## Summary
Another follow up to https://github.com/elastic/kibana/pull/212694
- Removes `alertWithSuppression` from `sharedParams` since it's already
available on `services`
- Updates the type of `services` throughout DE executor logic to
properly represent that it has `alertWithSuppression`
- Removes `experimentalFeatures` as a param from functions that no
longer need it
- Converts `bulkCreate` from a factory to a const function
- Converts `enrichAlerts` from a factory to a const function - but
enrichment logic is still passed to the persistence functions as a
function. Now it's just one layer of factories instead of two.
- Renames types related to `enrichAlerts` to match the function
names/responsibilities better
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Fix Unable to switch between Risk Contributions and Insights on host
details flyout.
**Pre Conditions**
1. Alerts should be available on Kibana.
2. Entity Risk Score must be enabled.
**Steps**
1. Navigate to a page where the flyout is available.
2. For any Entity, open the details flyout.
3. Expand the details flyout (left panel).
4. Observe that the user cannot switch between `Risk Contributions` and
`Insights` tabs.
**Expected Result**
The user should be able to switch between `Risk Contributions` and
`Insights` tabs.
**Screen Recording**
https://github.com/user-attachments/assets/3aae6291-5b5b-49a4-83c2-ac657e4e9524
### Checklist
Check that the PR satisfies the following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
These Stories were missed in [Upgrade to Storybook 8
(#195148)](https://github.com/elastic/kibana/pull/195148) and should be
migrated to the same format as other stories for consistency and to make
future migrations easier. They technically work in SB8; I forgot to run
the migration script again later on while working on the original PR.
The changes have already been backported to #214680 and #214681
## Summary
Fixes #210253
This PR adds an `aria-label` with the same content as the tooltip to
solve the "Button must have a discernible text" A11y critical issue.
## How to test
1. Download the [axe
devtools](https://chromewebstore.google.com/detail/axe-devtools-web-accessib/lhdoppojpmngadmnindnejefpokejbdd)
2. Enable ECO feature flag
3. Go into service inventory and run the scanner from axe devtools
4. You should see a critical error
5. Checkout this branch
6. Error should be solved
---------
Co-authored-by: Carlos Crespo <crespocarlos@users.noreply.github.com>
## Summary
This PR adds a rule gaps histogram that shows users how many rules had
gaps at any given time. They will also be able to see how many gaps have
been filled and how many are being filled.
See the images below which show what the dashboard looks like today, and
what it looks like after these changes.
## How was this tested?
I ran a script to create 100 rules with gaps, then I made the changes in
the dashboard JSON file and called the `POST
/internal/detection_engine/health/_setup` endpoint to apply them in my
local version of Kibana.
### Before

### After

## Summary
This PR fixes the issue where, after clicking the refresh button, the
risk score panel throws errors and the table displays no data.
The root cause was that the `refetchAll` callback did not include
`refetchEngineStatus`, which is responsible for refreshing the risk
engine status. As a result, the risk engine status
`hasEngineBeenInstalled` could become stale, leading to incorrect
behavior.
### Reproduce bug
(as per [#12017](https://github.com/elastic/security-team/issues/12017))
**Preconditions**
- Kibana started with user and host data
- Alerts created
- Risk engine enabled
**Steps to reproduce the behavior:**
1. Open the page and press refresh
**Expected behavior**
All panels should refresh
### Screenshots: Fixed Version
The bug appeared only on the static time options - "Today" and "This
Week". Fixed for both, confirmed working for the other options.
https://github.com/user-attachments/assets/bf2866cf-4e16-466f-8686-0c1b0bf5e7cb
## Summary
Right now we return a 404 anytime that the data we're looking for on the
`screenshot_ref` route is not satisfactory. We do an io-ts check on the
data before returning. It's possible that that data will fail the check,
and we'd return a 404 anyway. This isn't a very accurate reflection of
what's happening on the server, and could indicate a problem with the
user's data.
Instead, we first check if the data returned from Elasticsearch is
`null`, and if it is we return a 404. Otherwise, we compute the type
check like normal and return the result. In the case where the data
fails the type check, we instead return a 500 and include the malformed
data in the server response.
Co-authored-by: Faisal Kanout <faisal.kanout@elastic.co>
## Summary
Fixes #210258
This PR adds an `aria-label` with the same content as the title to solve
the "Button must have a discernible text" A11y critical issue.
## How to test
1. Download the [axe
devtools](https://chromewebstore.google.com/detail/axe-devtools-web-accessib/lhdoppojpmngadmnindnejefpokejbdd)
2. Go into a service overview and run the scanner from axe devtools
3. You should see a critical error
4. Checkout this branch
5. Error should be solved
Closes #215134
Using `helm upgrade --install` lets the user run the helm command
multiple times to, for example, upgrade to the new version after a stack
release.

## How to test
1. Run Kibana and navigate to the K8S OTel onboarding flow
2. Execute snippets provided by the flow
3. Copy only the `helm upgrade --install ...` part of the second snippet
and execute it again
4. Make sure the command succeeds
Co-authored-by: Joe Reuter <johannes.reuter@elastic.co>
Adds a type and color for `Executable` flamegraph nodes.
The new type will be used by [this
change](https://github.com/elastic/elasticsearch/pull/119115) in the ES
profiling plugin (the required code change from grouping by process name
to grouping by executable name needs tbd).
## [Security Solution] [Attack discovery] Prompt updates
This PR contains updates to the following Attack discovery prompts:
- `attackDiscoveryPrompt`
- `continuePrompt`
- `refinePrompt`
Thank you @mgarzon for these improvements!
## Summary
This PR continues and finalizes the pre-work done in
https://github.com/elastic/kibana/pull/214889. Once this PR is merged,
the actual alert summary page content implementation will begin. We need
a dataView to be created before being able to fetch any data. The
`wrapper.tsx` component creates a dataView.
- While the dataView is being created, a loading skeleton mimicking the
future layout of the alert summary page is rendered.
- If the dataView fails to be correctly created (meaning if it comes
back undefined or without an id) we show an error message.
- If the dataView is correctly created, we continue to the alert summary
page (currently just a div)
https://github.com/user-attachments/assets/f1c8f63e-30a0-4186-94b6-f18a18a89218

## How to test
This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`
You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
[
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
]
```
Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`
### Notes
You'll need to either have some AI for SOC integrations installed, or
more easily you can change the `alert_summary.tsx` line 38 from `if
(installedPackages.length === 0) {` to `if (installedPackages.length >
0) {` to force the wrapper component to render.
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Closes #215229
## Summary
This PR adds the `USER_AGENT_VERSION` missing field to the
`optionalFields` query fields
## Testing
- Find a trace with user agent version (on the edge oblt we have it for
`elastic-co-frontend` for example)
- Go to the transaction tab (in case of `elastic-co-frontend` click on
`/blog/:id`)
If the user agent version is available it should be visible in the trace
summary:
<img width="1155" alt="image"
src="https://github.com/user-attachments/assets/75b7e331-44d0-4d1c-8060-815c269e23c9"
/>
## Summary
Add a new telemetry task to the security solution plugin to collect
ingest pipeline stats. The new task runs once a day, calls the
`_nodes/stats/ingest` API, and sends an EBT event with the following
information:
```js
export interface NodeIngestPipelinesStats {
name: string;
totals: Totals;
pipelines: Pipeline[];
}
export interface Pipeline {
name: string;
totals: Totals;
processors: Processor[];
}
export interface Processor {
name: string;
totals: Totals;
}
export interface Totals {
count: number;
time_in_millis: number;
current: number;
failed: number;
}
```
### Checklist
Check that the PR satisfies the following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
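As an added example (not the PR's own code), this flattens a `_nodes/stats/ingest` response into the `NodeIngestPipelinesStats` shape shown above. The raw response layout (`nodes.<id>.ingest.total` and `nodes.<id>.ingest.pipelines.<name>`, with processors as one-key objects per processor type) follows the public Elasticsearch API, and the sample response is constructed, not captured from a cluster; `pipelinesWithFailures` is a hypothetical helper for reading the collected counters.

```typescript
// Added example: map a `GET _nodes/stats/ingest` response onto the telemetry event shape.
// The raw layout below follows the public ES API; all numbers are constructed sample data.

interface Totals { count: number; time_in_millis: number; current: number; failed: number; }
interface Processor { name: string; totals: Totals; }
interface Pipeline { name: string; totals: Totals; processors: Processor[]; }
interface NodeIngestPipelinesStats { name: string; totals: Totals; pipelines: Pipeline[]; }

// Relevant subset of the raw response. Each processor entry is keyed by processor type,
// e.g. { set: { type: 'set', stats: { count, time_in_millis, current, failed } } }.
interface RawProcessorEntry { [type: string]: { type: string; stats: Totals }; }
interface RawPipeline extends Totals { processors: RawProcessorEntry[]; }
interface RawNode { name: string; ingest: { total: Totals; pipelines: { [name: string]: RawPipeline } }; }
interface RawNodesStatsIngest { nodes: { [nodeId: string]: RawNode }; }

// Copy only the four counters so no unrelated field leaks into the telemetry event.
function pickTotals(t: Totals): Totals {
  return { count: t.count, time_in_millis: t.time_in_millis, current: t.current, failed: t.failed };
}

function toNodeIngestPipelinesStats(resp: RawNodesStatsIngest): NodeIngestPipelinesStats[] {
  const out: NodeIngestPipelinesStats[] = [];
  for (const nodeId of Object.keys(resp.nodes)) {
    const node = resp.nodes[nodeId];
    const pipelines: Pipeline[] = [];
    for (const pipelineName of Object.keys(node.ingest.pipelines)) {
      const raw = node.ingest.pipelines[pipelineName];
      const processors: Processor[] = [];
      for (const entry of raw.processors) {
        for (const type of Object.keys(entry)) {
          processors.push({ name: type, totals: pickTotals(entry[type].stats) });
        }
      }
      pipelines.push({ name: pipelineName, totals: pickTotals(raw), processors });
    }
    out.push({ name: node.name, totals: pickTotals(node.ingest.total), pipelines });
  }
  return out;
}

// Hypothetical helper: "node/pipeline" names whose failed/count ratio reaches the threshold.
function pipelinesWithFailures(stats: NodeIngestPipelinesStats[], minFailedRatio: number): string[] {
  const names: string[] = [];
  for (const node of stats) {
    for (const p of node.pipelines) {
      if (p.totals.count > 0 && p.totals.failed / p.totals.count >= minFailedRatio) {
        names.push(`${node.name}/${p.name}`);
      }
    }
  }
  return names;
}

// Constructed sample: one node, two pipelines, one of them failing on a geoip processor.
const SAMPLE_RESPONSE: RawNodesStatsIngest = {
  nodes: {
    'node-id-1': {
      name: 'es-node-1',
      ingest: {
        total: { count: 1200, time_in_millis: 3400, current: 0, failed: 30 },
        pipelines: {
          'logs-endpoint.events.process-8.x': {
            count: 1000, time_in_millis: 3000, current: 0, failed: 0,
            processors: [
              { set: { type: 'set', stats: { count: 1000, time_in_millis: 1000, current: 0, failed: 0 } } },
              { rename: { type: 'rename', stats: { count: 1000, time_in_millis: 2000, current: 0, failed: 0 } } },
            ],
          },
          'custom-geoip': {
            count: 200, time_in_millis: 400, current: 0, failed: 30,
            processors: [
              { geoip: { type: 'geoip', stats: { count: 200, time_in_millis: 400, current: 0, failed: 30 } } },
            ],
          },
        },
      },
    },
  },
};

const STATS = toNodeIngestPipelinesStats(SAMPLE_RESPONSE);
```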
8.17 PR - https://github.com/elastic/kibana/pull/215474
Part of https://github.com/elastic/security-team/issues/12176
Unskipped:
### `use_list_artifact.test.tsx`
Path
`.../plugins/security_solution/public/management/hooks/artifacts/use_list_artifact.test.tsx`
Closes https://github.com/elastic/kibana/issues/196724
Commit 438553a1d1
Reason for unskipping: Couldn't recreate failure locally. Increased
timeout from 1000 to 5000 ms.
### `actions_log_users_filter.test.tsx`
Path
`.../plugins/security_solution/public/management/components/endpoint_response_actions_list/components/actions_log_users_filter.test.tsx`
Closes https://github.com/elastic/kibana/issues/193554 and
https://github.com/elastic/kibana/issues/193092
Commit ca7b971683de03fd5448fb3910e738
Reason for unskipping: wrapped expects in waitFor since they are
waiting for a state change. Increased the delay between keystrokes when
typing. Increased the timeout of tests since locally they are bordering
on 5s executions.
### `bad_argument.test.tsx`
Path
`.../plugins/security_solution/public/management/components/console/components/bad_argument.test.tsx`
Closes https://github.com/elastic/kibana/issues/193093
Commit 6959cd2e3f
Reason for unskipping: wrapped expects in waitFor since they are
waiting for a state change. Increased timeout to 10s.
### `use_get_endpoint_details.test.ts`
Path
`.../plugins/security_solution/public/management/hooks/endpoint/use_get_endpoint_details.test.ts`
Closes https://github.com/elastic/kibana/issues/192435
Commit 3ba10029b6
Reason for unskipping: increased timeout of waitFor for
renderReactQueryHook to 5s since locally it was bordering 3 seconds
## Summary
Closes https://github.com/elastic/kibana/issues/210298
In this PR we are adding the initial structure for the
@kibana/scout-security package. Note that this is not ready to be used,
and any new test using this package is not going to be executed as part
of the regular pipelines, meaning you are not going to add coverage to
the application.
@kibana/scout-security package is a test package that extends @kbn/scout
with test helpers specifically designed to test Security Solution
functionalities in Kibana. All tests under Security plugins should only
import from @kbn/scout-security, not from @kbn/scout.
This PR is a POC to start testing development by providing custom
Playwright fixtures, page objects, and utilities tailored for
Security-related testing scenarios.
Things to follow-up:
- CustomQueryRule interface is already declared in
`x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts`
as `QueryRuleCreateProps`
- DETECTION_ENGINE_RULES_URL and DETECTION_ENGINE_RULES_BULK_ACTION are
already declared in `@kbn/security-solution-plugin/common/constants`
It would be great if all of that is extracted from the plugin to a
package so it can be reused instead of having to duplicate the code.
Until the package is ready to be used and has been introduced to the
different teams, appex-qa and myself will be the owners of it to make
sure that best practices are followed.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
## Summary
The PR updates the implementation to fetch data from the Risk Engine
Saved Object instead of storing and reusing it from LocalStorage.
This change ensures that settings are applied globally rather than being
limited to the browser’s LocalStorage. Since the Saved Object holds the
most up-to-date information, it is now used to update the "Date" and the
toggle for "including closed alerts for risk scoring" across all web
browsers.
### Normal and Incognito Mode:
https://github.com/user-attachments/assets/7638c88b-ff9e-4d42-9944-e55b53e33518
### Default space vs custom space:
https://github.com/user-attachments/assets/46bb35c7-3cd9-4b97-9f1c-90ec4ef1241a
## Testing Steps
### Verify Initial Values
1. Open the Entity Risk Score web page where the settings are applied.
2. Ensure that the date picker and toggle for "including closed alerts"
reflect the values stored in the Risk Engine Saved Object rather than
LocalStorage.
3. Modify and save changes:
- Change the date range in the date picker.
- Toggle the "Include Closed Alerts" switch.
### Page Refresh Test
- Refresh the page and confirm that the modified values persist, fetched
correctly from the Risk Engine Saved Object.
### Cross-Browser Test
- Open the same web page in a different browser or incognito mode.
- Verify that the settings are consistent and correctly loaded from the
Risk Engine Saved Object.
### Expected Outcome
The settings should persist after a page refresh or across different
browsers.
The latest values should always be pulled from the Risk Engine Saved
Object.
### Checklist
Check that the PR satisfies the following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
Provides the Cases service to the detection engine alerts table. The
missing services caused the cases actions to disappear from the bulk
actions menu.
## Verification steps
1. Create Security rules that fire alerts
2. Visit the Security > Alerts page
3. Select one or more alert rows from the table
4. Open the `Selected X alerts` bulk action menu
5. Check that the cases bulk actions are available
## Release Notes
Fixes a regression that caused the cases actions to disappear from the
detections engine alerts table bulk actions menu.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
This PR is setting the foundations for the AI for SOC Alert summary
page. It has very little UI; instead it focuses on the following:
- add routing for the `alert_summary` page
- fetches the integrations, filters them to only keep the ones related
to AI for SOC, then decides what to render depending on if some AI for
SOC packages have been installed or not
The PR also makes a small change to the `SecurityRoutePageWrapper`
component, to allow us to redirect to the Security Solution HomePage
instead of the NoPrivilegesPage. While this might not be a long term
solution, it is the easiest path forward. In the future, AI for SOC will
most likely be its own plugin (living outside of Security Solution),
hence this will not be needed anymore.
Here's the basic behavior of the Alert summary page:
- The `Landing page` will be shown if none of the hardcoded AI for SOC
packages are installed (these values are hardcoded as we currently do
not have a way to filter integrations for the AI for SOC ones only):
- splunk // doesn't yet exist
- google_secops
- microsoft_sentinel
- sentinel_one
- crowdstrike
- The `Wrapper` component will only be shown if you have at least one of
the above AI for SOC packages installed.
### Very limited UI added in this PR
| Loading integrations | No installed packages | Some installed packages |
| ------------- | ------------- | ------------- |
| (screenshot) | (screenshot) | (screenshot) |
### Notes
We need to remove the section at the top of the page that currently
shows the `Add integrations` button. A follow-up PR will take care of that.
[This](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/app/home/index.tsx#L54)
is where that bar is being added. We will have to find a way to not show
that for the AI for SOC tier.
## How to test
This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`
You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
[
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
]
```
The Alert summary navigation will NOT be shown for the following
Serverless users: `viewer`, `t1_analyst` and `t2_analyst`. For those,
the navigation entry is not present, and
navigating to the url directly will automatically re-route to the
Security home page.
Currently, retrieving the integrations (via the `fleet/epm/packages`
endpoint) is also unauthorized for the following users: `editor`,
`t3_analyst`, `threat_intelligence_analyst`, `rule_author`,
`soc_manager` and `detections_admin`.
This means that the only users that can be currently used to test this
PR are:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Will help close https://github.com/elastic/security-team/issues/11954 as
well as https://github.com/elastic/security-team/issues/11979.
## Summary
Some of the text in the Synthetics README is 6+ years old, which is
older than Synthetics itself. We need to try to keep these instructions
up to date a bit more as they are intended to be useful to inexperienced
contributors.
## Summary
Fixes #215106
This PR removes `service.environment` as a required field for
`getTopDependencySpans` endpoint.
It was not used at all, so it can be safely removed without adapting the
UI.
## Summary
When the data view refresh API or task was executed, it was overwriting
the engine's additional `indexPattern`.
This PR updates the code to support `indexPattern` and ensures the user
has privileges for all indices.
I extracted the merge function to add deduplication logic.
### How to reproduce it?
* Create an entity store using the indexPatterns param
* Call refresh dataview API (`POST
kbn:api/entity_store/engines/apply_dataview_indices`)
* It will apply the dataview and ignore the indexPatterns param
After the fix, we should be able to update the indexPatterns param, and
the task that refreshes the index pattern should pick up the change
properly.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
The intent is to have a centralised place to store the list of Kibana
solutions and serverless project types.
To that end, this PR creates a `@kbn/projects-solutions-groups` package.
It also adds the new solution type `'chat'`.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
The code changes in this PR ensure that the transform ID is limited to
36 characters when creating or updating the transform for risk-score.
This adjustment aligns with the ES constraint on transform ID length.
## Test Steps
1. Create a new namespace with a very long name. Ex:
`namespace_that_stretches_farther_than_the_universe_and_beyond_like_buzz`
🚀
2. Enable the Risk Score in the new namespace. It should successfully
get enabled.
3. Check the transform that was created (using dev tools)
```
GET _transform/risk_score_latest_transform_*?filter_path=transforms.id,transforms._meta.space_id
```
Output

### Checklist
Check that the PR satisfies the following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co>
# Purpose
This change introduces new validations that ensure no loss of data is
possible if a user accidentally sets the Security Entity Store enrich
policy execution interval to a value that “doesn’t play nicely” with the
lookback period value.
The specific logic (greater than or equal to half the value) was chosen
to not only ensure no loss of data, but also provide extra resiliency in
case of a failed enrich policy execution.
(Note that this is not considered a breaking change, as the parameters
are not yet available on any version of Elastic, including Serverless.)
# How to test
1. Load appropriate entity log data to your Kibana instance (for
example, using the
[security-documents-generator](https://github.com/elastic/security-documents-generator))
2. Navigate to the Developer console
3. Attempt to enable the Entity Store via the /enable or /init routes
(examples below), and pass in values that are expected to error. For
example, `"lookbackPeriod": "24h"` and `"enrichPolicyExecutionInterval":
"24h"` should fail, because of the validation logic
4. Expect results similar to those shown below, specifically a 400
error, or else a success message
<img width="1902" alt="Screenshot 2025-02-27 at 12 57 45 AM"
src="https://github.com/user-attachments/assets/a7f4b0fb-9899-4e00-a0ae-d172245bd506"
/>
<img width="1909" alt="Screenshot 2025-02-27 at 12 58 06 AM"
src="https://github.com/user-attachments/assets/372acde2-9d7b-4c75-8596-af8374088f79"
/>
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
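As an added example (not the PR's own code), here is the interval/lookback check described above. It assumes the rule is `lookbackPeriod >= 2 * enrichPolicyExecutionInterval` (the interval may be at most half the lookback), which is the reading under which `"24h"`/`"24h"` is rejected as the description says; the accepted duration format (`30m`, `24h`, `7d`) and the `400`/`200` status codes in the result are also assumptions.

```typescript
// Added example: validate the Entity Store enrich policy execution interval against the
// lookback period. Assumed rule: lookback must cover at least two executions, so a single
// failed enrich run still leaves the next run enough history to catch up.

const UNIT_MS: { [unit: string]: number } = { s: 1000, m: 60000, h: 3600000, d: 86400000 };

// Parse "30m", "24h" or "7d" into milliseconds; null for anything else.
function parseDurationMs(value: string): number | null {
  const m = /^(\d+)([smhd])$/.exec(value.trim());
  if (!m) return null;
  return parseInt(m[1], 10) * UNIT_MS[m[2]];
}

interface EntityStoreTimingParams { lookbackPeriod: string; enrichPolicyExecutionInterval: string; }
interface ValidationResult { ok: boolean; statusCode: 200 | 400; message: string; }

function validateEnrichInterval(params: EntityStoreTimingParams): ValidationResult {
  const lookback = parseDurationMs(params.lookbackPeriod);
  const interval = parseDurationMs(params.enrichPolicyExecutionInterval);
  if (lookback === null || interval === null) {
    return { ok: false, statusCode: 400, message: 'durations must look like 30m, 24h or 7d' };
  }
  if (lookback <= 0 || interval <= 0) {
    return { ok: false, statusCode: 400, message: 'durations must be greater than zero' };
  }
  // Assumed rule: interval * 2 must not exceed lookback (interval <= lookback / 2).
  if (interval * 2 > lookback) {
    return {
      ok: false,
      statusCode: 400,
      message: `enrichPolicyExecutionInterval (${params.enrichPolicyExecutionInterval}) must be ` +
        `at most half of lookbackPeriod (${params.lookbackPeriod})`,
    };
  }
  return { ok: true, statusCode: 200, message: 'ok' };
}
```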