## Summary
This PR pulls the latest changes from Elasticsearch's ES|QL
documentation and updates the ESQL docs. It also adds new ES|QL docs for:
- KQL
- TO_DATE_NANOS
Test results:
```
Model gpt-4o scored 27.700000000000003 out of 30
-------------------------------------------
-------------------------------------------
Model gpt-4o scores per category
- category: ES|QL commands and functions usage - scored 12 out of 13
- category: ES|QL query generation - scored 12.200000000000003 out of 13
- category: SPL to ESQL - scored 3.5 out of 4
-------------------------------------------
Model gpt-4o scored 25.300000000000004 out of 30
-------------------------------------------
-------------------------------------------
Model gpt-4o scores per category
- category: ES|QL commands and functions usage - scored 10.3 out of 13
- category: ES|QL query generation - scored 11.500000000000002 out of 13
- category: SPL to ESQL - scored 3.5 out of 4
-------------------------------------------
-------------------------------------------
Model gpt-4o scored 26.300000000000004 out of 30
-------------------------------------------
-------------------------------------------
Model gpt-4o scores per category
- category: ES|QL commands and functions usage - scored 10.8 out of 13
- category: ES|QL query generation - scored 11.700000000000003 out of 13
- category: SPL to ESQL - scored 3.8 out of 4
Model gpt-4o scored 27.500000000000004 out of 30
-------------------------------------------
-------------------------------------------
Model gpt-4o scores per category
- category: ES|QL commands and functions usage - scored 12 out of 13
- category: ES|QL query generation - scored 11.700000000000003 out of 13
- category: SPL to ESQL - scored 3.8 out of 4
```
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
# Overview
Adds the initial privileged users table within the Privileged user
monitoring page.
Currently, this table shows:
- The user's risk score
- The user's asset criticality
- The data source that determined the privileged user
- The number of alerts associated with that privileged user in the
specified time range, along with its distribution
<img width="1310" alt="Screenshot 2025-06-24 at 3 41 17 PM"
src="https://github.com/user-attachments/assets/4093892d-896c-4ba9-a585-ad955f5661b7"
/>
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
disables features under Application for serverless-essentials.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
This PR moves the `chart_settings_popover` and `field_selections` to
`~security_solution/public/detections/components/alerts_kpis` since they
are used exclusively by the KPI charts. These were left out in the
original folder reorg effort in
https://github.com/elastic/kibana/pull/189234
### Checklist
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
The `isSampleDataSetInstalled` function had an inefficient code pattern.
It uses `testSubjects.find()`, which has a 10 second default timeout.
When the sample data card doesn't exist, this call waits for 10 seconds
before failing, which slows down the `retry.waitFor` loop (20 second
timeout) in `addSampleDataSet` and tended to cause the entire test to
time out.
Closes https://github.com/elastic/kibana/issues/220053
## Summary
The PR adds code for displaying the visualisations for key insights
panel of Privileged user monitoring dashboard.
It comprises 6 tiles.
1. Active Privileged Users
2. Alerts Triggered
3. Anomalies Detected
4. Granted Rights
5. Account Switches
6. Authentications
All the tiles have been created using the Lens visualisation for ease of
use and also to streamline visualisations across the security solution.
Screenshots:
Privileged User Monitoring Dashboard

Lens visualisation for a tile:

### Adding Data for desk testing:
1. On the `main` branch of "The Data Yeeter"
(https://github.com/elastic/security-documents-generator/), run `yarn
start privileged_access_detection`. This primarily adds data for
anomalies.
2. Then on the same `main` branch, run `yarn start
privileged_user_monitoring`. This will add data for the privileged user
index
3. On the dev console execute the following:
```
POST kbn:/api/entity_analytics/monitoring/engine/init
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "john.smith"}
}
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "stacy_armstrong"}
}
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "john_smith"}
}
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "randy.carlisle"}
}
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "root"}
}
```
### Testing Steps:
1. Enable privilegedUserMonitoring feature flag.
2. Navigate to entity_analytics/privileged_user_monitoring page
3. Click on "Go to Dashboards" on the top left corner.
4. You will be able to see the tiles with name and number.
5. Click on the three dots shown when the cursor hovers over the tile and
click on Inspect to check the query executed; click on More -> Open in
Lens to check that the tile opens up fine in the Lens visualisation link.
6. Check the data view in the Lens visualisation. For anomalies, the
data view should be `.ml-anomalies-*`. For the others it would be either
`.alerts-*` or `logs-*`.
### Not part of this PR:
1. The trendline on the tile did not work as I am yet to figure out a
way, if it exists, to show a trendline with an ES|QL query; it works fine
with KQL queries but similar Lens attributes do not function.
2. Load testing where the local environment does not have much data to
show.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: jaredburgettelastic <jared.burgett@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Resolves https://github.com/elastic/kibana/issues/212091
## Summary
Updates alerting snapshot telemetry to capture data about number of
backfill executions and gap durations from the event log index.
## To Verify
1. Reduce the cadence of the usage collector task
```
--- a/x-pack/platform/plugins/shared/alerting/server/usage/task.ts
+++ b/x-pack/platform/plugins/shared/alerting/server/usage/task.ts
@@ -31,7 +31,7 @@ import { MAINTENANCE_WINDOW_SAVED_OBJECT_TYPE } from '../../common';
export const TELEMETRY_TASK_TYPE = 'alerting_telemetry';
export const TASK_ID = `Alerting-${TELEMETRY_TASK_TYPE}`;
-export const SCHEDULE: IntervalSchedule = { interval: '1d' };
+export const SCHEDULE: IntervalSchedule = { interval: '5m' };
```
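Review bot: the `5m` interval in this hunk is a local verification aid rather than the intended default; the step should say to revert it before committing, and at a 5 minute cadence the telemetry task queries the event log index 288 times more often than at `1d`, so expect extra load on that index while testing.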
2. Enable the gap detection feature flag
```
--- a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts
@@ -191,7 +191,7 @@ export const allowedExperimentalValues = Object.freeze({
/**
* Enables the storing of gaps in the event log
*/
- storeGapsInEventLogEnabled: false,
+ storeGapsInEventLogEnabled: true,
```
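Review bot: flipping `storeGapsInEventLogEnabled` from `false` to `true` in the committed defaults would enable gap storage for every build of this branch, not just the local test; the step should state that this edit is temporary and must not be merged, and the snapshot telemetry should also be verified once with the flag left at `false` to confirm the new collectors tolerate an empty set of gaps and backfills.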
3. Start Kibana and create a detection rule and let it run once.
4. Stop Kibana for a period of time (at least 3 times the rule
interval).
5. Restart Kibana and navigate to
`https://localhost:5601/app/security/rules/id/<ruleId>`. Under the
`Execution Results` tab, you should see a section for `Gaps` and `Manual
runs`. When the rule runs again, you should see an entry under `Gaps`
with an action to `Fill gaps`. Click the action to fill the gaps.
<img width="2250" alt="Screenshot 2025-05-29 at 5 41 24 PM"
src="https://github.com/user-attachments/assets/a08455d0-8c54-4170-831b-3dedf6932fe7"
/>
6. Verify that the next time the usage collection task runs, you should
see data for backfill executions and gaps. You can see this in the Dev
Console using
```
POST kbn:/internal/telemetry/clusters/_stats?apiVersion=2
{ "unencrypted": true, "refreshCache": true }
```
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Fixes https://github.com/elastic/security-team/issues/8934
Summarize your PR. If it involves visual changes include a screenshot or
gif.
This PR enables the Security AI assistant to be used globally - i.e. if
you are outside of the security solution (e.g. Discover), the Security
Assistant can still be opened.
Changes:
- A public module has been added to the elastic-assistant plugin
(previously it was a server-side-only plugin).
- The vast majority of the assistant (flyout and nav bar) has been moved
into the new elastic-assistant public plugin.
- Comment actions & message augmentations remain within the
security-solution.
- A new public plugin was created called elastic-assistant-shared-state.
This plugin is used to share state between the elastic-assistant public
plugin and other plugins (e.g. security-solution).
- For example, the security solution registers comment actions in the
elastic-assistant-shared-state plugin. The elastic-assistant public
plugin then reads the comment actions from
elastic-assistant-shared-state and renders them in the assistant flyout.

### Considerations:
- Currently, the Security AI assistant is being displayed everywhere
except the observability solution (see implementation
[here](https://github.com/elastic/kibana/pull/223936/files#diff-5dd1ea91c2d5d242203cc58ee59ec283116e5e739ed82bae4e2cd78af322150c)).
This is only for testing while the PR is in review. We plan to add a
setting to the stack management that allows the user to configure where
they would like the assistant to be shown. This will be changed before
the PR is merged.
## How to test
Feel free to use the cloud and serverless deployments created by the CI
pipeline for testing. Credentials can be found on Buildkite.
### Verify that the Security AI assistant works as expected within the
security solution
No changes are expected in how the Security AI assistant works
within the Security Solution. Please do some exploratory testing to make
sure nothing has changed.
Start the branch locally and go to http://localhost:5601/app/security/
Things to test:
- Does the assistant open?
- Can I send an alert to the assistant from the alerts page?
- Does the assistant display code blocks correctly?
- Does the assistant display ESQL correctly (can I view the ESQL in the
timeline)?
- Do assistant messages have the correct comment actions? Do the comment
actions work?
- Are conversations displayed correctly?
- Do citations work?
- Does the assistant work in serverless? Does the assistant work as
expected in AI4SOC?
- Do quick prompts work?
- Can you select a system prompt for a new convo?
- Can you send alerts to the Security AI assistant?
- AI assistant in a space that has Security disabled.
- Does attack discovery work?
AI assistant open in Discover app:
<img width="1841" alt="image"
src="https://github.com/user-attachments/assets/0a13a100-d192-4fa4-b395-0951452e14c2"
/>
AI assistant in Security solution:
<img width="1841" alt="image"
src="https://github.com/user-attachments/assets/7ed38f37-79de-41a7-a80f-8b96147bfdf6"
/>
### Verify the Security AI assistant works in Discover (or anywhere
outside of the Security solution)?
Head over to http://localhost:5601/app/discover. Note that some
functionality is removed when using the AI assistant outside of
security:
- Only the "copy" comment action appears on messages.
- Code block augmentations (i.e. the button that opens ESQL inside of
the timeline) don't appear.
Things to test:
- Does the security AI assistant button appear in the nav bar?
- Can you open the security AI assistant?
- Are you able to send messages?
- Are conversations appearing as expected?
- Can you close the assistant?
- Do citations work?
- Can you switch to a different solution while the assistant is open?
Security AI assistant open in AI4SOC Discover:
<img width="1841" alt="image"
src="https://github.com/user-attachments/assets/36537b9b-e945-459e-ac13-43e9444e92b7"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [X] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
With these changes we add Case Action support to Attack Discovery
Schedule rule types.
Attack discovery alerts act differently from SIEM alerts and include a
reference to the list of SIEM alerts that led to the attack, described
within the attack discovery alert document. Thus, we would like to
attach the referenced SIEM alerts instead of the attack alert document
itself to the created Case. Also, as part of the Case creation we would
like to be able to add a comment generated by the LLM that describes the
steps and nuance of the discovery.
## NOTES
The attack discovery scheduling feature is hidden behind the feature
flag (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com>
Fixed some issues found with the privileged access detection heatmap.
- Fixed an issue when multiple joined results per user come back from
privileged access detection anomalies "top users" query.
- Fixed an emotion CSS issue where I imported the wrong module
## Summary
- Implements traversal of `source` node children (string literals), like
`a` and `b` in `FROM a:b`. Before `a` and `b` would not be traversed.
- Implements traversal of `order` nodes, like `field DESC` in `FROM a |
SORT field DESC`. Before the `field DESC` would be skipped.
- Adds tests, which verify that all nodes in the query are traversed by
the `Walker`, see `walker_all_nodes.test.ts`.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
This PR introduces a new Search Home page.
Currently, the homepage experience differs across Classic nav, Solution
nav, and Serverless. Our goal is to unify these into a consistent,
foundational experience that we can iterate on to create a more
personalized and customizable homepage for Elasticsearch users.
The new page includes:
- An option to connect to Elasticsearch
- File upload and sample dataset ingestion
- Entry points to explore Elastic’s AI Search capabilities
- Quick access to Observability and Security solutions
- Links to Search Labs, Python notebooks, and Elasticsearch
documentation
https://github.com/user-attachments/assets/7b1b5330-59b4-43b7-aa5b-000fcd2654e2
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
Co-authored-by: Rodney Norris <rodney@tattdcodemonkey.com>
## Summary
This closes #224982
Asset Inventory relies on the `entity.id` field as a unique identifier
for visualizations, grouping, filtering, and flyout functionality.
Currently, documents missing this field are included in the results,
leading to noise, broken interactions, and misleading asset entries.
This PR implements filtering within the Asset Inventory fetchers and UI
components to ensure that only valid documents with `entity.id` are
processed and displayed.
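The two layers of the `entity.id` filter described above, as an added example that is not Kibana's or Asset Inventory's own code; the query shape and the sample hits are constructed for illustration:

```typescript
// Added example, not Kibana's or Asset Inventory's own code: the two layers of
// the entity.id filter described above. The query shape and document samples
// are constructed for illustration.

interface BoolQuery {
  bool: { filter: unknown[]; must_not?: unknown[] };
}

// Server side: require the field in the Elasticsearch query so documents
// without it are never returned. An indexed empty string still counts as an
// existing value for `exists`, so the client-side guard below is still needed.
function withEntityIdFilter(query: BoolQuery): BoolQuery {
  return {
    bool: {
      ...query.bool,
      filter: [...query.bool.filter, { exists: { field: 'entity.id' } }],
    },
  };
}

// Extracts a usable identifier from either the nested form { entity: { id } }
// or the dotted form { 'entity.id': ... }; a single-element array is unwrapped.
function entityId(doc: Record<string, unknown>): string | undefined {
  let raw: unknown = doc['entity.id'];
  if (raw === undefined && doc.entity && typeof doc.entity === 'object') {
    raw = (doc.entity as Record<string, unknown>).id;
  }
  if (Array.isArray(raw) && raw.length === 1) raw = raw[0];
  return typeof raw === 'string' && raw.trim().length > 0 ? raw : undefined;
}

// UI side: keep only documents that resolve to a non-empty entity.id, so
// grouping, filtering and the flyout always have a key to work with.
function onlyValidAssets<T extends Record<string, unknown>>(docs: T[]): T[] {
  return docs.filter((d) => entityId(d) !== undefined);
}

// Constructed sample hits, including the malformed cases the filter must drop.
const constructedAssetHits: Array<Record<string, unknown>> = [
  { 'entity.id': 'host-01', 'entity.name': 'web-1' },
  { entity: { id: 'user-42', name: 'alice' } },
  { entity: { id: ['svc-7'], name: 'batch' } },
  { entity: { id: '', name: 'no-id' } }, // empty string: `exists` would match it
  { entity: { name: 'missing' } }, // field absent
  { 'entity.id': 12345 }, // wrong type
];

// Ids that survive the client-side guard over the constructed hits.
function validAssetIds(): string[] {
  return onlyValidAssets(constructedAssetHits).map((d) => entityId(d) as string);
}
```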
### Screenshot
**Before**
Unexpected behaviour in the Inventory page due to empty `user.name`
<img width="2162" alt="Image"
src="https://github.com/user-attachments/assets/18131bfc-c05e-4165-ab86-fea03b0a1c49"
/>
**After:**
<img width="1985" alt="image"
src="https://github.com/user-attachments/assets/0a3ca7de-b237-4d97-b62c-6fbd665e8cc5"
/>
Closes https://github.com/elastic/kibana/issues/224084
This improves the knowledge base retrieval by rewriting the user prompt
before querying Elasticsearch. The LLM is asked to rewrite the prompt
taking into account screen description and conversation history. We then
use the LLM-generated prompt as the search query.
Other changes:
- Remove `screenContext` from being used verbatim as ES query. This was
causing noise and leading to bad results
- Take conversation history into account: with query rewriting, the LLM
has access to the entire conversation history. This context will be
embedded into the generated prompt along side screen context
---------
Co-authored-by: Viduni Wickramarachchi <viduni.ushanka@gmail.com>
## Summary
Updates `security-ai-prompts` README to include instructions on how to
update kibana/integrations
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Fixes https://github.com/elastic/kibana/issues/222575
## Summary
Ensures package policy names are unique when moving across spaces. The
check applies to any integration (not only Defend) but it is only applied
when moving a policy from one space to another, not when creating a new
policy.
### Testing
- Ensure to have space awareness enabled
- In `default` space, create an agent policy and add a package policy to
it with name `defend1`
- In a second space `space1`, create an agent policy and add a package
policy to it with same name `defend1`
- Try to update the settings of this agent policy, changing the space to
`default`; you should get an error: `an integration policy with name
"defend" already exists. Please rename it or choose a different name.`
### Checklist
Check the PR satisfies following conditions.
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
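The cross-space uniqueness check described in this PR's summary and testing steps, as an added example that is not Fleet's own code; the in-memory store, the agent policy ids and the exact-match comparison are assumptions:

```typescript
// Added example, not Fleet's own code: the uniqueness check described above,
// applied only when an agent policy (and its package policies) is moved into
// another space. The store, ids and names are constructed for illustration.

interface PackagePolicy {
  id: string;
  name: string;
  policyId: string; // id of the owning agent policy
}

// Package policies per space, standing in for the saved objects lookup.
type PolicyStore = Record<string, PackagePolicy[]>;

// Mirrors the user-facing error quoted in the testing steps above.
function duplicateNameError(policyName: string): Error {
  return new Error(
    `an integration policy with name "${policyName}" already exists. Please rename it or choose a different name.`
  );
}

// Names of the moving agent policy's package policies that already exist in
// the target space. Exact, case-sensitive comparison is assumed here.
function findNameConflictsOnMove(
  store: PolicyStore,
  agentPolicyId: string,
  sourceSpace: string,
  targetSpace: string
): string[] {
  // Not a move (same space): the check does not apply, just as on create.
  if (sourceSpace === targetSpace) return [];
  const moving = (store[sourceSpace] ?? []).filter((p) => p.policyId === agentPolicyId);
  const takenInTarget = new Set(
    (store[targetSpace] ?? [])
      .filter((p) => p.policyId !== agentPolicyId) // ignore the policy's own integrations
      .map((p) => p.name)
  );
  return moving.filter((p) => takenInTarget.has(p.name)).map((p) => p.name);
}

// Performs the move, or throws the error before anything is written.
function moveAgentPolicy(
  store: PolicyStore,
  agentPolicyId: string,
  sourceSpace: string,
  targetSpace: string
): PolicyStore {
  const conflicts = findNameConflictsOnMove(store, agentPolicyId, sourceSpace, targetSpace);
  if (conflicts.length > 0) throw duplicateNameError(conflicts[0]);
  if (sourceSpace === targetSpace) return store;
  const moving = (store[sourceSpace] ?? []).filter((p) => p.policyId === agentPolicyId);
  return {
    ...store,
    [sourceSpace]: (store[sourceSpace] ?? []).filter((p) => p.policyId !== agentPolicyId),
    [targetSpace]: [...(store[targetSpace] ?? []), ...moving],
  };
}

// Constructed scenario matching the testing steps: `defend1` in both spaces.
const constructedStore: PolicyStore = {
  default: [{ id: 'pp-1', name: 'defend1', policyId: 'ap-default' }],
  space1: [
    { id: 'pp-2', name: 'defend1', policyId: 'ap-space1' },
    { id: 'pp-3', name: 'system-1', policyId: 'ap-space1' },
  ],
};
```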
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
# Overview
This pull request enables the Security Entity Analytics Privileged user
monitoring feature. This feature has many accompanying PRs, that have
until now been kept behind an experimental feature flag. The feature is
currently slated to ship as a Technical Preview.
Instead of removing the feature flag, we will be allowing for a
"disabled" version of the experimental flag, which allows this feature
to remain disabled in Serverless, until fully tested during the 9.1
release cycle. Disabling in Serverless is accomplished via setting the
configuration to disabled in the `config/serverless.security.yml` file.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This PR adds a management page to the current privmon dashboard to
facilitate adding data sources *after* the initial onboarding flow
---------
Co-authored-by: jaredburgettelastic <jared.burgett@elastic.co>
Co-authored-by: Pablo Machado <pablo.nevesmachado@elastic.co>
## Summary
- Implements the flyout to schedule reports
- Adds a Schedules table to the Stack Management > Reporting page to
view schedules
- Updates the Reports table to show information about scheduled reports
<details>
<summary>
## Verification steps
</summary>
### 🐞 Happy Path
- Add the following configuration to your Kibana config file
```
notifications.connectors.default.email: gmail
xpack.actions.preconfigured:
  gmail:
    name: 'email: my gmail'
    actionTypeId: '.email'
```
- Log in as an admin user or user with Reporting privileges and a
license != `basic`
- If you don't have data in Kibana, navigate to Home > Try sample data
and activate a sample data set
- Create a Dashboard or Discover session
- Open the ⬇️ (Export) menu in the toolbar
- Click `Schedule export`
- Schedule reports with different combinations of file name, export
type, recurrence schedule and email notification settings
- Navigate to Stack Management > Reporting
- Check that the scheduled reports match the displayed items in the
Reports and Schedules tabs (⚠️ some jobs might not have started because
of the recurrence rule so you might not find the reports immediately)
### ⚡️ Edge Cases
Missing default notifications email connector
- Start Kibana without the default email connector from point n.1 of the
happy path
- When trying to schedule a report, the flyout should show a callout
informing the user about the missing email connector
Unmet prerequisites
- Start ES with any of the following flags: `-E
xpack.security.enabled=false` or `-E
xpack.security.authc.api_key.enabled=false`
- The `Schedule export` button should not appear in the Export menu
Unsupported license
- Log in as a user with a basic license or without capabilities to
generate reports
- The `Schedule export` button should not appear in the Export menu
Users without `Manage Scheduled Reports` privilege
- Create a role with sufficient privileges to access and export any
object type (Dashboards, Discover, ...), do not grant the `Manage
Scheduled Reports` privilege (under `Stack Management`)
- Create a user with this role, _without an email address_
- Open the Schedule export flyout
- Check that the `Send by email` field is disabled, showing a hint about
the user profile missing an email address
- Add an email address to the user (for the changes to take effect you
might have to renew the session, logging back in)
- Check that the `Send by email` toggle is now enabled
- Check that when toggling email notifications on, the `To` field is
disabled and precompiled with the user's email address
Flyout form validation
- `File name` should be required
- `To` should not allow to insert invalid email addresses
- `To` should not allow to insert unallowed email addresses (not in
allowlist)
- Recurrence subform should show presets based on the current datetime
### ❌ Failure Cases
</details>
<details>
<summary>
## Known issues
</summary>
- PDF print option is not displayed in readOnly mode
- Console error due to `compressed` attribute wrongly forwarded by
form-hook-lib to DOM element (this is likely a form lib issue):
<img width="916" alt="image"
src="https://github.com/user-attachments/assets/09d20ba9-8781-46d6-bcfa-862d8a4cbf90"
/>
- Email validation errors accumulate instead of replacing the previous
one (again looks like a form lib issue):
https://github.com/user-attachments/assets/f2dc7a46-a3a9-465d-b8a1-3187b200f9b9
</details>
<details>
<summary>
## Screenshots
</summary>
Health API error:
<img height="500" alt="Screenshot 2025-05-31 at 10 48 40"
src="https://github.com/user-attachments/assets/dd069597-971c-489f-9c07-eb5edfd7bede"
/>
Health API loading state:
<img height="500" alt="Screenshot 2025-05-31 at 10 49 04"
src="https://github.com/user-attachments/assets/27d95bf3-bf7d-42c7-9a40-2826f38aa837"
/>
Health API success with some missing prerequisites:
<img width="449" alt="Screenshot 2025-06-17 at 16 59 57"
src="https://github.com/user-attachments/assets/c44afa97-70ff-4618-8b73-41b816514459"
/>
Form validation:
<img height="500" alt="image"
src="https://github.com/user-attachments/assets/a8d4cae1-2819-4f71-a911-9300a6cf81f8"
/>
Success toast:
<img width="480" alt="image"
src="https://github.com/user-attachments/assets/a87c3af5-dbb0-40e8-915a-fc9d7e1d97f2"
/>
Failure toast:
<img width="518" alt="image"
src="https://github.com/user-attachments/assets/908f9dea-b5cb-4da9-b4a5-76e313837f18"
/>
Print format toggle:
<img width="502" alt="image"
src="https://github.com/user-attachments/assets/602f3ab9-07ef-4689-a305-dc1b2b5495cd"
/>
Missing notifications email connector callout:
<img width="499" alt="image"
src="https://github.com/user-attachments/assets/fe4997a5-75e6-4450-85e5-7d853049e085"
/>
User without `Manage Scheduled Reports` privilege and without email
address in profile
<img width="492" alt="Screenshot 2025-06-23 at 14 51 07"
src="https://github.com/user-attachments/assets/e0867b7b-3358-4cf0-8adf-c141a1ded76f"
/>
User without `Manage Scheduled Reports` privilege with email address in
profile
<img width="498" alt="image"
src="https://github.com/user-attachments/assets/c45a0c31-cac7-4acb-b068-b3cfc02aac68"
/>
</details>
## Release Notes
Added the ability to schedule reports with a recurring schedule and view
previously scheduled reports
## References
Closes #216321, closes #216322
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Eyo O. Eyo <7893459+eokoneyo@users.noreply.github.com>
Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com>
Co-authored-by: Janki Salvi <jankigaurav.salvi@elastic.co>
## Summary
Updates the logic around the test cases generator to allow for adding
cases to additional environments
example to test:
```
yarn generate:cases -c 1000 -o securitySolution
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
# Summary
This PR introduces support for populating the Privileged Users index
from custom data sources (Elasticsearch indices) by querying Privileged
User Monitoring Saved Objects from a Kibana task.
[Related Issue](https://github.com/elastic/security-team/issues/12289)
[Figma
Breakdown](https://www.figma.com/board/yBr1pBDGu4JqNxb5ZrULtk/MonEntitySourceSyncTask?node-id=0-1&p=f&t=q52ABMD5MLX0uGj1-0)
Working from the _"Synchronize Privileged User index based on configured
Entity Sources"_ section, to the right.
### ✅ Implemented
* Registered the temporary type and mappings
* Created a Descriptor Client that saves it via soClient.create()
* Called Descriptor Client create method from PrivMon initialisation.
* Testing above default Saved Object creation within PrivMon Initialisation
* Update the entity_analytics:monitoring:privileges:engine task to:
  * Read all Saved objects of index type
  * Query user.name values from given indexPattern
  * Apply any filters or matchers defined in the Saved Object
  * Insert matched user.names into .entity_analytics.monitoring.users-<space> with source type index.
* Cleanup logic:
  * Target pattern does not exist: log warning and continue task
  * Failures will be caught and do not interrupt task loop
  * Remove previously stored user.names with source type index that are no longer present.
* Component Testing
### 🚧 Wish List
* Pull out sync functions from privilege monitoring data client into their own sync service class / similar
  * Currently in the data client; they should not be on this layer.
* Update GET and DELETE methods with dynamic id's for monitoring data client as per [this ticket](https://github.com/elastic/security-team/issues/12851)
# How to Test
- Pull branch into local machine
- Enable the security experimental flag: `privilegeMonitoringEnabled`
- Start up Elasticsearch and Kibana
**1. Optional - create the default index, this should just skip if you
don't make it.**
```
POST entity_analytics.privileged_monitoring/_doc
{
"user": {
"name": "default name"
}
}
```
**2. Create test index / indices**
```
POST tatooine-/_bulk
{ "index": {} }
{ "user": { "name": "Luke Skywalker" } }
{ "index": {} }
{ "user": { "name": "Leia Organa" } }
{ "index": {} }
{ "user": { "name": "Han Solo" } }
{ "index": {} }
{ "user": { "name": "Chewbacca" } }
{ "index": {} }
{ "user": { "name": "Obi-Wan Kenobi" } }
{ "index": {} }
{ "user": { "name": "Yoda" } }
{ "index": {} }
{ "user": { "name": "R2-D2" } }
{ "index": {} }
{ "user": { "name": "C-3PO" } }
{ "index": {} }
{ "user": { "name": "Darth Vader" } }
```
**3. Register Monitoring Entity Source Saved Objects**
```
POST kbn:/api/entity_analytics/monitoring/entity_source
{
"type": "index",
"name": "StarWars",
"managed": true,
"indexPattern": "tatooine-",
"enabled": true,
"matchers": [
{
"fields": ["user.role"],
"values": ["admin"]
}
],
"filter": {}
}
```
**- OPTIONAL: You can check what is in the monitoring entity_source
SO:**
```
GET kbn:/api/entity_analytics/monitoring/entity_source/list
```
**4. Initialise monitoring engine:**
```
POST kbn:/api/entity_analytics/monitoring/engine/init {}
```
**5. Verify Users in Monitoring Index**
- Check the list of synced users; it should include:
  - The created users
  - The default user (if you created it)
```
GET kbn:/api/entity_analytics/monitoring/users/list
```
**e.g. output:**
```
[
  {
    "id": "FkMJoZcB7muj1aiwb_eQ",
    "user": {
      "name": "C-3PO",
      "is_privileged": true
    },
    "labels": {
      "sources": [
        "index"
      ],
      "source_indices": [
        "tatooine-"
      ]
    }
  },
  {
    "id": "F0MJoZcB7muj1aiwb_eQ",
    "user": {
      "name": "Chewbacca",
      "is_privileged": true
    },
    "labels": {
      "sources": [
        "index"
      ],
      "source_indices": [
        "tatooine-"
      ]
    }
  },
  // ... more here
```
## Testing: Removing Stale Users
The engine should soft delete users from the internal index if they no
longer appear in the synced sources - e.g. label as
monitoring.privileged_users: "not_monitored"
**Example:**
- Delete users in index:
```
POST tatooine-/_delete_by_query
{
"query": {
"terms": {
"user.name.keyword": ["Chewbacca", "Han Solo"]
}
}
}
```
- Re-run engine init
```
POST kbn:/api/entity_analytics/monitoring/engine/init
{}
```
- Fetch the updated user list:
```
GET kbn:/api/entity_analytics/monitoring/users/list
```
You should now see that both Chewbacca and Han Solo are no longer
privileged:
```
// ..
  {
    "id": "GUMJoZcB7muj1aiwb_eQ",
    "user": {
      "name": "Han Solo",
      "is_privileged": false
    },
    "labels": {
      "sources": [],
      "source_indices": []
    }
  }
]
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
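The sync and cleanup steps above (insert index-sourced user.names, soft-delete the ones that disappeared) as an added example; this is not the PR's own task code. It assumes a `MonitoredUser` shape matching the `users/list` output shown above, takes the names already read from each index pattern as input, and generalizes the cleanup slightly: a user that vanished from every index source keeps `is_privileged: true` only if a non-index source still lists them.

```typescript
// Added example, not Kibana's own sync code: reconcile the privileged-users
// monitoring index with the user.name values read from "index"-type sources.
type MonitoredUser = {
  user: { name: string; is_privileged: boolean };
  labels: { sources: string[]; source_indices: string[] };
};
// existing: current monitoring index content; synced: index pattern -> names found.
// Returns the docs to write back and how many users were soft-deleted.
function reconcileIndexSources(
  existing: MonitoredUser[],
  synced: Record<string, string[]>
): { upserts: MonitoredUser[]; staleCount: number } {
  const found = new Map<string, string[]>(); // user.name -> index patterns
  for (const pattern of Object.keys(synced)) {
    for (const name of synced[pattern]) {
      found.set(name, (found.get(name) || []).concat(pattern));
    }
  }
  const byName = new Map<string, MonitoredUser>();
  existing.forEach((u) => byName.set(u.user.name, u));
  const upserts: MonitoredUser[] = [];
  let staleCount = 0;
  // Previously index-sourced users that vanished from every index source are
  // soft-deleted: drop the index source, and keep is_privileged true only if
  // another (non-index) source still lists them.
  existing.forEach((u) => {
    if (u.labels.sources.indexOf('index') >= 0 && !found.has(u.user.name)) {
      const others = u.labels.sources.filter((s) => s !== 'index');
      upserts.push({
        user: { name: u.user.name, is_privileged: others.length > 0 },
        labels: { sources: others, source_indices: [] },
      });
      staleCount++;
    }
  });
  // Users present in an index source: insert new ones, refresh existing ones.
  found.forEach((patterns, name) => {
    const prev = byName.get(name);
    const sources = (prev ? prev.labels.sources : []).filter((s) => s !== 'index');
    upserts.push({
      user: { name, is_privileged: true },
      labels: { sources: sources.concat('index'), source_indices: patterns.sort() },
    });
  });
  return { upserts, staleCount };
}
```

Users that are not index-sourced and were not found in any index pattern are left untouched, so a default user created via the API path is never soft-deleted by this pass.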
This PR adds guidelines for designing Kibana HTTP APIs that are
terraform-provider developer friendly.
fix https://github.com/elastic/kibana/issues/224643
## Summary
Kibana doesn't have specific guidelines for designing HTTP APIs. With
increasing constraints, it's time to document what was previously tribal
knowledge.
Elasticsearch is far further along this road, and other teams have
compiled their own.
This document serves as guidelines to designing _public_ HTTP APIs that
are suitable for managing with Terraform.
## How to test this (recommended for easier reading)
- pull this PR
- setup
[`docs.elastic.dev`](https://docs.elastic.dev/docs/local-dev-docs-setup)
locally
- run `yarn dev` from `docs.elastic.dev`
- review the docs live!

### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
---------
Co-authored-by: florent-leborgne <florent.leborgne@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Closes https://github.com/elastic/kibana/issues/224294
### External team reviewers
@elastic/kibana-presentation team is working on "Dashboards as code"
project where we provide a human readable CRUD API for dashboards. Part
of this work is aligning dashboard client code with the shape of
dashboard server api. As such, we are changing the shape of `panels`
from a Map to an Array - to directly consume what is being returned from
the dashboard server api.
### PR Overview
The goal of this PR is to update dashboard client-side state `panels`
type to match the type from dashboard server api. The dashboard server
api returns panels as an Array, while the dashboard client-side logic is
expecting panels to be a Map keyed by panel id.
This type change required the following changes:
* Refactored dashboard client code to receive panels as an array and return panels as an array. Biggest work is in layout_manager `deserializeState` and `serializeState` methods.
* Remove `convertPanelsArrayToPanelSectionMaps` from `loadDashboardState`. `convertPanelsArrayToPanelSectionMaps` performed 2 tasks:
  1) Convert panels array to map. This is no longer needed as now dashboard client code accepts panels in its native shape from the dashboard server api.
  2) Move `id` and `title` fields into embeddable state. This is no longer needed as now dashboard server api does this transform before sending the dashboard to the client.
* Remove `convertPanelSectionMapsToPanelsArray` from `getSerializedState`. `convertPanelSectionMapsToPanelsArray` performed 2 tasks:
  1) Convert panels map into panels array. This is no longer needed as now panels is provided to `getSerializedState` in the shape required for the dashboard server api.
  2) Lift `id` and `title` fields into top level panel state. This is no longer needed as all embeddable state should remain under `panelConfig`.
* Remove a bunch of code in `dashboard/common` as now the client and server do not need to depend on shared logic: the client is much simpler and no longer needs to transform the server response. Much of this shared logic was copied into server saved object migrations in https://github.com/elastic/kibana/pull/223980 but can now be removed from common since it's no longer used in the client.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Issue: https://github.com/elastic/kibana/issues/216631
This PR adds a new priority called `normalLongRunning` that is slightly
lower than the normal task priority. This priority is applied to the
`attack-discovery` rule type. Unit and E2E tests are also added to
verify that the new priority is working as intended.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Closes https://github.com/elastic/kibana/issues/217508,
https://github.com/elastic/kibana/issues/217510,
https://github.com/elastic/kibana/issues/217521
This pull request introduces significant updates to the ML anomaly
detection utilities and components. The changes focus on improving
theme-aware severity color handling, refining severity thresholds, and
deprecating legacy severity-related utilities.
## New Anomalies filtering UX and Influencers badges:
<img width="1361" alt="image"
src="https://github.com/user-attachments/assets/0f7e0aa3-310f-4f59-95aa-f74c576d0f91"
/>
## New Single Metric Viewer base colors
<img width="929" alt="image"
src="https://github.com/user-attachments/assets/9b3e33cf-23b4-4163-b274-f911ef9321e4"
/>
### Theme-aware severity color handling:
* Added `useSeverityColor` hook and `getThemeResolvedSeverityColor`
utility to provide theme-aware severity colors, replacing legacy fixed
colors. These utilities ensure better integration with the EUI theme.
`x-pack/platform/packages/shared/ml/anomaly_utils/use_severity_color.ts`
* Deprecated legacy severity color constants (`ML_SEVERITY_COLORS`) and
methods (`getSeverityColor`) in favor of theme-aware alternatives.
`x-pack/platform/packages/shared/ml/anomaly_utils/severity_colors.ts`
`x-pack/platform/packages/shared/ml/anomaly_utils/get_severity_color.ts`
### Severity thresholds and ramp:
* Removed the legacy `ML_SEVERITY_COLOR_RAMP` constant and introduced
`getMlSeverityColorRampValue` utility to dynamically generate
theme-aware severity ramps.
`x-pack/platform/packages/shared/ml/anomaly_utils/severity_ramp.ts`
### Type and interface updates:
* Introduced a new `SeverityThreshold` type to represent severity
ranges, replacing the previous numeric severity representation in
`ExplorerAppState`.
`x-pack/platform/plugins/shared/ml/common/types/anomalies.ts`
`x-pack/platform/plugins/shared/ml/common/types/locator.ts`
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Resolves
https://github.com/elastic/streams-program/issues/206?issue=elastic%7Cstreams-program%7C317
This PR introduces a new Advanced Setting for enabling streams
significant events. It is disabled by default.
This PR also registers the rule regardless of the setting.
Using an Advanced Setting makes it easier for internal customers to
toggle the feature on serverless.
<img width="1495" alt="Screenshot 2025-06-17 at 11 15 11 AM"
src="https://github.com/user-attachments/assets/27023c52-20a9-476f-9dfd-d3b8b3f03e94"
/>
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Dario Gieselaar <dario.gieselaar@elastic.co>
This pull request updates the `.github/CODEOWNERS` file to revise
ownership assignments for several configuration files related to
serverless setups. The changes primarily involve adding or modifying
team ownership for specific files.
Ownership updates:
* Added ownership for `@elastic/kibana-security` to
`config/serverless.*.yml`, ensuring broader coverage for serverless
configuration files.
* Updated ownership for `config/serverless.oblt.complete.yml` and
`config/serverless.oblt.logs_essentials.yml` to include
`@elastic/kibana-security` alongside existing teams.
## Summary
Added a check that will prevent dispatches when either id or fallbacks
patterns are not provided.
The only thing I am not sure about is some kind of warning, we need to
log it somehow probably.
Closes https://github.com/elastic/kibana/issues/223156
## Testing
Flip the flag: `xpack.securitySolution.enableExperimental:
['newDataViewPickerEnabled']`
then try to investigate an alert in timeline.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios