When setting the `canViewMlNodes`, we were assuming a serverless
environment based on whether all ML features (ad, dfa, nlp) were
enabled. When this was originally implemented no serverless project had
all three features enabled.
Since then the security project has
[changed](https://github.com/elastic/kibana/pull/175358) to include all
three features.
This PR adds an explicit check for serverless and disables
`canViewMlNodes` if it is true.
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Another follow-up to https://github.com/elastic/kibana/pull/212694
- Removes `alertWithSuppression` from `sharedParams` since it's already
available on `services`
- Updates the type of `services` throughout DE executor logic to
properly represent that it has `alertWithSuppression`
- Removes `experimentalFeatures` as a param from functions that no
longer need it
- Converts `bulkCreate` from a factory to a const function
- Converts `enrichAlerts` from a factory to a const function - but
enrichment logic is still passed to the persistence functions as a
function. Now it's just one layer of factories instead of two.
- Renames types related to `enrichAlerts` to match the function
names/responsibilities better
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Fix Unable to switch between Risk Contributions and Insights on host
details flyout.
**Pre Conditions**
1. Alerts should be available on Kibana.
2. Entity Risk Score must be enabled.
**Steps**
1. Navigate to a page where the flyout is available.
2. For any Entity, open the details flyout.
3. Expand the details flyout (left panel).
4. Observe that the user cannot switch between `Risk Contributions` and
`Insights` tabs.
**Expected Result**
The user should be able to switch between `Risk Contributions` and
`Insights` tabs.
**Screen Recording**
https://github.com/user-attachments/assets/3aae6291-5b5b-49a4-83c2-ac657e4e9524
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
These Stories were missed in [Upgrade to Storybook 8
(#195148)](https://github.com/elastic/kibana/pull/195148) and should be
migrated to the same format as other stories for consistency and to make
future migrations easier. They technically work in SB8; I forgot to run
the migration script again later on while working on the original PR.
The changes have already been backported to #214680 and #214681
## Summary
Part of https://github.com/elastic/kibana/issues/195418
This removes the final deprecated property from the command definitions:
the signature.
Most of the work was moving validation logic out of the generic paths
into command-specific validation methods. This exercise confirmed the
fact that many of the properties on the command signatures were added to
support something in one or two commands and did not apply to the vast
majority. Now, it is clearer what code applies to what commands.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Enables the SIEM Migrations feature in serverless. The experimental flag
will be cleaned later.
> [!NOTE]
> To release this feature as planned (Friday 28th March 2025), this PR
> needs to merge between Monday **24** and Thursday **27**
### Screenshot

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Fixes #210253
This PR adds an `aria-label` with the same content as the tooltip to
solve the "Button must have a discernible text" A11y critical issue.
## How to test
1. Download the [axe
devtools](https://chromewebstore.google.com/detail/axe-devtools-web-accessib/lhdoppojpmngadmnindnejefpokejbdd)
2. Enable ECO feature flag
3. Go into service inventory and run the scanner from axe devtools
4. You should see a critical error
5. Checkout this branch
6. Error should be solved
---------
Co-authored-by: Carlos Crespo <crespocarlos@users.noreply.github.com>
## Summary
This PR adds a rule gaps histogram that shows users how many rules had
gaps at any given time. They will also be able to see how many gaps have
been filled and how many are being filled.
See the images below which show what the dashboard looks like today, and
what it looks like after these changes.
## How was this tested?
I ran a script to create 100 rules with gaps, then I made the changes in
the dashboard JSON file and called the `POST
/internal/detection_engine/health/_setup` endpoint to apply them in my
local version of Kibana.
### Before

### After

## Summary
This PR fixes the issue where, when clicking the refresh button, the risk
score panel throws errors and the table displays no data.
The root cause was that the `refetchAll` callback did not include
`refetchEngineStatus`, which is responsible for refreshing the risk
engine status. As a result, the risk engine status
`hasEngineBeenInstalled` could become stale, leading to incorrect
behavior.
### Reproduce bug
(as per [#12017](https://github.com/elastic/security-team/issues/12017))
**Preconditions**
- Kibana started with user and host data
- Alerts created
- Enable risk engine

**To Reproduce**
**Steps to reproduce the behavior:**
1. Open the page and press refresh

**Expected behavior**
All panels should refresh
### Screenshots: Fixed Version
The bug appeared only on the static time options - "Today" and "This
Week". Fixed for both, confirmed working for the other options.
https://github.com/user-attachments/assets/bf2866cf-4e16-466f-8686-0c1b0bf5e7cb
## Summary
Right now we return a 404 anytime that the data we're looking for on the
`screenshot_ref` route is not satisfactory. We do an io-ts check on the
data before returning. It's possible that that data will fail the check,
and we'd return a 404 anyway. This isn't a very accurate reflection of
what's happening on the server, and could indicate a problem with the
user's data.
Instead, we first check if the data returned from Elasticsearch is
`null`, and if it is we return a 404. Otherwise, we compute the type
check like normal and return the result. In the case where the data
fails the type check, we instead return a 500 and include the malformed
data in the server response.
Co-authored-by: Faisal Kanout <faisal.kanout@elastic.co>
## Summary
This PR changes the privilege's actions merging logic for the composable
and deprecated Kibana features. The change makes it possible to have any
number of composable and deprecated features chained by `replaceBy`,
`composedOf`, or a combination of the two.
Under the hood, the privileges factory sorts all deprecated and
composable privileges using Kahn's algorithm for topological sorting,
similar to what is used to sort Kibana plugin dependencies. This allows
us to not only detect cyclical dependencies but also sort privileges in
the proper order depending on their dependency chain.
The use cases addressed by this change are best illustrated by the
`actions should respect composedOf when specified with replaceBy at the
privilege` test in `privileges.test.ts`.
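The sorting and merging step described above, written out with Kahn's algorithm as an added example that is not Kibana's privileges factory; the `FeatureDef` shape, the action strings and the rule that a feature inherits the actions of whatever it is composed of or replaced by are assumptions:

```typescript
// Added example (not Kibana's privileges factory): Kahn's topological sort
// over features chained by `composedOf` / `replaceBy`; shapes are assumed.
interface FeatureDef {
  id: string;
  actions: string[]; // actions the feature grants on its own
  composedOf?: string[]; // features whose actions it also grants
  replaceBy?: string[]; // deprecated feature: the features superseding it
}
const depsOf = (f: FeatureDef): string[] => [...(f.composedOf ?? []), ...(f.replaceBy ?? [])];

/** Order ids so every dependency precedes its dependents; throws on an unknown reference or a cycle. */
function topoSortFeatures(features: FeatureDef[]): string[] {
  const ids = new Set(features.map((f) => f.id));
  const inDegree = new Map<string, number>(features.map((f): [string, number] => [f.id, 0]));
  const dependents = new Map<string, string[]>(features.map((f): [string, string[]] => [f.id, []]));
  for (const f of features) {
    for (const dep of depsOf(f)) {
      if (!ids.has(dep)) throw new Error(`${f.id} references unknown feature ${dep}`);
      inDegree.set(f.id, inDegree.get(f.id)! + 1);
      dependents.get(dep)!.push(f.id);
    }
  }
  const queue = Array.from(ids).filter((id) => inDegree.get(id) === 0);
  const order: string[] = [];
  while (queue.length > 0) {
    const id = queue.shift()!;
    order.push(id);
    for (const next of dependents.get(id)!) {
      const remaining = inDegree.get(next)! - 1;
      inDegree.set(next, remaining);
      if (remaining === 0) queue.push(next);
    }
  }
  // Nodes that sit on a cycle never reach in-degree zero, so they are never emitted.
  if (order.length !== features.length) {
    const stuck = Array.from(inDegree).filter(([, d]) => d > 0).map(([id]) => id);
    throw new Error(`cyclical feature dependency among: ${stuck.join(', ')}`);
  }
  return order;
}

/** Merge along the chain: own actions plus everything granted by the features it is composed of or replaced by. */
function mergeActions(features: FeatureDef[]): Map<string, string[]> {
  const byId = new Map<string, FeatureDef>(features.map((f): [string, FeatureDef] => [f.id, f]));
  const merged = new Map<string, string[]>();
  for (const id of topoSortFeatures(features)) {
    const all = new Set(byId.get(id)!.actions);
    for (const dep of depsOf(byId.get(id)!)) merged.get(dep)!.forEach((a) => all.add(a));
    merged.set(id, Array.from(all).sort());
  }
  return merged;
}

// Constructed sample: a deprecated feature replaced by a composable feature
// that is itself composed of two base features.
const sampleFeatures: FeatureDef[] = [
  { id: 'legacy', actions: ['legacy:read'], replaceBy: ['composite'] },
  { id: 'composite', actions: [], composedOf: ['alpha', 'beta'] },
  { id: 'alpha', actions: ['alpha:read'] },
  { id: 'beta', actions: ['beta:read', 'beta:write'] },
];
```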
## Summary
Fixes #210258
This PR adds an `aria-label` with the same content as the title to solve
the "Button must have a discernible text" A11y critical issue.
## How to test
1. Download the [axe
devtools](https://chromewebstore.google.com/detail/axe-devtools-web-accessib/lhdoppojpmngadmnindnejefpokejbdd)
2. Go into a service overview and run the scanner from axe devtools
3. You should see a critical error
4. Checkout this branch
5. Error should be solved
Closes #215134
Using `helm upgrade --install` lets the user run the helm command
multiple times to, for example, upgrade to the new version after a stack
release.

## How to test
1. Run Kibana and navigate to the K8S OTel onboarding flow
2. Execute snippets provided by the flow
3. Copy only the `helm upgrade --install ...` part of the second snippet
and execute it again
4. Make sure the command succeeds
Co-authored-by: Joe Reuter <johannes.reuter@elastic.co>
Adds a type and color for `Executable` flamegraph nodes.
The new type will be used by [this
change](https://github.com/elastic/elasticsearch/pull/119115) in the ES
profiling plugin (the required code change from grouping by process name
to grouping by executable name needs tbd).
## Summary
With #212397 we added 2 tests for Discover app (loading `/app/discover`)
to track:
- js bundles loaded on page
- perf metrics like CPU time, Layout time and Script time fetched with
CDP Performance Domain API
While the first test for bundles _didn't report any failures_, the second
test to validate Perf metrics fails periodically:
https://buildkite.com/elastic/kibana-on-merge-unsupported-ftrs/builds/34729#0195a4de-6cd5-4d1e-be11-5d02be6de2b0
```
Error: CPU time (seconds) usage during page navigation should not exceed 1.5 seconds
expect(received).toBeLessThan(expected)
Expected: < 1.5
Received: 1.591343
```
https://buildkite.com/elastic/kibana-on-merge-unsupported-ftrs/builds/34877
```
Error: Additional time spent executing JS scripts should not exceed 0.5 second
expect(received).toBeLessThan(expected)
Expected: < 0.5
Received: 0.601434
```
https://buildkite.com/elastic/kibana-on-merge-unsupported-ftrs/builds/34899
```
Error: Total layout computation time should not exceed 0.06 second
expect(received).toBeLessThan(expected)
Expected: < 0.06
Received: 0.061723
```
https://buildkite.com/elastic/kibana-on-merge-unsupported-ftrs/builds/34912#0195adb8-4536-42b7-ab4d-524535fdad9a
```
Error: Additional time spent executing JS scripts should not exceed 0.5 second
expect(received).toBeLessThan(expected)
Expected: < 0.5
Received: 0.561259
```
It was worth an experiment, but due to flakiness we decided to keep only
bundles limits validation for now and see if it is stable in the long
run.
If the Data-Discovery team has interest in collecting Perf metrics without
strict validation in PRs, we can discuss the options. Alternatively we
can wait for Scout GA and you can deep dive into your own performance
testing with Playwright/CDP.
## Summary
I refactored the flapping code on ON week in PR
https://github.com/elastic/kibana/pull/213825 , and I removed an
optimization for removing recovered alerts from the task state that we
don't need to track for flapping. This PR adds it back.
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### To verify
1. Create a rule, let it be active for a little while and then let it recover.
2. Verify that once the flapping array doesn't have any `true` values
changes
## Summary
Fixes https://github.com/elastic/kibana/issues/213324
For some reason this PR https://github.com/elastic/kibana/pull/213928
didn't catch that the changes make the test fail. This PR fixes it.
After this, we'll be able to backport the original PR.
(The pattern of using `data-attr-field` is already used in Discover so I
think it's a good opportunity to align)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Nick Partridge <nicholas.partridge@elastic.co>
## [Security Solution] [Attack discovery] Prompt updates
This PR contains updates to the following Attack discovery prompts:
- `attackDiscoveryPrompt`
- `continuePrompt`
- `refinePrompt`
Thank you @mgarzon for these improvements!
## Summary
This PR continues and finalizes the pre-work done in
https://github.com/elastic/kibana/pull/214889. Once this PR is merged,
the actual alert summary page content implementation will begin. We need
a dataView to be created before being able to fetch any data. The
`wrapper.tsx` component creates a dataView.
- While the dataView is being created, a loading skeleton mimicking the
future layout of the alert summary page is rendered.
- If the dataView fails to be correctly created (meaning if it comes
back undefined or without an id) we show an error message.
- If the dataView is correctly created, we continue to the alert summary
page (currently just a div)
https://github.com/user-attachments/assets/f1c8f63e-30a0-4186-94b6-f18a18a89218

## How to test
This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`
You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```
Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`
### Notes
You'll need to either have some AI for SOC integrations installed, or
more easily you can change the `alert_summary.tsx` line 38 from `if
(installedPackages.length === 0) {` to `if (installedPackages.length >
0) {` to force the wrapper component to render.
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Closes #215229
## Summary
This PR adds the `USER_AGENT_VERSION` missing field to the
`optionalFields` query fields
## Testing
- Find a trace with user agent version (on the edge oblt we have it for
`elastic-co-frontend` for example)
- Go to the transaction tab (in case of `elastic-co-frontend` click on
`/blog/:id`)
If the user agent version is available it should be visible in the trace
summary:
<img width="1155" alt="image"
src="https://github.com/user-attachments/assets/75b7e331-44d0-4d1c-8060-815c269e23c9"
/>
Resolves https://github.com/elastic/kibana/issues/202564
## Summary
The test is testing for the number of alerts generated assuming the AAD
rule runs 3 times (2 alerts per run). It looks like sometimes, the rule
only runs twice before the telemetry is collected so this updates the
test to verify the number of alerts based on the number of times the
rule ran.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
We've done a lot of UA changes against 8.18 and 8.x but we did not port
them to `main`. The reason we did not do the active development against
`main` is because UA is disabled on main and we need those features in
8.last not on `9.0` initially. This port is to keep the codebase
consistent and to be able to use these new UA features in the future
post `9.0`.
Any issues that are caused by this port we should wrap in a
config and disable them on main and enable this new flag on `8.x`.
What is being ported?
- [x] Upgrade assistant plugin
(`x-pack/platform/plugins/private/upgrade_assistant`)
- [x] Integration test changes
(`x-pack/test/upgrade_assistant_integration`)
- [x] new UA doc links
(`src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts`)
- [x] localization files sync
(`x-pack/platform/plugins/private/translations/translations/*.json`)
- [x] Unfreeze is no longer supported after `8.x`. So removed it from
data streams readonly migration step and throw an error for regular
indices migration.
Closes https://github.com/elastic/kibana/issues/210490
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
### Authz API migration for unauthorized routes
This PR migrates the last unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)
### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```
### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```
## Summary
Skips the basic license cases list view test since it is expecting the
cases list not to be present for a basic/essentials tier license, but
the FIPS pipeline always runs with a platinum license override.
## Summary
Relates https://github.com/elastic/kibana/issues/206244
Adding `custom_assets` to the `fleet-synced-integrations` index, including
all component templates and ingest pipelines that have the suffix `@custom`
and belong to a package.
A follow-up PR will add logic to read and install the custom assets
on the remote cluster.
To verify:
- enable feature flag `enableSyncIntegrationsOnRemote`
- add a remote es output with `sync_integrations` enabled
```
xpack.fleet.outputs:
  - name: 'Preconfiged remote output'
    type: 'remote_elasticsearch'
    id: 'remote-output2'
    hosts: ["http://192.168.64.1:9200"]
    sync_integrations: true
    kibana_url: "http://localhost:5601"
    secrets:
      service_token: token
      kibana_api_key: key
```
- visit Fleet UI to let setup run that creates
`fleet-synced-integrations` index
- add system integration and create a custom component template and
ingest pipeline
- wait 5m for the async task to run
- verify that the `fleet-synced-integrations` index contains the custom
assets populated
- delete one of the assets or uninstall the package
- wait 5m for the task to run again
- verify that the assets are marked with `is_deleted:true` and have a
`deleted_at` field set
```
GET fleet-synced-integrations/_search
{
  "_index": "fleet-synced-integrations",
  "_id": "fleet-synced-integrations",
  "_score": 1,
  "_source": {
    "remote_es_hosts": [
      {
        "hosts": [
          "http://192.168.64.1:9200"
        ],
        "name": "Preconfiged remote output",
        "sync_integrations": true
      }
    ],
    "integrations": [
      {
        "package_version": "1.67.3",
        "updated_at": "2025-03-20T07:17:55.143Z",
        "package_name": "system"
      }
    ],
    "custom_assets": {
      "component_template:logs-system.auth@custom": {
        "type": "component_template",
        "name": "logs-system.auth@custom",
        "package_name": "system",
        "package_version": "1.67.3",
        "is_deleted": false,
        "template": {
          "mappings": {
            "properties": {
              "new_field": {
                "type": "text"
              }
            }
          }
        }
      },
      "ingest_pipeline:logs-system.auth@custom": {
        "pipeline": {
          "processors": [
            {
              "user_agent": {
                "field": "user_agent"
              }
            }
          ],
          "version": 1
        },
        "package_version": "1.67.3",
        "is_deleted": false,
        "name": "logs-system.auth@custom",
        "package_name": "system",
        "type": "ingest_pipeline"
      }
    },
    "custom_assets_error": {}
  }
}
```
<img width="1296" alt="image"
src="https://github.com/user-attachments/assets/35503453-ab4a-4649-a889-27dd188e3d55"
/>
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
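How the `custom_assets` map shown in the verification steps above can be derived and how removed assets become `is_deleted` tombstones, as an added example that is not Fleet's own code; the input shapes, the `deleted_at` stamping and the rule that maps an asset name to its package (the dataset prefix before the first dot) are assumptions:

```typescript
// Added example, not Fleet's own code: derive the `custom_assets` map from the
// `@custom` assets currently present and tombstone those that disappeared since
// the previous sync. Input shapes and the name-to-package rule are assumptions.
interface InstalledPackage { name: string; version: string }
interface CustomAsset {
  type: 'component_template' | 'ingest_pipeline';
  name: string;
  package_name: string;
  package_version: string;
  is_deleted: boolean;
  deleted_at?: string; template?: unknown; pipeline?: unknown;
}
type CustomAssets = Record<string, CustomAsset>;

/** `logs-system.auth@custom` -> `system`; undefined when the name is not a `@custom` asset. */
function packageForAsset(name: string): string | undefined {
  const m = /^[a-z]+-([^.@]+)(?:\.[^@]+)?@custom$/.exec(name);
  return m ? m[1] : undefined;
}

function buildCustomAssets(
  installed: InstalledPackage[],
  componentTemplates: Record<string, unknown>, // name -> template body
  ingestPipelines: Record<string, unknown>, // name -> pipeline body
  previous: CustomAssets, // what the index held after the last sync
  now: string, // timestamp to stamp into deleted_at
): CustomAssets {
  const versions = new Map<string, string>(installed.map((p): [string, string] => [p.name, p.version]));
  const next: CustomAssets = {};
  const add = (type: CustomAsset['type'], name: string, body: unknown) => {
    const pkg = packageForAsset(name);
    if (pkg === undefined || !versions.has(pkg)) return; // not @custom, or package not installed
    next[`${type}:${name}`] = {
      type, name, package_name: pkg, package_version: versions.get(pkg)!, is_deleted: false,
      ...(type === 'component_template' ? { template: body } : { pipeline: body }),
    };
  };
  for (const [name, body] of Object.entries(componentTemplates)) add('component_template', name, body);
  for (const [name, body] of Object.entries(ingestPipelines)) add('ingest_pipeline', name, body);
  // An asset synced earlier but absent now (deleted, or its package uninstalled)
  // stays in the map as a tombstone so the remote side can remove it as well.
  for (const [key, asset] of Object.entries(previous)) {
    if (!(key in next)) next[key] = { ...asset, is_deleted: true, deleted_at: asset.deleted_at ?? now };
  }
  return next;
}

// Constructed sample state: system is installed, nginx is not; one asset from
// the previous sync (`logs-system.syslog@custom`) has since been removed.
const sampleInstalled: InstalledPackage[] = [{ name: 'system', version: '1.67.3' }];
const sampleTemplates = {
  'logs-system.auth@custom': { mappings: { properties: { new_field: { type: 'text' } } } },
  'logs-nginx.access@custom': { mappings: {} }, // package not installed: ignored
  'logs-system.auth': { mappings: {} }, // not a @custom asset: ignored
};
const samplePipelines = { 'logs-system.auth@custom': { processors: [{ user_agent: { field: 'user_agent' } }], version: 1 } };
const samplePrevious: CustomAssets = {
  'ingest_pipeline:logs-system.syslog@custom': { type: 'ingest_pipeline', name: 'logs-system.syslog@custom',
    package_name: 'system', package_version: '1.67.3', is_deleted: false, pipeline: { processors: [], version: 1 } },
};
```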