## Summary
The formatter uses a tab size of 2 spaces. The editor should follow suit
so that it is easy to keep the formatting.
Also, the editor should keep the current indentation automatically.
https://github.com/user-attachments/assets/8c89b33a-2ba3-4332-a858-c5b8cb9c65dd
---------
Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
It fixes an issue where adding the `Change Point Detection` embeddable
didn't work properly.
The bug was introduced in https://github.com/elastic/kibana/pull/197943
The main cause was the use of `<ChangePointDetectionContextProvider>`
which calls `timefilter.getActiveBounds()`. However, for
`getActiveBounds` to work, `this.isTimeRangeSelectorEnabled()` must
return true. By default, this is not the case within dashboards.
However, we do not actually need the `ChangePointDetectionContext`
inside the embeddable, so this PR removes its usage.
A functional test has been added to cover adding the Change Point
embeddable from the dashboards app. It's a very simple test that does
not verify the embeddable's functionality, but it could be improved in a
follow-up.

---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
* Removes manually maintained OAS for Core's `_export` and `_import`
Saved Object APIs
* seeks to remove some code duplication and move our OAS descriptions
closer to the code definitions.
## Summary
It closes https://github.com/elastic/kibana/issues/217079
- Update implementation as per the Asset Inventory [Enable Users to
Search, Filter, and Group Assets within Asset Inventory acceptance
criteria](https://github.com/elastic/security-team/issues/10344):
- Set the default columns for the data table as it is specified in
- Update filter attributes
- Update implementation to match answers given in [this
epic](https://github.com/elastic/security-team/issues/11856):
- Hide 3-dots button on each data table row
- Remap bar chart fields to `entity.type` and `entity.sub_type`
### Checklist
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Risks
No risks whatsoever.
---------
Co-authored-by: Paulo Henrique <paulo.henrique@elastic.co>
In this PR, I'm changing the CODEOWNERS for reporting related modules.
While reviewing, ensure I haven't missed anything or moved a module that
should remain part of sharedux team.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Tim Sullivan <tsullivan@users.noreply.github.com>
Co-authored-by: Timothy Sullivan <tsullivan@elastic.co>
## Summary
This PR fixes an issue with the logic implemented in [this previous
PR](https://github.com/elastic/kibana/pull/215586):
_In the AI for SOC effort, each integration is bundled with a single
rule. This means that deselecting a source from the Source filter button
is equivalent to adding a filter to the search bar to exclude all alerts
with the kibana.alert.rule.name property having the value of that
integration._
The problem with the previous logic above is that the value in the
`kibana.alert.rule.name` field can be overridden (see `Rule name
override`
[here](https://www.elastic.co/guide/en/security/current/rules-ui-create.html)).
Therefore, filtering alerts by this value does not guarantee that all the
alerts generated by the rule will be correctly filtered out.
The new logic uses the `rule.id` instead of the `rule.name`, which we
then use to filter using the `signal.rule.id` field instead of
`kibana.alert.rule.name`.
### Example:
The following 2 integrations are installed:
```typescript
[
  {
    id: 'splunk',
    name: 'splunk',
    status: installationStatuses.Installed,
    title: 'Splunk',
    version: '',
  },
  {
    id: 'google_secops',
    name: 'google_secops',
    status: installationStatuses.Installed,
    title: 'Google SecOps',
    version: '',
  },
]
```
This means that - in theory - there are the following 2 rules installed
and running:
```typescript
[
  {
    related_integrations: [{ package: 'splunk' }],
    id: 'splunk_rule_id',
  },
  {
    related_integrations: [{ package: 'google_secops' }],
    id: 'google_secops_rule_id',
  },
]
```
In this case, the `Sources` button would show 2 entries, as follows:
```typescript
[
  {
    checked: 'on',
    key: 'splunk_rule_id',
    label: 'Splunk',
  },
  {
    checked: 'on',
    key: 'google_secops_rule_id',
    label: 'Google SecOps',
  },
]
```
This PR also fixes a small miss in [the prior
PR](https://github.com/elastic/kibana/pull/215585) that implemented the
KPI section, where I had forgotten to pass the KQL filters to the
charts.
#### Before
https://github.com/user-attachments/assets/77e583c6-718f-46d9-96b4-42ee9976161b
#### After
https://github.com/user-attachments/assets/50e8e541-5798-4906-b7cc-4f9756dbdefc
## How to test
This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`
You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```yaml
xpack.securitySolutionServerless.productTypes:
[
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
]
```
Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`
### Notes
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`)
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
https://github.com/elastic/security-team/issues/11956
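The filtering logic described in the PR above, worked through as an added example that is not the PR's or Kibana's own code. It takes the two integrations and two rules from the description, builds the `Sources` options keyed on the bundled rule's id, and then compares excluding alerts by `kibana.alert.rule.name` with excluding them by `signal.rule.id` on a constructed set of alerts in which one Splunk alert carries an overridden rule name. The alert and rule shapes, the helper names and the KQL rendering are simplifications assumed here.

```typescript
// Added example, not Kibana's own code: the shapes below are simplified assumptions.
interface Integration { id: string; name: string; title: string; }
interface Rule { id: string; name: string; related_integrations: { package: string }[]; }
interface Alert { 'kibana.alert.rule.name': string; 'signal.rule.id': string; }
interface SourceOption { checked: 'on' | 'off'; key: string; label: string; }

export const integrations: Integration[] = [
  { id: 'splunk', name: 'splunk', title: 'Splunk' },
  { id: 'google_secops', name: 'google_secops', title: 'Google SecOps' },
];

export const rules: Rule[] = [
  { id: 'splunk_rule_id', name: 'splunk', related_integrations: [{ package: 'splunk' }] },
  { id: 'google_secops_rule_id', name: 'google_secops', related_integrations: [{ package: 'google_secops' }] },
];

// Constructed alerts: the second one comes from the Splunk rule, but its name was overridden.
export const alerts: Alert[] = [
  { 'kibana.alert.rule.name': 'splunk', 'signal.rule.id': 'splunk_rule_id' },
  { 'kibana.alert.rule.name': 'Suspicious login (overridden name)', 'signal.rule.id': 'splunk_rule_id' },
  { 'kibana.alert.rule.name': 'google_secops', 'signal.rule.id': 'google_secops_rule_id' },
];

// One Sources entry per installed integration, keyed by the id of the rule bundled with it.
export function buildSourceOptions(ints: Integration[], rs: Rule[]): SourceOption[] {
  const options: SourceOption[] = [];
  for (const integration of ints) {
    const rule = rs.find((r) =>
      r.related_integrations.some((ri) => ri.package === integration.name)
    );
    if (!rule) continue; // no bundled rule: nothing to key the filter on
    options.push({ checked: 'on', key: rule.id, label: integration.title });
  }
  return options;
}

// Previous logic: exclude alerts whose rule name matches a deselected source.
export function excludeByRuleName(all: Alert[], deselectedNames: string[]): Alert[] {
  return all.filter((a) => !deselectedNames.includes(a['kibana.alert.rule.name']));
}

// New logic: exclude by the stable rule id carried in signal.rule.id.
export function excludeByRuleId(all: Alert[], deselectedRuleIds: string[]): Alert[] {
  return all.filter((a) => !deselectedRuleIds.includes(a['signal.rule.id']));
}

// Render the same exclusion as a KQL clause for the search bar (hypothetical rendering;
// quotes and backslashes in ids are escaped so an id cannot break out of the quoted value).
export function toKql(deselectedRuleIds: string[]): string {
  if (deselectedRuleIds.length === 0) return '';
  const quote = (id: string) => `"${id.replace(/(["\\])/g, '\\$1')}"`;
  return `NOT (${deselectedRuleIds.map((id) => `signal.rule.id : ${quote(id)}`).join(' OR ')})`;
}

// Deselecting "Splunk": how many alerts the name-based filter lets through that the
// id-based filter removes (the overridden-name alert).
export function leakedByName(): number {
  return excludeByRuleName(alerts, ['splunk']).length - excludeByRuleId(alerts, ['splunk_rule_id']).length;
}
```

The point the PR makes shows up in `leakedByName()`: the name-based filter keeps the alert whose rule name was overridden, while the id-based filter removes both Splunk alerts, because `signal.rule.id` is not user-editable in the way the rule name is.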
## Summary
```
TimeoutError: page.waitForSelector: Timeout 10000ms exceeded.
Call log:
- waiting for locator('[data-test-subj="globalLoadingIndicator-hidden"]')
at Object.waitForSelector (src/platform/packages/shared/kbn-scout/src/playwright/fixtures/test/scout_page/single_thread.ts:47:27)
at Page.waitForLoadingIndicatorHidden (src/platform/packages/shared/kbn-scout/src/playwright/fixtures/test/scout_page/single_thread.ts:91:27)
at x-pack/solutions/security/plugins/security_solution/ui_tests/parallel_tests/flyout/alert_details_url_sync.spec.ts:40:16
```
Failure rate before changes: 60%
<img width="487" alt="image"
src="https://github.com/user-attachments/assets/9331f973-9337-48cf-9131-c3acbf611d9c"
/>
For some reason, specifically in the serverless Security project, the
loading indicator is not hidden on page reload after 10 seconds.
To unblock teams, this PR changes the tests to wait for
`detectionsAlertsPage` to be visible instead. The follow-up is to set
the loading status directly in the Alerting Table component and wait for
the `alertsTable-loaded` data-test-subj in UI tests before interacting with
the table.
Failure rate with changes: 0%
<img width="1592" alt="Screenshot 2025-04-04 at 17 08 32"
src="https://github.com/user-attachments/assets/c955ed94-bc92-4328-a3b5-0194806d31b1"
/>
## 📓 Summary
Closes https://github.com/elastic/streams-program/issues/101
These changes update the simulation to detect ignored fields and
mapping failures.
As these failures are detected while simulating an ingestion, the
`_ingest/_simulate` API won't tell us which processor caused the
failure, but we can associate it with the document.
### Wired streams
- `agent.name` is mapped with `ignore_above: 4` to simulate short string
ignored fields
- `long_number` is mapped as `long`
I tried parsing a string into `agent.name` to simulate the
ignored_fields, and similarly I tried parsing a string into
`long_number` to simulate the mapping failure.
https://github.com/user-attachments/assets/09b604da-ae45-43a6-a30a-737061ff0f90
### Classic streams
Tried mapping a word into `nginx.error.connection_id` field which is
mapped as `long`
https://github.com/user-attachments/assets/e6a1d47d-3080-452c-896a-2074f2f0c920
## Summary
We used to log all parsing errors for diagnostic purposes, since
they were never expected to happen.
With 21845ad7a1
they became much more common, especially while editing queries, because
of ANTLR stack popping exceptions (see
https://github.com/elastic/elasticsearch/issues/119025).
We should stop logging them all to the console... it makes it look like
something is wrong.
Query to test with:
```
FROM kibana_sample_data_*
| WHERE @timestamp != )
```
## Summary
Resolves https://github.com/elastic/kibana/issues/207096
This continues the work in https://github.com/elastic/kibana/pull/213979
Sometimes ES returns a 200 response containing an error field when we
wait for the update mappings task. This case wasn't being handled. This
PR handles that case: when we find a `search_phase_execution_exception`
in the ES response, we return a retryable error that sends us back to the
update mappings state. It does so for both migration algorithms; the
priority is ZDT, but it seemed like a nice-to-have in both.
### Checklist
Check the PR satisfies the following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Streamlines the UI of routing a bit:
* Move add button to the top right
* Pull enabled/disabled into separate row
* Only show a single line for streams not in edit mode
* Clearly label disabled
* Hide the drag handle by default and slide in on hover

Divergence from the design:
* Show preview of existing routing condition on select: This is tricky
for the same reason we can't do previews of changes to routing
conditions. I think we should stay away from it until we have actually solved
this problem
* Show form in disabled state when a stream routing is disabled - we
don't retain the disabled condition in this situation and there isn't a
good place to put it. I think we should split that out, but I can see
how it makes sense so you can disable without having to type the
condition again. However, it's a bit of a harder change because it would
change the streams backend as well which I want to decouple from the
relatively forward UX change it is right now
When navigating to the details page of a classic stream for the first
time, it would show an error toast from the `/dashboards` endpoint. This
happened because there was a bug in `ensureStream` - it would throw if
the data stream had been found but there was no streams
definition.
This PR fixes the bug and adds an integration test for it.
## Summary
### Fleet changes
- Fixed `GetPackagePoliciesRequest` (was missing `query` options
supported)
### Security Solution
This PR refactors the Policy Selection UI component - used mainly with
Artifact pages/forms - to remove the prior limitation of only displaying
the first 1,000 policies in the system. This new version of the
component is not connected to the API and allows a user to paginate
through the list of policies in the system, including being able to
search for policies while maintaining those that have been already
selected.
Some of the new features in this new component include:
- Page through list of available policies
- Search for policies (by default, it searches against `name`,
`description`, `policy_ids` and `package.name`)
- Ability to `select all` / `unselect all` policies currently displayed
- Ability to view the already selected list of policies
This PR moves the datepicker on the overview page into the chart panel
to claim some additional vertical screen space and to make it clearer
what the stats on top of the page mean:
<img width="1016" alt="Screenshot 2025-04-03 at 14 58 27"
src="https://github.com/user-attachments/assets/b0100a3e-e9c4-419e-9803-45558b8a0fad"
/>
It also refactors the code a bit and reduces prop drilling in some
areas.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Fixes: https://github.com/elastic/security-team/issues/12233
This PR simply adds a new `migration` index to store the migration data
with `migration_id` as the only property for now.
The APIs remain unchanged.
Below are the mappings for the new index
`.kibana-siem-rule-migrations-migrations-default`, based on the pattern
`.kibana-siem-rule-migrations-<indexAdapterId>-<spaceName>`
```json
{
  ".kibana-siem-rule-migrations-migrations-default": {
    "mappings": {
      "dynamic": "false",
      "_meta": {
        "namespace": "default",
        "kibana": {
          "version": "9.1.0"
        },
        "managed": true
      },
      "properties": {
        "created_at": {
          "type": "date"
        },
        "created_by": {
          "type": "keyword"
        },
        "id": {
          "type": "keyword"
        }
      }
    }
  }
}
```
Below is what a sample document looks like:
```json
{
  "_index": ".kibana-siem-rule-migrations-migrations-default",
  "_id": "C7oi15UBS6DCfB3qd4_l",
  "_score": 1,
  "_source": {
    "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
    "created_at": "2025-03-27T10:25:15.232Z"
  }
}
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
If a managed connector is used, show an icon with a tooltip to remind
them this costs money
<img width="436" alt="Screenshot 2025-04-02 at 17 00 56"
src="https://github.com/user-attachments/assets/495fa834-a0ec-4228-802e-ea2eee7678c5"
/>
I checked on serverless prod that the numbers we report on storage size
are identical to what `/app/management/data/data_usage` based on
auto-ops reports, with some caveats:
* We were using the eui number formatter which was configured to use
megabyte (MB, 1000^2) instead of mebibyte (MiB, 1024^2) - auto ops was
using mebibyte but still formatted the number as MB. I switched it over
to use mebibyte, so the numbers are the same now, but it's rendering
`MiB`. IMHO this is OK since it's more exact, but I wanted to call it
out
<img width="141" alt="Screenshot 2025-04-02 at 17 35 03"
src="https://github.com/user-attachments/assets/6145acfb-9a84-4ba0-81d0-a32718a5fff4"
/>
* On the overview page, the refresh button would not refresh the data
stream stats, which would cause a drift of the numbers over time. Fixed
that
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Currently, if you'd like to test something on Kibana's VM image, you'd
have to build a VM image to -qa, then rewrite all references to
`elastic-images-qa` for the PR jobs; once done with testing, we'd undo
the changes to `elastic-images-prod`.
This is a helpful tool for us to test with WIP VM images, we'd be able
to add a label to the PR, and it would automatically grab the QA images,
without any temporary commits.
Jobs in https://buildkite.com/elastic/kibana-pull-request/builds/289599
have run with an elastic-qa image. ✅
## Summary
Part of https://github.com/elastic/kibana/issues/213877
This PR doesn't introduce a new feature. It is mostly a refactoring to
allow us to give a better UX when a user, during creation, changes the
variable name from ??value to ?value and vice versa. The biggest change
is that we move 2 components from the individual form (value,
identifier) to index, as now they can be shared and they own the same
functionality regardless of the control type.
It is required to move to the next step, the creation of controls by
just typing a question mark.
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Towards making AAD the source of truth.
This PR creates a `trackedAlerts` object in the alertsClient and removes
the dependency on task state to fetch tracked alerts.
As fetching tracked alerts becomes a critical part, we throw an error
when it fails.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
This PR adds the integration section at the top of the alert summary
page. This section shows the installed AI for SOC integrations and an
`Add integration` button. Clicking on the button navigates to the
fleet's page.
In each integration card, we show the integration name, its logo as well
as the last activity time. This last activity value is retrieved as
follows:
- fetch all dataStreams (see [this api
documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-fleet-data-streams))
- find all the dataStreams that are related to the installed
integrations (via the `package` property)
- from all the matching dataStreams, take the most recently updated (via
the `last_activity_ms` value)

https://github.com/user-attachments/assets/7c67e629-e4d3-4ba2-b756-b9ba81e7a667
## How to test
This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`
You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```yaml
xpack.securitySolutionServerless.productTypes:
[
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
]
```
Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`
### Notes
You'll need to either have some AI for SOC integrations installed, or
more easily you can:
- change the `alert_summary.tsx` line `38` from `if
(installedPackages.length === 0) {` to `if (installedPackages.length >
0) {` to force the wrapper component to render
- update `42` of the same `alert_summary.tsx` file from `return <Wrapper
packages={installedPackages} />;` to `return <Wrapper
packages={availablePackages} />;` to be able to see some packages
Also, you'll need dataStreams if you want to be able to test the last activity
value. Easiest would probably be to mock the call return value following
[the
documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-fleet-data-streams).
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
https://github.com/elastic/security-team/issues/11955
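The three-step last-activity lookup described in the PR above, as an added example that is not the PR's or Kibana's own code. The data-stream records are reduced to the two fields the description relies on (`package` and `last_activity_ms`); the sample streams, the `InstalledPackage` shape and the fallback text are constructed assumptions. Beyond the description, the example also handles a package whose streams report no activity yet and a stream belonging to a package that is not installed.

```typescript
// Added example, not Kibana's own code. Only the fields the description relies on are modelled.
interface DataStream { dataset: string; package: string; last_activity_ms?: number; }
interface InstalledPackage { name: string; title: string; }

// Constructed sample: two streams for google_secops, one for splunk, one crowdstrike
// stream with no activity yet, and one stream for a package that is not installed.
export const sampleDataStreams: DataStream[] = [
  { dataset: 'google_secops.alerts', package: 'google_secops', last_activity_ms: 1743760000000 },
  { dataset: 'google_secops.events', package: 'google_secops', last_activity_ms: 1743770000000 },
  { dataset: 'splunk.alerts', package: 'splunk', last_activity_ms: 1743700000000 },
  { dataset: 'crowdstrike.alerts', package: 'crowdstrike' },
  { dataset: 'nginx.access', package: 'nginx', last_activity_ms: 1743790000000 },
];

export const installed: InstalledPackage[] = [
  { name: 'google_secops', title: 'Google SecOps' },
  { name: 'splunk', title: 'Splunk' },
  { name: 'crowdstrike', title: 'CrowdStrike' },
];

// Map each installed package to the most recent last_activity_ms among its data streams.
// A package with no matching stream, or whose streams carry no activity, maps to undefined;
// streams of packages that are not installed are ignored.
export function lastActivityByPackage(
  streams: DataStream[],
  packages: InstalledPackage[]
): Map<string, number | undefined> {
  const result = new Map<string, number | undefined>();
  for (const pkg of packages) {
    let latest: number | undefined;
    for (const stream of streams) {
      if (stream.package !== pkg.name) continue;
      if (typeof stream.last_activity_ms !== 'number') continue;
      if (latest === undefined || stream.last_activity_ms > latest) latest = stream.last_activity_ms;
    }
    result.set(pkg.name, latest);
  }
  return result;
}

// Value shown on the card; the fallback text is an assumption of this example.
export function formatLastActivity(ms: number | undefined): string {
  return ms === undefined ? 'No activity yet' : new Date(ms).toISOString();
}
```

Keying the map on the installed package list (rather than on whatever packages appear in the data streams) means the card set is driven by what is installed, and a stream from an uninstalled package cannot surface a card on its own.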
## Summary
Add safer parameters when deleting by queries, and make all delete by
queries async (wait = false).
In some cases, I've parallelized the calls