## Summary
This adds basic Lens CRUD api routes using the Content Management
system.
| Operation | URI |
|--------|--------|
| Create | `POST api/lens/visualizations` |
| Get | `GET api/lens/visualizations/{id}` |
| Search | `GET api/lens/visualizations?query=test` |
| Update | `PUT api/lens/visualizations/{id}` |
| Delete | `DELETE api/lens/visualizations/{id}` |
### Changes to Lens Content Management
The custom `update` method uses `soClient.create` under the hood for
reasons (i.e. #160116). However, doing this acts as an update or create
method with the provided `id`. I changed this behavior so now any update
where the id is not found will return a `404` error.
Closes#221941Closes#221942 - OpenAPI docs auto generate from route schema
### Testing
You can testing this locally in kibana dev console like so...
```
GET kbn:/api/lens/visualizations/<id>?apiVersion=1
```
> The `apiVersion` query param is needed to test `internal` api routes.
## Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Marco Vettorello <marco.vettorello@elastic.co>
## Summary
Endpoint Exception ALL privilege got lost, because the original
migration (PR: https://github.com/elastic/kibana/pull/219566) did this:
- for `siem:ALL` or `siemV2:ALL`:
- it adds the new `global_artifact_management_all`, because `siemVX` all
meant that user can write Endpoint Exceptions
- and: it changed `siemVX:ALL` to `siemVX:MINIMAL_ALL`, in order to
enabled the sub-features toggle, so it is visible to the user that they
are granted a new sub-privilege
and the issue: Endpoint Exceptions are not included in
`siemVX:MINIMAL_ALL`, and thanks to this the user lost their access to
Endpoint Exceptions.
this PR solves this issue.
### visualization
with this change, the `siem/siemV2:ALL` -> `siemV3` migration graph now
looks like this:
```mermaid
flowchart LR
classDef serverless stroke:blue,stroke-dasharray: 5 5
subgraph siemV2[siem/siemV2]
all1[all]
end
subgraph siemV3
subgraph minall2[minimal_all]
g1[global_artifact_management_all]
eea["`endpoint_exceptions_all
(only serverless)`"]:::serverless
end
end
all1 -->|keep access to the included Endpoint Exceptions ALL| g1
all1 -->|enable sub-feature toggle| minall2
all1 -->|keep access to EE ALL, as it WAS included in ALL. only serverless| eea
linkStyle 2 stroke:#00f,color:blue
```
see the previous ones here:
https://github.com/elastic/kibana/pull/219566
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Part of https://github.com/elastic/kibana-team/issues/1503
This PR is mostly about moving tests from
x-pack/test/cases_api_integration and updating related imports
Before:
```
x-pack/test/
| - cases_api_integration/
```
After:
```
x-pack/platform/test/
| - cases_api_integration/
x-pack/solutions/security/test/
| - cases_api_integration/
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
- Part of #213293
- Adds infrastructure for a new pipeline: `kibana / renovate helper`
- The pipeline and scripts are currently a no-op and will be finalized
and tested in a follow up PR against the provisioned pipeline.
## Plan
The goal is to automatically run a script when Renovate opens a PR to
dedupe and perform any other actions, then trigger the Kibana PR
pipeline. This can also be performed by commenting `buildkite run
renovate helper` in the instances where the PR has been rebased by
Renovate.
Additionally, this pipeline will trigger the Kibana PR pipeline
automatically for Renovate PRs when the commit author is not Renovate
bot. Currently a developer has to comment every time they want CI to run
on Renovate PRs. This will improve DX when merging upstream, debugging
the dep upgrade and auto-commits by `kibanamachine`.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Adapted cypress tests to:
- Run cypress tests within the Threat Hunting Investigations team bundle
in the CI.
- Fixed failing onboarding test.
- Added test cases for migration rename functionality to the onboarding
test.
## Screenshots
Fixes#218255 and #213784
## Summary
This PR fixes flaky test in Console responsible for opening
documentation with keyboard shortcut by checking if the opened tab
contains `www.elastic.co/docs`.
## Summary
In [this PR](https://github.com/elastic/kibana/pull/222827) we added
support of Cases action for Attack Discovery Schedules.
Now we would like to increase a "max opened cases" limit which defaults
to `5` right now and can be set maximum to `10`. In case with attack
discoveries it is highly expected to have more generated alerts and thus
we would like to bump the max number of opened cases to `20`.
## NOTES
The attack discovery scheduling and alerts history features are hidden
behind these feature flags (in `kibana.dev.yml`):
```
feature_flags.overrides:
securitySolution.attackDiscoveryAlertsEnabled: true
securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| docker.elastic.co/wolfi/chainguard-base-fips | digest | `d55453a` ->
`7f2cebd` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJUZWFtOk9wZXJhdGlvbnMiLCJiYWNrcG9ydDpza2lwIiwiY2k6YnVpbGQtZG9ja2VyLWZpcHMiLCJyZWxlYXNlX25vdGU6c2tpcCJdfQ==-->
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Jon <jon@elastic.co>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| docker.elastic.co/wolfi/chainguard-base | digest | `fdfd7f3` ->
`a02075b` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xMDcuMCIsInVwZGF0ZWRJblZlciI6IjM5LjEwNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJUZWFtOk9wZXJhdGlvbnMiLCJiYWNrcG9ydDpza2lwIiwicmVsZWFzZV9ub3RlOnNraXAiXX0=-->
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Jon <jon@elastic.co>
Adds a `fromExternalVariant` helper function that unpacks external
variants (which are commonly used in Elasticsearch APIs) into a fully `{
type, value }` object.
## Notes
I used o3 to write the tests, including unit tests and type tests.
## Summary
- Fix the create of Event Filters, Blocklists, Endpoint Exceptions and
Host Isolation Exceptions so that an error is returned when space
awareness feature is enabled and the user does not have the Global
Artifact Management privilege.
> [!NOTE]
> Trusted Applications were already correctly validating this during
create of an artifact
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
This change remove `playwright-chromium` package from Kibana
dependencies.
* The package isn't used anywhere in the codebase
* The package conflicts with `@playwright/test` by installing the same
`playwright` executable which then misses a bunch of features, including
the `test` command
## Summary
With the new Claude 3.7 Elastic Managed LLM we're seeing an unhandled
error in Kibana playground. We can reproduce it by:
1. Indexing few but very large documents in Elasticsearch (10 docs, each
7mb)
2. Setting the docs to send setting as 10
3. Setting context to always query the index (I think there is some
function calling, not sure what happens under the hood but this worked
as I wanted to consistently).
Thread:
https://elastic.slack.com/archives/C08DT72KR6J/p1750686748616369?thread_ts=1750685837.561949&cid=C08DT72KR6J
We're not 100% sure this fixes the issue but we do know the model should be added.
### Checklist
Check the PR satisfies following conditions.
- [ ] Cannot reproduce the issue after the model entry is used on QA
environment
Reviewers should verify this PR satisfies this list as well.
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
No known risks
Fixes https://github.com/elastic/kibana/issues/224191
## Summary
Bugfix - Replace call to registry when deleting kibana assets for
packages of type "custom" and "bundled". Also replaced the call to
`fetchInfo.registry` on another code path to avoid errors in the same
situation -
- These calls are replaced with `getPackageInfo`, that has some internal
functionalities to decide when the packageInfo should be fetched from
the cache, ES or the registry.
- Added additional logging to the delete assets functions
### Testing
- Install a custom integration that has some assets (a dashboard for
instance)
- Uninstall it and check that the asset is correctly removed and there
are no errors:
<img width="1453" alt="Screenshot 2025-06-25 at 11 02 39"
src="https://github.com/user-attachments/assets/32fb07f3-2628-4e30-be92-16610043b3ae"
/>
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This adds and enables the case id incrementer service ([design
doc](https://docs.google.com/document/d/1DZKTPl7UryYjpjVMNhIYbE82OADVOg93-d02f0ZQtUI/edit?tab=t.0#heading=h.6qjc4qynaeuo)).
In order not to stress bulk creation of cases, we're processing
incremental ids asynchronously, meaning they will not immediately appear
in the UI.
The feature is currently disabled by default to allow for testing in
additional environments after merging but can be enabled by setting
`xpack.cases.incrementalIdService.enabled=true` in `kibana(.dev).yml`.
Once the flag is enabled, actually rendering the IDs in the UI is
disabled by default (for now) and has to be enabled in the advanced
settings (`cases:incrementalIdDisplay:enabled`).
Cases can be found by their incremental ID by searching for
`#{incremental_case_id}` in the cases table.
### Screenshots
**Incremental ID in the case detail page**
<img width="1506" alt="Screenshot 2025-06-05 at 15 46 42"
src="https://github.com/user-attachments/assets/f51ae0cd-a2e8-48f7-a6db-05f9f1285e95"
/>
**Incremental ID in the cases table**
<img width="1240" alt="Screenshot 2025-06-05 at 20 32 32"
src="https://github.com/user-attachments/assets/619b3f12-1986-4bc7-b9e8-f7556d0c546c"
/>
**Searching for case by its incremental ID**
<img width="1239" alt="Screenshot 2025-06-05 at 20 33 36"
src="https://github.com/user-attachments/assets/771df512-7436-4aa0-88f9-ac3e1e161455"
/>
### Testing notes
<details>
<summary>Validation script</summary>
Use this script to investigate if there are duplicates or gaps:
```js
import * as fs from 'fs';
// Query to get all cases from all namespaces sorted by incremental_id
// GET .kibana_alerting_cases/_search?_source_excludes=*
// {
// "query": {
// "exists": {
// "field": "cases.incremental_id"
// }
// },
// "fields": [
// "cases.incremental_id",
// "cases.title",
// "namespaces"
// ],
// "from": 0,
// "size": 10000,
// "sort": [
// {
// "cases.incremental_id": {
// "order": "asc"
// }
// }
// ]
// }
// Put those results into `test.json` in the same directory
// You might need to add `"search_after": [40007]` in case you want to look at more than 10k cases.
// In that case, replace `[40007]` with whatever value the last item has in `"sort": [2102]`
// Concatenate hits if needed (10k per file)
const cases = [
JSON.parse(fs.readFileSync('./test.json')),
// JSON.parse(fs.readFileSync('./test1.json')),
// JSON.parse(fs.readFileSync('./test2.json')),
// JSON.parse(fs.readFileSync('./test3.json')),
// JSON.parse(fs.readFileSync('./test4.json')),
].reduce((allHits, currResult) => {
return allHits.concat(currResult.hits.hits);
}, []);
console.log(`Total amount of cases: ${cases.length}`);
// Groups cases but
const casesByNamespace = cases.reduce((acc, theCase) => {
const id = theCase._id;
const space = theCase.fields.namespaces[0];
const incrementalId = theCase.fields['cases.incremental_id'][0];
const title = theCase.fields['cases.title'][0];
const toStore = { id, incrementalId, title };
if (!acc[space]) {
acc[space] = new Map();
}
// check for duplicates
const spaceMap = acc[space];
if (!spaceMap.has(incrementalId)) {
acc[space].set(incrementalId, toStore);
} else {
const storedCase = spaceMap.get(incrementalId);
console.error(`
${storedCase.title} and ${toStore.title} have the same incremental id (${incrementalId})
`);
}
return acc;
}, {});
// find gaps in spaces
Object.keys(casesByNamespace).forEach((space) => {
const spaceHits = casesByNamespace[space];
const gaps = [];
spaceHits.forEach(({ incrementalId }, _, map) => {
const idBefore = incrementalId - 1;
if (incrementalId > 1 && !map.has(idBefore)) {
gaps.push(idBefore);
}
});
console.log(`space:${space} has ${spaceHits.size} cases and ${gaps.length} skipped ids`);
gaps.forEach((gap) => console.log(`id #${gap} is not assigned`));
});
```
</details>
- Enable the logger in your `kibana.dev.yml` (optional but helpful)
```
logging.loggers:
- name: plugins.cases.incremental_id_task
level: debug
```
- Change some of the timings in
`x-pack/platform/plugins/shared/cases/server/tasks/incremental_id/incremental_id_task_manager.ts`
- Set `timeout: '1m'`
- Set `CASES_INCREMENTAL_ID_SYNC_INTERVAL_DEFAULT_MINUTES = 1`
- Remove ```runAt: new Date(
new Date().getTime() +
CASES_INCREMENTAL_ID_SYNC_INTERVAL_DEFAULT_MINUTES * 60 * 1000
),```
- you can also set the timings to something lower in the seconds e.g.
`10s`
- Generate a bunch of cases with the generator script
`x-pack/platform/plugins/shared/cases/scripts/generate_cases.js`:
- `node scripts/generate_cases.js -c 1000 -o securitySolution
- Enable `cases:incrementalIdDisplay:enabled` in advanced settings
- Wait a couple minutes until the incrementer task ran
- Test that the ids show up and that the search works
### Research notes
- We ran a large-scale test with ~350k cases in a cloud env and can
report the following findings:
- The 10min timeout for the incremental id task makes sense. The task
was usually finished after around 8-9min (processing 1000 cases at a
time) which gives it some buffer even.
- While processing the first 50k cases, the service skipped 8 ids and no
duplicates have been assigned. This means it skipped `0.016%` ids which
is great.
- It's unclear when these skips happened though and we investigated the
first 50k cases for duplicate ids, just in case, and found no
duplicates.
- At no point did any of the error logs trigger, meaning the task is
running smoothly.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Michael Olorunnisola <michael.olorunnisola@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Fixes https://github.com/elastic/kibana/issues/223990
## Summary
This PR fixes the forward-compatibility test for index mode, which
failed because the index mode was added to Get Data Streams API in 8.19
and 9.1 (see https://github.com/elastic/elasticsearch/pull/122486), so
if Kibana 8.19 is run with Es 9.0, the index mode is always displayed as
"Standard" because Es doesn't return an index mode field.
In this PR, we separate all index mode-related tests into a separate
file, and only run it for Es versions 8.19 or 9.1+.
This was also fixed for functional tests in
https://github.com/elastic/kibana/pull/223129
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Adds a recommended query for the `CATEGORIZE` function in ES|QL.
Adds keyword highlighting for the patterns and the ability to open a new
Discover tab to filter for docs which match the selected pattern.
https://github.com/user-attachments/assets/9ed8c5b0-7e92-4cc8-88dd-cb7749b5ffd3
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
## Summary
Multi space monitors !!
Fixes https://github.com/elastic/kibana/issues/164294
User will be able to choose in which space monitors will be available !!
<img width="1728" alt="image"
src="https://github.com/user-attachments/assets/f01ac226-ed54-4e96-b6f4-27f0134a9be5"
/>
### Technical
This is being done by registering another saved object type and for
existing monitors it will continue to work as right now but for newly
created monitors user will have ability to specify spaces or choose
multiple spaces or all.
### Testing
1. Create few monitors before this PR in multiple spaces
2. Create multiple monitors in multiple spaces after this PR
3. Make sure filtering, editing and deleting, creating works as expected
on both set of monitors
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Summarize your PR. If it involves visual changes include a screenshot or
gif.
Make it easier to debug topological plugin order errors by including the
exact cycle/s causing the issue in the error message:
Previous error message:
```
Error: Topological ordering of plugins did not complete, these plugins have cyclic or missing dependencies:
["discover","esql","canvas","crossClusterReplication","discoverEnhanced","indexLifecycleManagement","logstash","monitoring","observabilityAiAssistantManagement","remoteClusters","reporting","rollup","contentConnectors","dataQuality","datasetQuality","fleet","indexManagement","ml","osquery","streamsApp","apm","exploratoryView","infra","inventory","observability","observabilityAIAssistantApp","observabilityLogsExplorer","observabilityOnboarding","streamsAppWrapper","slo","synthetics","uptime","ux","enterpriseSearch","searchAssistant","searchIndices","searchInferenceEndpoints","searchPlayground","cloudSecurityPosture","elasticAssistant","securitySolution","securitySolutionEss"]
```
New error message tells you exactly where the cycle is:
```
Error: Topological ordering of plugins did not complete due to circular dependencies:
Detected circular dependencies:
discover -> elasticAssistant -> ml -> discover
Plugins with cyclic or missing dependencies: ["discover","esql","canvas","crossClusterReplication","discoverEnhanced","indexLifecycleManagement","logstash","monitoring","observabilityAiAssistantManagement","remoteClusters","reporting","rollup","contentConnectors","dataQuality","datasetQuality","fleet","indexManagement","ml","osquery","streamsApp","apm","exploratoryView","infra","inventory","observability","observabilityAIAssistantApp","observabilityLogsExplorer","observabilityOnboarding","streamsAppWrapper","slo","synthetics","uptime","ux","enterpriseSearch","searchAssistant","searchIndices","searchInferenceEndpoints","searchPlayground","cloudSecurityPosture","elasticAssistant","securitySolution","securitySolutionEss"]
```
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [X] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jean-Louis Leysens <jeanlouis.leysens@elastic.co>
## Summary
Part of https://github.com/elastic/kibana-team/issues/1503
This PR is mostly about moving osquery cypress dir with
security-solution imports
```
x-pack/test/osquery_cypress
```
After:
```
x-pack/solutions/security/test/osquery_cypress
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Silences SASS module usage warnings around the deprecated `@import`
statements.
While the sass/scss owner teams are migrating these usages, the dev
server is clogged up with deprecation warnings. It's probably best to
disable it, because it's annoying to everyone and not necessarily to the
owners.
