## Summary
Currently, neither `yarn kbn clean` nor `yarn kbn reset` removes cached ES
snapshot builds. This might cause issues for developers when switching
between branches with major changes. (see:
https://elastic.slack.com/archives/C5UDAFZQU/p1749628993034289)
This PR adds a softer and a harder clean to `clean` and `reset`
respectively.
## Summary
Resolves https://github.com/elastic/kibana/issues/212801
Removes already linked dashboards from the list of suggested dashboards
Also has the side effect of returning the linked dashboards from the
related dashboards api, which can be used to render the linked
dashboards list along with the suggested dashboards, rather than calling
a separate API from the client.
---------
Co-authored-by: Justin Kambic <jk@elastic.co>
## Summary
Main ticket ([Internal
link](https://github.com/elastic/security-team/issues/12484))
With these changes we switch from the data stream used temporarily (while
behind the feature flag), `.alerts-security.attack.discovery.alerts-ad-hoc`,
to one created and set up by the Alerting Framework,
`.adhoc.alerts-security.attack.discovery.alerts`. This index is used to
store "ad-hoc" attack discovery alerts generated manually by the user and
initially visible only to that user, with the option to share those
alerts with other people in the same organization.
There should be no visual changes, only the underlying index changed for
the manually generated attack discovery alerts.
**To test**:
1. Generate attack discovery via the "Generate" button on the Attack Discovery
page
2. Check generated alerts within the
`.adhoc.alerts-security.attack.discovery.alerts*` index
```
GET .adhoc.alerts-security.attack.discovery.alerts*/_search
```
## NOTES
The feature is hidden behind the feature flag (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
This PR fixes an issue with running our Security Assistant evals on CI
where the tests would finish and clean up before the evaluations would
actually complete. There was no issue with actually running the
evaluations, they would finish without error, however since the tests
would complete beforehand, the required resources (alerts, kb docs,
elser, etc) would be cleaned up and the evaluations wouldn't pass.
The issue has been fixed by polling for evaluation completion before
letting the tests complete. This was accomplished by writing evaluation
results (`id`/`status`) to a new ephemeral index
`.kibana-elastic-ai-assistant-evaluations-default` with an ILM policy of
`1d`, and then updating the GET evaluation route to include a `results`
array that can be used to confirm the status of the evaluation.
Note: There is no impact to production deployments with these changes as
all evaluation routes are gated behind the evaluation feature flag,
which can be enabled by adding the below configuration to your
`kibana.dev.yml`:
```
xpack.securitySolution.enableExperimental:
- "assistantModelEvaluation"
```
---
## Results
[Successful
Build](https://buildkite.com/elastic/kibana-pull-request/builds/306787/summary/annotations?jid=019756d8-e32f-4366-be5c-0f766a7c2934)
with `33m16s` runtime
[ES|QL Generation
Regression](261dcc59-fbe7-4397-a662-ff94042f666c/compare?selectedSessions=3303dbd1-4b29-4e36-900e-fc17ccfc923b,0acddaab-badb-4830-b731-170a3c122fcb,b8c300dc-3947-4c47-96d0-e3224be44d59,ce88d37d-6083-41ed-bcc7-989a2efc9c33&baseline=3303dbd1-4b29-4e36-900e-fc17ccfc923b)
<p align="center">
<img width="800"
src="https://github.com/user-attachments/assets/45750385-56c1-424d-bdc7-19ef1e378416"
/>
</p>
[Alerts RAG Regression (Episodes
1-8)](bd5bba1d-97aa-4512-bce7-b09aa943c651/compare?selectedSessions=f99b3bc7-bebf-4338-8cc5-96cff42015ab,776083c7-733b-476f-9a2e-ab90f62ba95b,f2036996-be11-45af-ab48-ee407b417679,7c02109b-ff7e-4b7c-8273-937a269f8924&baseline=f99b3bc7-bebf-4338-8cc5-96cff42015ab)
> [!NOTE]
> Need to either update dataset's referenced output to match the more
> verbose outputs of the tests, or to tune the evaluator prompt to be more
> lax as this is incorrectly impacting the correctness value. Examples
> needing updated:
>
> Example: #9e6e
> Example: #d33b
> Example: #e4c6
<p align="center">
<img width="800"
src="https://github.com/user-attachments/assets/61b8711a-f9bc-4b0b-93ce-cb9436864857"
/>
</p>
[Assistant Eval: Custom
Knowledge](2d5f7c18-4bf4-4cdb-97a1-16e39a865cab/compare?selectedSessions=589cbefa-893d-411e-86ea-cf2fe01d352e,4f0e797e-b6fa-4aa6-b707-3fd952d9eccb,75a78e49-0ae4-4edd-b6c5-35a1ea2cafa8,3b7bef1e-69e7-4692-b156-acf30992383d&baseline=589cbefa-893d-411e-86ea-cf2fe01d352e)
> [!NOTE]
> Quite a few failures here which seem to be stemming from either
mis-matches in anonymization values when referencing specific host names
(differing from example alerts used in tests vs data set generation), or
the [KBRetrival tool not even being
called](https://smith.langchain.com/public/d76c989e-f467-43a6-b606-c601e986d382/r).
<p align="center">
<img width="800"
src="https://github.com/user-attachments/assets/1a57efbc-8615-4209-9483-7aee69f2a622"
/>
</p>
[Eval AD: All
Scenarios](4690ee16-9df5-416c-8bf0-b62bc2f2aba9/compare?selectedSessions=2ca55bc8-7b26-4f4a-909d-5e86ceddc53d,3694531a-32e0-4216-b91b-9136e7523bbb,6daa7be3-6b9b-44d3-bac3-6ba6980accfd,ad741ca8-07bf-4bfe-ba85-6b271e9c3e34&baseline=2ca55bc8-7b26-4f4a-909d-5e86ceddc53d&textDisplayMode=compact&compare-experiment-tab=0)
<p align="center">
<img width="800"
src="https://github.com/user-attachments/assets/7e946207-290d-450f-a6ad-e679c8b60f0b"
/>
</p>
## Next Steps
* Need to improve the `Alerts RAG Regression (Episodes 1-8)` and
`Assistant Eval: Custom Knowledge` suites as correctness is being
impacted by a few factors: more verbose output from some models,
evaluator prompt, example alerts/anonymization mis-matching, or missed
tool calls
* Add telemetry for writing execution times and single correctness score
per model per suite
* Optionally write as console output/test artifact when running tests
* Output link to LangSmith results in console output
Closes https://github.com/elastic/observability-dev/issues/4445
EBT implementation: https://github.com/elastic/ebt/pull/57
## Summary
In this PR, we are adding `getTraceContext` to the `createAnalytics` in
order to include `trace.id` in the EBT events.

### ⚠️ Note
Some events might not have a `trace.id` due to not having an active
transaction at the moment of reporting the event. For those, we can
implement more sophisticated logic to keep track of transactions and use
the `trace.id` of the last one for the event (in a follow-up ticket, if
necessary).
### How to test
- Add `telemetry.localShipper: true` to the kibana config and create a
data view for `ebt-kibana-browser` index
- Check the `trace.id` in the events that are passed
---------
Co-authored-by: Alejandro Fernández Haro <alejandro.haro@elastic.co>
## Summary
Main ticket ([Internal
link](https://github.com/elastic/security-team/issues/10142))
With these changes we add an attack discovery alert details URL. Same as
for detection alerts, it will be stored within the `kibana.alert.url` field.
The URL uses the `server.publicBaseUrl` configuration from the `kibana.yml`
file, and if that config is not set the URL will be `undefined`. This
config is set internally (in the
https://github.com/elastic/project-controller/tree/main) for
**serverless** projects ([internal
discussion](https://elastic.slack.com/archives/C054M7BU84Q/p1748539899308869)).
Also, to allow users to access the details link in case of the `for each
alert` action frequency from within the connector we added a new message
variable: `context.attack.detailsUrl`.
**To test**:
1. Set `server.publicBaseUrl` in `kibana.yml`
2. Generate attack discovery via schedule
3. Check generated alerts within the
`.alerts-security.attack.discovery.alerts*` index (specifically
`kibana.alert.url` field)
## NOTES
The feature is hidden behind the feature flag (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| @types/base64-js | devDependencies | minor | [`^1.2.5` -> `^1.5.0`](https://renovatebot.com/diffs/npm/@types%2fbase64-js/1.2.5/1.5.0) |
| [base64-js](https://redirect.github.com/beatgammit/base64-js) | dependencies | patch | [`^1.3.1` -> `^1.5.1`](https://renovatebot.com/diffs/npm/base64-js/1.5.1/1.5.1) |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Tim Sullivan <tsullivan@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| @types/lz-string | devDependencies | minor | [`^1.3.34` -> `^1.5.0`](https://renovatebot.com/diffs/npm/@types%2flz-string/1.3.34/1.5.0) |
| [lz-string](http://pieroxy.net/blog/pages/lz-string/index.html) ([source](https://redirect.github.com/pieroxy/lz-string)) | dependencies | patch | [`^1.4.4` -> `^1.5.0`](https://renovatebot.com/diffs/npm/lz-string/1.5.0/1.5.0) |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
Co-authored-by: Tim Sullivan <tsullivan@users.noreply.github.com>
## 📓 Summary
When starting Kibana with CLI config overrides, the ones that looked up
for the tier and loaded the appropriate configuration file were not
wired, resulting in the override being ineffective.
This change fixes the behaviour, giving precedence to unknown CLI args
that might override the `pricing` configuration and correctly configure
Kibana.
## Summary
This PR introduces the **1chat MCP server** in Kibana, exposed at the
experimental `/api/mcp` endpoint behind a feature flag. It allows
external MCP clients (e.g. Claude Desktop, Cursor, OpenAI Agents) to
connect and use tools registered in the 1chat registry.
### MCP server
- Implements a **stateless** MCP server following the MCP spec
(Streamable HTTP transport).
- Supports **API key** and **basic auth** for authentication.
- Works with clients via:
- **Streamable HTTP** with auth header
- **STDIO** transport using `mcp-remote` proxy
- Endpoint under a feature flag `xpack.onechat.mcpServer.enabled`
- 1chat tools are scoped to the caller’s permissions, as determined by
the auth header.
### Other changes
- Implemented `KibanaMcpHttpTransport` (mcp http transport layer adapted
to Kibana Core primitives) + tests
### Local testing
Set ui setting: `onechat:mcpServer:enabled` to true
E.g. add this to Claude Desktop:
```
{
  "mcpServers": {
    "elastic": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://{kbn}/api/mcp",
        "--header",
        "Authorization: ApiKey ${API_KEY}"
      ],
      "env": {
        "API_KEY": "..."
      }
    }
  }
}
```
### Enable feature via API
```
POST kbn:/internal/kibana/settings/onechat:mcpServer:enabled
{"value": true}
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Updates policy protection notes to be space aware. Access to policy
protection notes is based on the agent policy's spaces.
Agent policy with access to spaces `default`, `foo`, and `bar`:

Note accessible from `foo` space:

Note accessible from `bar` space:

Note not accessible from `moo` space:

To test:
1) enable feature flags:
```
xpack.securitySolution.enableExperimental:
- endpointManagementSpaceAwarenessEnabled
xpack.fleet.enableExperimental:
- useSpaceAwareness
```
2) turn on fleet space awareness: `POST
/internal/fleet/enable_space_awareness`
3) Add at least 3 spaces (e.g., a, b, c)
4) Create an agent policy that is available in 2 of the 3 spaces (e.g.,
a, b) from step 3
5) Add Elastic Defend using the agent policy from step 4
6) Switch to one of the spaces that the agent policy is available in
from step 4 (e.g., a)
7) Add a policy protection note
8) Switch to the other space that the agent policy is available in from
step 4 (e.g., b)
9) Confirm that you can read the policy protection note from step 7
10) Switch to a space that the agent policy is not available in (e.g.,
c)
11) Confirm that you cannot access the policy protection note
(technically, you can't access the policy at all)
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Resolves https://github.com/elastic/kibana/issues/223008
### Summary
This PR enhances the good vs bad charts by filtering the clicked events
when redirecting to discover. When clicking on View Events, we keep the
default behaviour of showing the total events.
For example, if the user clicks on the good events (resp. bad events)
bar, we will select the "good events" (resp. bad events) filter on
discover.
### Manual testing
- Run data forge
- Create some SLOs with and without groups
- Verify the good events bar redirects to discover with good events
filter enabled
- Verify the bad events bar redirects to discover with bad events filter
enabled
- Verify the "View Events" link redirects to discover with total events
filter enabled
## Summary
Part of https://github.com/elastic/kibana/issues/207852
I tested printed styles via exporting PDF and comparing.
I prioritized classes over overly complex emotion props.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Small fix on the way we are concatenating the 2 sources (local and ccs).
Previously, if one of the sources was empty, such as
```
{
  indices: [],
  data_streams: [],
  aliases: []
}
```
it would wrongly return empty extensions.
This PR updates the console definitions to match the latest ones from
the @elastic/elasticsearch-specification repo.
---------
Co-authored-by: Sonia Sanz Vivas <sonia.sanzvivas@elastic.co>
Because the Data Set Quality page does not currently work with CCS, logs
coming from a remote cluster have the dataset quality link hidden in the
flyout.
The fix would hide a Data Set Quality link for documents that are coming
from remote clusters.
Fixes #211602
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Re-submit of https://github.com/elastic/kibana/pull/216352 as it has
merge conflicts and we don't have write permissions for Sandra's remote.
To test, add the following to your kibana.yml:
```
uiSettings:
  overrides:
    "observability:aiAssistantAnonymizationRules":
      - id: "ner"
        type: "ner"
        enabled: true
      - id: "beach"
        type: "regex"
        enabled: true
        pattern: "sandy"
```
---------
Co-authored-by: Sandra Gonzales <sandra.gonzales@elastic.co>
Co-authored-by: Sandra G <neptunian@users.noreply.github.com>
## Summary
This PR fixes the wrong position of the Lens user messages caused by the
absolute positioning of their container within a `static` positioned
parent.
> An element with `position: absolute` is positioned relative to its
> nearest positioned ancestor. A "positioned" ancestor has a position
> value other than static (the default).
> If no such ancestor exists, the element will be positioned relative to
> the initial containing block, which is usually the `<html>` element.

The `LensEmbeddableComponent` root div had `position: static` by
default, causing the absolute positioned badge/user message icon to be
positioned in the nearest positioned ancestor.
Fix https://github.com/elastic/kibana/issues/189344
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [@types/moment-duration-format](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/moment-duration-format) ([source](https://redirect.github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/moment-duration-format)) | devDependencies | patch | [`^2.2.3` -> `^2.2.6`](https://renovatebot.com/diffs/npm/@types%2fmoment-duration-format/2.2.3/2.2.6) |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Matthew Kime <matt@mattki.me>
## Summary
It closes #222658
This PR adds changes to the Asset Inventory Empty State component:
- Removed the integrations card grid
- Having an "Add integration" link that will go to the **Asset
Discovery** integration when it's available. (When the integration is
not available it redirects to the all "Integrations" page.)
**Test Refactoring:**
- Updated `no_data_found.test.tsx` and `initializing.test.tsx` to use
the new mockUseAddIntegrationPath utility and type-safe mocking with
jest.Mock.
- Improved assertions for the "Add integration" link/button, checking
both href and disabled state for more accurate UI validation.
### Screenshot
**Before:**
<img width="1441" alt="image"
src="https://github.com/user-attachments/assets/a2e1bd86-2d67-4a5e-b191-d3d30205cff1"
/>
**After:**
<img width="1508" alt="image"
src="https://github.com/user-attachments/assets/99b312a3-59c7-47f8-9791-aea7334fff0f"
/>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [blurhash](https://blurha.sh/) ([source](https://redirect.github.com/woltapp/blurhash/tree/HEAD/TypeScript)) | dependencies | patch | [`^2.0.1` -> `^2.0.5`](https://renovatebot.com/diffs/npm/blurhash/2.0.1/2.0.5) |
---
### Release Notes
<details>
<summary>woltapp/blurhash (blurhash)</summary>
### [`v2.0.4`](4dc3378847...7179af6173)
[Compare Source](4dc3378847...7179af6173)
### [`v2.0.3`](483859d3ba...4dc3378847)
[Compare Source](483859d3ba...4dc3378847)
### [`v2.0.2`](b93ee19c66...483859d3ba)
[Compare Source](b93ee19c66...483859d3ba)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
Co-authored-by: Tim Sullivan <tsullivan@users.noreply.github.com>