## Summary
This PR fixes the issue of navigation link behaviour not updating after
first click/update.
## Testing Steps
1. Kibana - 8.18
2. Generate some data using the data generator and alerts.
3. Enable Risk Score
4. Go to Security -> Alerts
5. Open Host Flyout of a host with risk score
6. Click alert/risk summary link, then click the other one and observe
the tab on the left and content change in response ✅
### Screen Recordings
#### Host Selected
https://github.com/user-attachments/assets/ac071adc-8255-496e-956b-cf727191cbe3
#### User Selected
https://github.com/user-attachments/assets/ab10a640-964d-457f-9ff3-198c19641889
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This PR ensures that errors encountered during insight creation are
properly propagated to the UI, specifically to the endpoint insights
component. I opted for a UI-only approach because I believe these
creation errors shouldn’t be returned as API responses. Instead, we
should rely on the already stored insight status and potential
failureReason.
Additionally, I’ve updated the Cypress tests to no longer explicitly
include feature flags for this functionality, as the feature flag has
now been enabled.
https://github.com/user-attachments/assets/11f7f601-931f-41a0-a02c-e961b4424d1e
Close #185032
## Summary
An Observability AI Assistant connector is available to be set as action
for Observability rules. When an alert is triggered, a conversation with
the AI assistant will be created sending the initial prompt set by the
user in the rule action. The conversation is then stored and can be
retrieved from the AI Assistant interface. The action is triggered on
any status change of the alert (active, recovered, untracked), creating
a new conversation for each of them using the same initial prompt, which
may not be suitable for the 3 cases.
### Improvement
The user is able to choose when the action should be run (active,
recovered, untracked, all). That would allow the user to specify more
than one AI Assistant action, with a different and more suitable prompt
in each case.
https://github.com/user-attachments/assets/69463fa0-de5e-441c-8e99-a888e076f311
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Sandra G <neptunian@users.noreply.github.com>
## Add refresh for event log, when we fill gap
As we update gaps and don't wait for a refresh in the UI, we can end up
in an inconsistent state:
- Go to the gap table
- Click "Fill gap" and wait for the API response
- We then refetch gaps, but because we don't wait for the refresh we get
the old gaps, and the "Fill gap" action still remains in the table
In this PR we introduce an index refresh, which only happens when the
user performs an action to fill a gap.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
We started out with streams having an id, but we switched that to `name`
at some point. However, some places would still use `id` which bothered
me.
This PR switches all occurrences to `name` - Kibana and Elasticsearch
assets still have "id"s, but streams are all names.
## Summary
This PR resolves https://github.com/elastic/kibana/issues/201882 by
making sure that EUI palette functions are called during component
re-renders in Security Solution.
### Testing
Please verify that visualizations are displayed properly.
#### Running Kibana with the Borealis theme
In order to run Kibana with Borealis, you'll need to do the following:
Set the following in `kibana.dev.yml`:
`uiSettings.experimental.themeSwitcherEnabled: true`
Run Kibana with the following environment variable set:
`KBN_OPTIMIZER_THEMES="borealislight,borealisdark,v8light,v8dark" yarn start`
This will expose a toggle under Stack Management > Advanced Settings >
Theme version, which you can use to toggle between Amsterdam and
Borealis.
I couldn't verify if this builds correctly, as I couldn't quickly whip
up a dev environment locally that could build this. Is there a preview
built by the CI?
---------
Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
Part of https://github.com/elastic/kibana/issues/194171
This PR removes all async imports run during the uptime plugin setup and
start methods. This causes the page load bundle size to increase and
accurately reflect its true size.
### Test instructions
* Start kibana locally
* Open network tab in browser
* Open the home page. Verify `uptime.chunk` is not loaded. The screenshots
show the behavior in main, where `uptime.chunk` is loaded on the home page
<img width="600" alt="Screenshot 2025-02-05 at 9 06 56 AM"
src="https://github.com/user-attachments/assets/14218b85-3814-4e3c-9c04-bd73cf6c4dbd"
/>
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Part of https://github.com/elastic/kibana/issues/194171
This PR removes all async imports run during the searchNavigation plugin
setup and start methods.
### Test instructions
* Start kibana locally
* Open network tab in browser
* Open the home page. Verify `searchNavigation.chunk` is not loaded. The
screenshots show the behavior in main, where `searchNavigation.chunk`
is loaded on the home page
<img width="600" alt="Screenshot 2025-02-05 at 9 20 21 AM"
src="https://github.com/user-attachments/assets/e718e18e-de6e-4c1e-ba28-af713440459c"
/>
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
The configuration shown on Fleet -> Logstash output isn't up to date;
some of the settings have since been removed.
This PR updates the obsolete configuration(s) to align with the recent
Logstash 9.0 configs.
### Author's checklist
- [ ] This needs to be backported to 9.0 Kibana branch
- [ ] It would also be good to trigger a BC
## Summary
Fix https://github.com/elastic/kibana/issues/208728
This PR improves the breadcrumb extension point for adding a star next
to a dashboard breadcrumb https://github.com/elastic/kibana/issues/200315:
- Fix the breadcrumb extension not rendering in the solution nav
- Support multiple extensions (search sessions are deprecated and need
to be enabled with a kibana.yml flag, but we still need to support both
UI elements)
- Improve the DX for unmounting the extension
To test:
- Add `data.search.sessions.enabled: true` and see that search session
UI appears in solution nav.
- To test multiple, add more extensions by using
`chrome.setBreadcrumbsAppendExtension`, e.g. in
`src/platform/plugins/shared/data/public/search/search_service.ts` .
This is actually going to be used in
https://github.com/elastic/kibana/issues/200315

fixes [#209996](https://github.com/elastic/kibana/issues/209996)
## Summary
Fix the `inventory-view` schema. The wrong schema was causing an error
when trying to create/update a saved view in the Infra Inventory UI.

### How to test
- Run the request below in Dev Tools; it should return a 400 containing
the message: `"[attributes.legend.steps]: Value must be equal to or
lower than [18].: Bad Request"`
```
POST kbn:/api/saved_objects/inventory-view
{
  "attributes": {
    "metric": {
      "type": "cpuV2"
    },
    "sort": {
      "by": "name",
      "direction": "desc"
    },
    "groupBy": [],
    "nodeType": "host",
    "view": "map",
    "customOptions": [],
    "customMetrics": [],
    "boundsOverride": {
      "max": 1,
      "min": 0
    },
    "autoBounds": true,
    "accountId": "",
    "region": "",
    "time": 1738848614746,
    "autoReload": false,
    "filterQuery": {
      "expression": "",
      "kind": "kuery"
    },
    "legend": {
      "palette": "cool",
      "steps": 20,
      "reverseColors": false
    },
    "timelineOpen": false,
    "name": "sss"
  }
}
```
- Navigate to Infra > Inventory
- Create a new saved view
## Summary
This issue predominantly tries to improve the situation around fetching
and showing samples. Some of the discussion can be seen here:
https://github.com/elastic/streams-program/issues/37#issuecomment-2605288052
We have several issues - runtime fields are expensive (but needed if
fields aren't mapped), we are susceptible to timeouts depending on the
amount of data and time range, getting exact document counts (for
matched / not matched counts) is expensive, etc.
After speaking with Joe we decided it might be worth trying out async
search, as this alleviates some of these issues. E.g. the ability to
load and show partial results without trying to communicate this through
our API, or have to provide a potentially confusing UI around timeouts /
running to exhaustion options / toggles.
Realistically we only fetch 100 examples, but we might need to scan many
documents to gather that set of documents. I'm not 100% sure how often
we'll actually hit partial results here, but it seems more robust than
worrying about timeouts.
For the matching counts I just couldn't see a way to get an accurate
count without something expensive (e.g. `track_total_hits`) so I've
tried to use an "approximate match rate" based on a random sample, that
random sample is then filtered to the condition to see what approximate
percent matched. One note: aggregations don't seem to return partial
results (which makes sense I guess), you get the interval polling
requests, but won't get a result until the end. I did wonder if you
could do something smart with `track_total_hits` and aggs to "stream"
partial counts, I found a Slack thread saying don't do this 😅
⚠️ ~I'm not 100% sure what I'm missing here but I have seen the filter
sub aggregation come back with a doc_count that is higher than the
random sample.~
~[From the
docs](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-random-sampler-aggregation.html#random-sampler-inner-workings)
I understand "If a query is provided, a document is returned if it is
matched by the query and if the document is in the random sampling. The
sampling is not done over the matched documents." but I don't see why
that affects the sub aggregation under the random sample.~

~I hit this when playing with the `probability` setting, not sure if I'm
missing something stupid.~
[Solved](https://github.com/elastic/kibana/pull/209095#discussion_r1940567855)
Overall, this does seem to work well. I've used this against ~250k and
~2.5million documents, and whilst (depending on time range / runtime
fields) it can still be slow, it seems to provide a better experience
than hitting our API and holding the open connection. Obviously it comes
with the downsides of sitting on the client (not really sure it's a con,
these are platform services) and not using the standard
`streamsRepositoryClient`.
## Other changes
- The core changes here are in the `use_async_sample` hook, and where
that's consumed.
- Runtime fields are not generated for fields that are mapped.
- I've also refactored the routing index page so that components / hooks
live in their own files (this makes the diff look bigger than it is).
- Refactored some logic around preview panel / preview panel
illustration so that the two branches of logic / conditionals now become
one.
## Followups
- I haven't changed enrichment to use this or removed the actual API
route as I figured this would need discussion first to see if we want to
use this.
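The "approximate match rate" described in the summary, as an added example that is not the Streams plugin's own code: it builds the Elasticsearch `random_sampler` aggregation with a `filter` sub-aggregation for the routing condition, and computes the rate from the two `doc_count` values in the response. The condition, `probability`, `seed`, the `size: 100` sample and the response fragment are constructed for illustration; `random_sampler` itself and its `probability`/`seed` parameters are the real Elasticsearch API.

```typescript
// Added example (not Kibana's own implementation): approximate match rate
// from a random_sampler aggregation with a filter sub-aggregation.

export interface MatchRateAggs {
  sample: {
    doc_count: number; // documents that fell into the random sample
    matched: { doc_count: number }; // sampled documents matching the condition
  };
}

// Elasticsearch documents `probability` as: greater than 0, less than 0.5,
// or exactly 1. Reject anything else up front rather than at query time.
export function buildSampleSearchBody(
  condition: Record<string, unknown>,
  probability: number,
  seed = 42 // constructed; a fixed seed makes repeated polls comparable
) {
  const valid = (probability > 0 && probability < 0.5) || probability === 1;
  if (!valid) {
    throw new Error(
      `random_sampler probability must be in (0, 0.5) or exactly 1, got ${probability}`
    );
  }
  return {
    size: 100, // the example documents shown in the UI
    track_total_hits: false, // skip the exact (expensive) total count
    aggs: {
      sample: {
        random_sampler: { probability, seed },
        aggs: { matched: { filter: condition } },
      },
    },
  };
}

// Share of sampled documents matching the condition, or null when the
// sample is empty and no estimate is possible.
export function approximateMatchRate(aggs: MatchRateAggs): number | null {
  const sampled = aggs.sample.doc_count;
  if (sampled === 0) {
    return null;
  }
  // Clamp defensively so a caller never renders more than 100%.
  return Math.min(1, aggs.sample.matched.doc_count / sampled);
}

// Constructed response fragment, shaped like the `aggregations` object
// Elasticsearch returns for the request above.
export const sampleResponseAggs: MatchRateAggs = {
  sample: { doc_count: 2000, matched: { doc_count: 500 } },
};

export function demo(): number | null {
  return approximateMatchRate(sampleResponseAggs); // 0.25
}
```

Because aggregations only arrive with the final async-search response, the rate is computed once from the completed result; the partial-result handling the summary describes applies to the `size: 100` hits, not to this number.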
## 📓 Summary
Fix failing fields simulation on the schema editor. This happened
because the strict excessive-keys check in the zod validation for the
API request caught extra parameters used client-side on the Schema
Editor; removing those properties fixed the issue.
## Summary
Fixes https://github.com/elastic/kibana-team/issues/1442
This PR replaces a poorly performing regular expression with a constant
time string manipulation approach.
Context:
The regex is used to remove all references from a string when a user
copies a message from the assistant and when conversation history is
passed to the LLM e.g.
```
"The sky is blue{reference(1234)} and the grass is green{reference(4321)}" -> "The sky is blue and the grass is green"
```
Changes:
- Replace the regular expression inside of `removeContentReferences()`
- Add tests to verify new logic is correct.
- Fix a bug in the contentReference markdown parser that was found by
@andrew-goldstein
[here](https://github.com/elastic/kibana/pull/209314/files#r1943198510)
- For alerts page citations, add a filter for open and acknowledged
alerts within the last 24 hours
[here](https://github.com/elastic/kibana/pull/209314/files#diff-f17fbe7edfe72943fecbe5ddd8dca6c024a48fe4f90bf4f66650cef16091b769R36)
### How to test new regex:
One of the changes in this PR improves the performance of a regex. In
real life, no one has ever hit any performance issues with this
regex, and I don't think it is realistically possible to reach that
limit without other things breaking (i.e. the message sent to/returned
by the assistant would need to be so large that it would exceed the
context window). Therefore, all we can test is that the functionality
still works as expected after this change.
- Enable the feature flag
```yaml
# kibana.dev.yml
xpack.securitySolution.enableExperimental: ['contentReferencesEnabled']
```
- Open the security assistant
- Ask the assistant a question about your alerts or a document in your
KB. The assistant response should contain citations.
- Copy the response to the clipboard using the copy button.
<img width="785" alt="image"
src="https://github.com/user-attachments/assets/edded3a3-8cb9-40a8-918e-a9718e7afc22"
/>
- Your clipboard should contain the response without any citations
### How to test the alerts page filter
- Ask a question about your open alerts and make sure a citation is
returned.
- Click on the citation
- Verify a new tab is opened and the alerts page is visible with a
filter for open and acknowledged alerts and a now-24h time
window filter.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [X] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
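The reference-stripping described under "Context" above, as an added example that is not Kibana's `removeContentReferences()`: a single left-to-right scan that drops `{reference(<id>)}` markers without a regular expression, so the work done is proportional to the input length regardless of how the markers are arranged. It assumes the marker is exactly `{reference(` + id + `)}` and that the id is one or more ASCII letters or digits (the page only shows numeric ids); anything that does not match that shape is kept verbatim rather than discarded.

```typescript
// Added example (not Kibana's own implementation): strip `{reference(<id>)}`
// citation markers with one linear scan instead of a regex.
const OPEN = '{reference(';
const CLOSE = ')}';

// Assumption: ids are ASCII letters or digits only.
function isIdChar(code: number): boolean {
  return (
    (code >= 48 && code <= 57) || // 0-9
    (code >= 65 && code <= 90) || // A-Z
    (code >= 97 && code <= 122) // a-z
  );
}

export function removeContentReferences(text: string): string {
  const kept: string[] = [];
  let copiedUpTo = 0; // start of the pending run of text to keep
  let i = 0;
  while (i < text.length) {
    if (text.startsWith(OPEN, i)) {
      let j = i + OPEN.length;
      while (j < text.length && isIdChar(text.charCodeAt(j))) {
        j++;
      }
      // A well-formed marker has at least one id character followed by `)}`.
      if (j > i + OPEN.length && text.startsWith(CLOSE, j)) {
        kept.push(text.slice(copiedUpTo, i));
        i = j + CLOSE.length;
        copiedUpTo = i;
        continue;
      }
      // Malformed marker (empty id, stray characters, unterminated): fall
      // through and keep it verbatim so no surrounding content is lost.
    }
    i++;
  }
  kept.push(text.slice(copiedUpTo));
  return kept.join('');
}

// The example from the PR description, run through the scanner.
export function demo(): string {
  return removeContentReferences(
    'The sky is blue{reference(1234)} and the grass is green{reference(4321)}'
  ); // "The sky is blue and the grass is green"
}
```

Each character is inspected a bounded number of times: `OPEN` cannot overlap itself, so a failed id scan is never repeated from inside the same marker, which is the property that keeps pathological inputs from blowing up the way a backtracking pattern can.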
This PR updates the logic for determining whether an Insight has already
been addressed by Trusted Apps. While we’ve been querying Trusted Apps
based on the Insight’s reported path and, for Windows and macOS, the
signature, this approach had a limitation: it didn’t account for cases
where a matching Trusted App existed but was assigned to a policy
unrelated to the endpoint where the Insight was generated.
To address this, we’ve extended the query to include an additional
filter for the specific policy ID associated with the endpoint, as well
as any global policies (policy:all).
https://github.com/user-attachments/assets/96470d0b-b7ea-4f59-af0a-e865ad7fd22c
This PR fixes an issue where the Signer was not properly propagated
during Trusted Apps creation from Insights. With these changes, we
expect process.Ext.code_signature on Windows to be an array (ESS, ESS
Cloud) containing signatures, or a single object (Serverless). On macOS,
it will continue to be an object.
Please refer to the corresponding GitHub issue for the recordings.
## Summary
This PR removes the `isDraggable` prop throughout Security Solution.
Unless I'm mistaken, this property isn't necessary anymore, as we do not
use those draggable elements anymore. From what I could see, we had its
value set to `false` everywhere.
This led to a lot of files being impacted, but most of them have only a
couple of lines changed. In some files though, removing the
`isDraggable` prop allowed removing more code that became obsolete.
**No UI changes should have been introduced in this PR!**
### What this PR does
- removes `isDraggable` everywhere
- performs the extra small cleanup when obvious
- updates all corresponding unit and e2e tests
### What this PR does not do
- rename files or component names to limit the already extensive impact
of the code change
This PR switches the endpoint used for the `chat_completion` task type to
`_stream`. Only the URL changes; the request and response format stay
the same. The `_stream` URL was introduced a couple of versions ago and is
the preferred route for interacting with `chat_completion`.
### Testing
Set up a pre-configured connector for security. Add this to your
`config/kibana.dev.yml`:
```yaml
xpack.actions.preconfigured:
  my-inference-open-ai:
    name: Inference Preconfig Jon
    actionTypeId: .inference
    exposeConfig: true
    config:
      provider: 'openai'
      taskType: 'chat_completion'
      inferenceId: 'openai-chat_completion-123'
      providerConfig:
        rate_limit:
          requests_per_minute: 80000
        model_id: 'gpt-4o'
        url: https://api.openai.com/v1/chat/completions
    secrets:
      providerSecrets:
        api_key: '<api key>'
```
Then via the Connectors page, create an AI connector with the inference
endpoint id set to `openai-chat_completion-123`
https://github.com/user-attachments/assets/29d56d58-cd96-432f-9d13-460446d204a1
## Summary
This PR renames the `enterprise_search` config path from
`enterpriseSearch` to `xpack.search`. This is to migrate away from
customer facing usage of enterprise search and align with other search
plugin config paths like `xpack.serverless.search`.
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>