 08:48:46 -06:00
Kenneth Kreindler
dc24f2068b
[Security Solution] [AI assistant ] Fix error where llm.bindTools is not a function. (#225268)
## Summary

Summarize your PR. If it involves visual changes, include a screenshot
or gif.

This PR fixes a bug where the error message "llm.bindTools is not a
function" would appear in the Security AI assistant.

![Screenshot 2025-06-25 at 11 05 25 AM](https://github.com/user-attachments/assets/3e24b857-667c-4be7-b0ac-236d48decd4f)

Changes:
- Make AssistantTool.getTool return a promise. This means tools can be
created asynchronously. This eliminates the error, as the error stems
from the promise `createLlmInstance()`
([ref](https://github.com/elastic/kibana/pull/225268/files#diff-69e7fc6c29ce0673d7d33c0472a012ad310fa571487a6b594d2e1378b3e5f246R286))
not being awaited.
- Improve type definition for tools so that we avoid bugs when the
AssistantTool type changes e.g.
https://github.com/elastic/kibana/pull/225268/files#diff-b603523fee68a791bd3af770b780fc654eb7866c8d2a73192d29fa935c80e541R17

### How to test:
- Enable AdvancedEsqlGeneration feature flag:
```yml
# kibana.dev.yml
xpack.securitySolution.enableExperimental: ['advancedEsqlGeneration']
```
- Start Kibana
- Open the Security AI assistant
- Ask a question
- Expect to see a response from the LLM.

### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-26 15:22:01 +01:00
Ievgen Sorokopud
4937b3a849
[Attack Discovery][Scheduling] Actions: Return formatted markdown fields in the context (#225330)
## Summary

Main ticket ([Internal
link](https://github.com/elastic/security-team/issues/10142))

With these changes we make sure that we return attack discovery fields
reformatted to a nice markdown text. We already format discovery details
when we create a new Case and add markdown comment to it.

### To Test

1. Create attack discovery schedule
2. Add an action to the schedule (email, slack etc.)
3. Select `For each alert > Per rule run` action frequency
4. Update subject, body or other fields of the connector to include
discovery details through the context variables
5. Wait until the action is triggered and check the received message

### Example of the email connector fields

**Subject**:
```
{{context.attack.title}}
```

**Message**: 
```
{{{context.attack.detailsMarkdown}}}

{{{context.attack.detailsUrl}}}
```

<img width="665" alt="Screenshot 2025-06-25 at 18 05 30"
src="https://github.com/user-attachments/assets/71b2e02b-0437-4486-a584-108bec4d477f"
/>

which will result in an email similar to this one

<img width="1125" alt="Screenshot 2025-06-25 at 17 54 32"
src="https://github.com/user-attachments/assets/fefe60f0-e560-4288-9ec8-d1d444feb950"
/>

## NOTES

The feature is hidden behind the feature flag (in `kibana.dev.yml`):

```
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
2025-06-26 16:18:36 +02:00
Robert Oskamp
169e7b32a4
Skip failing synthetics multispace monitor test suite for MKI (#225434)
## Summary

This PR skips the failing synthetics multispace monitors API test suite
for MKI runs.

For failure details see #225431
2025-06-26 16:14:50 +02:00
Davis Plumlee
f44a7655d9
[Security Solution] Test plan for reverting customized prebuilt rules to their base version (#219628)
## Summary

Test plan for: https://github.com/elastic/kibana/issues/215506 and https://github.com/elastic/kibana/issues/207172

Adds test cases to cover when writing implementation for the reverting customized prebuilt rules to their base version enhancement
2025-06-26 14:04:47 +00:00
Sergi Romeu
76642fbf16
[ObsUX][Infra][APM] Hide Settings from serverless navigation (#225436)
## Summary

Closes [#222240](https://github.com/elastic/kibana/issues/222240)

This PR adds the prop `sideNavStatus: 'hidden'` to the settings links to
prevent them from appearing in the nav bar, but keeping them in the
breadcrumbs.
It also fixes the `Application` breadcrumb not being clickable.

## Screenshots

| Description | Before | After |
|--------|--------|--------|
| Classic Infra | ![image](https://github.com/user-attachments/assets/3b179b0b-cdca-4bc1-a4be-beffe689dbd1) | ![image](https://github.com/user-attachments/assets/79a3cf5d-e7af-42eb-aa22-361f6f3f7527) |
| Classic APM | ![image](https://github.com/user-attachments/assets/4944000a-e583-47c9-8647-7152b9eab60d) | ![image](https://github.com/user-attachments/assets/ab88c54c-8d5c-47fc-b46f-efc197da6673) |
| Serverless Infra | ![image](https://github.com/user-attachments/assets/eece25d8-be06-457a-a4c8-940ce5f02790) | ![image](https://github.com/user-attachments/assets/ca2b0d57-f0b3-4517-807e-a91e42e507bb) |
| Serverless APM | ![image](https://github.com/user-attachments/assets/228bedba-7687-42cd-b47a-557bfbfda210) | ![image](https://github.com/user-attachments/assets/7c7f551f-3d6a-4dcf-8ac3-167f0db0d05e) |
2025-06-26 14:40:05 +01:00
Dzmitry Lemechko
2e2576fbf5
[ska][x-pack] relocate reporting tests (#225333)
## Summary

Part of https://github.com/elastic/kibana-team/issues/1503

This PR is mostly about moving tests from x-pack/test/

Before:

```
x-pack/test/
     | - reporting_api_integration/
     | - reporting_functional/

```

After: 
```
x-pack/platform/test/
     | - reporting_api_integration/
     | - reporting_functional/
```

A few page objects, required by functional tests, were relocated as well

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-06-26 08:35:10 -05:00