Commit graph

85542 commits

Author SHA1 Message Date
alex prozorov
eadcaaec78 update unit tests to cover all cases of filtering in the graph 2025-04-11 16:45:07 +03:00
alex prozorov
c29eea8f93 fix case when both kql and filters are set and when opening timeline from graph 2025-04-11 13:56:02 +03:00
alex prozorov
7be44d7d1f fix graph ftr test 2025-04-11 13:56:01 +03:00
alex prozorov
9551d840eb update logic when passing event.id kquery or filter when opening timeline from graph 2025-04-11 13:56:01 +03:00
Pierre Gayvallet
d9d9fba3d6
[workchat] add tracing configuration (#217825)
## Summary

Allow enabling langsmith tracing via kibana config file

### Example

```yaml
xpack.workchatApp.tracing.langsmith:
  enabled: true
  apiKey: {API-KEY}
  project: {project-name}
```
2025-04-11 08:11:27 +02:00
Kibana Machine
3068c83f9c
[api-docs] 2025-04-11 Daily api_docs build (#217934)
Generated by
https://buildkite.com/elastic/kibana-api-docs-daily/builds/1039
2025-04-11 08:05:00 +02:00
Lisa Cawley
3908dc8b29
[DOCS] Use new responseOps URLs in doc link service and APIs (#217601) 2025-04-10 17:18:12 -07:00
Lisa Cawley
388a6fcfbd
[DOCS] Fix path to images in connector docs (#217920) 2025-04-10 17:16:06 -07:00
Rodney Norris
0f79990912
refactor(search_playground): prep for saved playgrounds (#217251)
## Summary

Renaming types and files as well as moving providers around to make
implementing saved playground routes more straightforward. Naming
updates to reduce future confusion from generic names that didn't fit
when there are multiple providers etc.
2025-04-11 01:20:09 +02:00
José Luis González
3485e52340
[Search][Query Rules] Rule sets filtering search (#217477)
## Summary

Search filtering over the query rulesets table:

![CleanShot 2025-04-09 at 10 25 00@2x](https://github.com/user-attachments/assets/78be7842-f892-454d-a01e-50dee27bdf18)

[Jira ticket](https://elasticco.atlassian.net/browse/SEARCH-928)


### Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-11 00:09:00 +02:00
Kibana Machine
51074fc9cc skip failing test suite (#217739) 2025-04-11 00:07:54 +02:00
Kibana Machine
4bc9524aad skip failing test suite (#144057) 2025-04-10 22:31:30 +02:00
Tiago Costa
4408a0c536
skip flaky suite (#214053) 2025-04-10 21:29:29 +01:00
Kibana Machine
cb55321ada skip failing test suite (#181977) 2025-04-10 22:28:26 +02:00
Tiago Costa
e7a04661f4
skip flaky suite (#217012) 2025-04-10 21:27:09 +01:00
Tiago Costa
bed0cb4462
skip flaky suite (#214862) 2025-04-10 21:25:39 +01:00
Alison Goryachev
8c8ccbb3ea
update codeowners file + add data_usage readme (#216486) 2025-04-10 21:35:36 +02:00
Nick Peihl
72d18d8b99
[Dashboards] Replace contentClient with getContentClient on DashboardStart server api (#217586)
## Summary

Changes the DashboardStart server api to provide a getContentClient
function.

In https://github.com/elastic/kibana/pull/214788, we set the
`contentClient` returned from the content management register method
after start lifecycle of all plugins. This means the `contentClient`
returned from the `DashboardStart` contract was undefined. This PR
changes the start contract to provide a getContentClient function
instead.

Only one consumer was using the contentClient from DashboardStart and
this PR also updates that consumer.
2025-04-10 14:52:38 -04:00
Kylie Meli
29628048e2
[Fleet] Add support for new siem security subcategory (#217873)
## Summary

Adding the new sub-category for security: `siem`

<img width="1807" alt="Screenshot 2025-04-10 at 11 36 49 AM"
src="https://github.com/user-attachments/assets/30cbdacb-4bd8-4523-ae79-2f49f5c59856"
/>

---
Relates
- https://github.com/elastic/security-team/issues/12103
- https://github.com/elastic/package-registry/pull/1284
2025-04-10 14:02:21 -04:00
Lisa Cawley
e00f013b62
[DOCS] Add minimal synthetic APIs (#214518)
Co-authored-by: Colleen McGinnis <colleen.j.mcginnis@gmail.com>
2025-04-10 19:26:49 +02:00
jennypavlova
7f0a625d66
[Synthtrace] Fix wrong url build in the Kibana client (#217678)
Relates to #217529 
#216653
#216844

## Summary

The issue was introduced in the [PR
here](https://github.com/elastic/kibana/pull/212120/files#diff-34f8e7299930135fd708d98018fc6f4141d6e7c25df7e5fdb90f3472ad0e2948R36):
basically, the URL will look like:
`http:/user:pass@localhost:5620/api/fleet/epm/packages/apm?prerelease=false`
because `Path.join` will strip the `/` which is needed in this case -
this URL is also passed to `getFetchAgent`. This PR will fix this issue.
2025-04-10 17:49:50 +02:00
Milosz Marcinkowski
23cbaa6d55
[APM][UI] Sort environment dropdown alphabetically (#217710)
Closes #217814

### Summary

Sort environment list alphabetically.

|Before|After|
|-|-|
|<img width="1724" alt="Screenshot 2025-04-10 at 12 01 15"
src="https://github.com/user-attachments/assets/53f0b66d-146a-45d9-b4e3-25bde350a263"
/>|<img width="1722" alt="Screenshot 2025-04-10 at 11 58 27"
src="https://github.com/user-attachments/assets/91315d23-801c-4a16-8688-c43d60c389c8"
/>|
2025-04-10 17:38:20 +02:00
Jill Guyonnet
79058c6529
[Fleet] Sync uninstalled integrations on remote clusters (#217144)
## Summary

Closes https://github.com/elastic/kibana/issues/206556

This PR adds a setting to remote ES outputs for also uninstalling
integrations on remote clusters when integrations sync is enabled.

This new setting can be toggled in the UI with a new switch:

<img width="1728" alt="Screenshot 2025-04-09 at 11 53 43"
src="https://github.com/user-attachments/assets/34544aa9-28fd-4360-a32f-5031e3d4293f"
/>

### Testing

* Follow the steps in
https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/fleet/dev_docs/local_setup/remote_clusters_ccr.md
to set up two clusters with integrations syncing.
* Add some integrations in your main cluster and check that they are
also installed in the remote cluster.
* Disable uninstalling integrations on remote.
* Remove an integration in your main cluster and check that it is NOT
removed from the remote cluster.
* Enable uninstalling integrations on remote.
* Remove an integration in your main cluster and check that it is also
removed from the remote cluster.
* In your remote cluster, enroll an agent onto a policy that points to
at least 1 package policy of the installed integrations (cf. Docker
commands below if using dockerized fleet-server/agent).
* In your main cluster, uninstall the integration that is used by the
agent policy in the remote. This should cause the uninstall to fail in
the remote cluster.
* In your remote cluster, inspect the package SO of that integration
with `GET .kibana_ingest/_search?q=type:epm-packages`: the
`latest_uninstall_failed_attempts` field should be populated.

Docker command for running a fleet-server in your remote cluster:
```
docker run \
    -e ELASTICSEARCH_HOST=http://host.docker.internal:9500 \
    -e KIBANA_HOST=http://host.docker.internal:5701/<path> \
    -e KIBANA_USERNAME=elastic \
    -e KIBANA_PASSWORD=changeme \
    -e KIBANA_FLEET_SETUP=1 \
    -e FLEET_INSECURE=1 \
    -e FLEET_SERVER_ENABLE=1 \
    -e FLEET_SERVER_POLICY_ID=fleet-server-policy \
    -p 8220:8220 \
    --rm docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT
```

Docker command for enrolling an agent in your remote cluster:
```
docker run \
    -e ELASTICSEARCH_HOST=http://host.docker.internal:9500 \
    -e KIBANA_HOST=http://host.docker.internal:5701/<path> \
    -e FLEET_URL=https://host.docker.internal:8220 \
    -e FLEET_ENROLL=1 \
    -e FLEET_ENROLLMENT_TOKEN=<token> \
    -e FLEET_INSECURE=1 \
    --rm docker.elastic.co/beats/elastic-agent:9.0.0-SNAPSHOT
```

### Checklist

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

This feature is currently in development and behind the
`enableSyncIntegrationsOnRemote` feature flag.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-10 08:36:15 -07:00
Nicolas Chaulet
0cf0e75c9c
[Fleet] Implement single actions in new installed integrations UI (#217584) 2025-04-10 11:33:22 -04:00
Philippe Oberti
5080c5facb
Alert summary table flyout setup (#217421)
## Summary

This PR is a follow up of [this previous
one](https://github.com/elastic/kibana/pull/216744) which was adding the
foundation for the alerts table on the AI for SOC alert summary page.
It focuses on adding the necessary boilerplate code for the alert
summary flyout implementation:
- add the row action cell component that displays the open flyout icon
as well as the logic to open the flyout
- add the boilerplate files for the new `ai_for_soc` panel
- make necessary changes to a few components within the
`document_details` folder that will be used in both flyouts
- implement the header for the flyout
- make sure the flyout history works with this new panel


https://github.com/user-attachments/assets/738268f5-795f-40c4-90d5-6b14f7d4de36

The alerts page alert details flyout remains unchanged, except for the
severity value at the very top, which is now displayed as an `EuiBadge`
instead of an `EuiHealth`. This guarantees consistency with the design
of the new AI for SOC flyout:
![Screenshot 2025-04-10 at 9 38 59 AM](https://github.com/user-attachments/assets/4b83280e-8cdb-4a01-8bc5-0fda3f735645)

## Notes

Follow PRs will tackle custom column titles, cell renderers, row
actions... for the table (wip
[here](https://github.com/elastic/kibana/pull/217124)).

Mocks for reference:
https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=3284-69401&p=f&m=dev

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`) => to do that you'll need to temporarily comment out the
`serverless.security.dev.yaml` config changes, as the rules page is not
accessible in AI for SOC.
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

https://github.com/elastic/security-team/issues/11973
2025-04-10 10:15:44 -05:00
Maryam Saeidi
a616a40f93
Update apm-rum packages (#217800)
## Summary 

Updating apm-rum packages mostly to use this feature:
https://github.com/elastic/apm-agent-rum-js/pull/1594


Changes

|Package|Previous version|Current version|Change log ([PR](https://github.com/elastic/apm-agent-rum-js/pull/1599/files))|
|---|---|---|---|
|@elastic/apm-rum|^5.16.3|^5.17.0|add support for adding labels to captured errors ([#1594](https://github.com/elastic/apm-agent-rum-js/pull/1594))|
|@elastic/apm-rum-core|^5.22.1|^5.23.0|add support for adding labels to captured errors ([#1594](https://github.com/elastic/apm-agent-rum-js/pull/1594))|
|@elastic/apm-rum-react|^2.0.5|^2.0.6|version bump only for package @elastic/apm-rum-react|
2025-04-10 16:57:06 +02:00
Viduni Wickramarachchi
368d4bf5c5
[Obs AI Assistant] Fix navigating to the search connectors page (#217749)
Closes https://github.com/elastic/kibana/issues/217748

## Summary

### Problem

Clicking on connectors in the Search connectors tab in the AI Assistant
settings navigates the user to a blank page.


https://github.com/user-attachments/assets/e369e539-cf75-4ea4-8cd0-343dbfbf9a33

This happens because `enterprise_search` URLs are deprecated and were
renamed to `elasticsearch`.
Related to https://github.com/elastic/kibana/pull/202838

List of changed URLs -
https://github.com/elastic/search-team/issues/7961#issuecomment-2433029797

### Solution

Replace the URL path from `enterpriseSearch` to `elasticsearch`

After the fix:


https://github.com/user-attachments/assets/5ebad872-9a87-46b0-ad2f-83a8ff6e017e


### Checklist

- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
2025-04-10 10:27:54 -04:00
Marco Liberati
ff0ba15eaa
[Dashboard] Fix page object getPanels method for new grid system (#217812)
## Summary

@umbopepato made me notice that this method was always returning an
empty list of elements.
That was because the selector used was targeting the old grid system.
This PR fixes that by using the right selector for the new grid system.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-10 16:22:27 +02:00
Pierre Gayvallet
bc1124118c
[workchat] implement m1 chat design (#217465)
## Summary

Implements the m1 design for the chat page and components

*Note: only covers the parts that are functionally present in the app
atm*

### Design demo


https://github.com/user-attachments/assets/16f64a51-16ad-45c5-9d4b-77c31598427a

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-10 16:05:15 +02:00
Viduni Wickramarachchi
c2596a1f61
[Obs AI Assistant] Remove semantic text feature flag (#217750)
Closes https://github.com/elastic/kibana/issues/206827

## Summary

Semantic text was updated to a new format with
https://github.com/elastic/dev/issues/2936 to act like a normal text
field. This was under a feature flag, therefore we had to enforce the
new format by setting the feature flag
`index.mapping.semantic_text.use_legacy_format` to `false`.

With the merge of https://github.com/elastic/elasticsearch/pull/120813
the new semantic format is now the default behaviour. Therefore, this PR
removes the feature flag in our code.

## Querying the KB after removing the feature flag


https://github.com/user-attachments/assets/8f91bd5a-033a-47ec-9bed-3e2bdfe85627


### Checklist

- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
2025-04-10 10:00:43 -04:00
Joe Reuter
3a5489bab3
🌊 Streams: Do not order component templates (#217820)
Per feedback from @LucaWintergerst, we shouldn't sort the component
templates in the "advanced" tab since their order matters when applied.

This PR removes the sorting that's set on the table.
2025-04-10 15:24:27 +02:00
Joe Reuter
de059eb516
🌊 Streams: Add experimental badge to nav entry (#217819)
This PR adds the experimental badge to the nav entry for streams (if
enabled)

<img width="343" alt="Screenshot 2025-04-10 at 12 47 22"
src="https://github.com/user-attachments/assets/765e0dd2-6ebd-4516-b024-ec207fcea43f"
/>

We also render a tech preview badge in the classic observability sub
nav:
<img width="224" alt="Screenshot 2025-04-10 at 12 52 04"
src="https://github.com/user-attachments/assets/c51210c0-056e-4ead-97ee-891e3fb6851f"
/>

Important to note: we don't render a badge in the classic main nav since
it's not supported there:
<img width="257" alt="Screenshot 2025-04-10 at 12 52 29"
src="https://github.com/user-attachments/assets/5a1fb3c8-88dd-49c9-bade-82965f367e46"
/>
2025-04-10 15:10:53 +02:00
Marco Antonio Ghiani
03ee308036
[Streams 🌊] Fix privileges issues on routing (#217793)
## 📓 Summary

This work addresses the following issues on some stream management
pages:
- privileges...
- a user should still be able to reorder processors during a simulation,
even if they don't have `manage` permissions to save it afterwards.
- a user should be able to read an existing processor configuration,
even if they don't have `manage` permissions to save it afterwards.
- the "only simulate" routing tooltip was shown always, even when
creating a child stream is possible.
- a toast error was shown on streams re-ordering even if everything was
saved correctly:
<img width="2090" alt="Screenshot 2025-04-10 at 11 07 02"
src="https://github.com/user-attachments/assets/9838b2dd-3c0d-406f-a989-337a832d7131"
/>
2025-04-10 15:08:25 +02:00
David Sánchez
08fc18b155
[Security Solution][Defend Workflows] Changes owner of osquery types (#217633)
## Summary

Updates CODEOWNERS file to move osquery types ownership to Defend
Workflows team.
Copy of: https://github.com/elastic/kibana/pull/217111

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-10 14:59:15 +02:00
Cristina Amico
f87cf9c8b4
[Fleet] Add msi installer command for fleet server and agents (#217217)
Closes https://github.com/elastic/kibana/issues/206629

## Summary

Added MSI windows commands for fleet server, managed agents and
standalone agents.
Docs about this type of install are
[here](https://www.elastic.co/guide/en/fleet/8.17/install-agent-msi.html)

### Testing
- Add a fleet server and verify that there is a new platform type
`Windows MSI`
- It should be available also for elastic agents, both managed and
standalone

<img width="793" alt="Screenshot 2025-04-04 at 16 34 04"
src="https://github.com/user-attachments/assets/59cf5ea8-566d-4488-9a56-8ec2e9a1f3de"
/>
<img width="764" alt="Screenshot 2025-04-04 at 16 45 00"
src="https://github.com/user-attachments/assets/0d0f9b51-0982-41a4-a32f-02a46b75e5a4"
/>
<img width="784" alt="Screenshot 2025-04-04 at 17 21 34"
src="https://github.com/user-attachments/assets/3dfd0c25-c9f8-47bf-bc3d-e9c9ff9c5417"
/>


### Checklist

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-10 14:26:16 +02:00
Konrad Szwarc
827199b8a1
[EDR Workflows] Automatic Troubleshooting feedback (#217660)
This PR adds a link to a survey users can take to provide feedback on
the insights feature. We're using `ela.st` shortened links, which also
allow us to monitor engagement.

The survey link should only be displayed once the user has received
results (insights). It should not be shown if the user hasn't performed
a scan yet or if no insights were returned.

When results are present

![Screenshot 2025-04-09 at 14 55 58](https://github.com/user-attachments/assets/b93c5aea-39e2-46f2-ab86-1043a48cdc90)

When no scan has been yet performed
![Screenshot 2025-04-09 at 12 25 14](https://github.com/user-attachments/assets/5c8dff42-8b6e-47e3-93a6-c5700a6c7086)

When no insights were generated
![Screenshot 2025-04-09 at 12 45 23](https://github.com/user-attachments/assets/d4658fe2-fd0e-443e-a063-a045948504cd)
2025-04-10 13:22:56 +02:00
Ignacio Rivas
95f80dac20
[UA] Remove enterprise search related code (#217439) 2025-04-10 12:41:15 +02:00
Sergi Romeu
6190ca8c14
[A11y][APM] Improve aria-label for correlations (#217512)
## Summary

Closes https://github.com/elastic/kibana/issues/194975

This PR improves the `aria-label` attributes in the latency correlations
page to add more context about the selected field.
2025-04-10 11:52:11 +02:00
Georgiana-Andreea Onoleață
47726988dc
[ResponseOps][Cases]Fix table layout in the add to existing case modal (#217653)
Closes https://github.com/elastic/kibana/issues/216582
## Summary

- increased column width to fit the `select` button


https://github.com/user-attachments/assets/64199991-c765-40e4-8d17-38cb6dfd16f6
2025-04-10 12:32:28 +03:00
Joe Reuter
9924886236
Remove .swn file (#217795)
This is a vim swap file I accidentally committed, let's get rid of it.
2025-04-10 11:23:22 +02:00
Ievgen Sorokopud
fc11ca94f5
[Attack Discovery][Scheduling] Attack Discovery scheduling rule management (#12003) (#216656)
## Summary

Main ticket ([Internal
link](https://github.com/elastic/security-team/issues/12003))

To allow users to schedule Attack Discovery generations, we will use the
[Alerting
Framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html).
These changes add functionality to manage a new alert type, Attack
Discovery Schedule.

### Introduced endpoints

- **Create** AD scheduling rule route: `POST
/internal/elastic_assistant/attack_discovery/schedules`
- **Read/Get** AD scheduling rule by id route: `GET
/internal/elastic_assistant/attack_discovery/schedules/{id}`
- **Update** AD scheduling rule by id route: `PUT
/internal/elastic_assistant/attack_discovery/schedules/{id}`
- **Delete** AD scheduling rule by id route: `DELETE
/internal/elastic_assistant/attack_discovery/schedules/{id}`
- **Enable** AD scheduling rule by id route: `POST
/internal/elastic_assistant/attack_discovery/schedules/{id}/_enable`
- **Disable** AD scheduling rule by id route: `POST
/internal/elastic_assistant/attack_discovery/schedules/{id}/_disable`
- **Find** all existing AD scheduling rules route: `GET
/internal/elastic_assistant/attack_discovery/schedules/_find`

## NOTES

The feature is hidden behind the feature flag:

> xpack.securitySolution.enableExperimental:
['assistantAttackDiscoverySchedulingEnabled']

## cURL examples

<details>
  <summary>Create AD scheduling rule route</summary>

```bash
curl --location 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Test Schedule",
    "schedule": {
        "interval": "10m"
    },
    "params": {
        "alertsIndexPattern": ".alerts-security.alerts-default",
        "apiConfig": {
            "connectorId": "gpt-4o",
            "actionTypeId": ".gen-ai"
        },
        "end": "now",
        "size": 100,
        "start": "now-24h"
    }
}'
```

</details>

<details>
  <summary>Read/Get AD scheduling rule by id route</summary>

```bash
curl --location 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

<details>
  <summary>Update AD scheduling rule by id route</summary>

```bash
curl --location --request PUT 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'Content-Type: application/json' \
--data '{
    "name": "Test Schedule - Updated",
    "schedule": {
        "interval": "123m"
    },
    "params": {
        "alertsIndexPattern": ".alerts-security.alerts-default",
        "apiConfig": {
            "connectorId": "gpt-4o",
            "actionTypeId": ".gen-ai"
        },
        "end": "now",
        "size": 35,
        "start": "now-24h"
    },
    "actions": []
}'
```

</details>

<details>
  <summary>Delete AD scheduling rule by id route</summary>

```bash
curl --location --request DELETE 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

<details>
  <summary>Enable AD scheduling rule by id route</summary>

```bash
curl --location --request POST 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}/_enable' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

<details>
  <summary>Disable AD scheduling rule by id route</summary>

```bash
curl --location --request POST 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}/_disable' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

<details>
  <summary>Find all existing AD scheduling rules route</summary>

```bash
curl --location 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/_find' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-10 11:03:04 +02:00
Konrad Szwarc
387e2d95ec
[EDR Workflows] Extend Defend Insights telemetry events to include new fields. (#216967)
This PR introduces a new event type,
`endpoint_workflow_insights_remediated_event`, and extends some of the
existing ones. The goal is to enable better monitoring of the **Defend
Insights** feature usage.

### Event Types

- **`defend_insight_success`** – Sent when the Scan button triggers an
API call and an insight is successfully created. This carries most of
the valuable data, such as result contents, duration, etc.
- **`endpoint_workflow_insights_remediated_event`** – Sent when a
Trusted App is added as a result of an insight, and that insight is
marked as remediated.
- **`defend_insight_error`** – Sent when insight generation fails and no
results are returned.

### Data sent to telemetry

**`defend_insight_error`**
```
actionTypeId   – Kibana connector type  
errorMessage   – Error message from ES/LLM  
model          – LLM model  
provider       – Model provider  
```

**`endpoint_workflow_insights_remediated_event`**
```
insightId      – The ID of the action that was sent to the endpoint (currently unused)  
```

**`defend_insight_success`**
```
actionTypeId        – Kibana connector type  
eventsContextCount  – Number of events sent as context to the LLM  
insightsGenerated   – Number of Defend insights generated  
durationMs          – Duration of the request in milliseconds  
model               – LLM model  
provider            – Model provider  
insightType         – Type of Defend insight (e.g., incompatible-antivirus)  
insightsDetails     – Details of the generated insights (e.g., ["ClamAV", "Avast"])  
```
2025-04-10 10:37:20 +02:00
Gerard Soldevila
4ca5e062f7
SKA: Make src/test plugins part of platform (#217715)
## Summary

This is needed by https://github.com/elastic/kibana/pull/216088, in
order to enable these plugins on CI for FTR tests.
2025-04-10 10:33:31 +02:00
Robert Stelmach
8df83d2716
[Dataset Quality] Add 'source' and 'target' fields to 'Dataset Quality Navigated' event (#217575) 2025-04-10 10:13:46 +02:00
Stratoula Kalafateli
15d3e26678
[ES|QL] Allows editing values (#217780)
## Summary

My refactor caused a bug: when editing, the button wasn't active. This PR
fixes it.

<img width="1649" alt="image"
src="https://github.com/user-attachments/assets/4da7eace-8b44-49a6-b3a5-9908ce16b63b"
/>
2025-04-10 10:10:46 +02:00
Philippe Oberti
579dbae6a1
[AI4DSOC] Alert summary table setup (#216744)
## Summary

This PR adds the foundation for the table in the AI for SOC alerts
summary page.
These changes implement a new usage of the GroupedAlertTable component.
These are the functionalities implemented in this PR:
- default 3 options when opening the `Group alerts by` dropdown:
  - Integration: grouping by `signal.rule.id` field
  - Severity: grouping by `kibana.alert.severity`
  - Rule name: grouping by `kibana.alert.rule.name`
- we have a custom group title renderer:
  - for the group by Integration, we render the icon and the name of the integration if found, or we fall back to the `signal.rule.id` value
  - for the others we use the same code as the default GroupedAlertTable
- we have custom group statistics:
  - for Integration we show severities, rules and alerts
  - for Severity we show integrations, rules and alerts
  - for Rules we show integrations, severities and alerts
  - for everything else we show integrations, severities, rules and alerts

#### Here is a video showing default grouping on the alert summary page


https://github.com/user-attachments/assets/43694969-8b43-4451-8f51-00622178ddf5

#### And another one showing custom fields and page refresh


https://github.com/user-attachments/assets/7b8d1047-4704-4149-a481-19721a381154

## Notes

Follow-up PRs will tackle custom column titles, cell renderers, row
actions... for the table (wip
[here](https://github.com/elastic/kibana/pull/217124)).

Mocks for reference:
https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=3284-69401&p=f&m=dev

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with a name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`)
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

https://github.com/elastic/security-team/issues/11973
2025-04-10 08:52:14 +02:00
Kibana Machine
c2de4d02cf
[api-docs] 2025-04-10 Daily api_docs build (#217777)
Generated by
https://buildkite.com/elastic/kibana-api-docs-daily/builds/1038
2025-04-10 08:22:12 +02:00
Kibana Machine
cb0202e8c9 skip failing test suite (#217739) 2025-04-10 01:02:07 +02:00
Quynh Nguyen (Quinn)
e2f09452cc
[AI Assistant] Fix error creating an AI connector in Observability AI Assistant (#217740)
## Summary

This PR fixes https://github.com/elastic/kibana/issues/207912, which
causes an error when creating an AI connector in Observability AI Assistant.

Before:

![image](https://github.com/user-attachments/assets/56b3eb49-28ec-4add-94c5-bf52f4291f4f)


After:


<img width="1150" alt="image"
src="https://github.com/user-attachments/assets/f53b2c35-3e6e-4e45-ba24-907e6b55cf03"
/>


https://github.com/user-attachments/assets/f3f96f75-577f-421c-aeb7-de4ce9d234e9


### Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like
hard-to-test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
2025-04-09 15:54:30 -06:00
Dima Arnautov
70c817db22
Connectors: Filter inference connectors without existing endpoints (#217641)
## Summary

Updated the `getAll` method in the actions client to exclude inference
connectors that lack inference endpoints.

### Checklist


- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
2025-04-09 23:15:38 +02:00