Fixes #218255 and #213784
## Summary
This PR fixes a flaky test in Console responsible for opening
documentation with a keyboard shortcut by checking if the opened tab
contains `www.elastic.co/docs`.
## Summary
In [this PR](https://github.com/elastic/kibana/pull/222827) we added
support of Cases action for Attack Discovery Schedules.
Now we would like to increase the "max opened cases" limit, which
currently defaults to `5` and can be set to a maximum of `10`. With attack
discoveries, more generated alerts are highly expected, and thus
we would like to bump the max number of opened cases to `20`.
## NOTES
The attack discovery scheduling and alerts history features are hidden
behind these feature flags (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| docker.elastic.co/wolfi/chainguard-base-fips | digest | `d55453a` -> `7f2cebd` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Jon <jon@elastic.co>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| docker.elastic.co/wolfi/chainguard-base | digest | `fdfd7f3` -> `a02075b` |
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Jon <jon@elastic.co>
Adds a `fromExternalVariant` helper function that unpacks external
variants (which are commonly used in Elasticsearch APIs) into a fully `{
type, value }` object.
## Notes
I used o3 to write the tests, including unit tests and type tests.
## Summary
- Fix the creation of Event Filters, Blocklists, Endpoint Exceptions and
Host Isolation Exceptions so that an error is returned when the space
awareness feature is enabled and the user does not have the Global
Artifact Management privilege.
> [!NOTE]
> Trusted Applications were already correctly validating this during
> creation of an artifact
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
This change removes the `playwright-chromium` package from Kibana
dependencies.
* The package isn't used anywhere in the codebase
* The package conflicts with `@playwright/test` by installing the same
`playwright` executable which then misses a bunch of features, including
the `test` command
## Summary
With the new Claude 3.7 Elastic Managed LLM we're seeing an unhandled
error in Kibana playground. We can reproduce it by:
1. Indexing few but very large documents in Elasticsearch (10 docs, each
7mb)
2. Setting the docs to send setting as 10
3. Setting context to always query the index (I think there is some
function calling, not sure what happens under the hood but this worked
as I wanted to consistently).

Thread:
https://elastic.slack.com/archives/C08DT72KR6J/p1750686748616369?thread_ts=1750685837.561949&cid=C08DT72KR6J
We're not 100% sure this fixes the issue but we do know the model should be added.
### Checklist
Check the PR satisfies following conditions.
- [ ] Cannot reproduce the issue after the model entry is used on QA
environment
Reviewers should verify this PR satisfies this list as well.
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
No known risks
Fixes https://github.com/elastic/kibana/issues/224191
## Summary
Bugfix - Replace call to registry when deleting kibana assets for
packages of type "custom" and "bundled". Also replaced the call to
`fetchInfo.registry` on another code path to avoid errors in the same
situation -
- These calls are replaced with `getPackageInfo`, that has some internal
functionalities to decide when the packageInfo should be fetched from
the cache, ES or the registry.
- Added additional logging to the delete assets functions
### Testing
- Install a custom integration that has some assets (a dashboard for
instance)
- Uninstall it and check that the asset is correctly removed and there
are no errors:
<img width="1453" alt="Screenshot 2025-06-25 at 11 02 39"
src="https://github.com/user-attachments/assets/32fb07f3-2628-4e30-be92-16610043b3ae"
/>
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This adds and enables the case id incrementer service ([design
doc](https://docs.google.com/document/d/1DZKTPl7UryYjpjVMNhIYbE82OADVOg93-d02f0ZQtUI/edit?tab=t.0#heading=h.6qjc4qynaeuo)).
In order not to stress bulk creation of cases, we're processing
incremental ids asynchronously, meaning they will not immediately appear
in the UI.
The feature is currently disabled by default to allow for testing in
additional environments after merging but can be enabled by setting
`xpack.cases.incrementalIdService.enabled=true` in `kibana(.dev).yml`.
Once the flag is enabled, actually rendering the IDs in the UI is
disabled by default (for now) and has to be enabled in the advanced
settings (`cases:incrementalIdDisplay:enabled`).
Cases can be found by their incremental ID by searching for
`#{incremental_case_id}` in the cases table.
### Screenshots
**Incremental ID in the case detail page**
<img width="1506" alt="Screenshot 2025-06-05 at 15 46 42"
src="https://github.com/user-attachments/assets/f51ae0cd-a2e8-48f7-a6db-05f9f1285e95"
/>
**Incremental ID in the cases table**
<img width="1240" alt="Screenshot 2025-06-05 at 20 32 32"
src="https://github.com/user-attachments/assets/619b3f12-1986-4bc7-b9e8-f7556d0c546c"
/>
**Searching for case by its incremental ID**
<img width="1239" alt="Screenshot 2025-06-05 at 20 33 36"
src="https://github.com/user-attachments/assets/771df512-7436-4aa0-88f9-ac3e1e161455"
/>
### Testing notes
<details>
<summary>Validation script</summary>
Use this script to investigate if there are duplicates or gaps:
```js
import * as fs from 'fs';

// Query to get all cases from all namespaces sorted by incremental_id
// GET .kibana_alerting_cases/_search?_source_excludes=*
// {
//   "query": {
//     "exists": {
//       "field": "cases.incremental_id"
//     }
//   },
//   "fields": [
//     "cases.incremental_id",
//     "cases.title",
//     "namespaces"
//   ],
//   "from": 0,
//   "size": 10000,
//   "sort": [
//     {
//       "cases.incremental_id": {
//         "order": "asc"
//       }
//     }
//   ]
// }
// Put those results into `test.json` in the same directory
// You might need to add `"search_after": [40007]` in case you want to look at more than 10k cases.
// In that case, replace `[40007]` with whatever value the last item has in `"sort": [2102]`

// Concatenate hits if needed (10k per file)
const cases = [
  JSON.parse(fs.readFileSync('./test.json')),
  // JSON.parse(fs.readFileSync('./test1.json')),
  // JSON.parse(fs.readFileSync('./test2.json')),
  // JSON.parse(fs.readFileSync('./test3.json')),
  // JSON.parse(fs.readFileSync('./test4.json')),
].reduce((allHits, currResult) => {
  return allHits.concat(currResult.hits.hits);
}, []);

console.log(`Total amount of cases: ${cases.length}`);

// Groups cases but
const casesByNamespace = cases.reduce((acc, theCase) => {
  const id = theCase._id;
  const space = theCase.fields.namespaces[0];
  const incrementalId = theCase.fields['cases.incremental_id'][0];
  const title = theCase.fields['cases.title'][0];
  const toStore = { id, incrementalId, title };
  if (!acc[space]) {
    acc[space] = new Map();
  }

  // check for duplicates
  const spaceMap = acc[space];
  if (!spaceMap.has(incrementalId)) {
    acc[space].set(incrementalId, toStore);
  } else {
    const storedCase = spaceMap.get(incrementalId);
    console.error(`
      ${storedCase.title} and ${toStore.title} have the same incremental id (${incrementalId})
    `);
  }
  return acc;
}, {});

// find gaps in spaces
Object.keys(casesByNamespace).forEach((space) => {
  const spaceHits = casesByNamespace[space];
  const gaps = [];
  spaceHits.forEach(({ incrementalId }, _, map) => {
    const idBefore = incrementalId - 1;
    if (incrementalId > 1 && !map.has(idBefore)) {
      gaps.push(idBefore);
    }
  });

  console.log(`space:${space} has ${spaceHits.size} cases and ${gaps.length} skipped ids`);
  gaps.forEach((gap) => console.log(`id #${gap} is not assigned`));
});
```
</details>
- Enable the logger in your `kibana.dev.yml` (optional but helpful)
```
logging.loggers:
  - name: plugins.cases.incremental_id_task
    level: debug
```
- Change some of the timings in
`x-pack/platform/plugins/shared/cases/server/tasks/incremental_id/incremental_id_task_manager.ts`
  - Set `timeout: '1m'`
  - Set `CASES_INCREMENTAL_ID_SYNC_INTERVAL_DEFAULT_MINUTES = 1`
  - Remove
    ```
    runAt: new Date(
      new Date().getTime() +
        CASES_INCREMENTAL_ID_SYNC_INTERVAL_DEFAULT_MINUTES * 60 * 1000
    ),
    ```
  - you can also set the timings to something lower in the seconds e.g.
    `10s`
- Generate a bunch of cases with the generator script
`x-pack/platform/plugins/shared/cases/scripts/generate_cases.js`:
  - `node scripts/generate_cases.js -c 1000 -o securitySolution`
- Enable `cases:incrementalIdDisplay:enabled` in advanced settings
- Wait a couple minutes until the incrementer task has run
- Test that the ids show up and that the search works
### Research notes
- We ran a large-scale test with ~350k cases in a cloud env and can
report the following findings:
- The 10min timeout for the incremental id task makes sense. The task
was usually finished after around 8-9min (processing 1000 cases at a
time) which gives it some buffer even.
- While processing the first 50k cases, the service skipped 8 ids and no
duplicates have been assigned. This means it skipped `0.016%` ids which
is great.
- It's unclear when these skips happened though and we investigated the
first 50k cases for duplicate ids, just in case, and found no
duplicates.
- At no point did any of the error logs trigger, meaning the task is
running smoothly.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Michael Olorunnisola <michael.olorunnisola@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Fixes https://github.com/elastic/kibana/issues/223990
## Summary
This PR fixes the forward-compatibility test for index mode, which
failed because the index mode was added to Get Data Streams API in 8.19
and 9.1 (see https://github.com/elastic/elasticsearch/pull/122486), so
if Kibana 8.19 is run with Es 9.0, the index mode is always displayed as
"Standard" because Es doesn't return an index mode field.
In this PR, we separate all index mode-related tests into a separate
file, and only run it for Es versions 8.19 or 9.1+.
This was also fixed for functional tests in
https://github.com/elastic/kibana/pull/223129
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Adds a recommended query for the `CATEGORIZE` function in ES|QL.
Adds keyword highlighting for the patterns and the ability to open a new
Discover tab to filter for docs which match the selected pattern.
https://github.com/user-attachments/assets/9ed8c5b0-7e92-4cc8-88dd-cb7749b5ffd3
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
## Summary
Multi space monitors !!
Fixes https://github.com/elastic/kibana/issues/164294
User will be able to choose in which space monitors will be available !!
<img width="1728" alt="image"
src="https://github.com/user-attachments/assets/f01ac226-ed54-4e96-b6f4-27f0134a9be5"
/>
### Technical
This is being done by registering another saved object type and for
existing monitors it will continue to work as right now but for newly
created monitors user will have ability to specify spaces or choose
multiple spaces or all.
### Testing
1. Create few monitors before this PR in multiple spaces
2. Create multiple monitors in multiple spaces after this PR
3. Make sure filtering, editing and deleting, creating works as expected
on both set of monitors
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Make it easier to debug topological plugin order errors by including the
exact cycle/s causing the issue in the error message:

Previous error message:
```
Error: Topological ordering of plugins did not complete, these plugins have cyclic or missing dependencies:
["discover","esql","canvas","crossClusterReplication","discoverEnhanced","indexLifecycleManagement","logstash","monitoring","observabilityAiAssistantManagement","remoteClusters","reporting","rollup","contentConnectors","dataQuality","datasetQuality","fleet","indexManagement","ml","osquery","streamsApp","apm","exploratoryView","infra","inventory","observability","observabilityAIAssistantApp","observabilityLogsExplorer","observabilityOnboarding","streamsAppWrapper","slo","synthetics","uptime","ux","enterpriseSearch","searchAssistant","searchIndices","searchInferenceEndpoints","searchPlayground","cloudSecurityPosture","elasticAssistant","securitySolution","securitySolutionEss"]
```
New error message tells you exactly where the cycle is:
```
Error: Topological ordering of plugins did not complete due to circular dependencies:
Detected circular dependencies:
discover -> elasticAssistant -> ml -> discover
Plugins with cyclic or missing dependencies: ["discover","esql","canvas","crossClusterReplication","discoverEnhanced","indexLifecycleManagement","logstash","monitoring","observabilityAiAssistantManagement","remoteClusters","reporting","rollup","contentConnectors","dataQuality","datasetQuality","fleet","indexManagement","ml","osquery","streamsApp","apm","exploratoryView","infra","inventory","observability","observabilityAIAssistantApp","observabilityLogsExplorer","observabilityOnboarding","streamsAppWrapper","slo","synthetics","uptime","ux","enterpriseSearch","searchAssistant","searchIndices","searchInferenceEndpoints","searchPlayground","cloudSecurityPosture","elasticAssistant","securitySolution","securitySolutionEss"]
```
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [X] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jean-Louis Leysens <jeanlouis.leysens@elastic.co>
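The cycle reporting described in the PR above, as an added example that is not Kibana's own code: a Kahn-style ordering pass that, when it stalls, runs a depth-first search over the unresolved plugins and names the exact cycle. It assumes edges mean "depends on"; `samplePlugins` is a constructed subset of the plugin names in the error message, `notInstalled` is a hypothetical missing dependency, and the `Missing dependencies:` section of the message is this example's addition.

```javascript
// Added example, not Kibana's implementation. Edges mean "depends on".
// Constructed sample: a subset of the plugin names from the error message.
const samplePlugins = new Map([
  ['discover', ['esql', 'elasticAssistant']],
  ['elasticAssistant', ['ml']],
  ['ml', ['discover']],
  ['canvas', ['discover']], // not in a cycle itself, but blocked by one
  ['reporting', ['notInstalled']], // hypothetical missing dependency
  ['esql', []],
]);

// Kahn-style pass: repeatedly emit plugins whose dependencies are all emitted.
function analyzePlugins(graph) {
  const ordered = [];
  const done = new Set();
  const pending = new Set(graph.keys());
  let progressed = true;
  while (progressed) {
    progressed = false;
    for (const name of pending) {
      if (graph.get(name).every((dep) => done.has(dep))) {
        pending.delete(name);
        done.add(name);
        ordered.push(name);
        progressed = true;
      }
    }
  }
  // Dependencies that no plugin provides are reported separately from cycles.
  const missing = [];
  for (const name of pending) {
    for (const dep of graph.get(name)) {
      if (!graph.has(dep)) missing.push(`${name} -> ${dep}`);
    }
  }
  return { ordered, unresolved: [...pending], missing, cycles: findCycles(graph, pending) };
}

// Depth-first search over the unresolved plugins: an edge back to a plugin
// still on the stack closes a cycle. One cycle is kept per distinct node set.
function findCycles(graph, candidates) {
  const cycles = [];
  const reported = new Set();
  const state = new Map(); // plugin -> 'visiting' | 'done'
  const stack = [];
  const visit = (node) => {
    state.set(node, 'visiting');
    stack.push(node);
    for (const dep of graph.get(node) ?? []) {
      if (!candidates.has(dep)) continue; // already ordered, or missing
      if (state.get(dep) === 'visiting') {
        const cycle = stack.slice(stack.indexOf(dep));
        const key = [...cycle].sort().join(',');
        if (!reported.has(key)) {
          reported.add(key);
          cycles.push([...cycle, dep]);
        }
      } else if (!state.has(dep)) {
        visit(dep);
      }
    }
    stack.pop();
    state.set(node, 'done');
  };
  for (const node of candidates) if (!state.has(node)) visit(node);
  return cycles;
}

// Message layout modelled on the new error message quoted in the PR.
function formatOrderingError({ unresolved, missing, cycles }) {
  const lines = ['Topological ordering of plugins did not complete:'];
  if (cycles.length) {
    lines.push('Detected circular dependencies:', ...cycles.map((c) => c.join(' -> ')));
  }
  if (missing.length) lines.push('Missing dependencies:', ...missing);
  lines.push(`Plugins with cyclic or missing dependencies: ${JSON.stringify(unresolved)}`);
  return lines.join('\n');
}
```

`canvas` and `reporting` appear in the unresolved list without being part of the reported cycle, which is why the bare list in the old message was hard to act on.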
## Summary
Part of https://github.com/elastic/kibana-team/issues/1503
This PR is mostly about moving osquery cypress dir with
security-solution imports
```
x-pack/test/osquery_cypress
```
After:
```
x-pack/solutions/security/test/osquery_cypress
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Silences SASS module usage warnings around the deprecated `@import`
statements.
While the sass/scss owner teams are migrating these usages, the dev
server is clogged up with deprecation warnings. It's probably best to
disable it, because it's annoying to everyone and not necessarily to the
owners.
## [Attack discovery] Optionally update the `kibana.alert.workflow_status` of alerts associated with Attack discoveries
This PR introduces a new UI to optionally update the `kibana.alert.workflow_status` of alerts associated with Attack discoveries, as illustrated by the animated gif below:

Users may (optionally) update all alerts for a single attack discovery, or just update the discovery itself:

When multiple attack discoveries are selected, users may also (optionally) update the status of all their related alerts via the bulk action menu:

### Alert document enhancements
Attack discoveries generated via the Attack discovery page, and scheduled Attack discoveries (generated via the alerting framework), are persisted as alert documents.
To support the new UI, this PR populates Attack discovery alert documents with two additional (existing, but unused by Attack discovery) alert document fields:
1) `kibana.alert.start` - timestamp when Attack discoveries are created
2) `kibana.alert.workflow_status_updated_at` - timestamp when the `kibana.alert.workflow_status` was last updated
This PR introduces three new alert document fields to capture metadata about when alerts are updated. Attack discovery is the first implementation to use these new fields, however any consumer of the alerting framework may utilize them in the future:
1) `kibana.alert.updated_at` - timestamp when the alert was last updated
2) `kibana.alert.updated_by.user.id` - user id of the user that last updated the alert
3) `kibana.alert.updated_by.user.name` - user name of the user that last updated the alert
The three new alert fields above are updated when Attack discovery users update:
- The `kibana.alert.workflow_status` status of Attack discoveries
- The visibility (sharing) status of Attack discoveries (`kibana.alert.attack_discovery.users`)
The three new fields above were added to the [alert_field_map](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts) and [alert_schema](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts).
Using the `default` space as an example, the fields above may be observed in the `.adhoc.alerts-security.attack.discovery.alerts-default` data stream for Attack discoveries generated on the Attack discovery page, and scheduled discoveries for the same space are found in the `.alerts-security.attack.discovery.alerts-default` data stream.
### @timestamp updated when sharing status changes
To ensure newly-shared Attack discoveries are bumped to the top of search results, the `@timestamp` field is updated when the visibility (sharing) status of Attack discoveries (`kibana.alert.attack_discovery.users`) is updated.
(The original time an Attack discovery was generated is represented by the `kibana.alert.start` field, which is not mutated.)
### Visibility menu changes
This PR disables the visibility menu items for shared Attack discoveries, as illustrated by the screenshot below:

The disabled menu has a tooltip that reads:
```
The visibility of shared discoveries cannot be changed
```
Note: The internal Attack discovery bulk API still (intentionally) allows changes to the visibility of shared attack discoveries.
### `kibana.alert.workflow_status` added to default `Alerts` tab columns
The `kibana.alert.workflow_status` field was added to default `Alerts` tab columns, as illustrated by the screenshot below:

### Summary of field updates
The following table describes when fields are updated (via this PR):
| Field | Updated when | Description |
|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
| `kibana.alert.start` | - Attack discoveries are created | timestamp when Attack discoveries are created |
| `kibana.alert.workflow_status_updated_at` | - Workflow status (`kibana.alert.workflow_status`) is updated | timestamp when `kibana.alert.workflow_status` was last updated |
| `kibana.alert.updated_at` | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | timestamp when the alert was last updated |
| `kibana.alert.updated_by.user.id` | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | user id of the user that last updated the alert |
| `kibana.alert.updated_by.user.name` | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | user name of the user that last updated the alert |
| `@timestamp` | - Attack discoveries are created<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | ECS [`@timestamp`](https://www.elastic.co/docs/reference/ecs/ecs-base#field-timestamp) field |
### Feature flags
The _required_ feature flag below is necessary to desk test with Ad hoc attack discoveries. The _recommended_ feature flag below enables testing with scheduled Attack discoveries.
### required: `securitySolution.attackDiscoveryAlertsEnabled`
Enable the required `securitySolution.attackDiscoveryAlertsEnabled` feature flag in `config/kibana.dev.yml`:
```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
```
### recommended: `securitySolution.assistantAttackDiscoverySchedulingEnabled: true`
Also enable the recommended `assistantAttackDiscoverySchedulingEnabled` feature flag in `config/kibana.dev.yml`:
```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```