If a managed connector is used, show an icon with a tooltip to remind
them this costs money
<img width="436" alt="Screenshot 2025-04-02 at 17 00 56"
src="https://github.com/user-attachments/assets/495fa834-a0ec-4228-802e-ea2eee7678c5"
/>
I checked on serverless prod that the numbers we report for storage size
are identical to what `/app/management/data/data_usage` (based on
auto-ops) reports, with some caveats:
* We were using the eui number formatter which was configured to use
megabyte (MB, 1000^2) instead of mebibyte (MiB, 1024^2) - auto ops was
using mebibyte but still formatted the number as MB. I switched it over
to use mebibyte, so the numbers are the same now, but it's rendering
`MiB`. IMHO this is OK since it's more exact, but I wanted to call it
out
<img width="141" alt="Screenshot 2025-04-02 at 17 35 03"
src="https://github.com/user-attachments/assets/6145acfb-9a84-4ba0-81d0-a32718a5fff4"
/>
* On the overview page, the refresh button would not refresh the data
stream stats, which would cause a drift of the numbers over time. Fixed
that
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Towards making AAD source of truth.
This PR creates a `trackedAlerts` object in the alertsClient and removes
the dependency on task state to fetch tracked alerts.
As fetching tracked alerts becomes a critical part, we throw an error
when it fails.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
This PR adds the integration section at the top of the alert summary
page. This section shows the installed AI for SOC integrations and an
`Add integration` button. Clicking on the button navigates to the
fleet's page.
In each integration card, we show the integration name, its logo as well
as the last activity time. This last activity value is retrieved as
follows:
- fetch all dataStreams (see [this api
documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-fleet-data-streams))
- find all the dataStreams that are related to the installed
integrations (via the `package` property)
- from all the matching dataStreams, take the most recently updated (via
the `last_activity_ms` value)

https://github.com/user-attachments/assets/7c67e629-e4d3-4ba2-b756-b9ba81e7a667
## How to test
This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`
You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
[
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
]
```
Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`
### Notes
You'll need to either have some AI for SOC integrations installed, or
more easily you can:
- change the `alert_summary.tsx` line `38` from `if
(installedPackages.length === 0) {` to `if (installedPackages.length >
0) {` to force the wrapper component to render
- update `42` of the same `alert_summary.tsx` file from `return <Wrapper
packages={installedPackages} />;` to `return <Wrapper
packages={availablePackages} />;` to be able to see some packages
Also you'll need dataStreams if you want to be able to test the last activity
value. Easiest would probably be to mock the call return value following
[the
documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-fleet-data-streams).
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
https://github.com/elastic/security-team/issues/11955
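The three-step "last activity" computation described above, as an added example that is not code from this PR or from Kibana: the `package` and `last_activity_ms` field names are the ones the Fleet data streams API exposes, while the function name, the interfaces and the sample data streams are constructed for this example.

```typescript
// Added example, not Kibana's own code: computes the "last activity" value per
// installed integration from Fleet data streams, following the three steps in
// the PR description. `package` and `last_activity_ms` are Fleet API field
// names; everything else here is constructed for the example.

interface DataStream {
  name: string;
  package: string;
  last_activity_ms: number;
}

interface IntegrationActivity {
  packageName: string;
  lastActivityMs: number | null; // null when no data stream belongs to the package
}

export function lastActivityPerIntegration(
  installedPackages: string[],
  dataStreams: DataStream[]
): IntegrationActivity[] {
  const installed = new Set(installedPackages);
  const latest = new Map<string, number>();

  for (const ds of dataStreams) {
    // Step 2: keep only data streams that belong to an installed integration.
    if (!installed.has(ds.package)) continue;
    // Step 3: keep the most recent last_activity_ms seen for that package.
    const current = latest.get(ds.package);
    if (current === undefined || ds.last_activity_ms > current) {
      latest.set(ds.package, ds.last_activity_ms);
    }
  }

  // One entry per installed package, so packages without any data stream
  // still show up in the card list (with no activity time).
  return installedPackages.map((packageName) => ({
    packageName,
    lastActivityMs: latest.get(packageName) ?? null,
  }));
}

// Constructed sample input: package_a has two data streams, package_b has none,
// and package_c is not installed so its data stream must be ignored.
export const SAMPLE_INSTALLED = ['package_a', 'package_b'];
export const SAMPLE_DATA_STREAMS: DataStream[] = [
  { name: 'logs-package_a.events-default', package: 'package_a', last_activity_ms: 1743600000000 },
  { name: 'logs-package_a.alerts-default', package: 'package_a', last_activity_ms: 1743603600000 },
  { name: 'logs-package_c.events-default', package: 'package_c', last_activity_ms: 1743607200000 },
];

export function sampleActivity(): IntegrationActivity[] {
  return lastActivityPerIntegration(SAMPLE_INSTALLED, SAMPLE_DATA_STREAMS);
}
```

Keeping a `null` entry for packages with no matching data stream is deliberate: it distinguishes "installed but never sent data" from "not installed", which is the case a card without a last activity time is meant to surface.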
## Summary
Add safer parameters when deleting by queries, and make all delete by
queries async (wait = false).
In some cases, I've parallelized the calls
## Summary
Upgrading the ES client to v9.0.0-alpha.4 to test the changes mentioned
in https://github.com/elastic/elasticsearch-js/issues/2584
This new version introduces some type changes, most notably, the
`FieldValue` is `string | number | boolean | null | undefined` instead
of `any`, leading to some new type checks to be implemented (like on
aggregation results `bucket.key`, `search_after`, and `sort` options).
On top of that, it adds the new behavior where unknown properties are
placed in the `body` (when the request has a body). If they must be in
as a query parameter, they should be placed under the `querystring`
option.
cc @JoshMock
TODO:
- [x] Stabilize the type errors
- [x] Address all the query parameters that are now placed in the body
(by wrapping them inside the option `querystring: {}`)
I will address `// @ts-expect-error elasticsearch@9.0.0
https://github.com/elastic/elasticsearch-js/issues/2584` in a separate
PR to reduce noise.
Related https://github.com/elastic/kibana/pull/208776
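An added example (not code from this PR or from the elasticsearch-js client) of the kind of type check the narrower `FieldValue` forces when reading aggregation bucket keys. `FieldValue` is redeclared here exactly as the PR describes it so the block runs without the client; the bucket type, function names and sample buckets are constructed.

```typescript
// Added example, not from the Kibana PR or elasticsearch-js: demonstrates the
// explicit null/undefined handling that `FieldValue` requires where `any`
// previously compiled silently. `FieldValue` is redeclared from the PR text;
// the rest is constructed for this example.

type FieldValue = string | number | boolean | null | undefined;

interface TermsBucket {
  key: FieldValue;
  doc_count: number;
}

// Turn a bucket key into a label. With `any` this was an implicit String(key);
// with `FieldValue` the null/undefined cases have to be decided explicitly.
export function bucketKeyLabel(key: FieldValue): string | undefined {
  if (key === null || key === undefined) return undefined;
  if (typeof key === 'boolean') return key ? 'true' : 'false';
  return String(key);
}

// Sum doc_count by label, dropping buckets whose key carries no value instead
// of silently producing a "null" or "undefined" label.
export function countByKey(buckets: TermsBucket[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const bucket of buckets) {
    const label = bucketKeyLabel(bucket.key);
    if (label === undefined) continue;
    counts[label] = (counts[label] ?? 0) + bucket.doc_count;
  }
  return counts;
}

// Constructed sample: mixed key types, as a terms aggregation can return them.
export const SAMPLE_BUCKETS: TermsBucket[] = [
  { key: 'kibana', doc_count: 3 },
  { key: 42, doc_count: 2 },
  { key: true, doc_count: 1 },
  { key: null, doc_count: 5 },
  { key: 'kibana', doc_count: 4 },
];
```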
## Summary
#### Lists plugin
- Minor change to the service that generates the summary counts to
ensure `filter` can be overwritten by server-side extension points
#### Security Solution
The following change was done in support of Endpoint space awareness
(currently behind feature flag
`endpointManagementSpaceAwarenessEnabled`)
- Updates the artifacts Summary API (`/api/exception_lists/summary`) to
ensure that it only counts artifacts that are accessible in the active space
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
This PR fixes some wonky request handling for particular cases. In some
cases, when the page updates with some new criteria/filters, requests
that were being managed by `ManagedTable` would fire at least twice,
with the first one getting aborted and then resent. This PR removes that
behaviour by not storing the dependent data in a `renderedItems` state
and instead depending directly on the request data itself and storing
instead the indices of the rendered items. This removes the edge-case
where `renderedItems` would cause the affected requests from firing
multiple times, due to object equality not being the same for the
rendered items array between renders.
Closes #216144
## How to test
* Go to Observability -> Applications -> Service Inventory
* Select a service with more than one environment
* Go to Errors tab and open the browser dev tools
* Change the environment on the service to update the errors tab
**Expected behaviour**: The `detailed_statistics` request should only
fire once, both on page load and on update (such as changing the service
environment).
This should apply to the Service Inventory page as well, and anything
making use of the `TransactionsTable` component.
## Summary
Resolves [#205102](https://github.com/elastic/kibana/issues/205102).
This PR makes Fleet support having multiple values for secrets, i.e.
integrations with variables such as:
```yml
- name: connection_string
title: Connection String
type: password
secret: true
multi: true
```
When a package policy has a multi-value secret, the variable containing
references to secrets will be saved with `ids: string[]`:
```js
"connection_string": {
"type": "password",
"value": {
"ids": [
"c9A385UBLd_jDJtMILH5",
"ddA385UBLd_jDJtMILH5"
],
"isSecretRef": true
}
}
```
There is no change for secrets with single values, the reference will
still be saved with `id: string`. There is also no change to the
`secret_references` block.
The policy editor will display the multi-value secrets like this when
creating:
<img width="747" alt="image"
src="https://github.com/user-attachments/assets/1c7128b7-3716-43ec-86a8-16778d4cf30e"
/>
And when editing/replacing:
<img width="750" alt="image"
src="https://github.com/user-attachments/assets/296bed1f-d9f4-49af-a810-c23b42d77139"
/>
## Testing
1. Download and upload test package
[azure-1.20.5-next.zip](https://github.com/user-attachments/files/19574682/azure-1.20.5-next.zip),
which modifies `connection_string` to be multi-value secret and updates
associated agent handlebars templates
- You may get an error about integration name not found, I'm not sure
what that error is, but the package will still be uploaded
2. Test adding the above version of Azure package policy with multiple
connection strings
3. Check that the agent yaml compiles correctly
4. Test editing, deleting the policies etc
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
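The two reference shapes described above, built and read back in an added example that is not Fleet's own code: the `{ id, isSecretRef }` and `{ ids, isSecretRef }` shapes and the `secret`/`multi` variable flags come from the PR text, while the function names, the validation and the sample definition are constructed for this example.

```typescript
// Added example, not Fleet's own code: produces the secret reference that is
// persisted in a package policy in place of the plaintext value, using the
// single-value and multi-value shapes from the PR, and reads ids back out of
// either shape. Function names and validation rules are constructed here.

interface VarDefinition {
  name: string;
  type: string;
  secret?: boolean;
  multi?: boolean;
}

type SingleSecretRef = { id: string; isSecretRef: true };
type MultiSecretRef = { ids: string[]; isSecretRef: true };
type SecretRef = SingleSecretRef | MultiSecretRef;

// Given the ids returned when the secret values were stored, build the
// reference to save. A single-value secret must map to exactly one id.
export function toSecretReference(def: VarDefinition, storedIds: string[]): SecretRef {
  if (!def.secret) {
    throw new Error(`variable ${def.name} is not a secret`);
  }
  if (def.multi) {
    return { ids: [...storedIds], isSecretRef: true };
  }
  if (storedIds.length !== 1) {
    throw new Error(
      `single-value secret ${def.name} needs exactly one stored id, got ${storedIds.length}`
    );
  }
  return { id: storedIds[0], isSecretRef: true };
}

// Collect every secret id from either shape, e.g. to delete the stored
// secrets when the policy is removed so none are left orphaned.
export function secretIdsOf(ref: SecretRef): string[] {
  return 'ids' in ref ? [...ref.ids] : [ref.id];
}

// Type guard for values read back from a saved policy.
export function isSecretReference(value: unknown): value is SecretRef {
  if (typeof value !== 'object' || value === null) return false;
  const v = value as Record<string, unknown>;
  if (v.isSecretRef !== true) return false;
  if (typeof v.id === 'string') return true;
  return Array.isArray(v.ids) && v.ids.every((x) => typeof x === 'string');
}

// Constructed sample mirroring the `connection_string` variable above.
export const CONNECTION_STRING_VAR: VarDefinition = {
  name: 'connection_string',
  type: 'password',
  secret: true,
  multi: true,
};
```

`secretIdsOf` is the piece worth having in one place: any cleanup path that only knows the single-`id` shape will silently leave the stored secrets of a multi-value variable behind.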
## Summary
This PR makes changes to the GroupedAlertTable code to support a
behavior in the AI for the SOC Alert summary page that the current code
cannot.
In the new Alert summary page (see
[mocks](https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=3284-69401&p=f&m=dev))
there are a few customizations that we need to be able to do:
- we need a different set of default groups to be shown in the dropdown
- we need to be able to customize the title shown in the EuiAccordion in
a way that would conflict with the current implementation
- we need to also customize the group statistics shown in the
EuiAccordion
### Challenge
The current implementation within the GroupedAlertTable was not allowing
full customization.
- while the default groups could be changed, it was done via if/else
conditions, using the `tableId` to know where the table was being used.
This isn't a clean way to do this. The component shouldn't be aware of
where it's being used...
- regarding the title and group statistics, these were hardcoded and not
customizable. While I could also have added if/else conditions to
support the Alert summary page different behavior, this would only have
built more tech debt...
### Approach
Instead of continuing adding more if/else conditions, the approach in
the PR adds 3 new props to the GroupedAlertTable:
- `accordionButtonContent` allows customizing how the EuiAccordion
`buttonContent` (title) is rendered
- `accordionExtraActionGroupStats` allows customizing how the
EuiAccordion `extraAction` (statistics) are rendered. This actually
consists of 2 sub properties:
  - `renderer` which will drive the UI
  - `aggregations` which will be used to fetch the data
- `defaultGroupingOptions` allows customizing the default values in the
dropdown
### Notes
**_The 3 places where the GroupedAlertTable is used have been updated to
use the same default values. Their behavior should be unchanged. A
follow up PR will implement the Alert summary variation._**
In the new state, any new usage of the alerts table with no default
values will provide the following behavior:
- the EuiAccordion `buttonContent` will use [the default
component](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-grouping/src/components/accordion_panel/index.tsx#L33)
from the `kbn-grouping` package
- the EuiAccordion `extraAction` will display only the number of alerts
within the group
- the default options in the `Group alerts by` dropdown will be `None`
and `Custom field`
https://github.com/user-attachments/assets/57563735-78ee-455f-aab6-806028aec713

https://github.com/user-attachments/assets/0659c74e-b4a0-4051-8fb7-25457424c06b
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Will help https://github.com/elastic/security-team/issues/11973
Related to https://github.com/elastic/kibana/pull/216399
PR
* updates `useStateFromPublishingSubject` to require `subject`, thus,
removing complexities of setting up subscription when `subject` is
optionally provided.
* Updates `useStateFromPublishingSubject` to set up the subscription with
`useMemo` to avoid timing issues.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Some users using the security AI assistant through the API may want to
disable content references (aka citations) programmatically. This PR
allows users to disable content references using the
`content_references_disabled` query arg in the following routes:
- POST
/internal/elastic_assistant/actions/connector/gpt4oAzure/_execute?content_references_disabled=true
- POST
/api/security_ai_assistant/chat/complete?content_references_disabled=true
## How to test:
Below are 2 example curl requests (with
content_references_disabled=true). When executed, you will notice that
the response stream does not contain the string `{reference(...)}`
anywhere. If you remove the query arg, the reference will be visible.
#### /internal/elastic_assistant/actions/connector/gpt4oAzure/_execute?content_references_disabled=true
```curl
curl --location 'http://localhost:5601/internal/elastic_assistant/actions/connector/gpt4oAzure/_execute?content_references_disabled=true' \
--header 'Accept: */*' \
--header 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
--header 'Connection: keep-alive' \
--header 'Content-Type: application/json' \
--header 'Origin: http://localhost:5601' \
--header 'Referer: http://localhost:5601/app/security/dashboards?sourcerer=(default:(id:security-solution-default,selectedPatterns:!()))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)' \
--header 'Sec-Fetch-Dest: empty' \
--header 'Sec-Fetch-Mode: cors' \
--header 'Sec-Fetch-Site: same-origin' \
--header 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36' \
--header 'elastic-api-version: 1' \
--header 'kbn-build-number: 9007199254740991' \
--header 'kbn-version: 9.1.0' \
--header 'sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"' \
--header 'sec-ch-ua-mobile: ?0' \
--header 'sec-ch-ua-platform: "macOS"' \
--header 'x-elastic-internal-origin: Kibana' \
--header 'x-kbn-context: %7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Fdashboards%22%2C%22page%22%3A%22list%22%7D' \
--header 'Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==' \
--data '{
"subAction": "invokeStream",
"actionTypeId": ".gen-ai",
"replacements": {},
"message": "What is elastic security? Include citations",
"screenContext": {
"timeZone": "Asia/Calcutta"
},
"alertsIndexPattern": ".alerts-security.alerts-default",
"size": 100
}'
```
#### /api/security_ai_assistant/chat/complete?content_references_disabled=true
```curl
curl --location 'http://localhost:5601/api/security_ai_assistant/chat/complete?content_references_disabled=true' \
--header 'Content-Type: application/json' \
--header 'Accept: application/octet-stream' \
--header 'kbn-xsrf: 123' \
--header 'Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==' \
--data '{
"messages": [
{
"role": "user",
"content": "what is semantic text in esql. Include references to the product documentation"
}
],
"persist": false,
"connectorId": "gpt4oAzure",
"isStream": false
}'
```
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This PR improves waiting for Alerts table to be loaded.
Relying on the first alert might cause flakiness in future test
cases, so I changed the rule name to be unique per test run and search
for the alert by its rule name, not the first row.
If the alert is missing or has a wrong name, the test will fail with a
clear message:
```
Error: Alert with rule 'xys' is not displayed
Timed out 10000ms waiting for expect(locator).toBeVisible()
Locator: locator('div.euiDataGridRow').filter({ hasText: 'xys' })
Expected: visible
Received: <element(s) not found>
Call log:
- Alert with rule 'xys' is not displayed with timeout 10000ms
- waiting for locator('div.euiDataGridRow').filter({ hasText: 'xys' })
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## 📓 Summary
These changes update the sample filters available during a processors
simulation.
Although this is a temporary update before we get a more complete
filtering experience, it improves filtering the docs by the simulation
status.
https://github.com/user-attachments/assets/a5c4c22a-6833-4744-bee5-e90a2ac1a389
## Summary
Currently, our `requiredPrivileges` structure supports `allRequired` and
`anyRequired` for defining authorization logic. However, there is [a
need to
support](https://github.com/elastic/kibana/pull/205335#issuecomment-2569275302)
more complex scenarios such as `(privilege1 AND privilege2) OR (privilege3
AND privilege4)`
To achieve `anyRequired` has been extended to allow defining multiple
AND conditions evaluated with OR logic:
```ts
security: {
  authz: {
    requiredPrivileges: [
      {
        anyRequired: [
          { allOf: ['privilege1', 'privilege2'] },
          { allOf: ['privilege3', 'privilege4'] }
        ]
      }
    ]
  }
}
```
`allRequired` now also supports scenarios `(privilege1 OR privilege2)
AND (privilege3 OR privilege4)`
```ts
security: {
  authz: {
    requiredPrivileges: [
      {
        allRequired: [
          { anyOf: ['privilege1', 'privilege2'] },
          { anyOf: ['privilege3', 'privilege4'] }
        ]
      }
    ]
  }
}
```
> [!IMPORTANT]
> We expect to have unique privileges in `anyOf` or `allOf` conditions,
> assuming that most complex conditions can be simplified by boolean
> algebra laws (OR/AND distributive etc).
### Checklist
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
__Closes: https://github.com/elastic/kibana/issues/210977__
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
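An evaluator for the extended `requiredPrivileges` shape above, as an added example that is not the Kibana security plugin's implementation. The structure (`allRequired`/`anyRequired` entries holding plain privilege names or nested `allOf`/`anyOf` groups) is taken from the PR; how several `requiredPrivileges` entries combine, how an entry that sets both lists is treated, and the fail-closed handling of empty configuration are assumptions made for this example.

```typescript
// Added example, not Kibana's route authorization code: evaluates the
// allRequired/anyRequired shape with nested allOf/anyOf groups against the
// privileges a user holds. Combination rules across entries and the
// fail-closed choices below are assumptions for this example.

type PrivilegeGroup = { allOf: string[] } | { anyOf: string[] };
type Requirement = string | PrivilegeGroup;

interface RequiredPrivileges {
  allRequired?: Requirement[];
  anyRequired?: Requirement[];
}

// A plain string is a single privilege; a group is an AND (allOf) or an OR
// (anyOf) over its members.
function satisfies(req: Requirement, granted: Set<string>): boolean {
  if (typeof req === 'string') return granted.has(req);
  if ('allOf' in req) return req.allOf.every((p) => granted.has(p));
  return req.anyOf.some((p) => granted.has(p));
}

export function isAuthorized(
  required: RequiredPrivileges[],
  grantedPrivileges: Iterable<string>
): boolean {
  const granted = new Set(grantedPrivileges);
  // Assumption: an empty configuration denies rather than allows.
  if (required.length === 0) return false;
  // Assumption: every requiredPrivileges entry must pass.
  return required.every((entry) => {
    if (entry.allRequired === undefined && entry.anyRequired === undefined) return false;
    // allRequired: every requirement holds -> (p1 OR p2) AND (p3 OR p4)
    const allOk = (entry.allRequired ?? []).every((r) => satisfies(r, granted));
    // anyRequired: at least one requirement holds -> (p1 AND p2) OR (p3 AND p4);
    // an explicitly empty list therefore denies.
    const anyOk =
      entry.anyRequired === undefined || entry.anyRequired.some((r) => satisfies(r, granted));
    return allOk && anyOk;
  });
}

// The two configurations shown in the PR, as constructed route authz values.
export const ANY_OF_ALLS: RequiredPrivileges[] = [
  {
    anyRequired: [
      { allOf: ['privilege1', 'privilege2'] },
      { allOf: ['privilege3', 'privilege4'] },
    ],
  },
];

export const ALL_OF_ANYS: RequiredPrivileges[] = [
  {
    allRequired: [
      { anyOf: ['privilege1', 'privilege2'] },
      { anyOf: ['privilege3', 'privilege4'] },
    ],
  },
];
```

The two fail-closed branches are the part to keep an eye on when wiring this kind of evaluator in: `[].every(...)` is `true` in JavaScript, so an `allRequired` that ends up empty would otherwise authorize everyone, which is why the empty-config and empty-entry cases are rejected explicitly.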
## Summary
This PR aims to reduce flakiness in the metering.cy.ts test.
- fix for a constant failure: a small change was needed for metering tests: to
not expect an HTTPS connection from the dummy telemetry server
- improvement against flakiness: the test tends to fail if the metering task
is performed while mock heartbeats are being indexed, therefore the task
interval has been increased from 1 minute to 3 minutes. On CI it takes
less than 2 minutes to start up Kibana and index the heartbeats, so with
3 minutes we should be okay for a while.
flaky runner: 100%
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/8114
- all jobs were done in 8-9 minutes, which shows that they succeeded the
first time, without the internal retry mechanism.
> [!important]
> ~~45c0a33d88 needs to be reverted before merging~~
closes: https://github.com/elastic/kibana/issues/187083
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
## Summary
Collection type was set with `agent.type`, which conflicts between stack and
metricbeat monitoring (same `metricbeat` value). For stack
monitoring, elastic-agent internally utilizes filebeat or metricbeat.
This change hard codes the `collection_types` corresponding to each
monitoring type to categorize the monitoring type correctly.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- ~~[ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~
- ~~[ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials~~
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- ~~[ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~
- ~~[ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.~~
- ~~[ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed~~
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
- [ ]
### Example data
- when stack monitoring
```json
{
  "clusterUuid": "WKhHGcv8Rt6nHwKRmKDdAw",
  "stats": {
    "collectionSource": "monitoring",
    "cacheDetails": {
      "updatedAt": "2025-03-31T23:07:32.154Z",
      "fetchedAt": "2025-03-31T23:07:33.349Z"
    },
    "cluster_name": "logstash",
    "timestamp": "2025-03-31T23:07:32Z",
    "version": "9.1.0",
    "cluster_uuid": "WKhHGcv8Rt6nHwKRmKDdAw",
    "stack_stats": {
      "logstash": {
        "versions": [
          {
            "version": "9.1.0",
            "count": 1
          }
        ],
        "count": 1,
        "cluster_stats": {
          "pipelines": {
            "count": 1,
            "batch_size_total": 125,
            "batch_size_max": 125,
            "batch_size_min": 125,
            "batch_size_avg": 125,
            "workers_total": 10,
            "workers_max": 10,
            "workers_min": 10,
            "workers_avg": 10,
            "sources": {
              "file": true
            }
          },
          "plugins": [
            {
              "name": "logstash-input-heartbeat",
              "count": 1
            },
            {
              "name": "logstash-filter-ruby",
              "count": 1
            },
            {
              "name": "logstash-filter-mutate",
              "count": 1
            },
            {
              "name": "logstash-output-stdout",
              "count": 1
            }
          ],
          "monitoringClusterUuid": "WKhHGcv8Rt6nHwKRmKDdAw",
          "collection_types": {
            "agent": 1
          },
          "queues": {
            "memory": 1
          }
        }
      }
    },
    "cluster_stats": {}
  }
}
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Resolves: https://github.com/elastic/kibana/issues/190661
This PR allows tasks to be run scoped as the current user. It
accomplishes this by creating an API key when the user schedules the task.
It then persists the API key in the task instance, which allows the
task handler to have access to the user's privileges.
To test:
1. Run `yarn start --run-examples`
2. Navigate to
`http://localhost:5601/app/triggersActionsUiExample/task_manager_with_api_key`
3. Click on `Schedule Task 1 and 2`, this will schedule a mock test that
is defined in
`x-pack/platform/plugins/shared/alerting/server/plugin.ts`, which prints
out the task instance and the scoped clients.
4. Click on `Remove` to cancel the task, which then cleans up and
invalidates the API keys.
5. Reschedule the 2 tasks and click on `Remove All Tasks` which will
bulk remove tasks and invalidate API keys.
Limitation of this approach:
- Because we depend on a request, this would mean every schedule that is
tied to a user needs to be triggered using a request. (Unless we have a
way of generating an API key without using the request).
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This updates the Knowledge base test utils and adds test for index asset
creation.
### `setupKnowledgeBase`
#### Before
```
await importTinyElserModel(ml);
await setupKnowledgeBase(observabilityAIAssistantAPIClient);
await waitForKnowledgeBaseReady({ observabilityAIAssistantAPIClient, log, retry });
```
#### After
```
await setupKnowledgeBase(getService);
```
### `deleteKnowledgeBaseModel`
#### Before
```
await deleteKnowledgeBaseModel(ml);
await deleteInferenceEndpoint({ es });
```
#### After
```
await deleteKnowledgeBaseModel(getService);
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Viduni Wickramarachchi <viduni.ushanka@gmail.com>
## Summary
Main ticket ([Internal
link](https://github.com/elastic/security-team/issues/12004))
We are working on a new AI Assistant feature which will allow users to
schedule Attack Discovery generation. It will also allow users to setup
actions. The plan is to use alerting framework for that and create a new
rule type with executor handler. One thing which is missing right now is
the `actionsClient` (to get access and use AI connectors) within the
executor context.
With these changes, we expose `actionsClient` within the
`RuleExecutorOptions` for Attack Discovery Schedule rule type.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Closes https://github.com/elastic/streams-program/issues/38.
- Adds configuration driven support for processors
- Adds support for the following processors:
- Geoip
- KV
- Rename
- Set
- URL Decode
- User agent
## Notes
- `if` is now conditional as not all processors support a condition
- With `set` you can either have a `value` OR a `copy_from`. To avoid
types, form, and validation complexity for now I've just allowed the use
of `value`.
- I didn't add `extract_device` to the user agent configuration as it's
Beta.
## Future improvements
- We could add configuration for the grok, dissect, and date processors
too. This would align things so that each processor has things "in one
place". We could extend the field types available to provide a `custom`
type, this would allow those processors to return a React component for
their specialised fields / UI (still driven by `react-hook-form` under
the hood). Overall the code footprint would decrease.
- A couple of types can possibly be refined but I wanted to try and get
this open before the Milestone 2 deadline.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Resolves: https://github.com/elastic/kibana/issues/145266
* Allows SSL configuration to be disabled for Fleet agent logstash
output
* Adds an SSL toggle in the logstash output form.
  * On is the default state of the form
  * When off:
    * Authentication form section is removed
    * Logstash input config has SSL related fields removed
    * Submitting update removes SSL fields and related SSL secrets in output
config
    * Shows a call out to proceed with caution
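What "submitting update removes SSL fields and related SSL secrets" amounts to for an output object, as an added example that is not Fleet's own code: the field layout (`ssl` on the output, an `ssl` entry under `secrets`), the helper names and the sample output are assumptions constructed for this example.

```typescript
// Added example, not Fleet's own code: applies the SSL toggle to a logstash
// output object, stripping SSL fields and the SSL secret reference when the
// toggle is off while leaving unrelated secrets alone. The field layout and
// names here are assumptions for the example; the sample output is constructed.

interface LogstashOutput {
  type: 'logstash';
  hosts: string[];
  ssl?: { certificate_authorities?: string[]; certificate?: string; key?: string };
  secrets?: { ssl?: { key?: string | { id: string } }; [key: string]: unknown };
  [key: string]: unknown;
}

export function applySslToggle(output: LogstashOutput, sslEnabled: boolean): LogstashOutput {
  const result: LogstashOutput = { ...output };
  if (sslEnabled) return result;

  // Toggle off: no SSL fields may remain in the saved output...
  delete result.ssl;
  // ...and the SSL secret reference goes too, without touching other secrets.
  if (result.secrets) {
    const secrets = { ...result.secrets };
    delete secrets.ssl;
    if (Object.keys(secrets).length === 0) {
      delete result.secrets;
    } else {
      result.secrets = secrets;
    }
  }
  return result;
}

// Check used after an update: an output saved with SSL off must not carry
// any SSL material or SSL secret reference.
export function hasSslMaterial(output: LogstashOutput): boolean {
  return output.ssl !== undefined || output.secrets?.ssl !== undefined;
}

// Constructed sample output with SSL configured and its key stored as a secret.
export const SAMPLE_OUTPUT: LogstashOutput = {
  type: 'logstash',
  hosts: ['logstash.example.internal:5044'],
  ssl: {
    certificate_authorities: ['(constructed CA certificate)'],
    certificate: '(constructed client certificate)',
  },
  secrets: { ssl: { key: { id: 'constructed-secret-id' } } },
};
```

The output is copied rather than mutated so the caller still holds the original, which is what lets the secret ids that were stripped be collected and invalidated in the same update rather than left behind in the secrets store.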
## Summary
This PR replaces the Sourcerer component with the data view picker from
discover app, if the feature flag is enabled.
<img width="600" alt="Screenshot 2025-04-02 at 09 46 21"
src="https://github.com/user-attachments/assets/7ec35bf5-12dc-4e72-9292-4a734034806f"
/>
**Until we add relevant hooks on the target page that has the global
header, this will only be a cosmetic change.**
Don't expect data view changes made in the picker to be applied just
yet.
### Testing
Add the following feature flag to your configuration:
```yaml
xpack.securitySolution.enableExperimental: ['newDataViewPickerEnabled']
```
Then navigate to a page with a global header, e.g. alerts.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
### Identify risks
We should still show the original sourcerer if the flag is not enabled