## Summary
Adopted `BedrockChat` from `@langchain/community` package that adds
support for tools calling
https://js.langchain.com/v0.2/docs/integrations/chat/bedrock/
Adopted `ChatGoogleGenerativeAI` from `@langchain/google-genai` package
that adds support for tools calling
https://js.langchain.com/v0.2/docs/integrations/chat/google_generativeai
Hidden behind FF:
`--xpack.securitySolution.enableExperimental=[assistantBedrockChat]`
As of this PR `integration_assistant` is still going to use
`ActionsClientSimpleChatModel`. After the FF is enabled by default
we will switch `integration_assistant` to use the new chat model.
Thank you @stephmilovic a ton 🙇
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
## Summary
#### Security Solution
- adds logic to the SentinelOne response actions client to check on the
status of `kill-process` actions in SentinelOne and writes response
document to ES if complete
#### Stack Connector changes to SentinelOne Connector
- Added new sub-action: `downloadRemoteScriptResults()`: returns a
`Stream` allowing the download of a SentinelOne task execution results
## Summary
Fix https://github.com/elastic/kibana/issues/65999
Change the `features` plugin's contract type names to follow our naming
conventions and to avoid needing to rename them during imports
(and yeah, I'm triggering a review from 30 teams again for a type
rename, just for the fun of it)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
#### Security Solution changes:
- Adds new feature flag for `kill-process` operation against SentinelOne
hosts
- Adds support for `kill-process` to the existing api for `agent_type`
of `sentinel_one`
#### Stack Connectors changes:
The following changes were done to the SentinelOne connector:
- Added additional query param to the `getRemoteScripts()` sub-action
## Summary
*(Yeah, the title is pretty bad I apologize, I couldn't find something
sexy. OTOH, "sexy" and "logging" are usually antonyms, like "sport car"
and "fiat panda", or "server language" and "javascript")*
### 1. Provide a more developer-friendly alternative to
`Logger.isLevelEnabled`.
**With `isLevelEnabled`**
```ts
if(logger.isLevelEnabled('info')) {
const message = someExpensiveMessageProbablyBasedOnJsonStringifyOrSomething();
logger.info(message);
}
```
**With this PR:**
```ts
logger.info(() => someExpensiveMessageProbablyBasedOnJsonStringifyOrSomething());
```
### 2. Adapt calls to `log.debug` (arguably) costly to use this syntax
Aka any call relying on `JSON.stringify` or function calls.
I used the new syntax for those, except when the tests were too
complicated to fix or when the code did not allow it (e.g. untyped let
variables inferred from return from assignations don't play well with
closures)
Part of https://github.com/elastic/kibana/issues/186574
Background: This PR serves as an example of a plugin migrating away from
depending on the Security plugin, which is a high priority effort for
the last release before 9.0. The Actions plugin uses the
`authc.getCurrentUser` method to attribute the current user to persisted
actions that are created in the system.
### Checklist
Delete any items that are not applicable to this PR.
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Resolves: #177059
This PR adds model versions for `action` and `action_task_params` saved
objects.
I also re-organised the schema and model version file structure in
alerting, task_manager and actions plugins.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Fixes #180255
## Summary
Adds API support and UI for CA and client-side SSL certificate
authentication to the Cases webhook connector.
This PR is to merge a feature branch into `main`.
This feature branch is composed of the following PRs:
- https://github.com/elastic/kibana/pull/183711
- https://github.com/elastic/kibana/pull/183919
- https://github.com/elastic/kibana/pull/184313
### How to test
@cnasikas kindly provided a node server that can be set up locally to
test the certificates against.
Ping me offline and I will send you the rar. You will need to configure
a connector of type `Cases Webhook connector`.
#### Configuring `Authentication`:
The project folder has two sets of keys, one for Alice and one for Bob.
The Alice keys should work and the Bob keys are expected to be
unauthorized.
- For `CRT and KEY File` use:
- `alice_cert.pem` and `alice_key.pem` respectively (or `bob_*`)
- For `PFX File` use:
- `alice.p12` or `bob.p12`.
- Toggle `Add certificate authority`.
- Select `Verification mode` to be `none`.
#### Configuring `Create case`:
Only the URL is relevant. It should be
`https://localhost:9999/authenticate`.
Everything else can have whatever values you want.
### Release Notes
The Cases webhook connector now supports SSL certificate authentication.
## Summary
This is a PR to add a new backend plugin (frontend will be done in
separate [PR](https://github.com/elastic/kibana/pull/184546)).
The purpose of the plugin is to provide a set of API routes that is used
to perform a variety of GenAI workflows to generate new integrations
based on provided inputs.
It reuses the existing GenAI connectors for its LLM communication, and
provides a set of APIs to create ECS mapping, Categorization, Related
Fields and an API to generate the actual integration package zip, which
is forwarded to the UI component.
### Planned follow-up changes:
As the PR is getting way too large, some planned changes would be added
in much smaller follow-ups. This includes mostly more improved try/catch
for certain routes, adding debug/error log entries where relevant,
especially for the API endpoints themselves, some more unit and end2end
tests.
- OpenAPI spec for the API will be handled in a separate PR
- All the missing unit tests will be added as a followup PR
### Testing
The `integration_assistant` plugin will be disabled by default while
it's being implemented so we can iterate and merge partial PRs without
interfering with the releases. This config will work as our feature
flag:
6aefd4ff7b/x-pack/plugins/integration_assistant/server/config.ts (L11-L13)
To test it add this to your _kibana.dev.yml_:
```
xpack.integration_assistant.enabled: true
```
### Checklist
Delete any items that are not applicable to this PR.
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to
identify risks that should be tested prior to the change/feature
release.
When forming the risk matrix, consider some of the following examples
and how they may potentially impact the change:
| Risk | Probability | Severity | Mitigation/Notes |
|---------------------------|-------------|----------|-------------------------|
| Multiple Spaces—unexpected behavior in non-default Kibana Space. | Low | High | Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces. |
| Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. | High | Low | Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure. |
| Code should gracefully handle cases when feature X or plugin Y are disabled. | Medium | High | Unit tests will verify that any feature flag or plugin combination still results in our service operational. |
| [See more potential risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) |
### For maintainers
- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: Patryk Kopycinski <contact@patrykkopycinski.com>
Co-authored-by: Sergi Massaneda <sergi.massaneda@elastic.co>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Bharat Pasupula <saibharatchandra.pasupula@elastic.co>
Co-authored-by: Bharat Pasupula <123897612+bhapas@users.noreply.github.com>
## Summary
This PR adds support for additional fields for the ServiceNow ITSM and
SecOps connector. The additional fields will not be available to the
recovered action.
## Testing
Verify that:
1. Existing rules with ITSM and SecOps configured continue working as
expected.
2. Can create rules with an ITSM action and set some additional fields
supported by ITSM. You can find the available fields in the Elastic
transformation map inside ServiceNow.
3. The "additional fields" verification in the UI is working as
expected.
4. The "additional fields" are not shown when you set a recovered
action.
Fixes: https://github.com/elastic/kibana/issues/183609
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Release notes
Pass any field to ServiceNow using the ServiceNow ITSM and SecOps
connectors with a JSON field called "additional fields".
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Per [the OAS docs](https://swagger.io/specification/), they have an info
object with a `summary` and `description` field. This PR refactors the
existing router `description` field to OAS `summary` (that is how it
has been used) and introduces a "new" `description` field that will be
used for the longer form descriptions.
## Resources
* https://swagger.io/specification/
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: lcawl <lcawley@elastic.co>
Resolves: #183867
This PR sets schema validation errors in subaction framework as user
error.
## To validate:
- Create a connector with subaction. (e.g. IBM Resilient)
- Modify schema validation code to get it to throw an error
```
action.schema.validate({...subActionParams, foo:'bar'});
```
- Create a rule with that connector. And let it run, there should be a
user error on `/api/task_manager/metrics` API
resolves https://github.com/elastic/response-ops-team/issues/198
## Summary
Ensures that connector execution doesn't occur for connectors that need a higher license than what is currently being used.
## To Verify
The basic idea is to create a > basic license connector in a trial license, and then downgrade the license to basic and see if that connector can still be run. Any connector besides server log and index can be used - those are the only connectors licensed for basic.
Start ES as follows to run with a trial license:
```
yarn es snapshot --license trial
```
Create a connector, and also create an alerting rule which uses the connector, and is arranged to always be active and alert on check intervals (not on status change). Ensure the connector runs when the alert is active, and that you can run it in "test" mode from the connector page.
Then go here, to change your license to basic:
http://localhost:5601/app/management/stack/license_management
You should now see the following sorts of messages logged by Kibana:
```
[ERROR][plugins.taskManager] Task actions:.email "a0df7b77-b6e5-461e-9699-178d6878f235" failed: Error: Action type .email is disabled because your basic license does not support it. Please upgrade your license.
[WARN ][plugins.alerting.index-threshold] Rule "c6780109-15b8-4816-ba96-266e4ddc482d" skipped scheduling action "gmail" because it is disabled
[ERROR][plugins.actions] Action 'gmail' failed: Action type .email is disabled because your basic license does not support it. Please upgrade your license.
```
When attempting to "test" the connector, you should see the following result:
```
Test failed to run
The following error was found:
Forbidden
```
(we'll attempt to improve the message later as a follow-up)
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Resolves https://github.com/elastic/kibana/issues/180419
## Summary
Updates action executor to use error source from errors thrown within
the connector type executor, defaulting to framework error if no error
source is specified.
## To Verify
Modify the server log connector to throw a user error:
```
--- a/x-pack/plugins/stack_connectors/server/connector_types/server_log/index.ts
+++ b/x-pack/plugins/stack_connectors/server/connector_types/server_log/index.ts
@@ -14,6 +14,7 @@ import type {
ActionTypeExecutorOptions as ConnectorTypeExecutorOptions,
ActionTypeExecutorResult as ConnectorTypeExecutorResult,
} from '@kbn/actions-plugin/server/types';
+import { createTaskRunError, TaskErrorSource } from '@kbn/task-manager-plugin/server';
import {
AlertingConnectorFeatureId,
UptimeConnectorFeatureId,
@@ -78,6 +79,7 @@ async function executor(
execOptions: ServerLogConnectorTypeExecutorOptions
): Promise<ConnectorTypeExecutorResult<void>> {
const { actionId, params, logger } = execOptions;
+ throw createTaskRunError(new Error('fail'), TaskErrorSource.USER);
const sanitizedMessage = withoutControlCharacters(params.message);
```
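Review bot: the `throw createTaskRunError(new Error('fail'), TaskErrorSource.USER);` line added at the top of `executor` in the second hunk is unconditional, so `withoutControlCharacters(params.message)` and everything after it become unreachable and every server log action fails. Since this patch exists only to exercise the user-error path, keep it as a local change and revert it after checking the metrics endpoint; the `createTaskRunError`/`TaskErrorSource` import from the first hunk should be reverted with it.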
Create a rule that will trigger a server log action. Let the action run
and then check the metrics endpoint at
https://localhost:5601/api/task_manager/metrics?reset=false to see that
this error was captured as a user error.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Resolves https://github.com/elastic/kibana/issues/181850
## Summary
The Elasticsearch team is looking at limiting the usage of
`scripted_metric` within serverless, and this PR updates the telemetry
code that uses scripted_metric within the actions plugin.
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### To verify
The best way to verify this PR is to verify that the telemetry
functional tests pass. The data should be reported the same as it was
before this change.
Here is the list of fields that were calculated using
`scripted_metric`:
- count_total
- count_by_type
- count_gen_ai_provider_types
- count_active_total
- count_active_by_type
- count_actions_executions_per_day
- count_actions_executions_by_type_per_day
- count_actions_executions_failed_per_day
- count_actions_executions_failed_by_type_per_day
If you'd like to run the telemetry locally:
- Create a couple of rules with different actions
- Change actions telemetry task
[schedule](https://github.com/elastic/kibana/blob/main/x-pack/plugins/actions/server/usage/task.ts#L22)
interval 1 min
- Run [Telemetry usage payload
API](https://docs.elastic.dev/telemetry/collection/snapshot-telemetry#telemetry-usage-payload-api)
in your browser console to verify the telemetry data looks the same
## Summary
Fixes: https://github.com/elastic/kibana/issues/182391
## Framework changes
- Utils to construct basic header from username and password: [`fad6bde`
(#183162)](fad6bde6af),
[`b10d103`
(#183162)](b10d103bd9)
- Automatically convert `auth` to basic auth header in the sub-actions
framework: [`ee27353`
(#183162)](ee27353051)
- Automatically convert `auth` to basic auth header in axios utils:
[`94753a7`
(#183162)](94753a7342)
## Jira
Commit: [`c366163`
(#183162)](c366163486)
## All ServiceNow connectors
Commit: [`4324d93`
(#183162)](4324d931f7)
## IBM Resilient
IBM Resilient already uses the basic auth headers. PR
https://github.com/elastic/kibana/pull/180561 added this functionality.
The connector was manually tested when reviewing the PR.
In [`7d9edab`
(#183162)](7d9edabd6e)
I updated the connector to use the new util function.
## Webhook
Commit: [`1a62c77`
(#183162)](1a62c77d46)
## Cases webhook
Commit: [`104f881`
(#183162)](104f881251)
## xMatters
Commit: [`ea7be2b`
(#183162)](ea7be2bbee)
## Connectors that do not use the `axios` `auth` property
- D3Security
- Email
- Microsoft Teams
- OpenAI
- Opsgenie
- PagerDuty
- Sentinel One
- Slack
- Slack API
- Swimlane
- Tines
- Torq
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
### Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to
identify risks that should be tested prior to the change/feature
release.
When forming the risk matrix, consider some of the following examples
and how they may potentially impact the change:
| Risk | Probability | Severity | Mitigation/Notes |
|---------------------------|-------------|----------|-------------------------|
| Connectors not working correctly | Low | High | Unit test and manual testing of all connectors affected |
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
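The `auth` to basic auth header conversion described in the framework changes above, sketched as an added example (not part of the PR and not Kibana's code). `getBasicAuthHeader`, `withBasicAuthHeader` and the `RequestConfig` shape are hypothetical names; the credentials are UTF-8 encoded as in RFC 7617, and `auth` replaces any existing `Authorization` header, mirroring documented axios behaviour.

```typescript
// Added example: hypothetical helpers, not the utilities introduced by the PR.

interface BasicAuth {
  username: string;
  password: string;
}

interface RequestConfig {
  url: string;
  headers?: Record<string, string>;
  auth?: BasicAuth; // axios-style credentials object
}

// Base64 of the UTF-8 bytes of `text`, so non-ASCII passwords survive intact.
function toBase64Utf8(text: string): string {
  const bytes = new TextEncoder().encode(text);
  let binary = '';
  for (let i = 0; i < bytes.length; i++) {
    binary += String.fromCharCode(bytes[i]);
  }
  return btoa(binary);
}

// Build the header from username and password.
// RFC 7617: the user-id cannot contain ":" because the first colon is the
// separator, so such a username would silently change the credentials.
function getBasicAuthHeader(auth: BasicAuth): { Authorization: string } {
  if (auth.username.indexOf(':') !== -1) {
    throw new Error('username must not contain ":"');
  }
  const token = toBase64Utf8(auth.username + ':' + auth.password);
  return { Authorization: 'Basic ' + token };
}

// Move `auth` into an explicit Authorization header and drop the `auth` key.
// Any header named "authorization" (in any casing) is replaced, so a stale
// token cannot ride along next to the new credentials.
function withBasicAuthHeader(config: RequestConfig): RequestConfig {
  const { auth, ...rest } = config;
  if (!auth) {
    return rest;
  }
  const headers: Record<string, string> = {};
  const existing = config.headers || {};
  for (const name of Object.keys(existing)) {
    const value = existing[name];
    if (value !== undefined && name.toLowerCase() !== 'authorization') {
      headers[name] = value;
    }
  }
  headers.Authorization = getBasicAuthHeader(auth).Authorization;
  return { ...rest, headers };
}
```

The resulting header is only Base64-encoded, so it needs the same handling as the password itself when request configs are logged.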
## Summary
Set a system user name when the request is fake. This is helpful to show
user information to the case created by the case action.
## Testing
1. Create a rule with a case action
2. In the created case verify that the `elastic/kibana` user is shown
and not the `Unknown` user
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Bugs Fixed
1. The OpenAI `invokeAI` method did not properly handle `signal`
2. Bedrock did not have a `signal` implementation at all 😳
## Summary
In my [LangChain streaming
PR](https://github.com/elastic/kibana/pull/174126), I poorly implemented
a fix to stop the stream on the server when "Stop generating..." was hit
on the client. I did this by piping through an `AbortSignal` to
`invokeStream`/`invokeAsyncIterator` subactions. However, in the
`invokeAI` subaction I did not properly remove `signal` before
`JSON.stringify`ing the body, so the below error was happening in the
security non-streaming implementation. Additionally, for Bedrock I
somehow only implemented `signal` in part of the type and nothing else,
so token tracking would be off when Stop generating button is hit 🤦
<img width="1376" alt="Screenshot 2024-04-15 at 2 00 38 PM"
src="e57241d9-9fd2-4dd3-bb3a-72a7c61a3d4b">
## To test
1. Turn off streaming in the Security AI Assistant and select an OpenAI
connector (LangChain off)
2. Send a message
3. Ensure expected results (previously the above error would occur)
The test of the Bedrock connector will be harder to confirm. Where the
issue would show up would be subtle, in the token counter. Before I
implemented the signal in the Bedrock connector, if you ask Bedrock to
repeat a word 100 times with streaming enabled, and then hit "Stop
generating..." after 10 words, you would see a token count for
`completion_tokens` be equivalent to ~100 tokens as the full response
would have "streamed" on the server. After this bug fix, if you hit
"Stop generating..." after 10 words, you will see a token count for
`completion_tokens` be equivalent to ~15 tokens as it takes a second for
the `abort()` to reach the server. To be clear, this bug would not have
shown in persistent storage because we call abort in
`handleStreamStorage` ASAP instead of relying on axios to complete its
abort.
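The two `signal` bugs described in this commit message, reproduced as an added example (not part of the PR and not the connector's code). All names are hypothetical, and the stream is simulated synchronously, so the aborted count is exactly 10 rather than the ~15 seen over a real connection.

```typescript
// Added example: hypothetical names, constructed inputs, no network calls.

interface InvokeParams {
  messages: Array<{ role: string; content: string }>;
  model?: string;
  signal?: AbortSignal; // transport control, not part of the API payload
}

interface OutgoingRequest {
  data: string; // serialized JSON body sent upstream
  signal?: AbortSignal; // handed to the HTTP client separately
}

// Bug 1: the whole params object is serialized, so the request body carries
// a "signal" key that the upstream API never defined.
function buildRequestBuggy(params: InvokeParams): OutgoingRequest {
  return { data: JSON.stringify(params), signal: params.signal };
}

// Fix: split `signal` off first and serialize only the payload fields.
function buildRequestFixed(params: InvokeParams): OutgoingRequest {
  const { signal, ...body } = params;
  return { data: JSON.stringify(body), signal };
}

// Stand-in for the server side of a streamed completion. It emits tokens
// until the list is exhausted or the signal reports an abort, and returns
// how many tokens were produced (what a token counter would record).
function streamCompletion(
  tokens: string[],
  signal: AbortSignal | undefined,
  onToken: (token: string, index: number) => void
): number {
  let completionTokens = 0;
  for (let i = 0; i < tokens.length; i++) {
    if (signal && signal.aborted) {
      break;
    }
    completionTokens++;
    onToken(tokens[i], i);
  }
  return completionTokens;
}

// Bug 2: "Stop generating..." is pressed after `stopAfter` tokens. When the
// connector does not pass the signal on (honourSignal = false), the stream
// runs to the end and the full response is counted.
function simulateStop(honourSignal: boolean, total: number, stopAfter: number): number {
  const controller = new AbortController();
  const tokens: string[] = [];
  for (let i = 0; i < total; i++) {
    tokens.push('word');
  }
  return streamCompletion(tokens, honourSignal ? controller.signal : undefined, (_token, index) => {
    if (index + 1 === stopAfter) {
      controller.abort();
    }
  });
}
```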
## Summary
Changes done in SentinelOne connector in support of Security Solution
`get-file` response action (forthcoming):
- Added `fetchAgentFiles()` sub-action
- Added `downloadAgentFile()` sub-action
- Added `getActivities()` sub-action
- Improved error messages for SentinelOne API failures
- Added `logger.debug()` to Sub-Actions connector `validateResponse()`
to output data that failed validation
## Summary
Creates a system connector that can call the observability ai assistant
to execute actions on behalf of user. The connector is tagged as tech
preview.
The connector can be triggered when an alert fires. Connector can be
configured with an initial message to the assistant which generates an
answer and triggers potential actions on the assistant side. The current
experimental scenario is to ask the assistant to generate a report of
the alert that fired (by initially providing some context in the first
message), recalling any information/potential resolutions of previous
occurrences stored in the knowledge base and also including other active
alerts that may be related. One last step that can be asked to the
assistant is to trigger an action, currently only sending the report (or
any other message) to a preconfigured slack webhook is supported.
## Testing
_Note: when asked to send a message to another connector (in our case
slack), we'll try to include a link to the generated conversation. It is
only possible to generate this link if
[server.publicBaseUrl](https://www.elastic.co/guide/en/kibana/current/settings.html#server-publicBaseUrl)
is correctly set in kibana settings._
- Create a slack webhook connector
- Get slack webhook. I can share one and invite you to the workspace, or
if you want to create one:
- create personal workspace at https://slack.com/signin#workspaces
- create an app for that workspace at https://api.slack.com/apps
- under Features > OAuth & Permissions > Scopes > Bot Token Scopes, add
`incoming-webhook` permission
- install the app
- webhook url is available under Features > Incoming Webhooks
- Create a rule that can be triggered with available documents and
attach observability AI assistant connector. (I use `Error Count
Threshold` and generate errors via `node scripts/synthtrace
many_errors.ts --live`)
- configure the connector with one genai connector and a message with
instructions. Example:
```
High error count alert has triggered. Execute the following steps:
- create a graph of the error count for the service impacted by the alert for the last 24h
- to help troubleshoot recall past occurrences of this alarm, also any other active alerts. Generate a report with all the found informations and send it to slack connector as a single message. Also include the link to this conversation in the report
```
- Track alert status and verify connector was executed. You should get a
slack notification sent by the assistant, and a new conversation will be
stored
TODO
- unit/integration tests - see
https://github.com/elastic/kibana/pull/168369 for reference
implementation
- documentation
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Dario Gieselaar <dario.gieselaar@elastic.co>
## Summary
Introduces a set of meta fields that will be used to track metadata lost
in how we currently use `joi` inside of `@kbn/config-schema`.
## Notes
* Related https://github.com/elastic/kibana/issues/180056
* Changes cherry-picked from
https://github.com/elastic/kibana/pull/156357
* Changes are not used for anything in this PR, they are intended to
enable our OAS generation scripts
## Summary
- Add connectors flyout to playground
- Add set up gen-ai panel
- Create feature connector id
- Use encrypted objects on the server
- Use management Locator for navigating to connectors management
- Pass dependencies to embeddable app
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>