## Summary
Resolves https://github.com/elastic/observability-dev/issues/4556.
This PR will amend the existing EBT `onPageReady` tracking for TTFCP
with some descriptions to help consumers of the telemetry data
understand the context around what we are tracking for this timing data.
Also exports the `Meta` type for re-use in a Synthetics-specific
implementation that needs to accept this parameter.
## Summary
PDF, PNG and ES|QL CSV reports all use a relative date range based on
`now` so when we generate recurring exports, we override `now` with a
`forceNow` parameter. Non ES|QL CSV reports use a `SearchSource` with a
fixed time range, even when a relative time range is set in Discover.
This PR updates the CSV search source report generation to override the
fixed time range for recurring scheduled exports.
## To Verify
- create a dataview (try creating one using a field other than
`@timestamp` as the time field)
- populate the dataview with some data
- schedule a CSV export and verify that the eventual CSV report has data
in the correct time range
- may be faster to schedule via the API to get a report generated
faster.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
These changes address the review comment from my previous PR
36ed6b38c1 (r2150081638)
Initially I broke up the rendered component into multiple memoized
sub-sections. Reverting that back and adding test coverage for the new
functionality - Case actions UI for the Attack Discovery rule type:
* Hidden `group by` component
* Hidden `time window` component
* Hidden `reopen case` component
* Disabled `template selector` component
* Tooltip explaining why we disabled the `template selector` component
## Summary
This PR reduces logging in the security solution plugin’s telemetry code
for production environments by reviewing existing logs and adjusting
their log levels.
- Deprecated a logging helper method and moved to standard
`logger.[debug|info|warn|error]` calls.
- Reviewed all the logging sentences to adjust the log level, remove the
non-useful ones, and improve messages.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Alejandro Fernández Haro <afharo@gmail.com>
## Summary
Fixes: https://github.com/elastic/kibana/issues/190761
I've added a `handleKeyDown` to capture the `ESC` key press behavior.
1. First `ESC` finds any .euiFlyout and closes it with `closeFlyout()`
from `useExpandableFlyoutApi()`, then stops.
2. Next `ESC` (when no flyout) clicks `openToggleRef.current`, toggling
the timeline modal closed.
https://github.com/user-attachments/assets/0e42f9e9-2694-429d-8a5a-df86aa671809
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Follow-up of https://github.com/elastic/kibana/pull/223367
Fix https://github.com/elastic/search-team/issues/10259
This PR introduces the concept of agent **mode**, and exposes the "deep
research" agent as a mode instead of a tool.
## Examples
### Calling the Q/A (default) mode
```curl
POST kbn:/internal/onechat/chat
{
  "nextMessage": "Find all info related to our work from home policy"
}
```
### Calling the researcher mode
```curl
POST kbn:/internal/onechat/chat
{
  "mode": "researcher",
  "nextMessage": "Find all info related to our work from home policy"
}
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
There's an issue where the `esArchiverLoad` migrates SO if any index
starting with `.kibana` is affected.
```
CypressError: `cy.task('esArchiverLoad')` failed with the following error:
> security_exception
Root causes:
security_exception: action [indices:admin/settings/update] is unauthorized for user [testing-internal] with effective roles [superuser] on restricted indices [.kibana_security_solution_1,.kibana_alerting_cases_1,.kibana_task_manager_1,.kibana_usage_counters_1,.kibana_1,.kibana_ingest_1,.kibana_analytics_1], this action is granted by the index privileges [manage,all]
```
This PR disables the test for MKI so it doesn't interfere with the
release; we'll work on a fix in a separate PR.
Example MKI execution
https://buildkite.com/elastic/kibana-serverless-security-solution-quality-gate-investigations/builds/2889
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Implements a huggingface dataset loader for RAG evals - see
[x-pack/platform/packages/shared/kbn-ai-tools-cli/src/hf_dataset_loader/README.md](https://github.com/dgieselaar/kibana/blob/hf-dataset-loader/x-pack/platform/packages/shared/kbn-ai-tools-cli/src/hf_dataset_loader/README.md).
Additionally, a `@kbn/cache-cli` tool was added that allows tooling
authors to cache to disk (possibly remote storage later).
Used o3 for finding datasets on HuggingFace and doing an initial pass on
a line-by-line dataset processor ([see
conversation](https://chatgpt.com/share/6853e49a-e870-8000-9c65-f7a5a3a72af0))
Libraries added:
- `cache-manager`, `cache-manager-fs-hash`, `keyv`,
`@types/cache-manager-fs-hash`: caching libraries and plugins. could not
find any existing caching libraries in the repo.
- `@huggingface/hub`: api client for HF.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Simplifies the function to extract the categorize function field. The
unit tests we had pass for the new implementation so I am sure we don't
introduce new bugs
## Summary
This PR fixes [[ML] Change point detection: p-value tooltip is not
announced because lack of
focus](https://github.com/elastic/kibana/issues/216545) issue.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
While testing the ES|QL charts I realized that in case of an error in
the query, the hook goes into a loop and causes performance issues.
As the error is being reported we do not need to re-run the query to get
the results
For example if you create a control wrongly.
e.g.
1. Create a chart and add a control which will create an error:
<img width="508" alt="image"
src="https://github.com/user-attachments/assets/f2013d2c-e161-47bf-a3cb-d5033be9de59"
/>
2. Add to the control no-date fields. e.g. clientip
3. Check the editor is not going into a rendering loop
<img width="482" alt="image"
src="https://github.com/user-attachments/assets/cc541b68-b317-41ae-b4a6-87569466edd6"
/>
### Release notes
Fixes a performance issue in the Lens ES|QL charts in case of errors in
the query.
## Summary
The Obs-ux-infra_services team identified a useful addition to the PR
checklist we'd like to add to help remind contributors to apply
backports to the appropriate branches per the guideline document.
## Summary
Main ticket ([Internal
link](https://github.com/elastic/security-team/issues/10142))
With these changes we make sure that we return attack discovery fields
reformatted to a nice markdown text. We already format discovery details
when we create a new Case and add markdown comment to it.
### To Test
1. Create attack discovery schedule
2. Add an action to the schedule (email, slack etc.)
3. Select `For each alert > Per rule run` action frequency
4. Update subject, body or other fields of the connector to include
discovery details through the context variables
5. Wait until the action is triggered and check the received message
### Example of the email connector fields
**Subject**:
```
{{context.attack.title}}
```
**Message**:
```
{{{context.attack.detailsMarkdown}}}
{{{context.attack.detailsUrl}}}
```
<img width="665" alt="Screenshot 2025-06-25 at 18 05 30"
src="https://github.com/user-attachments/assets/71b2e02b-0437-4486-a584-108bec4d477f"
/>
which will result in an email similar to this one
<img width="1125" alt="Screenshot 2025-06-25 at 17 54 32"
src="https://github.com/user-attachments/assets/fefe60f0-e560-4288-9ec8-d1d444feb950"
/>
## NOTES
The feature is hidden behind the feature flag (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
## Summary
Part of https://github.com/elastic/kibana-team/issues/1503
This PR is mostly about moving tests from x-pack/test/
Before:
```
x-pack/test/
| - reporting_api_integration/
| - reporting_functional/
```
After:
```
x-pack/platform/test/
| - reporting_api_integration/
| - reporting_functional/
```
A few page objects, required by functional tests, were relocated as well.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Closes https://github.com/elastic/kibana/issues/218433
This change adds more descriptive error messages inside telemetry events
in the auto detect onboarding flow. The extended error message will be shown
to the user as well.
* New telemetry event for the case when user is not running the script
as `root`
* If Agent fails to download, both the original error from `curl` and the
download URL will be logged
* If Agent fails to extract, error message from `tar` command will be
logged
* If Agent fails to install, error message from `elastic-agent install`
command will be logged
* Error response from the integrations install endpoint will be logged
Example telemetry event:

Example terminal output:

## How to test
In order to simulate errors for all scenarios, you are going to need to
modify the `auto_detect.sh` script to make it intentionally fail, like
adding an extra character to the EA download URL. You can modify it
directly in the source if you're running Kibana locally, or you can
modify it after it was downloaded and before running it.
To test just one use-case without the script manipulations, you can
modify the EA download URL inside the code snippet provided by Kibana.
**Whatever way you choose, still go through the flow and make sure the
successful path works as expected.**
You can check the telemetry events emitted from the flow on [the staging
telemetry
cluster](https://telemetry-v2-staging.elastic.dev/s/observability-ux/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-24h%2Fh,to:now))&_a=(columns:!(),dataSource:(dataViewId:b4befdd3-9a15-40c2-be4d-3ac1084d6182,type:dataView),filters:!(),interval:auto,query:(language:kuery,query:'event_type%20:%20%22observability_onboarding%22'),sort:!(!('@timestamp',desc)))),
but keep in mind that events are delivered there with a delay of a couple of
hours 😢
---------
Co-authored-by: Joe Reuter <johannes.reuter@elastic.co>
## Summary
Bug description (also the bug video below):
The bug occurred in the Customize Panel Editor, where the
PanelTitle—even when matching the defaultTitle from the central Saved
Object—was not always properly synchronized with that object. This led
to situations where the title was incorrectly stored as a custom
override, breaking the link to the saved object. There were two specific
cases where this happened:
1. **Adding a panel from the library, then opening Customize Panel and
clicking Apply without making changes**
After adding a panel from the library, the user opens the Customize
Panel Editor via the settings icon. Without making any changes to the
title, they exit the editor by clicking the Apply button instead of the
close icon. This causes the defaultTitle to be unnecessarily written
into the title field of the API object, which then treats it as a custom
title—breaking future synchronization with the saved object.
2. **Resetting the title to default after a change**
The user changes the panel title in the Customize Panel Editor and
clicks Apply. Later, they reopen the editor and click Reset to default.
This correctly restores the title from the central saved object, but it
is again written into the title field of the API object. Although the
value matches the current defaultTitle, it is now treated as custom. If
the central title changes later, the panel title will no longer
update—breaking synchronization again.
Fix:
The logic was updated to correctly detect when the panel title matches
the defaultTitle. In such cases, it clears the title field in the API
(by setting it to undefined) to indicate that the panel should inherit
the title from the saved object. This ensures proper synchronization:
any future updates to the saved object's title will be reflected
automatically in the panel.
Closes #188858
Below the bug video:
https://github.com/user-attachments/assets/f784679c-8eaa-47b4-942d-e3802faee076
## Summary
The bug: A field with the expected name `user.name.keyword` but with the
wrong mapping was returned.
How to fix it? `fieldCaps` was returning unmapped mixed with mapped
fields. This change forces the API to return the `fields` property with
a list of all indices matching `user.name.keyword`.
More information on [this
slack](https://elastic.slack.com/archives/C0D8ST60Y/p1750661564933609) 🧵
### How to test it?
* Create an index with the correct mapping
```
PUT /test-index1
{
  "mappings": {
    "properties": {
      "user.name.keyword": {
        "type": "text"
      }
    }
  }
}
```
* Create an index with the wrong mapping
```
PUT /test-index2
{
  "mappings": {
    "properties": {
      "user.name.keyword": {
        "type": "text"
      }
    }
  }
}
```
* Go to the manage data sources page
* Only `test-index1` should be returned