## Summary
Resolves https://github.com/elastic/security-team/issues/10971.
This PR makes it so that on Cloud, agentless policies cannot move off of
the default managed Fleet Server host and ES output. This is done by:
- Explicitly writing `fleet_server_host_id` and `data_output_id` fields
to the agentless policy that is created when adding an agentless
integration
- On ECH, these are `fleet-default-fleet-server-host` and
`fleet-default-output` respectively
- On Serverless, these are `default-fleet-server` and
`es-default-output`
- During Fleet setup, agentless policies without these fields set up
correctly will be backfilled to the correct values
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Fixes an issue where `validate_pipelines.sh` could attempt to validate a
pipeline file that does not exist.
The check was looking for changed files comparing `elastic/kibana/main`
and the pull request branch, where an out-of-date pull request could
return a changed file that was not modified in the PR branch.
See
https://buildkite.com/elastic/kibana-pull-request/builds/295938#019668ee-99f0-409e-bd7d-466e6293e982
## Summary
This PR creates CRUD endpoints for search playgrounds. This will enable
us to make new pages for saved playgrounds that are shared in a space.
## Notes
Usages of `ALL_SAVED_OBJECT_INDICES` had to be updated to include
`ignore_unavailable` since a new index was added for search solution
saved objects, but these are not always registered when search plugins
are disabled. Because of this, refresh and other calls using
`ALL_SAVED_OBJECT_INDICES` were failing when the new
`.kibana_search_solution` index did not exist.
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Gerard Soldevila <gerard.soldevila@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
During testing we discovered an issue related to the Assistant icon
displayed in the AI4DSOC alert summary page table.
The issue is related to the fact that the alert registers its context
with the assistant. When the assistant flyout is opened from the `Ask AI
assistant` button in the alert flyout, we have one flyout which means
one alert in the assistant. But with the Assistant icon shown on each
row of the table, we need to register context for each alert. That means
that x alert buttons equal x alerts in the assistant.
This is how it translates in the UI:

Redesigning how the assistant context works is very involved and too
risky to do at such a late time.
This PR removes the Assistant button from the row actions, which solves
the issue:
https://github.com/user-attachments/assets/0fd94cc1-4fbd-4e70-9790-22e4913477ff
Also, @stephmilovic noticed that when the assistant is opened from a
different launch point than the suggested prompt, and the suggested
prompt is still in the DOM, its prompt context shows up empty:
<img width="600" alt="Screenshot 2025-04-24 at 11 41 23 AM"
src="https://github.com/user-attachments/assets/0ceb3ffc-72e5-425c-b550-9b8d5896f359"
/>
She resolved this by adding a check in the ContextPills component for
`description.length > 0`. This would be resolved by the on click issue,
so might be worth coming back to.
This change is visible in the second commit and stolen from [this
PR](https://github.com/elastic/kibana/pull/219144).
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
relates to https://github.com/elastic/security-team/issues/11973
## Summary
Updates the `NLPCleanupTask` added in
https://github.com/elastic/kibana/pull/175358 to behave the same as
`complete` for the new `search_ai_lake` tier as we don't want it
periodically running and cleaning up ELSER. The task will run once, and
disable itself if not in the correct tier.
An FTR test was also added to ensure expected behavior in the
`search_ai_lake` tier.
Note: we may want to update this task to still clean up extraneous NLP
models that _are not_ ELSER, but this can be done in a future PR if
desired.
## Summary
This PR disabled the cell actions and the preview links on the Attack
discovery page for the AI4DSOC (searchLakeAI tier) effort.
For the first phase of AI4DSOC (at least for now) we do not have the
host, user, network... flyouts available, as the interactions between
those flyouts and the normal alert detail flyout are many.
Also, having the cell actions to filter in/out for example doesn't really
make sense at this time, as the other pages do not listen to these. It
would be confusing to the user to try to click on elements without any
actual actions being performed.
Before fix
https://github.com/user-attachments/assets/46be2f69-ad10-43a8-8c6b-7b56e231cf0b
After fix
https://github.com/user-attachments/assets/aeda65c1-f762-4696-b2fb-5837c6f06c54
## TODO
If the approach looks good to the @elastic/security-generative-ai team,
the following items need to be done before merging:
- [ ] write unit tests
- [ ] create a ticket for the techdebt and link it in the code
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Fixes https://github.com/elastic/kibana/issues/214564
This change prevents services only transmitting logs and metrics from
appearing in the service map.
A point of discussion:
With this change the service's 'focused service map' will be empty.
Should a placeholder node be added (no other nodes will be visible), or
should the service map for such services be hidden?
### Testing
I tested this by using an Otel-instrumented service with EDOT and
disabled all Trace exports. You'll see that without this change, that
service will appear in the service map, and with this change applied, it
will not.
I've created a new synthtrace scenario that will generate the necessary
data to verify this change.
Run the `otel_logs_and_metrics_only.ts` scenario for synthtrace, and a
service, named `otel-metrics-and-logs-only`, will be available in the
services inventory, but it will not appear in the service map, or the
focused service map for the service.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
Introduces a new `security_solution/gen_ai_evals.yml` BuildKite pipeline
for automatically running our Assistant and Attack Discovery evaluation
suites weekly.
### To Run Locally:
Ensure you are authenticated with vault for LLM + LangSmith creds:
> See [internal
docs](https://github.com/elastic/infra/blob/master/docs/vault/README.md#login-with-your-okta)
for setup/login instructions.
Fetch Connectors and LangSmith creds:
> [!NOTE]
> In discussion with @elastic/kibana-operations it was preferred to use
the ci-prod secrets vault, so we cannot self-manage the secrets. To test
this locally though, you can grab the secrets and follow the
instructions in this [paste
bin](https://p.elstc.co/paste/q7k+zYOc#PN0kasw11u2J0XWC2Ls5PMNWreKzKTpgWA1wtsPzeH+).
```
cd x-pack/test/security_solution_api_integration
node scripts/genai/vault/retrieve_secrets.js
```
Navigate to api integration directory, load the env vars, and start
server:
```
cd x-pack/test/security_solution_api_integration
export KIBANA_SECURITY_TESTING_AI_CONNECTORS=$(base64 -w 0 < scripts/genai/vault/connector_config.json) && export KIBANA_SECURITY_TESTING_LANGSMITH_KEY=$(base64 -w 0 < scripts/genai/vault/langsmith_key.txt)
yarn genai_evals:server:ess
```
Then in another terminal, load vars and run the tests:
```
cd x-pack/test/security_solution_api_integration
export KIBANA_SECURITY_TESTING_AI_CONNECTORS=$(base64 -w 0 < scripts/genai/vault/connector_config.json) && export KIBANA_SECURITY_TESTING_LANGSMITH_KEY=$(base64 -w 0 < scripts/genai/vault/langsmith_key.txt)
yarn genai_evals:runner:ess
```
### To manually run on BuildKite:
Navigate to
[BuildKite](https://buildkite.com/elastic?filter=ftr-security-solution-gen-ai-evaluations)
and run `ftr-security-solution-gen-ai-evaluations` pipeline.
### To manually run on BuildKite for specific PR:
In `.buildkite/ftr_security_stateful_configs.yml`, temporarily move the
`genai/evaluations/trial_license_complete_tier/configs/ess.config.ts`
line down to the `enabled` section. Will see if we can do this without
requiring a commit. @elastic/kibana-operations is it possible to set a
buildkite env var that can be read in FTR tests when a specific GitHub
label is added to the PR? I.e. can I create a `SecurityGenAI:Run Evals`
label that when added will run this suite as part of the build?
> [!NOTE]
> Currently the connectors secrets only include `gpt-4o` and
`gpt-4o-mini`. Waiting on finalized list w/ credentials from @jamesspi
and @peluja1012 and then we can have ops update using the scripts
included in this PR.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Patryk Kopycinski <patryk.kopycinski@elastic.co>
## Summary
@gsoldevila noticed that we have the same FTR configs listed in
different manifest files. It means that we are running the same configs
multiple times and this PR fixes it.
This PR updates `scripts/check_ftr_configs.js` to check for duplicate entries
in manifests in advance and throw an error asking developer to remove
duplicates:
```
[kbn-test/check-config-duplicate-entries][~/github/kibana]$ node scripts/check_ftr_configs.js
ERROR Duplicate FTR config entries detected. Please remove the duplicates:
Config path: x-pack/test/api_integration/apis/logs_ui/config.ts
Found in manifests:
.buildkite/ftr_platform_stateful_configs.yml
.buildkite/ftr_oblt_stateful_configs.yml
Config path: x-pack/test/api_integration/apis/metrics_ui/config.ts
Found in manifests:
.buildkite/ftr_platform_stateful_configs.yml
.buildkite/ftr_oblt_stateful_configs.yml
...
```
Check verified in
[CI](https://buildkite.com/elastic/kibana-pull-request/builds/295779#019667cf-bff5-4ea0-b0f2-7044125fe08e)
fixes https://github.com/elastic/kibana/issues/216974
## Summary
Improve the environment combobox typing behaviour

### How to test
- Navigate to Service Inventory
- Interact with the Environment dropdown
- It will fetch from the server when: backspace is hit or when the text
typed can't be matched with any items from the options list
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: jennypavlova <jennypavlova94@gmail.com>
## Summary
With these changes we increase the attack discovery schedule rule
execution timeout to `30m`. The attack discovery generation can take a
while and the default `5m` on ESS and `1m` on Serverless does not give
much time to do complex AI work.
## NOTES
The feature is hidden behind the feature flag (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
resolves https://github.com/elastic/kibana/issues/218616
Adds kibana config `xpack.alerting.disabledRuleTypes: string[]`, which
can be used to "disable" specific rule types. The config is checked when
a rule type is registered, and if the rule type should be disabled, it
won't be added to the rule type registry and will log an INFO message
about the rule type being disabled.
## Summary
Closes #190218
This PR aims to fix the multiple requests produced when interacting with
the custom links flyout, using `memo` and `useMemo` from React to
prevent rerenders and redundant api calls.
https://github.com/user-attachments/assets/f8b058cd-dc02-41ef-8389-809a006b8eda
## How to test
1. Start Kibana and run any synthtrace scenario
2. Go to APM -> Settings -> Custom Links
3. Play with the inputs, the calls should be made once per field (if you
already requested service.name, it will be cached, regardless of which
input you are using)
## Summary
Similar to #217034, #217202 and #217467 this time applied to
`react-use`.
This is a slightly different approach than #217034 as we're caching here
only the most common/frequently used methods from the `react-use`
library and leaving the rest to be loaded within the specific plugin
chunks.
What this PR does fundamentally:
* adds `7.x kb` to the shared bundle
* overall the startup bundle size shrinks about `3.5 kb`
* the async bundle size shrinks by about `350 kb` (mainly due to 3
imports which were targeting `react-use/lib`).
An alternative approach would be to just fix the async import strings in
there, but I thought it was worth it to make the long step here.
Feedback appreciated.
## Summary
This PR fixes:
1. refreshing controls when the alert search bar is refreshed
2. the extra initial loading of the alert table in the alerts page
(related to https://github.com/elastic/kibana/issues/183412)
# Summary
Updated the tooltips for the headings of the table that shows gaps for a
rule as well as a missing tooltip in the rule monitoring tab. For the
detailed list of tooltips refer to the original issue #218345.
# How to test
Make sure you enable the following feature flag in your
`kibana.dev.yaml`:
`xpack.securitySolution.enableExperimental: [
'storeGapsInEventLogEnabled' ]`
Create a rule that runs very often (it could be 1s interval and no look
back). Then disable the rule to generate gaps.
Wait for a bit and enable the rule again.
You should see the gaps table when visiting the rule details page under
the `execution results` tab.
## Summary
This PR fixes #218867 by switching to the `host.network.*` gauges. This
also sets a consistent value in the DataForge config so we can get a
reliable value to calculate and compare the results.
## Summary
Addresses this `a11y` issue:
https://github.com/elastic/kibana/issues/205327
## Changes made:
- Suppress duplicate screen-reader announcements by adding the
`disableScreenReaderOutput` prop to the `EuiToolTip` wrapping the “Add
filter” button.
- Confirmed the `disableScreenReaderOutput` prop (introduced in EUI
v101.2.0) by consulting the official tooltip documentation:
https://eui.elastic.co/#/display/tooltip
**How to test:**
1. Navigate to `Security -> Explore -> Users page`.
2. Navigate to `add filter` button by pressing Tab key.
3. Check the button and tooltip announcement on a screen reader.
### Sample
https://github.com/user-attachments/assets/dd4528fd-9ee3-437e-953f-7fc15fdde7ac
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios