## Summary
Closes https://github.com/elastic/kibana/issues/206556
This PR adds a setting to remote ES outputs for also uninstalling
integrations on remote clusters when integrations sync is enabled.
This new setting can be toggled in the UI with a new switch:
<img width="1728" alt="Screenshot 2025-04-09 at 11 53 43"
src="https://github.com/user-attachments/assets/34544aa9-28fd-4360-a32f-5031e3d4293f"
/>
### Testing
* Follow the steps in
https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/fleet/dev_docs/local_setup/remote_clusters_ccr.md
to set up two clusters with integrations syncing.
* Add some integrations in your main cluster and check that they are
also installed in the remote cluster.
* Disable uninstalling integrations on remote.
* Remove an integration in your main cluster and check that it is NOT
removed from the remote cluster.
* Enable uninstalling integrations on remote.
* Remove an integration in your main cluster and check that it is also
removed from the remote cluster.
* In your remote cluster, enroll an agent onto a policy that points to
at least 1 package policy of the installed integrations (cf. Docker
commands below if using dockerized fleet-server/agent).
* In your main cluster, uninstall the integration that is used by the
agent policy in the remote. This should cause the uninstall to fail in
the remote cluster.
* In your remote cluster, inspect the package SO of that integration
with `GET .kibana_ingest/_search?q=type:epm-packages`: the
`latest_uninstall_failed_attempts` field should be populated.
Docker command for running a fleet-server in your remote cluster:
```
docker run \
-e ELASTICSEARCH_HOST=http://host.docker.internal:9500 \
-e KIBANA_HOST=http://host.docker.internal:5701/<path> \
-e KIBANA_USERNAME=elastic \
-e KIBANA_PASSWORD=changeme \
-e KIBANA_FLEET_SETUP=1 \
-e FLEET_INSECURE=1 \
-e FLEET_SERVER_ENABLE=1 \
-e FLEET_SERVER_POLICY_ID=fleet-server-policy \
-p 8220:8220 \
--rm docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT
```
Docker command for enrolling an agent in your remote cluster:
```
docker run \
-e ELASTICSEARCH_HOST=http://host.docker.internal:9500 \
-e KIBANA_HOST=http://host.docker.internal:5701/<path> \
-e FLEET_URL=https://host.docker.internal:8220 \
-e FLEET_ENROLL=1 \
-e FLEET_ENROLLMENT_TOKEN=<token> \
-e FLEET_INSECURE=1 \
--rm docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT
```
### Checklist
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
This feature is currently in development and behind the
`enableSyncIntegrationsOnRemote` feature flag.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Implements the m1 design for the chat page and components
*Note: only covers the parts that are functionally present in the app
atm*
### Design demo
https://github.com/user-attachments/assets/16f64a51-16ad-45c5-9d4b-77c31598427a
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Per feedback from @LucaWintergerst, we shouldn't sort the component
templates in the "advanced" tab since their order matters when applied.
This PR removes the sorting that's set on the table.
## 📓 Summary
This work addresses the following issues on some stream management
pages:
- privileges...
- a user should still be able to reorder processors during a simulation,
even if they don't have `manage` permissions to save it then.
- a user should be able to read an existing processor configuration,
even if they don't have `manage` permissions to save it then.
- the "only simulate" routing tooltip was shown always, even when
creating a child stream is possible.
- a toast error was shown on streams re-ordering even if everything was
saved correctly:
<img width="2090" alt="Screenshot 2025-04-10 at 11 07 02"
src="https://github.com/user-attachments/assets/9838b2dd-3c0d-406f-a989-337a832d7131"
/>
## Summary
Closes https://github.com/elastic/kibana/issues/194975
This PR improves the `aria-label` attributes in the latency correlations
page to add more context about the selected field.
This PR introduces a new event type,
`endpoint_workflow_insights_remediated_event`, and extends some of the
existing ones. The goal is to enable better monitoring of the **Defend
Insights** feature usage.
### Event Types
- **`defend_insight_success`** – Sent when the Scan button triggers an
API call and an insight is successfully created. This carries most of
the valuable data, such as result contents, duration, etc.
- **`endpoint_workflow_insights_remediated_event`** – Sent when a
Trusted App is added as a result of an insight, and that insight is
marked as remediated.
- **`defend_insight_error`** – Sent when insight generation fails and no
results are returned.
### Data sent to telemetry
**`defend_insight_error`**
```
actionTypeId – Kibana connector type
errorMessage – Error message from ES/LLM
model – LLM model
provider – Model provider
```
**`endpoint_workflow_insights_remediated_event`**
```
insightId – The ID of the action that was sent to the endpoint (currently unused)
```
**`defend_insight_success`**
```
actionTypeId – Kibana connector type
eventsContextCount – Number of events sent as context to the LLM
insightsGenerated – Number of Defend insights generated
durationMs – Duration of the request in milliseconds
model – LLM model
provider – Model provider
insightType – Type of Defend insight (e.g., incompatible-antivirus)
insightsDetails – Details of the generated insights (e.g., ["ClamAV", "Avast"])
```
## Summary
This API was returning a 500 error because the saved object type did not
exist. To avoid that, if the saved object type cannot be found, we will
return a "Not Found" response instead.
<img width="798" alt="image"
src="https://github.com/user-attachments/assets/9ef78e59-4253-401b-9f29-52c3b1563884"
/>
### Checklist
Check the PR satisfies following conditions.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Fixes error message when attempting to preview an index template which
is used by a data stream.
When previewing a saved index template, an index template name and index
pattern were provided. If the index pattern didn't match data streams
that relied on the index template (and they never did) an error would be
shown. As it turns out, supplying the index pattern was entirely
unnecessary. This PR simply removes the index pattern from the API call
and adds a test to make sure that preview functionality works when index
templates match data streams.
Follow up to https://github.com/elastic/kibana/pull/195174
Closes https://github.com/elastic/kibana/issues/212781
**Resolves: https://github.com/elastic/security-docs/issues/3019**
## Summary
In this PR I am improving documentation for the bulk_actions endpoint.
The focus is on improving descriptions of parameters and providing
examples for all important situations, especially setting / adding
actions.
### Testing
1. `cd x-pack/solutions/security/plugins/security_solution`
2. `yarn openapi:bundle:detections`
3. Take the bundled file
(`docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml`)
and load it into bump.sh console to see the changes.
4. Compare the changes with the [Legacy
documentation](https://www.elastic.co/guide/en/security/current/rule-api-overview.html)
You can also use this [link](https://bump.sh/jkelas/doc/kibana_wip/)
where I deployed the generated bundled doc.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
In this PR, we use dataViewLazy, which avoids calling the `_field_caps` API
(this logic was introduced in this
[PR](https://github.com/elastic/kibana/pull/183694)).
#### Questions
1. Do we need to call the `_field_caps` API in the log threshold rule
executor? If yes, in which scenario?
   No, we don't need to call the `_field_caps` API in rule execution.
2. How to fix the type issues since DataViewLazy misses some fields that
exist in the DataView type?
   We decided to use DataViewLazy everywhere on the server side but convert
   it to an actual DataView on the client side due to the need for the
   fields.
### 🧪 How to test
- Enable APM locally
```
elastic.apm.active: true
elastic.apm.transactionSampleRate: 1.0
elastic.apm.environment: username
```
- Create a log threshold rule and check its execution in
[traces](https://kibana-cloud-apm.elastic.dev/app/apm/traces?rangeFrom=now-15m&rangeTo=now)
filtered for your `username` as the environment. There should be one
with your rule name:

The timing for `_field_caps` would be higher if you replace
`createDataViewLazy` with the `create` function.
---------
Co-authored-by: Faisal Kanout <faisal.kanout@elastic.co>
## Summary
Part of Epic: https://github.com/elastic/kibana-team/issues/1439
Requires: https://github.com/elastic/kibana/issues/212903
Changes:
1. Moves the Solution Side Nav away from the "four squares" design
pattern: where clicking the item label opens a landing page and the item
icon opens the secondary nav panel. This was a custom component
implemented in the Kibana package, not part of the EUI
`EuiCollapsibleNavBeta` component.
2. Changes some usage of `@emotion/css` to `@emotion/react` for better
developer experience
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] This design pattern was only used in Security Solution. There is a
small risk of regression issues in Security Solution navigation. This
was mitigated by manual testing during development.
The link to all indices of a data stream from the streams UI didn't work
properly because `includeHiddenIndices` wasn't set properly.
To fix it and prevent it from breaking in another place, I moved the logic to
the locator itself.
## Summary
Closes [#209791](https://github.com/elastic/kibana/issues/209791)
Closes [#204378](https://github.com/elastic/kibana/issues/204378)
### Improve Knowledge Base Installation and Inference Endpoint
Management
#### Enhancements
- The **"Install Knowledge Base"** button is only shown when there is no
inference endpoint. If the inference endpoint creation fails, an error
notification is displayed.
- When an inference endpoint **exists and is ready**, no buttons or
messages are shown.
- If the installation was in progress and **succeeded**, a success
message is displayed.
- If an inference endpoint is present, users can **inspect the state of
the model deployment** to diagnose issues.
- When an inference endpoint exists but has an **error**, users can
retry the installation.
#### Inspection & Troubleshooting
Users can inspect the inference endpoint's deployment status, including:
- **Model is deploying**
- **No ML node available**
- **Insufficient memory available**
https://github.com/user-attachments/assets/03a91120-173c-4dc9-b6f2-59a8c8c8defb
### Suggested Improvements
- Display **autoscaling information** for better resource insights.
- Show **ML node details** to help users understand the infrastructure.
- Allow users to **install, deploy, and stop the model** directly from
the inspection popup.
These changes enhance visibility, troubleshooting, and control over
inference endpoint deployment. 🚀
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
This PR adds the structure for workchat FTR tests and adds a few initial
tests as an example.
### Details about initially added tests
New test directories:
- `x-pack/test_serverless/api_integration/test_suites/chat`
- load a few common tests (that run on all project types)
- run `platform` security tests (taken over from `search` project type)
- `x-pack/test_serverless/functional/services/svl_chat_navigation.ts`
- load the `home page` common test
- run a simple navigation test, using the `svlChatNavigation` service
that has been introduced as an example
Note that these tests mostly serve as examples to prove things are
actually running and will have to be adjusted / removed / extended over
time. The purpose of this PR is NOT to add proper test coverage.
Closes #213469
---------
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>