## Summary
Fixes various bugs introduced by this PR
https://github.com/elastic/kibana/pull/223936
Changes:
- Fix bug where esql_content_references (citations that open the ESQL
editor) were not working due to the discover plugin not getting imported
to the elastic_assistant plugin. This caused the assistant to crash.
- Fix bug where some buttons in the AI4Soc flavour were not linking to
the correct pages.
https://github.com/elastic/kibana/pull/223936#discussion_r2164506213
### How to test:
#### Verify ESQL citations work:
- Start Kibana
- Create a semantic index and index a document through the dev console:
```
PUT my-index-000001
{
  "mappings": {
    "properties": {
      "description": {
        "type": "semantic_text"
      }
    }
  }
}

# Add a document to my-index
POST /my-index-000001/_doc
{
  "id": "Security threats",
  "title": "Stuxnet",
  "description": "What Made It Special: Stuxnet was the first known cyber weapon designed to cause physical destruction. It targeted the Iranian nuclear program by infecting uranium enrichment facilities and sabotaging centrifuges."
}
```
- Set up a knowledge base and a knowledge base index in
http://localhost:5601/app/management/kibana/securityAiAssistantManagement?tab=knowledge_base
<img width="678" alt="image"
src="https://github.com/user-attachments/assets/a267146e-7973-4723-8c1d-365b8729a28e"
/>
- Open the security AI assistant and ask "What is the Stuxnet computer
virus?"
- Check the response to see if it contains a citation, click on the
citation, and verify the ESQL editor opens.
* If you don't get a citation, ask "What is the Stuxnet computer virus?
Provide me the citation"
#### Verify Ai4Soc buttons in the Security AI assistant link to the correct pages:
- Start AI4Soc flavor - Create the following file
`config/serverless.security.dev.yml` with this content:
```yml
xpack.securitySolutionServerless.productTypes:
[
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
]
```
- Start serverless ES
```bash
node scripts/es serverless --projectType security --clean --kill
```
- Start serverless Kibana for security
```bash
node --no-experimental-require-module scripts/kibana --dev --serverless=security --no-base-path
```
- Open the security AI assistant
- Check that clicking on these buttons takes you to the respective pages
(KB settings
`/app/security/configurations/ai_settings?tab=knowledge_base` and AI
settings `/app/security/configurations/ai_settings` ):
<img width="690" alt="image"
src="https://github.com/user-attachments/assets/4e2728e9-8a13-4670-aef4-05b1bdb3fd57"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [X] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
> [!IMPORTANT]
> **Should be no user-facing changes!!!** The new layout work is behind
a feature flag!
> [!IMPORTANT]
> This bootstraps new grid layout for chrome using a feature flag. It
only works with classic nav and has a lot of bugs and EUI-related
workarounds, but the overall code structure and approach can be reviewed
and merged to main.
## Summary
Part of [workspace
chrome](https://github.com/elastic/kibana-team/issues/1581) work. In
this PR we lay down the ground work for new grid layout that will power
Kibana's chrome. This is done by introducing **a feature flag** with
which Kibana can switch between "legacy-fixed" layout and new "grid"
layout.

Proper detailed figma link:
https://www.figma.com/design/10ca4AhnWDkyJklUDXnHg5/Sidebar?node-id=5192-259808&p=f&m=dev
kibana.yml:
```
feature_flags.overrides:
  core.chrome.layoutType: 'grid'
```
For this, in between `rendering_service` and `chrome_service` a new
`layout_service` was introduced, the goal of which is to aggregate stuff
from chrome service and compose it together using the needed layout.
There are two implementations for `layout_service`:
- `LegacyFixedLayout` - old one, just code refactor, should still work
as in main
- `GridLayout` - new one, mostly works, but only for classic nav, for
now, and with a bunch of hacks and bugs that we will resolve over time
The switch is in `rendering_service` based on a feature flag:
```tsx
const layout: LayoutService =
  layoutType === 'grid'
    ? new GridLayout(renderCoreDeps)
    : new LegacyFixedLayout(renderCoreDeps);

const Layout = layout.getComponent();

ReactDOM.render(
  <KibanaRootContextProvider {...startServices} globalStyles={true}>
    <Layout />
  </KibanaRootContextProvider>,
  targetDomElement
);
```
To see the grid and new layout in action there is a helpful `debug` flag
that displays not yet used elements of new layout:
kibana.yml:
```
feature_flags.overrides:
  core.chrome.layoutType: 'grid'
  core.chrome.layoutDebug: true
```
https://github.com/user-attachments/assets/9e4ad1d9-ed23-41ab-b029-254f7511136d
### Other clean ups
- Migrate `.chrHeaderBadge__wrapper`, `.chrHeaderHelpMenu__version`,
`breadcrumbsWithExtensionContainer` to emotion to simplify global css of
chrome
- remove `getIsNavDrawerLocked` and related css since not used
- Small unzyme
### TODO
- [x] fix solution nav in management
- [x] make sure solution nav works with header
- [x] fix dashboard full screen mode
- [x] check discover eui grid full screen
- [x] check chromeless mode
- [x] Follow up on EUI related hacks
https://github.com/elastic/eui/issues/8820
- [ ] Misaligned console in search solution
- [ ] Misaligned secondary nav in security solutions
- [ ] double scroll in discover push flyout
## How to review
1. Most importantly, we need to ensure that nothing is broken in the old
layout during the refactor. - Functional tests + visual/manual testing
2. Then for the new layout:
kibana.yml:
```
feature_flags.overrides:
  core.chrome.layoutType: 'grid'
  core.chrome.layoutDebug: true
```
- Check that it mostly works (some specific edge cases and bugs are
fine)
- Code-review: focus on the layout implementation split approach
## Summary
This PR contains the schema changes needed to support using `dtstart` in
task manager rrule schedules. This is meant for intermediate release and
then the changes will be used in this PR:
https://github.com/elastic/kibana/pull/224948
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This PR removes `kbn/test-suites-serverless` as kbn reference for
osquery/cypress test-helper module in order to fix circular dependency I
faced in https://github.com/elastic/kibana/pull/225377
Since the main consumer of that `shared/lib/security` code is
`osquery/cypress` test module, I believe it is a reasonable change in
order to unblock us relocating tests from `x-pack/test` dir.
Resolves https://github.com/elastic/kibana/issues/224987
## Summary
This test was failing the ES snapshot promotion pipeline. See in the
logs:
```
[00:04:15] │ proc [kbn-ui] [2025-06-26T17:44:06.841+00:00][WARN ][plugins.eventLog] invalid event logged: [kibana.user_api_key.managed_by]: definition for this key is missing; {"@timestamp":"2025-06-26T17:44:06.840Z","event":{"provider":"actions","action":"execute","kind":"action","start":"2025-06-26T17:44:06.762Z","end":"2025-06-26T17:44:06.840Z","duration":"78000000","outcome":"success"},"kibana":{"saved_objects":[{"rel":"primary","type":"action","id":"c4a64b3b-e5f5-4ffc-a58c-98584b6b5e59","type_id":"test.index-record","namespace":"space1"}],"space_ids":["space1"],"action":{"name":"My Connector","id":"c4a64b3b-e5f5-4ffc-a58c-98584b6b5e59","type_id":"test.index-record","execution":{"uuid":"ecbbf89f-729a-416c-a711-05b0a1e27de6","source":"http_request","usage":{"request_body_bytes":0}}},"user_api_key":{"managed_by":"elasticsearch","name":"test user managed key","id":"r1RWrZcB4HDiQQlB8SOM"},"server_uuid":"5b2de169-2785-441b-ae8c-186a1936b17d","version":"9.1.0"},"user":{"name":"elastic"},"message":"action executed: test.index-record:c4a64b3b-e5f5-4ffc-a58c-98584b6b5e59: My Connector","ecs":{"version":"1.8.0"}}) {"service":{"node":{"roles":["ui"]}}}
```
So it looks like the `api_key` information now returns a `managed_by`
field which we were copying over to the event log but was not accepted
by the event log schema. Updated the code to only copy over the `name`
and `id` field to address this. Can open a followup issue to see if we
want to copy over the `managed_by` field.
Closes https://github.com/elastic/kibana/issues/208328
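
The failure mode in the log above, as an added example that is not Kibana's event log code: a strict schema rejects any key it has no definition for, so copying an upstream object wholesale breaks as soon as the upstream adds a field, while copying an explicit allowlist keeps the event valid. `Schema`, `validateStrict`, `buildEventCopyAll`, `buildEventAllowlisted` and `droppedApiKeyFields` are hypothetical names, and the sample API key object is constructed from the values visible in the log line.

```typescript
// Added illustration, not Kibana's event log code. All names are hypothetical.

// Stand-in for a strict schema: an object lists the keys it accepts,
// and the string 'keyword' marks a string leaf.
type Schema = { [key: string]: Schema | 'keyword' };

const EVENT_SCHEMA: Schema = {
  kibana: { user_api_key: { name: 'keyword', id: 'keyword' } },
  user: { name: 'keyword' },
};

function isPlainObject(value: unknown): value is Record<string, unknown> {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Returns one message per key the schema does not define (or whose value has
// the wrong shape), using the "[dotted.path]: ..." style seen in the log.
function validateStrict(
  doc: Record<string, unknown>,
  schema: Schema,
  path: string[] = []
): string[] {
  const errors: string[] = [];
  for (const key of Object.keys(doc)) {
    const here = path.concat(key).join('.');
    // Own-property lookup, so inherited names such as "constructor" are not accepted.
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`[${here}]: definition for this key is missing`);
      continue;
    }
    const rule = schema[key];
    const value = doc[key];
    if (rule === 'keyword') {
      if (typeof value !== 'string') errors.push(`[${here}]: expected a string`);
    } else if (isPlainObject(value)) {
      errors.push(...validateStrict(value, rule, path.concat(key)));
    } else {
      errors.push(`[${here}]: expected an object`);
    }
  }
  return errors;
}

// Shape of the upstream API key info; extra fields may appear at any time.
interface ApiKeyInfo {
  id: string;
  name: string;
  [extra: string]: unknown;
}

// Before: every field the upstream returns is copied into the event.
function buildEventCopyAll(apiKey: ApiKeyInfo, username: string): Record<string, unknown> {
  return { kibana: { user_api_key: { ...apiKey } }, user: { name: username } };
}

// After: only `name` and `id` are copied, as the commit message describes.
function buildEventAllowlisted(apiKey: ApiKeyInfo, username: string): Record<string, unknown> {
  return {
    kibana: { user_api_key: { name: apiKey.name, id: apiKey.id } },
    user: { name: username },
  };
}

// Fields the allowlist leaves out, so a follow-up can decide whether the
// schema should learn about them instead of dropping them silently.
const ALLOWED_API_KEY_FIELDS: string[] = ['name', 'id'];

function droppedApiKeyFields(apiKey: ApiKeyInfo): string[] {
  return Object.keys(apiKey).filter((k) => ALLOWED_API_KEY_FIELDS.indexOf(k) === -1);
}

// Constructed sample mirroring the `user_api_key` object in the log line above.
const SAMPLE_API_KEY: ApiKeyInfo = {
  managed_by: 'elasticsearch',
  name: 'test user managed key',
  id: 'r1RWrZcB4HDiQQlB8SOM',
};

const ERRORS_BEFORE = validateStrict(buildEventCopyAll(SAMPLE_API_KEY, 'elastic'), EVENT_SCHEMA);
const ERRORS_AFTER = validateStrict(buildEventAllowlisted(SAMPLE_API_KEY, 'elastic'), EVENT_SCHEMA);
```
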
This change adds Playwright test for Ensemble e2e testing CI.
[🔒 Corresponding PR in Ensemble
repo](https://github.com/elastic/ensemble/pull/580)
[🔒 Successful CI
run](1561308352)
# How to test
1. Run Kibana locally
2. Adjust
`x-pack/solutions/observability/plugins/observability_onboarding/e2e/playwright/.env`
file if needed (see README in the same folder for more details)
3. Run the test:
```bash
npx playwright test -c ./x-pack/solutions/observability/plugins/observability_onboarding/e2e/playwright/playwright.config.ts --reporter list --headed x-pack/solutions/observability/plugins/observability_onboarding/e2e/playwright/stateful/firehose.spec.ts
```
4. The test will open the Firehose onboarding page and stop after
copying the CLI command snippet. When running on the CI, Ensemble would
take over by running the snippet on the CI instance. The Playwright test
at this point is just waiting for data to start coming in. To imitate
that without actually creating infrastructure on a real AWS account, you
can ingest a dummy document manually, for example:
```
# Adjust the @timestamp before executing
POST logs-aws.apigateway_logs-default/_doc
{
  "@timestamp": "2025-06-13T13:32:01.000Z",
  "some": 111,
  "aws.kinesis.name": "Elastic-Cloudwatch"
}
```
5. After doing that, you should see Kibana UI update with detected data
and the Playwright should continue and finish successfully.
## 26/06 Edits
Following discussion with the team, made the following changes:
* Modified curl and request and response examples with more appropriate
examples
## 20/06 Edits
Following discussion with the team, made the following changes:
* Removed `query` parameter from the API, and therefore removed it from
docs
* Made API return OpenAI format by default
* Removed `unredactions` property from public API schema and removed it
from docs
## Summary
Closes https://github.com/elastic/obs-ai-assistant-team/issues/193
Add docs for chat/complete public API.
## Steps to view documentation
1. checkout branch
2. Install bump-cli if you don't already have it:
https://docs.bump.sh/help/continuous-integration/cli/
3. Go to kibana/oas_docs folder
4. Run `bump preview output/kibana.yaml` or `bump preview
output/kibana.serverless.yaml`
5. Go to the url given by the command (it takes a while to load). On the
side bar, click on Observability AI Assistant menu item and there you
can see the docs :)
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)


---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Resolves https://github.com/elastic/observability-dev/issues/4556.
This PR will amend the existing EBT `onPageReady` tracking for TTFCP
with some descriptions to help consumers of the telemetry data
understand the context around what we are tracking for this timing data.
Also exports the `Meta` type for re-use in a Synthetics-specific
implementation that needs to accept this parameter.
## Summary
PDF, PNG and ES|QL CSV reports all use a relative date range based on
`now` so when we generate recurring exports, we override `now` with a
`forceNow` parameter. Non ES|QL CSV reports use a `SearchSource` with a
fixed time range, even when a relative time range is set in Discover.
This PR updates the CSV search source report generation to override the
fixed time range for recurring scheduled exports.
## To Verify
- create a dataview (trying creating one using a field other than
`@timestamp` as the time field)
- populate the dataview with some data
- schedule a CSV export and verify that the eventual CSV report has data
in the correct time range
- may be faster to schedule via the API to get a report generated
faster.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
These changes address the review comment from my previous PR
36ed6b38c1 (r2150081638)
Initially I broke up rendered component into multiple memoized
sub-sections. Reverting that back and adding tests coverage for the new
functionality - Case actions UI for the Attack Discovery rule type:
* Hidden `group by` component
* Hidden `time window` component
* Hidden `reopen case` component
* Disabled `template selector` component
* Tooltip explaining why we disabled the `template selector` component
## Summary
This PR reduces logging in the security solution plugin’s telemetry code
for production environments by reviewing existing logs and adjusting
their log levels.
- Deprecated a logging helper method and moved to standard
`logger.[debug|info|warn|error]` calls.
- Reviewed all the logging sentences to adjust the log level, remove the
non-useful ones, and improve messages.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Alejandro Fernández Haro <afharo@gmail.com>
## Summary
Fixes: https://github.com/elastic/kibana/issues/190761
I've added a `handleKeyDown` to capture the `ESC` key press behavior.
1. First `ESC` finds any .euiFlyout and closes it with `closeFlyout()`
from `useExpandableFlyoutApi()`, then stops.
2. Next `ESC` (when no flyout) clicks `openToggleRef.current`, toggling
the timeline modal closed.
https://github.com/user-attachments/assets/0e42f9e9-2694-429d-8a5a-df86aa671809
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Follow-up of https://github.com/elastic/kibana/pull/223367
Fix https://github.com/elastic/search-team/issues/10259
This PR introduces the concept of agent **mode**, and exposes the "deep
research" agent as a mode instead of a tool.
## Examples
### Calling the Q/A (default) mode
```curl
POST kbn:/internal/onechat/chat
{
"nextMessage": "Find all info related to our work from home policy"
}
```
### Calling the researcher mode
```curl
POST kbn:/internal/onechat/chat
{
"mode": "researcher",
"nextMessage": "Find all info related to our work from home policy"
}
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
There's an issue where the `esArchiverLoad` migrates SO if any index
starting with `.kibana` is affected.
```
CypressError: `cy.task('esArchiverLoad')` failed with the following error:
> security_exception
Root causes:
security_exception: action [indices:admin/settings/update] is unauthorized for user [testing-internal] with effective roles [superuser] on restricted indices [.kibana_security_solution_1,.kibana_alerting_cases_1,.kibana_task_manager_1,.kibana_usage_counters_1,.kibana_1,.kibana_ingest_1,.kibana_analytics_1], this action is granted by the index privileges [manage,all]
```
This PR disables the test for MKI so it doesn't interfere with the
release, we'll work on a fix in a separate PR
Example MKI execution
https://buildkite.com/elastic/kibana-serverless-security-solution-quality-gate-investigations/builds/2889
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Implements a huggingface dataset loader for RAG evals - see
[x-pack/platform/packages/shared/kbn-ai-tools-cli/src/hf_dataset_loader/README.md](https://github.com/dgieselaar/kibana/blob/hf-dataset-loader/x-pack/platform/packages/shared/kbn-ai-tools-cli/src/hf_dataset_loader/README.md).
Additionally, a `@kbn/cache-cli` tool was added that allows tooling
authors to cache to disk (possibly remote storage later).
Used o3 for finding datasets on HuggingFace and doing an initial pass on
a line-by-line dataset processor ([see
conversation](https://chatgpt.com/share/6853e49a-e870-8000-9c65-f7a5a3a72af0))
Libraries added:
- `cache-manager`, `cache-manager-fs-hash`, `keyv`,
`@types/cache-manager-fs-hash`: caching libraries and plugins. could not
find any existing caching libraries in the repo.
- `@huggingface/hub`: api client for HF.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Simplifies the function to extract the categorize function field. The
unit tests we had pass for the new implementation so I am sure we don't
introduce new bugs
## Summary
This PR fixes [[ML] Change point detection: p-value tooltip is not
announced because lack of
focus](https://github.com/elastic/kibana/issues/216545) issue.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
While testing the ES|QL charts I realized that in case of an error in
the query, the hook goes into a loop and causes performance issues.
As the error is being reported we do not need to re-run the query to get
the results
For example if you create a control wrongly.
e.g.
1. Create a chart and add a control which will create an error:
<img width="508" alt="image"
src="https://github.com/user-attachments/assets/f2013d2c-e161-47bf-a3cb-d5033be9de59"
/>
2. Add to the control no-date fields. e.g. clientip
3. Check the editor is not going into a rendering loop
<img width="482" alt="image"
src="https://github.com/user-attachments/assets/cc541b68-b317-41ae-b4a6-87569466edd6"
/>
### Release notes
Fixes a performance issue in the Lens ES|QL charts in case of errors in
the query.
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
The Obs-ux-infra_services team identified a useful addition to the PR
checklist we'd like to add to help remind contributors to apply
backports to the appropriate branches per the guideline document.
## Summary
Main ticket ([Internal
link](https://github.com/elastic/security-team/issues/10142))
With these changes we make sure that we return attack discovery fields
reformatted to a nice markdown text. We already format discovery details
when we create a new Case and add markdown comment to it.
### To Test
1. Create attack discovery schedule
2. Add an action to the schedule (email, slack etc.)
3. Select `For each alert > Per rule run` action frequency
4. Update subject, body or other fields of the connector to include
discovery details through the context variables
5. Wait until the action is triggered and check the received message
### Example of the email connector fields
**Subject**:
```
{{context.attack.title}}
```
**Message**:
```
{{{context.attack.detailsMarkdown}}}
{{{context.attack.detailsUrl}}}
```
<img width="665" alt="Screenshot 2025-06-25 at 18 05 30"
src="https://github.com/user-attachments/assets/71b2e02b-0437-4486-a584-108bec4d477f"
/>
which will result in an email similar to this one
<img width="1125" alt="Screenshot 2025-06-25 at 17 54 32"
src="https://github.com/user-attachments/assets/fefe60f0-e560-4288-9ec8-d1d444feb950"
/>
## NOTES
The feature is hidden behind the feature flag (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
## Summary
Part of https://github.com/elastic/kibana-team/issues/1503
This PR is mostly about moving tests from x-pack/test/
Before:
```
x-pack/test/
| - reporting_api_integration/
| - reporting_functional/
```
After:
```
x-pack/platform/test/
| - reporting_api_integration/
| - reporting_functional/
```
Few page objects, required by functional tests, were relocated as well
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Closes https://github.com/elastic/kibana/issues/218433
This change adds more descriptive error messages inside telemetry events
in the auto detect onboarding flow. The extended error message will be shown
to the user as well.
* New telemetry event for the case when user is not running the script
as `root`
* If Agent fails to download, both the original error from `curl` and the
download URL will be logged
* If Agent fails to extract, error message from `tar` command will be
logged
* If Agent fails to install, error message from `elastic-agent install`
command will be logged
* Error response from the integrations install endpoint will be logged
Example telemetry event:

Example terminal output:

## How to test
In order to simulate errors for all scenarios, you are going to need to
modify the `auto_detect.sh` script to make it intentionally fail, like
adding an extra character to the EA download URL. You can modify it
directly in the source if you're running Kibana locally, or you can
modify it after it was downloaded and before running it.
To test just one use-case without the script manipulations, you can
modify the EA download URL inside the code snippet provided by Kibana.
**Whatever way you choose, still go through the flow and make sure the
successful path works as expected.**
You can check the telemetry events emitted from the flow on [the staging
telemetry
cluster](https://telemetry-v2-staging.elastic.dev/s/observability-ux/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:60000),time:(from:now-24h%2Fh,to:now))&_a=(columns:!(),dataSource:(dataViewId:b4befdd3-9a15-40c2-be4d-3ac1084d6182,type:dataView),filters:!(),interval:auto,query:(language:kuery,query:'event_type%20:%20%22observability_onboarding%22'),sort:!(!('@timestamp',desc)))),
but keep in mind that events are delivered there with a delay of a couple of
hours 😢
---------
Co-authored-by: Joe Reuter <johannes.reuter@elastic.co>
## Summary
Bug description (also the bug video below):
The bug occurred in the Customize Panel Editor, where the
PanelTitle—even when matching the defaultTitle from the central Saved
Object—was not always properly synchronized with that object. This led
to situations where the title was incorrectly stored as a custom
override, breaking the link to the saved object. There were two specific
cases where this happened:
1. **Adding a panel from the library, then opening Customize Panel and
clicking Apply without making changes.**
After adding a panel from the library, the user opens the Customize
Panel Editor via the settings icon. Without making any changes to the
title, they exit the editor by clicking the Apply button instead of the
close icon. This causes the defaultTitle to be unnecessarily written
into the title field of the API object, which then treats it as a custom
title—breaking future synchronization with the saved object.
2. **Resetting the title to default after a change.**
The user changes the panel title in the Customize Panel Editor and
clicks Apply. Later, they reopen the editor and click Reset to default.
This correctly restores the title from the central saved object, but it
is again written into the title field of the API object. Although the
value matches the current defaultTitle, it is now treated as custom. If
the central title changes later, the panel title will no longer
update—breaking synchronization again.
Fix:
The logic was updated to correctly detect when the panel title matches
the defaultTitle. In such cases, it clears the title field in the API
(by setting it to undefined) to indicate that the panel should inherit
the title from the saved object. This ensures proper synchronization:
any future updates to the saved object's title will be reflected
automatically in the panel.
Closes #188858
Below the bug video:
https://github.com/user-attachments/assets/f784679c-8eaa-47b4-942d-e3802faee076
## Summary
The bug: A field with the expected name `user.name.keyword` but with the
wrong mapping was returned.
How to fix it? `fieldCaps` was returning unmapped mixed with mapped
fields. This change forces the API to return the `fields` property with
a list of all indices matching `user.name.keyword`.
More information on [this
slack](https://elastic.slack.com/archives/C0D8ST60Y/p1750661564933609) 🧵
### How to test it?
* Create an index with the correct mapping
```
PUT /test-index1
{
  "mappings": {
    "properties": {
      "user.name.keyword": {
        "type": "text"
      }
    }
  }
}
```
* Create an index with the wrong mapping
```
PUT /test-index2
{
  "mappings": {
    "properties": {
      "user.name.keyword": {
        "type": "text"
      }
    }
  }
}
```
* Go to the manage data sources page
* Only `test-index1` should be returned
## Summary
Fix the FORK removal logic to insert the branch in the correct position
when only one FORK branch is valid.
### How to reproduce it
* Start empty kibana
* Generate data with resolve_generator `node
x-pack/solutions/security/plugins/security_solution/scripts/endpoint/resolver_generator.js`
* Go to "Privileged user monitoring" page and add some privileged users
* On the Dashboard page, scroll down to "Privileged user activity" and
click the "Authentications" tab
* It should display "No results found" instead of an error
### Before fix

### After fix

### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Coming from the conversation from here:
https://github.com/elastic/kibana/pull/225339#discussion_r2167248942 and
a proposal from @akowalska622, we noticed that the useMemoCss doesn't
catch the keys of the css object. This fixes it.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Skips the Dataset Quality API integration test suite which
depends on reading Failure Store index privileges. When this
test suite runs in Kibana 8.19 against ES 9.0 in a forward compatibility
test run, it raises the error:
```bash
[00:04:43] │ proc [kibana] [2025-06-25T05:40:33.223+00:00][WARN ][http.server.kbn-internal-api-restricted] Access to uri [/internal/dataset_quality/data_streams/logs-synth.fs-default/details] with method [get] is deprecated {"service":{"node":{"roles":["background_tasks","ui"]}}}
[00:04:43] │ proc [kibana] [2025-06-25T05:40:33.252+00:00][ERROR][plugins.datasetQuality] illegal_argument_exception
[00:04:43] │ proc [kibana] Root causes:
[00:04:43] │ proc [kibana] illegal_argument_exception: unknown index privilege [read_failure_store]. a privilege must be either one of the predefined fixed indices privileges [all,auto_configure,create,create_doc,create_index,cross_cluster_replication,cross_cluster_replication_internal,delete,delete_index,index,maintenance,manage,manage_data_stream_lifecycle,manage_follow_index,manage_ilm,manage_leader_index,monitor,none,read,read_cross_cluster,view_index_metadata,write] or a pattern over one of the available index actions {"service":{"node":{"roles":["background_tasks","ui"]}}}
[00:04:43] │ proc [kibana] [2025-06-25T05:40:33.291+00:00][WARN ][http.server.kbn-internal-api-restricted] Access to uri [/internal/dataset_quality/data_streams/logs-synth.no-default/details] with method [get] is deprecated {"service":{"node":{"roles":["background_tasks","ui"]}}}
[00:04:43] │ proc [kibana] [2025-06-25T05:40:33.305+00:00][ERROR][plugins.datasetQuality] illegal_argument_exception
```
This happens because the test accesses the endpoint
`data_stream/{index}/details`, which inquires about the user's index privileges
including `read_failure_store`, which is not available in **ES 9.0** as
`ES 9.0` does not support Failure Store.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## 📓 Summary
Closes https://github.com/elastic/observability-dev/issues/4511
Apply the following restrictions based on the serverless project tier:
- Grok patterns suggestions (only available on complete tier)
  - Restrict suggestions API
  - Restrict UI control to generate suggestions
- Date formats suggestions (only available on complete tier)
  - Restrict suggestions API
  - Restrict UI control to generate suggestions
  - Restrict autocomplete
- Significant events (only available on complete tier)
  - Restrict read API
  - Last restrictions to be applied when [[Streams] Significant events
view](https://github.com/elastic/kibana/pull/220197#top) is merged.
**N.B.** All the above restrictions are only applied to Serverless
Observability projects on the Logs Essentials tier.
## 🧪 How To Test
* Modify `config/serverless.oblt.dev.yml` to include:
```yaml
pricing.tiers.products:
  - name: observability
    tier: logs_essentials
```
* Run Kibana locally
* In a stream detail view, go to management and try creating a grok
processor or a date one.
* It should NOT display the patterns generation button, nor should it
autocomplete the date processor formats and show its generate button.
Additionally, switch back to `tier: complete` in
`config/serverless.oblt.dev.yml` and make sure that ML/AI assisted flows
look as usual.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [diff](https://redirect.github.com/kpdecker/jsdiff) | dependencies | patch | [`^8.0.1` -> `^8.0.2`](https://renovatebot.com/diffs/npm/diff/8.0.1/8.0.2) |
---
### Release Notes
<details>
<summary>kpdecker/jsdiff (diff)</summary>
### [`v8.0.2`](https://redirect.github.com/kpdecker/jsdiff/blob/HEAD/release-notes.md#802)
[Compare
Source](https://redirect.github.com/kpdecker/jsdiff/compare/v8.0.1...v8.0.2)
- [#​616](https://redirect.github.com/kpdecker/jsdiff/pull/616)
**Restored compatibility of `diffSentences` with old Safari versions.**
This was broken in 8.0.0 by the introduction of a regex with a
[lookbehind
assertion](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Lookbehind_assertion);
these weren't supported in Safari prior to version 16.4.
- [#​612](https://redirect.github.com/kpdecker/jsdiff/pull/612)
**Improved tree shakeability** by marking the built CJS and ESM packages
with `sideEffects: false`.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Davis McPhee <davis.mcphee@elastic.co>
## Summary
This PR splits out a separate class from `DiscoverEBTManager` called
`ScopedDiscoverEBTManager`, similar to #216488, in order to better
support EBT tracking across tabs.
The profiles tracking in EBT events is a bit convoluted, and ideally
we'd be able to fully isolate the scoped managers, but our use of the
global EBT context observable makes that infeasible since it's a
singleton. If we simply updated the profiles in the EBT context when
switching tabs, it could result in the wrong profiles being tracked for
events fired asynchronously, e.g.:
- Starting from tab A, create a new tab B.
- Switch to tab B (which updates the EBT context with tab B's profiles)
and trigger a long running search.
- While the search is still running, switch back to tab A (updating the
EBT context back to tab A's profiles).
- Tab B's search completes while tab A is active, and the EBT context
for tab B's `discoverFetchAll` event incorrectly contains tab A's
profiles, since they were set when switching back to tab A.
This is solved by keeping track of the active scoped manager in the root
EBT manager, and temporarily updating the EBT context profiles when
firing events from inactive tabs, which seems to be reliable to prevent
leaking across tabs from my testing.
Since I'm using the same "scoped" service approach used for context
awareness across tabs, I've removed the dedicated
`ScopedProfilesManagerProvider` and replaced it with a general purpose
`ScopedServicesProvider` that can be used for all of these types of
services.
Unfortunately while Git recognized that certain files were just moved
and modified (e.g. `discover_ebt_manager.test.ts`), GitHub is displaying
them as entirely new files. To make it easier to review the actual file
changes, open the "Changes from X commits" dropdown and select from the
first commit to "Update unit tests", which will correctly display the
changes before the files were moved (they weren't modified after this
commit).
Resolves #223943.
### Checklist
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
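The tab-switch sequence described in the `ScopedDiscoverEBTManager` summary above, replayed as an added example (not code from the PR): a shared context stamps an event fired by an inactive tab with the wrong profiles, and a temporary swap avoids it. `RootEbtManager`, `ScopedEbtManager`, their methods and the profile names are hypothetical stand-ins.

```javascript
// Added illustration: simplified, hypothetical stand-ins for the root and scoped
// EBT managers. Only the event name `discoverFetchAll` comes from the PR text.

class RootEbtManager {
  constructor() {
    this.contextProfiles = []; // stands in for the singleton EBT context
    this.activeScoped = null; // the scoped manager of the tab currently shown
    this.reported = []; // events as they would be sent, with their context
  }

  createScoped(profiles) {
    return new ScopedEbtManager(this, profiles);
  }

  // Called on tab switch: the shared context follows the active tab.
  setActive(scoped) {
    this.activeScoped = scoped;
    this.contextProfiles = scoped.profiles;
  }

  // Every event is stamped with whatever the shared context holds right now.
  report(eventType) {
    this.reported.push({ eventType, profiles: [...this.contextProfiles] });
  }
}

class ScopedEbtManager {
  constructor(root, profiles) {
    this.root = root;
    this.profiles = profiles;
  }

  // Naive behaviour: trust the shared context, whichever tab last wrote to it.
  trackNaive(eventType) {
    this.root.report(eventType);
  }

  // Approach from the description: when firing from an inactive tab, put this
  // tab's profiles into the context for the duration of the event, then restore.
  track(eventType) {
    if (this.root.activeScoped === this) {
      this.root.report(eventType);
      return;
    }
    const previous = this.root.contextProfiles;
    this.root.contextProfiles = this.profiles;
    try {
      this.root.report(eventType);
    } finally {
      this.root.contextProfiles = previous;
    }
  }
}

// Replays the four steps from the description. The long-running search is
// modelled as a callback that completes only after the switch back to tab A.
function simulateTabSwitch(useScopedFix) {
  const root = new RootEbtManager();
  const tabA = root.createScoped(['profile-a']); // constructed profile names
  const tabB = root.createScoped(['profile-b']);
  const pendingCompletions = [];

  root.setActive(tabA); // start on tab A
  root.setActive(tabB); // switch to tab B and trigger the search
  pendingCompletions.push(() =>
    useScopedFix ? tabB.track('discoverFetchAll') : tabB.trackNaive('discoverFetchAll')
  );
  root.setActive(tabA); // switch back while the search is still running
  pendingCompletions.forEach((complete) => complete()); // tab B's search completes

  return {
    eventProfiles: root.reported[0].profiles,
    contextAfter: [...root.contextProfiles],
  };
}

console.log('naive :', simulateTabSwitch(false));
console.log('scoped:', simulateTabSwitch(true));
```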
Closes https://github.com/elastic/kibana/issues/225344
https://github.com/elastic/kibana/pull/223149 moved dynamic action
injection/extraction from dashboard to embeddables.
https://github.com/elastic/kibana/pull/223149 muffed the implementation
for the lens embeddable and failed to spread dynamicActionsState and
dynamicActionsReferences into serialized state for by-value panels.
This PR resolves the issue by spreading dynamicActionsState and
dynamicActionsReferences with lens state for by-value panels.
After applying fix, dashboard saved object should contain drilldown
reference and enhancements state should no longer contain hard coded
`dashboardId`.
```
{
"attributes": {
"panelsJSON": "[{\"type\":\"lens\",\"embeddableConfig\":{\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"63700c7c-13e2-4aa2-8a58-7d2c19c42b34\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Go to Dashboard\",\"config\":{\"openInNewTab\":false,\"useCurrentDateRange\":true,\"useCurrentFilters\":true}}}]}},\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"filters\":[],\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"90943e30-9a47-11e8-b64d-95841ca0b247\",\"name\":\"indexpattern-datasource-layer-5374d213-dba0-47d7-b4f2-9226d08a35cc\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"Linear\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"5374d213-dba0-47d7-b4f2-9226d08a35cc\",\"accessors\":[\"d1180bfd-63e2-437e-a027-faa0face26ff\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"colorMapping\":{\"assignments\":[],\"specialAssignments\":[{\"rules\":[{\"type\":\"other\"}],\"color\":{\"type\":\"loop\"},\"touched\":false}],\"paletteId\":\"default\",\"colorMode\":{\"type\":\"categorical\"}},\"xAccessor\":\"dc975f9c-772f-4fc1-bc1e-70339f2c5906\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5374d213-dba0-47d7-b4f2-9226d08a35cc\":{\"columns\":{\"dc975f9c-772f-4fc1-bc1e-70339f2c5906\":{\"label\":\"Top 5 values of 
machine.os.keyword\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"machine.os.keyword\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"d1180bfd-63e2-437e-a027-faa0face26ff\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"d1180bfd-63e2-437e-a027-faa0face26ff\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"dc975f9c-772f-4fc1-bc1e-70339f2c5906\",\"d1180bfd-63e2-437e-a027-faa0face26ff\"],\"incompleteColumns\":{},\"sampling\":1}}},\"indexpattern\":{\"layers\":{}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}}},\"panelIndex\":\"74c07c77-979f-4fd9-8b07-889f4a93f9e0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":24,\"h\":15,\"i\":\"74c07c77-979f-4fd9-8b07-889f4a93f9e0\"}}]",
},
"references": [
{
"type": "index-pattern",
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "74c07c77-979f-4fd9-8b07-889f4a93f9e0:indexpattern-datasource-layer-5374d213-dba0-47d7-b4f2-9226d08a35cc"
},
{
"name": "74c07c77-979f-4fd9-8b07-889f4a93f9e0:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:63700c7c-13e2-4aa2-8a58-7d2c19c42b34:dashboardId",
"type": "dashboard",
"id": "edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b"
}
],
}
```
## Summary
This adds basic Lens CRUD api routes using the Content Management
system.
| Operation | URI |
|--------|--------|
| Create | `POST api/lens/visualizations` |
| Get | `GET api/lens/visualizations/{id}` |
| Search | `GET api/lens/visualizations?query=test` |
| Update | `PUT api/lens/visualizations/{id}` |
| Delete | `DELETE api/lens/visualizations/{id}` |
### Changes to Lens Content Management
The custom `update` method uses `soClient.create` under the hood for
reasons (i.e. #160116). However, doing this acts as an update or create
method with the provided `id`. I changed this behavior so now any update
where the id is not found will return a `404` error.
Closes #221941
Closes #221942 - OpenAPI docs auto generate from route schema
### Testing
You can test this locally in kibana dev console like so...
```
GET kbn:/api/lens/visualizations/<id>?apiVersion=1
```
> The `apiVersion` query param is needed to test `internal` api routes.
## Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Marco Vettorello <marco.vettorello@elastic.co>
## Summary
Endpoint Exception ALL privilege got lost, because the original
migration (PR: https://github.com/elastic/kibana/pull/219566) did this:
- for `siem:ALL` or `siemV2:ALL`:
  - it adds the new `global_artifact_management_all`, because `siemVX` all
    meant that user can write Endpoint Exceptions
  - and: it changed `siemVX:ALL` to `siemVX:MINIMAL_ALL`, in order to
    enable the sub-features toggle, so it is visible to the user that they
    are granted a new sub-privilege
and the issue: Endpoint Exceptions are not included in
`siemVX:MINIMAL_ALL`, and thanks to this the user lost their access to
Endpoint Exceptions.
this PR solves this issue.
### visualization
with this change, the `siem/siemV2:ALL` -> `siemV3` migration graph now
looks like this:
```mermaid
flowchart LR
classDef serverless stroke:blue,stroke-dasharray: 5 5
subgraph siemV2[siem/siemV2]
all1[all]
end
subgraph siemV3
subgraph minall2[minimal_all]
g1[global_artifact_management_all]
eea["`endpoint_exceptions_all
(only serverless)`"]:::serverless
end
end
all1 -->|keep access to the included Endpoint Exceptions ALL| g1
all1 -->|enable sub-feature toggle| minall2
all1 -->|keep access to EE ALL, as it WAS included in ALL. only serverless| eea
linkStyle 2 stroke:#00f,color:blue
```
see the previous ones here:
https://github.com/elastic/kibana/pull/219566
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Part of https://github.com/elastic/kibana-team/issues/1503
This PR is mostly about moving tests from
x-pack/test/cases_api_integration and updating related imports
Before:
```
x-pack/test/
| - cases_api_integration/
```
After:
```
x-pack/platform/test/
| - cases_api_integration/
x-pack/solutions/security/test/
| - cases_api_integration/
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
- Part of #213293
- Adds infrastructure for a new pipeline: `kibana / renovate helper`
- The pipeline and scripts are currently a no-op and will be finalized
and tested in a follow up PR against the provisioned pipeline.
## Plan
The goal is to automatically run a script when Renovate opens a PR to
dedupe and perform any other actions, then trigger the Kibana PR
pipeline. This can also be performed by commenting `buildkite run
renovate helper` in the instances where the PR has been rebased by
Renovate.
Additionally, this pipeline will trigger the Kibana PR pipeline
automatically for Renovate PRs when the commit author is not Renovate
bot. Currently a developer has to comment every time they want CI to run
on Renovate PRs. This will improve DX when merging upstream, debugging
the dep upgrade and auto-commits by `kibanamachine`.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Adapted cypress tests to:
- Run cypress tests within the Threat Hunting Investigations team bundle
in the CI.
- Fixed failing onboarding test.
- Added test cases for migration rename functionality to the onboarding
test.
## Screenshots

Fixes #218255 and #213784
## Summary
This PR fixes flaky test in Console responsible for opening
documentation with keyboard shortcut by checking if the opened tab
contains `www.elastic.co/docs`.
## Summary
In [this PR](https://github.com/elastic/kibana/pull/222827) we added
support of Cases action for Attack Discovery Schedules.
Now we would like to increase a "max opened cases" limit which defaults
to `5` right now and can be set maximum to `10`. In case with attack
discoveries it is highly expected to have more generated alerts and thus
we would like to bump the max number of opened cases to `20`.
## NOTES
The attack discovery scheduling and alerts history features are hidden
behind these feature flags (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| docker.elastic.co/wolfi/chainguard-base-fips | digest | `d55453a` ->
`7f2cebd` |
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Jon <jon@elastic.co>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| docker.elastic.co/wolfi/chainguard-base | digest | `fdfd7f3` ->
`a02075b` |
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Jon <jon@elastic.co>
Adds a `fromExternalVariant` helper function that unpacks external
variants (which are commonly used in Elasticsearch APIs) into a fully `{
type, value }` object.
## Notes
I used o3 to write the tests, including unit tests and type tests.
## Summary
- Fix the create of Event Filters, Blocklists, Endpoint Exceptions and
Host Isolation Exceptions so that an error is returned when space
awareness feature is enabled and the user does not have the Global
Artifact Management privilege.
> [!NOTE]
> Trusted Applications were already correctly validating this during
create of an artifact
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
This change removes `playwright-chromium` package from Kibana
dependencies.
* The package isn't used anywhere in the codebase
* The package conflicts with `@playwright/test` by installing the same
`playwright` executable which then misses a bunch of features, including
the `test` command
## Summary
With the new Claude 3.7 Elastic Managed LLM we're seeing an unhandled
error in Kibana playground. We can reproduce it by:
1. Indexing few but very large documents in Elasticsearch (10 docs, each
7mb)
2. Setting the docs to send setting as 10
3. Setting context to always query the index (I think there is some
function calling, not sure what happens under the hood but this worked
as I wanted to consistently).

Thread:
https://elastic.slack.com/archives/C08DT72KR6J/p1750686748616369?thread_ts=1750685837.561949&cid=C08DT72KR6J
We're not 100% sure this fixes the issue but we do know the model should be added.
### Checklist
Check the PR satisfies following conditions.
- [ ] Cannot reproduce the issue after the model entry is used on QA
environment
Reviewers should verify this PR satisfies this list as well.
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
No known risks
Fixes https://github.com/elastic/kibana/issues/224191
## Summary
Bugfix - Replace call to registry when deleting kibana assets for
packages of type "custom" and "bundled". Also replaced the call to
`fetchInfo.registry` on another code path to avoid errors in the same
situation -
- These calls are replaced with `getPackageInfo`, that has some internal
functionalities to decide when the packageInfo should be fetched from
the cache, ES or the registry.
- Added additional logging to the delete assets functions
### Testing
- Install a custom integration that has some assets (a dashboard for
instance)
- Uninstall it and check that the asset is correctly removed and there
are no errors:
<img width="1453" alt="Screenshot 2025-06-25 at 11 02 39"
src="https://github.com/user-attachments/assets/32fb07f3-2628-4e30-be92-16610043b3ae"
/>
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This adds and enables the case id incrementer service ([design
doc](https://docs.google.com/document/d/1DZKTPl7UryYjpjVMNhIYbE82OADVOg93-d02f0ZQtUI/edit?tab=t.0#heading=h.6qjc4qynaeuo)).
In order not to stress bulk creation of cases, we're processing
incremental ids asynchronously, meaning they will not immediately appear
in the UI.
The feature is currently disabled by default to allow for testing in
additional environments after merging but can be enabled by setting
`xpack.cases.incrementalIdService.enabled=true` in `kibana(.dev).yml`.
Once the flag is enabled, actually rendering the IDs in the UI is
disabled by default (for now) and has to be enabled in the advanced
settings (`cases:incrementalIdDisplay:enabled`).
Cases can be found by their incremental ID by searching for
`#{incremental_case_id}` in the cases table.
### Screenshots
**Incremental ID in the case detail page**
<img width="1506" alt="Screenshot 2025-06-05 at 15 46 42"
src="https://github.com/user-attachments/assets/f51ae0cd-a2e8-48f7-a6db-05f9f1285e95"
/>
**Incremental ID in the cases table**
<img width="1240" alt="Screenshot 2025-06-05 at 20 32 32"
src="https://github.com/user-attachments/assets/619b3f12-1986-4bc7-b9e8-f7556d0c546c"
/>
**Searching for case by its incremental ID**
<img width="1239" alt="Screenshot 2025-06-05 at 20 33 36"
src="https://github.com/user-attachments/assets/771df512-7436-4aa0-88f9-ac3e1e161455"
/>
### Testing notes
<details>
<summary>Validation script</summary>
Use this script to investigate if there are duplicates or gaps:
```js
import * as fs from 'fs';

// Query to get all cases from all namespaces sorted by incremental_id
// GET .kibana_alerting_cases/_search?_source_excludes=*
// {
//   "query": {
//     "exists": {
//       "field": "cases.incremental_id"
//     }
//   },
//   "fields": [
//     "cases.incremental_id",
//     "cases.title",
//     "namespaces"
//   ],
//   "from": 0,
//   "size": 10000,
//   "sort": [
//     {
//       "cases.incremental_id": {
//         "order": "asc"
//       }
//     }
//   ]
// }
// Put those results into `test.json` in the same directory
// You might need to add `"search_after": [40007]` in case you want to look at more than 10k cases.
// In that case, replace `[40007]` with whatever value the last item has in `"sort": [2102]`

// Concatenate hits if needed (10k per file)
const cases = [
  JSON.parse(fs.readFileSync('./test.json', 'utf8')),
  // JSON.parse(fs.readFileSync('./test1.json', 'utf8')),
  // JSON.parse(fs.readFileSync('./test2.json', 'utf8')),
  // JSON.parse(fs.readFileSync('./test3.json', 'utf8')),
  // JSON.parse(fs.readFileSync('./test4.json', 'utf8')),
].reduce((allHits, currResult) => {
  return allHits.concat(currResult.hits.hits);
}, []);

console.log(`Total amount of cases: ${cases.length}`);

// Group cases by namespace, keyed by incremental id within each namespace
const casesByNamespace = cases.reduce((acc, theCase) => {
  const id = theCase._id;
  const space = theCase.fields.namespaces[0];
  const incrementalId = theCase.fields['cases.incremental_id'][0];
  const title = theCase.fields['cases.title'][0];
  const toStore = { id, incrementalId, title };
  if (!acc[space]) {
    acc[space] = new Map();
  }

  // check for duplicates
  const spaceMap = acc[space];
  if (!spaceMap.has(incrementalId)) {
    acc[space].set(incrementalId, toStore);
  } else {
    const storedCase = spaceMap.get(incrementalId);
    console.error(`
      ${storedCase.title} and ${toStore.title} have the same incremental id (${incrementalId})
    `);
  }
  return acc;
}, {});

// find gaps in spaces
Object.keys(casesByNamespace).forEach((space) => {
  const spaceHits = casesByNamespace[space];
  const gaps = [];
  spaceHits.forEach(({ incrementalId }, _, map) => {
    const idBefore = incrementalId - 1;
    if (incrementalId > 1 && !map.has(idBefore)) {
      gaps.push(idBefore);
    }
  });

  console.log(`space:${space} has ${spaceHits.size} cases and ${gaps.length} skipped ids`);
  gaps.forEach((gap) => console.log(`id #${gap} is not assigned`));
});
```
</details>
- Enable the logger in your `kibana.dev.yml` (optional but helpful)
```
logging.loggers:
  - name: plugins.cases.incremental_id_task
    level: debug
```
- Change some of the timings in
`x-pack/platform/plugins/shared/cases/server/tasks/incremental_id/incremental_id_task_manager.ts`
  - Set `timeout: '1m'`
  - Set `CASES_INCREMENTAL_ID_SYNC_INTERVAL_DEFAULT_MINUTES = 1`
  - Remove ```runAt: new Date(
new Date().getTime() +
CASES_INCREMENTAL_ID_SYNC_INTERVAL_DEFAULT_MINUTES * 60 * 1000
),```
  - you can also set the timings to something lower in the seconds e.g.
    `10s`
- Generate a bunch of cases with the generator script
`x-pack/platform/plugins/shared/cases/scripts/generate_cases.js`:
  - `node scripts/generate_cases.js -c 1000 -o securitySolution`
- Enable `cases:incrementalIdDisplay:enabled` in advanced settings
- Wait a couple minutes until the incrementer task has run
- Test that the ids show up and that the search works
### Research notes
- We ran a large-scale test with ~350k cases in a cloud env and can
report the following findings:
  - The 10min timeout for the incremental id task makes sense. The task
    was usually finished after around 8-9min (processing 1000 cases at a
    time) which gives it some buffer even.
  - While processing the first 50k cases, the service skipped 8 ids and no
    duplicates have been assigned. This means it skipped `0.016%` ids which
    is great.
  - It's unclear when these skips happened though and we investigated the
    first 50k cases for duplicate ids, just in case, and found no
    duplicates.
  - At no point did any of the error logs trigger, meaning the task is
    running smoothly.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Michael Olorunnisola <michael.olorunnisola@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Fixes https://github.com/elastic/kibana/issues/223990
## Summary
This PR fixes the forward-compatibility test for index mode, which
failed because the index mode was added to Get Data Streams API in 8.19
and 9.1 (see https://github.com/elastic/elasticsearch/pull/122486), so
if Kibana 8.19 is run with ES 9.0, the index mode is always displayed as
"Standard" because ES doesn't return an index mode field.
In this PR, we separate all index mode-related tests into a separate
file, and only run it for ES versions 8.19 or 9.1+.
This was also fixed for functional tests in
https://github.com/elastic/kibana/pull/223129
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Adds a recommended query for the `CATEGORIZE` function in ES|QL.
Adds keyword highlighting for the patterns and the ability to open a new
Discover tab to filter for docs which match the selected pattern.
https://github.com/user-attachments/assets/9ed8c5b0-7e92-4cc8-88dd-cb7749b5ffd3
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
## Summary
Multi space monitors !!
Fixes https://github.com/elastic/kibana/issues/164294
User will be able to choose in which space monitors will be available !!
<img width="1728" alt="image"
src="https://github.com/user-attachments/assets/f01ac226-ed54-4e96-b6f4-27f0134a9be5"
/>
### Technical
This is being done by registering another saved object type and for
existing monitors it will continue to work as right now but for newly
created monitors user will have ability to specify spaces or choose
multiple spaces or all.
### Testing
1. Create few monitors before this PR in multiple spaces
2. Create multiple monitors in multiple spaces after this PR
3. Make sure filtering, editing and deleting, creating works as expected
on both set of monitors
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Make it easier to debug topological plugin order errors by including the
exact cycle/s causing the issue in the error message:

Previous error message:
```
Error: Topological ordering of plugins did not complete, these plugins have cyclic or missing dependencies:
["discover","esql","canvas","crossClusterReplication","discoverEnhanced","indexLifecycleManagement","logstash","monitoring","observabilityAiAssistantManagement","remoteClusters","reporting","rollup","contentConnectors","dataQuality","datasetQuality","fleet","indexManagement","ml","osquery","streamsApp","apm","exploratoryView","infra","inventory","observability","observabilityAIAssistantApp","observabilityLogsExplorer","observabilityOnboarding","streamsAppWrapper","slo","synthetics","uptime","ux","enterpriseSearch","searchAssistant","searchIndices","searchInferenceEndpoints","searchPlayground","cloudSecurityPosture","elasticAssistant","securitySolution","securitySolutionEss"]
```
New error message tells you exactly where the cycle is:
```
Error: Topological ordering of plugins did not complete due to circular dependencies:
Detected circular dependencies:
discover -> elasticAssistant -> ml -> discover
Plugins with cyclic or missing dependencies: ["discover","esql","canvas","crossClusterReplication","discoverEnhanced","indexLifecycleManagement","logstash","monitoring","observabilityAiAssistantManagement","remoteClusters","reporting","rollup","contentConnectors","dataQuality","datasetQuality","fleet","indexManagement","ml","osquery","streamsApp","apm","exploratoryView","infra","inventory","observability","observabilityAIAssistantApp","observabilityLogsExplorer","observabilityOnboarding","streamsAppWrapper","slo","synthetics","uptime","ux","enterpriseSearch","searchAssistant","searchIndices","searchInferenceEndpoints","searchPlayground","cloudSecurityPosture","elasticAssistant","securitySolution","securitySolutionEss"]
```
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [X] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jean-Louis Leysens <jeanlouis.leysens@elastic.co>
## Summary
Part of https://github.com/elastic/kibana-team/issues/1503
This PR is mostly about moving osquery cypress dir with
security-solution imports
```
x-pack/test/osquery_cypress
```
After:
```
x-pack/solutions/security/test/osquery_cypress
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Silences SASS module usage warnings around the deprecated `@import`
statements.
While the sass/scss owner teams are migrating these usages, the dev
server is clogged up with deprecation warnings. It's probably best to
disable it, because it's annoying to everyone and not necessarily to the
owners.
## [Attack discovery] Optionally update the `kibana.alert.workflow_status` of alerts associated with Attack discoveries
This PR introduces a new UI to optionally update the `kibana.alert.workflow_status` of alerts associated with Attack discoveries, as illustrated by the animated gif below:

Users may (optionally) update all alerts for a single attack discovery, or just update the discovery itself:

When multiple attack discoveries are selected, users may also (optionally) update the status of all their related alerts via the bulk action menu:

### Alert document enhancements
Attack discoveries generated via the Attack discovery page, and scheduled Attack discoveries (generated via the alerting framework), are persisted as alert documents.
To support the new UI, this PR populates Attack discovery alert documents with two additional (existing, but unused by Attack discovery) alert document fields:
1) `kibana.alert.start` - timestamp when Attack discoveries are created
2) `kibana.alert.workflow_status_updated_at` - timestamp when the `kibana.alert.workflow_status` was last updated
This PR introduces three new alert document fields to capture metadata about when alerts are updated. Attack discovery is the first implementation to use these new fields, however any consumer of the alerting framework may utilize them in the future:
1) `kibana.alert.updated_at` - timestamp when the alert was last updated
2) `kibana.alert.updated_by.user.id` - user id of the user that last updated the alert
3) `kibana.alert.updated_by.user.name` - user name of the user that last updated the alert
The three new alert fields above are updated when Attack discovery users update:
- The `kibana.alert.workflow_status` status of Attack discoveries
- The visibility (sharing) status of Attack discoveries (`kibana.alert.attack_discovery.users`)
The three new fields above were added to the [alert_field_map](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts) and [alert_schema](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts).
Using the `default` space as an example, the fields above may be observed in the `.adhoc.alerts-security.attack.discovery.alerts-default` data stream for Attack discoveries generated on the Attack discovery page, and scheduled discoveries for the same space are found in the `.alerts-security.attack.discovery.alerts-default` data stream.
### @timestamp updated when sharing status changes
To ensure newly-shared Attack discoveries are bumped to the top of search results, the `@timestamp` field is updated when the visibility (sharing) status of Attack discoveries (`kibana.alert.attack_discovery.users`) is updated.
(The original time an Attack discovery was generated is represented by the `kibana.alert.start` field, which is not mutated.)
### Visibility menu changes
This PR disables the visibility menu items for shared Attack discoveries, as illustrated by the screenshot below:

The disabled menu has a tooltip that reads:
```
The visibility of shared discoveries cannot be changed
```
Note: The internal Attack discovery bulk API still (intentionally) allows changes to the visibility of shared attack discoveries.
### `kibana.alert.workflow_status` added to default `Alerts` tab columns
The `kibana.alert.workflow_status` field was added to default `Alerts` tab columns, as illustrated by the screenshot below:

### Summary of field updates
The following table describes when fields are updated (via this PR):
| Field | Updated when | Description |
|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
| `kibana.alert.start` | - Attack discoveries are created | timestamp when Attack discoveries are created |
| `kibana.alert.workflow_status_updated_at` | - Workflow status (`kibana.alert.workflow_status`) is updated | timestamp when `kibana.alert.workflow_status` was last updated |
| `kibana.alert.updated_at` | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | timestamp when the alert was last updated |
| `kibana.alert.updated_by.user.id` | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | user id of the user that last updated the alert |
| `kibana.alert.updated_by.user.name` | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | user name of the user that last updated the alert |
| `@timestamp` | - Attack discoveries are created<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | ECS [`@timestamp`](https://www.elastic.co/docs/reference/ecs/ecs-base#field-timestamp) field |
### Feature flags
The _required_ feature flag below is necessary to desk test with Ad hoc attack discoveries. The _recommended_ feature flag below enables testing with scheduled Attack discoveries.
### required: `securitySolution.attackDiscoveryAlertsEnabled`
Enable the required `securitySolution.attackDiscoveryAlertsEnabled` feature flag in `config/kibana.dev.yml`:
```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
```
### recommended: `securitySolution.assistantAttackDiscoverySchedulingEnabled: true`
Also enable the recommended `assistantAttackDiscoverySchedulingEnabled` feature flag in `config/kibana.dev.yml`:
```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
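The update rules from the "Summary of field updates" table in the description above, modelled as an added example (not code from the PR or from Kibana). The function names, the sample users and timestamps, and the initial `open` status are assumptions made for illustration; `auditTransition` compares two versions of a discovery document and reports any change that does not match the table.

```javascript
// Added example: models the "Summary of field updates" table. Not Kibana code;
// every function name is hypothetical and all sample values are constructed.
const START = 'kibana.alert.start';
const STATUS = 'kibana.alert.workflow_status';
const STATUS_AT = 'kibana.alert.workflow_status_updated_at';
const UPDATED_AT = 'kibana.alert.updated_at';
const BY_ID = 'kibana.alert.updated_by.user.id';
const BY_NAME = 'kibana.alert.updated_by.user.name';
const USERS = 'kibana.alert.attack_discovery.users';
const TS = '@timestamp';

// Creation sets kibana.alert.start and @timestamp.
function createDiscovery(id, now, users) {
  return { id, [START]: now, [TS]: now, [STATUS]: 'open', [USERS]: users };
}

// Both kinds of update stamp the three "updated" fields.
function stampUpdate(doc, user, now) {
  return { ...doc, [UPDATED_AT]: now, [BY_ID]: user.id, [BY_NAME]: user.name };
}

// Workflow status change: also sets workflow_status_updated_at; @timestamp stays.
function updateWorkflowStatus(doc, status, user, now) {
  return { ...stampUpdate(doc, user, now), [STATUS]: status, [STATUS_AT]: now };
}

// Sharing change: also bumps @timestamp so the discovery sorts to the top.
function updateSharing(doc, users, user, now) {
  return { ...stampUpdate(doc, user, now), [USERS]: users, [TS]: now };
}

const same = (a, b) => JSON.stringify(a) === JSON.stringify(b);

// Compare two versions of one document and report departures from the table.
// Timestamps are ISO 8601 UTC strings, so string comparison orders them.
function auditTransition(before, after) {
  const problems = [];
  const statusChanged = before[STATUS] !== after[STATUS];
  const sharingChanged = !same(before[USERS], after[USERS]);
  if (before[START] !== after[START]) problems.push(`${START} was mutated`);
  if (statusChanged && !(after[STATUS_AT] > (before[STATUS_AT] || ''))) {
    problems.push(`${STATUS} changed without ${STATUS_AT} advancing`);
  }
  if (sharingChanged && !(after[TS] > before[TS])) {
    problems.push(`${USERS} changed without ${TS} advancing`);
  }
  if (!sharingChanged && before[TS] !== after[TS]) {
    problems.push(`${TS} changed without a sharing update`);
  }
  if (statusChanged || sharingChanged) {
    if (!(after[UPDATED_AT] > (before[UPDATED_AT] || ''))) {
      problems.push(`${UPDATED_AT} did not advance`);
    }
    if (!after[BY_ID] || !after[BY_NAME]) problems.push('updated_by user is missing');
  }
  return problems;
}

// Ids of the documents ordered newest-first on @timestamp.
function newestFirst(docs) {
  const byTsDesc = (a, b) => (a[TS] < b[TS] ? 1 : a[TS] > b[TS] ? -1 : 0);
  return [...docs].sort(byTsDesc).map((d) => d.id);
}

function demo() {
  const analyst = { id: 'u-1', name: 'analyst' }; // constructed user
  // Constructed values; the real shape of the users field is not shown above.
  const a0 = createDiscovery('a', '2025-06-01T10:00:00.000Z', ['analyst']);
  const b0 = createDiscovery('b', '2025-06-01T11:00:00.000Z', ['analyst']);
  const a1 = updateWorkflowStatus(a0, 'acknowledged', analyst, '2025-06-01T12:00:00.000Z');
  const a2 = updateSharing(a1, ['analyst', 'teammate'], analyst, '2025-06-01T13:00:00.000Z');
  const tampered = { ...a2, [STATUS]: 'closed' }; // status edited with no audit stamps
  return {
    startPreserved: a2[START] === a0[START],
    orderAfterStatus: newestFirst([a1, b0]), // status change does not reorder
    orderAfterShare: newestFirst([a2, b0]), // sharing change moves 'a' to the top
    clean: [...auditTransition(a0, a1), ...auditTransition(a1, a2)],
    flagged: auditTransition(a2, tampered),
  };
}
```
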
## Summary
This PR pulls the latest changes from Elasticsearch's ES|QL
documentation and updates the ESQL docs. It also adds new ES|QL docs for:
- KQL
- TO_DATE_NANOS
Test results:
```
Model gpt-4o scored 27.700000000000003 out of 30
-------------------------------------------
-------------------------------------------
Model gpt-4o scores per category
- category: ES|QL commands and functions usage - scored 12 out of 13
- category: ES|QL query generation - scored 12.200000000000003 out of 13
- category: SPL to ESQL - scored 3.5 out of 4
-------------------------------------------
Model gpt-4o scored 25.300000000000004 out of 30
-------------------------------------------
-------------------------------------------
Model gpt-4o scores per category
- category: ES|QL commands and functions usage - scored 10.3 out of 13
- category: ES|QL query generation - scored 11.500000000000002 out of 13
- category: SPL to ESQL - scored 3.5 out of 4
-------------------------------------------
-------------------------------------------
Model gpt-4o scored 26.300000000000004 out of 30
-------------------------------------------
-------------------------------------------
Model gpt-4o scores per category
- category: ES|QL commands and functions usage - scored 10.8 out of 13
- category: ES|QL query generation - scored 11.700000000000003 out of 13
- category: SPL to ESQL - scored 3.8 out of 4
Model gpt-4o scored 27.500000000000004 out of 30
-------------------------------------------
-------------------------------------------
Model gpt-4o scores per category
- category: ES|QL commands and functions usage - scored 12 out of 13
- category: ES|QL query generation - scored 11.700000000000003 out of 13
- category: SPL to ESQL - scored 3.8 out of 4
```
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
# Overview
Adds the initial privileged users table within the Privileged user
monitoring page.
Currently, this table shows:
- The user's risk score
- The user's asset criticality
- The data source that determined the privileged user
- The number of alerts associated with that privileged user in the
specified time range, along with its distribution
<img width="1310" alt="Screenshot 2025-06-24 at 3 41 17 PM"
src="https://github.com/user-attachments/assets/4093892d-896c-4ba9-a585-ad955f5661b7"
/>
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Disables features under Application for serverless-essentials.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
This PR moves the `chart_settings_popover` and `field_selections` to
`~security_solution/public/detections/components/alerts_kpis` since they
are used exclusively by the KPI charts. These were left out in the
original folder reorg effort in
https://github.com/elastic/kibana/pull/189234
### Checklist
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
The `isSampleDataSetInstalled` function had an inefficient code pattern.
It uses `testSubjects.find()`, which has a 10 second default timeout.
When the sample data card doesn't exist, this call waits for 10 seconds
before failing, which slows down the `retry.waitFor` loop (20 second
timeout) in `addSampleDataSet` and tended to cause the entire test to
time out.
Closes https://github.com/elastic/kibana/issues/220053
## Summary
The PR adds code for displaying the visualisations for the key insights
panel of the Privileged user monitoring dashboard.
It comprises 6 tiles.
1. Active Privileged Users
2. Alerts Triggered
3. Anomalies Detected
4. Granted Rights
5. Account Switches
6. Authentications
All the tiles have been created using the Lens visualisation for ease of
use and also to streamline visualisations across the security solution.
Screenshots :
Privileged User Monitoring Dashboard

Lens visualisation for a tile :

### Adding Data for desk testing :
1. On the `main` branch of "The Data Yeeter"
(https://github.com/elastic/security-documents-generator/), run `yarn
start privileged_access_detection`. This primarily adds data for
anomalies.
2. Then on the same `main` branch, run `yarn start
privileged_user_monitoring`. This will add data for the privileged user
index
3. On the dev console execute the following :
```
POST kbn:/api/entity_analytics/monitoring/engine/init
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "john.smith"}
}
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "stacy_armstrong"}
}
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "john_smith"}
}
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "randy.carlisle"}
}
POST kbn:/api/entity_analytics/monitoring/users
{
"user": {"name": "root"}
}
```
### Testing Steps :
1. Enable privilegedUserMonitoring feature flag.
2. Navigate to entity_analytics/privileged_user_monitoring page
3. Click on "Go to Dashboards" on the top left corner.
4. You will be able to see the tiles with name and number.
5. Click on the three dots when the cursor is hovered over the tile and
click on Inspect to check the query executed, click on More -> Open in
Lens to check if the tile opens up fine in the Lens visualisation link.
6. Check the data view in the Lens visualisation. For anomalies, the
data view should be `.ml-anomalies-*`. For others it would either be
`.alerts-*` or `logs-*`.
### Not part of this PR :
1. The trendline on the tile did not work as I am yet to figure out a
way, if it exists, to show a trendline with an ES|QL query, as it works fine
with KQL queries but similar Lens attributes do not function.
2. Load testing where the local environment does not have much data to
show.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: jaredburgettelastic <jared.burgett@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Resolves https://github.com/elastic/kibana/issues/212091
## Summary
Updates alerting snapshot telemetry to capture data about number of
backfill executions and gap durations from the event log index.
## To Verify
1. Reduce the cadence of the usage collector task
```
--- a/x-pack/platform/plugins/shared/alerting/server/usage/task.ts
+++ b/x-pack/platform/plugins/shared/alerting/server/usage/task.ts
@@ -31,7 +31,7 @@ import { MAINTENANCE_WINDOW_SAVED_OBJECT_TYPE } from '../../common';
export const TELEMETRY_TASK_TYPE = 'alerting_telemetry';
export const TASK_ID = `Alerting-${TELEMETRY_TASK_TYPE}`;
-export const SCHEDULE: IntervalSchedule = { interval: '1d' };
+export const SCHEDULE: IntervalSchedule = { interval: '5m' };
```
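Review bot: the `+` line sets `SCHEDULE` to `{ interval: '5m' }` in the exported constant itself, so if this verification edit is committed the `alerting_telemetry` task interval changes from one day to five minutes for everything built from the tree. Treat it as a local-only change and revert it once verification is done; a comment next to the constant stating that `'1d'` is the intended value would make an accidental commit easier to catch in review.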
2. Enable the gap detection feature flag
```
--- a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts
@@ -191,7 +191,7 @@ export const allowedExperimentalValues = Object.freeze({
/**
* Enables the storing of gaps in the event log
*/
- storeGapsInEventLogEnabled: false,
+ storeGapsInEventLogEnabled: true,
```
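Review bot: the `+` line flips `storeGapsInEventLogEnabled` to `true` inside the frozen `allowedExperimentalValues` defaults, which turns the feature on by default rather than for one test environment. Keep this as a local edit that is not committed, and say in the step that the `false` default must be restored after verification.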
3. Start Kibana and create a detection rule and let it run once.
4. Stop Kibana for a period of time (at least 3 times the rule
interval).
5. Restart Kibana and navigate to
`https://localhost:5601/app/security/rules/id/<ruleId>`. Under the
`Execution Results` tab, you should see a section for `Gaps` and `Manual
runs`. When the rule runs again, you should see an entry under `Gaps`
with an action to `Fill gaps`. Click the action to fill the gaps.
<img width="2250" alt="Screenshot 2025-05-29 at 5 41 24 PM"
src="https://github.com/user-attachments/assets/a08455d0-8c54-4170-831b-3dedf6932fe7"
/>
6. Verify that the next time the usage collection task runs, you should
see data for backfill executions and gaps. You can see this in the Dev
Console using
```
POST kbn:/internal/telemetry/clusters/_stats?apiVersion=2
{ "unencrypted": true, "refreshCache": true }
```
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Fixes https://github.com/elastic/security-team/issues/8934
Summarize your PR. If it involves visual changes include a screenshot or
gif.
This PR enables the Security AI assistant to be used globally - i.e. if
you are outside of the security solution (e.g. Discover), the Security
Assistant can still be opened.
Changes:
- A public module has been added to the elastic-assistant plugin
(previously it was a server-side-only plugin).
- The vast majority of the assistant (flyout and nav bar) has been moved
into the new elastic-assistant public plugin.
- Comment actions & message augmentations remain within the
security-solution.
- A new public plugin was created called elastic-assistant-shared-state.
This plugin is used to share state between the elastic-assistant public
plugin and other plugins (e.g. security-solution).
- For example, the security solution registers comment actions in the
elastic-assistant-shared-state plugin. The elastic-assistant public
plugin then reads the comment actions from
elastic-assistant-shared-state and renders them in the assistant flyout.

### Considerations:
- Currently, the Security AI assistant is being displayed everywhere
except the observability solution (see implementation
[here](https://github.com/elastic/kibana/pull/223936/files#diff-5dd1ea91c2d5d242203cc58ee59ec283116e5e739ed82bae4e2cd78af322150c)).
This is only for testing while the PR is in review. We plan to add a
setting to the stack management that allows the user to configure where
they would like the assistant to be shown. This will be changed before
the PR is merged.
## How to test
Feel free to use the cloud and serverless deployments created by the CI
pipeline for testing. Credentials can be found on Buildkite.
### Verify that the Security AI assistant works as expected within the security solution
Expect there to be no changes in how the security AI assistant works
within the Security Solution. Please do some exploratory testing to make
sure nothing has changed.
Start the branch locally and go to http://localhost:5601/app/security/
Things to test:
- Does the assistant open?
- Can I send an alert to the assistant from the alerts page?
- Does the assistant display code blocks correctly?
- Does the assistant display ESQL correctly (can I view the ESQL in the
timeline)?
- Do assistant messages have the correct comment actions? Do the comment
actions work?
- Are conversations displayed correctly?
- Do citations work?
- Does the assistant work in serverless? Does the assistant work as
expected in AI4SOC?
- Do quick prompts work?
- Can you select a system prompt for a new convo?
- Can you send alerts to the Security AI assistant?
- AI assistant in a space that has Security disabled.
- Does attack discovery work?
AI assistant open in Discover app:
<img width="1841" alt="image"
src="https://github.com/user-attachments/assets/0a13a100-d192-4fa4-b395-0951452e14c2"
/>
AI assistant in Security solution:
<img width="1841" alt="image"
src="https://github.com/user-attachments/assets/7ed38f37-79de-41a7-a80f-8b96147bfdf6"
/>
### Verify the Security AI assistant works in Discover (or anywhere outside of the Security solution)?
Head over to http://localhost:5601/app/discover. Note that some
functionality is removed when using the AI assistant outside of
security:
- Only the "copy" comment action appears on messages.
- Code block augmentations (i.e. the button that opens ESQL inside of
the timeline) don't appear.
Things to test:
- Does the security AI assistant button appear in the nav bar?
- Can you open the security AI assistant?
- Are you able to send messages?
- Are conversations appearing as expected?
- Can you close the assistant?
- Do citations work?
- Can you switch to a different solution while the assistant is open?
Security AI assistant open in AI4SOC Discover:
<img width="1841" alt="image"
src="https://github.com/user-attachments/assets/36537b9b-e945-459e-ac13-43e9444e92b7"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [X] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [X] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [X] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
With these changes we add Case Action support to Attack Discovery
Schedule rule types.
Attack discovery alerts act differently from SIEM alerts and include the
reference to the list of SIEM alerts that led to the attack - described
within the attack discovery alert document. Thus, we would like to
attach referenced SIEM alerts instead of the attack alert document
itself to the created Case. Also, as part of the Case creation we would
like to be able to add a comment generated by LLM that describes steps
and nuance of the discovery.
## NOTES
The attack discovery scheduling feature is hidden behind the feature
flag (in `kibana.dev.yml`):
```
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com>
Fixed some issues found with the privileged access detection heatmap.
- Fixed an issue when multiple joined results per user come back from
privileged access detection anomalies "top users" query.
- Fixed an emotion CSS issue where I imported the wrong module
## Summary
- Implements traversal of `source` node children (string literals), like
`a` and `b` in `FROM a:b`. Before `a` and `b` would not be traversed.
- Implements traversal of `order` nodes, like `field DESC` in `FROM a |
SORT field DESC`. Before the `field DESC` would be skipped.
- Adds tests, which verify that all nodes in the query are traversed by
the `Walker`, see `walker_all_nodes.test.ts`.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
This PR introduces a new Search Home page.
Currently, the homepage experience differs across Classic nav, Solution
nav, and Serverless. Our goal is to unify these into a consistent,
foundational experience that we can iterate on to create a more
personalized and customizable homepage for Elasticsearch users.
The new page includes:
- An option to connect to Elasticsearch
- File upload and sample dataset ingestion
- Entry points to explore Elastic’s AI Search capabilities
- Quick access to Observability and Security solutions
- Links to Search Labs, Python notebooks, and Elasticsearch
documentation
https://github.com/user-attachments/assets/7b1b5330-59b4-43b7-aa5b-000fcd2654e2
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
Co-authored-by: Rodney Norris <rodney@tattdcodemonkey.com>
## Summary
This closes #224982
Asset Inventory relies on the `entity.id` field as a unique identifier
for visualizations, grouping, filtering, and flyout functionality.
Currently, documents missing this field are included in the results,
leading to noise, broken interactions, and misleading asset entries.
This PR implements filtering within the Asset Inventory fetchers and UI
components to ensure that only valid documents with `entity.id` are
processed and displayed.
### Screenshot
**Before**
Unexpected behaviour in the Inventory page due to empty `user.name`
<img width="2162" alt="Image"
src="https://github.com/user-attachments/assets/18131bfc-c05e-4165-ab86-fea03b0a1c49"
/>
**After:**
<img width="1985" alt="image"
src="https://github.com/user-attachments/assets/0a3ca7de-b237-4d97-b62c-6fbd665e8cc5"
/>
Closes https://github.com/elastic/kibana/issues/224084
This improves the knowledge base retrieval by rewriting the user prompt
before querying Elasticsearch. The LLM is asked to rewrite the prompt
taking into account screen description and conversation history. We then
use the LLM-generated prompt as the search query.
Other changes:
- Remove `screenContext` from being used verbatim as ES query. This was
causing noise and leading to bad results
- Take conversation history into account: with query rewriting, the LLM
has access to the entire conversation history. This context will be
embedded into the generated prompt alongside screen context
---------
Co-authored-by: Viduni Wickramarachchi <viduni.ushanka@gmail.com>
## Summary
Updates `security-ai-prompts` README to include instructions on how to
update kibana/integrations
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Fixes https://github.com/elastic/kibana/issues/222575
## Summary
Ensure package policy names are unique when moving across spaces. The
check applies to any integration (not only Defend), but it's only applied
when moving a policy from one space to another, not when creating a new
policy.
### Testing
- Ensure to have space awareness enabled
- In `default` space, create an agent policy and add a package policy to
it with name `defend1`
- In a second space `space1`, create an agent policy and add a package
policy to it with same name `defend1`
- Try to update the settings of this agent policy changing the space to
'default' - you should get an error `an integration policy with name
"defend" already exists. Please rename it or choose a different name.`
### Checklist
Check the PR satisfies following conditions.
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
# Overview
This pull request enables the Security Entity Analytics Privileged user
monitoring feature. This feature has many accompanying PRs, that have
until now been kept behind an experimental feature flag. The feature is
currently slated to ship as a Technical Preview.
Instead of removing the feature flag, we will be allowing for a
"disabled" version of the experimental flag, which allows this feature
to remain disabled in Serverless, until fully tested during the 9.1
release cycle. Disabling in Serverless is accomplished via setting the
configuration to disabled in the `config/serverless.security.yml` file.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This PR adds a management page to the current privmon dashboard to
facilitate adding data sources *after* the initial onboarding flow
---------
Co-authored-by: jaredburgettelastic <jared.burgett@elastic.co>
Co-authored-by: Pablo Machado <pablo.nevesmachado@elastic.co>
## Summary
- Implements the flyout to schedule reports
- Adds a Schedules table to the Stack Management > Reporting page to
view schedules
- Updates the Reports table to show information about scheduled reports
<details>
<summary>
## Verification steps
</summary>
### 🐞 Happy Path
- Add the following configuration to your Kibana config file
```
notifications.connectors.default.email: gmail
xpack.actions.preconfigured:
  gmail:
    name: 'email: my gmail'
    actionTypeId: '.email'
```
- Log in as an admin user or user with Reporting privileges and a
license != `basic`
- If you don't have data in Kibana, navigate to Home > Try sample data
and activate a sample data set
- Create a Dashboard or Discover session
- Open the ⬇️ (Export) menu in the toolbar
- Click `Schedule export`
- Schedule reports with different combinations of file name, export
type, recurrence schedule and email notification settings
- Navigate to Stack Management > Reporting
- Check that the scheduled reports match the displayed items in the
Reports and Schedules tabs (⚠️ some jobs might not have started because
of the recurrence rule so you might not find the reports immediately)
### ⚡️ Edge Cases
Missing default notifications email connector
- Start Kibana without the default email connector from point n.1 of the
happy path
- When trying to schedule a report, the flyout should show a callout
informing the user about the missing email connector
Unmet prerequisites
- Start ES with any of the following flags: `-E
xpack.security.enabled=false` or `-E
xpack.security.authc.api_key.enabled=false`
- The `Schedule export` button should not appear in the Export menu
Unsupported license
- Log in as a user with a basic license or without capabilities to
generate reports
- The `Schedule export` button should not appear in the Export menu
Users without `Manage Scheduled Reports` privilege
- Create a role with sufficient privileges to access and export any
object type (Dashboards, Discover, ...), do not grant the `Manage
Scheduled Reports` privilege (under `Stack Management`)
- Create a user with this role, _without an email address_
- Open the Schedule export flyout
- Check that the `Send by email` field is disabled, showing a hint about
the user profile missing an email address
- Add an email address to the user (for the changes to take effect you
might have to renew the session, logging back in)
- Check that the `Send by email` toggle is now enabled
- Check that when toggling email notifications on, the `To` field is
disabled and precompiled with the user's email address
Flyout form validation
- `File name` should be required
- `To` should not allow to insert invalid email addresses
- `To` should not allow to insert unallowed email addresses (not in
allowlist)
- Recurrence subform should show presets based on the current datetime
### ❌ Failure Cases
</details>
<details>
<summary>
## Known issues
</summary>
- PDF print option is not displayed in readOnly mode
- Console error due to `compressed` attribute wrongly forwarded by
form-hook-lib to DOM element (this is likely a form lib issue):
<img width="916" alt="image"
src="https://github.com/user-attachments/assets/09d20ba9-8781-46d6-bcfa-862d8a4cbf90"
/>
- Email validation errors accumulate instead of replacing the previous
one (again looks like a form lib issue):
https://github.com/user-attachments/assets/f2dc7a46-a3a9-465d-b8a1-3187b200f9b9
</details>
<details>
<summary>
## Screenshots
</summary>
Health API error:
<img height="500" alt="Screenshot 2025-05-31 at 10 48 40"
src="https://github.com/user-attachments/assets/dd069597-971c-489f-9c07-eb5edfd7bede"
/>
Health API loading state:
<img height="500" alt="Screenshot 2025-05-31 at 10 49 04"
src="https://github.com/user-attachments/assets/27d95bf3-bf7d-42c7-9a40-2826f38aa837"
/>
Health API success with some missing prerequisites:
<img width="449" alt="Screenshot 2025-06-17 at 16 59 57"
src="https://github.com/user-attachments/assets/c44afa97-70ff-4618-8b73-41b816514459"
/>
Form validation:
<img height="500" alt="image"
src="https://github.com/user-attachments/assets/a8d4cae1-2819-4f71-a911-9300a6cf81f8"
/>
Success toast:
<img width="480" alt="image"
src="https://github.com/user-attachments/assets/a87c3af5-dbb0-40e8-915a-fc9d7e1d97f2"
/>
Failure toast:
<img width="518" alt="image"
src="https://github.com/user-attachments/assets/908f9dea-b5cb-4da9-b4a5-76e313837f18"
/>
Print format toggle:
<img width="502" alt="image"
src="https://github.com/user-attachments/assets/602f3ab9-07ef-4689-a305-dc1b2b5495cd"
/>
Missing notifications email connector callout:
<img width="499" alt="image"
src="https://github.com/user-attachments/assets/fe4997a5-75e6-4450-85e5-7d853049e085"
/>
User without `Manage Scheduled Reports` privilege and without email
address in profile
<img width="492" alt="Screenshot 2025-06-23 at 14 51 07"
src="https://github.com/user-attachments/assets/e0867b7b-3358-4cf0-8adf-c141a1ded76f"
/>
User without `Manage Scheduled Reports` privilege with email address in
profile
<img width="498" alt="image"
src="https://github.com/user-attachments/assets/c45a0c31-cac7-4acb-b068-b3cfc02aac68"
/>
</details>
## Release Notes
Added the ability to schedule reports with a recurring schedule and view
previously scheduled reports
## References
Closes #216321
Closes #216322
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Eyo O. Eyo <7893459+eokoneyo@users.noreply.github.com>
Co-authored-by: Janki Salvi <117571355+js-jankisalvi@users.noreply.github.com>
Co-authored-by: Janki Salvi <jankigaurav.salvi@elastic.co>
## Summary
Updates the logic around the test cases generator to allow for adding
cases to additional environments
example to test:
```
yarn generate:cases -c 1000 -o securitySolution
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
# Summary
This PR introduces support for populating the Privileged Users index
from custom data sources (Elasticsearch indices) by querying Privileged
User Monitoring Saved Objects from a Kibana task.
[Related Issue](https://github.com/elastic/security-team/issues/12289)
[Figma
Breakdown](https://www.figma.com/board/yBr1pBDGu4JqNxb5ZrULtk/MonEntitySourceSyncTask?node-id=0-1&p=f&t=q52ABMD5MLX0uGj1-0)
Working from the _"Synchronize Privileged User index based on configured
Entity Sources"_ section, to the right.
### ✅ Implemented
* Registered the temporary type and mappings
* Created a Descriptor Client that saves it via soClient.create()
* Called Descriptor Client create method from PrivMon initialisation.
* Testing above default Saved Object creation within PrivMon
Initialisation
* Update the entity_analytics:monitoring:privileges:engine task to:
* Read all Saved objects of index type
* query user.name values from given indexPattern
* Apply any filters or matchers defined in the Saved Object
* Insert matched user.names into
.entity_analytics.monitoring.users-<space> with source type index.
* Cleanup logic:
* Target pattern does not exist, log warning and continue task
* Failures will be caught and do not interrupt task loop
* Remove previously stored user.names with source type index, that are
no longer present.
* Component Testing
### 🚧 Wish List
* Pull out sync functions from privilege monitoring data client into
their own sync service class / similar
  * Currently in the data client, they should not be on this layer.
* Update GET and DELETE methods with dynamic id's for monitoring data
client as per [this
ticket](https://github.com/elastic/security-team/issues/12851)
# How to Test
- Pull branch into local machine
- Security experimental flag enable: 'privilegeMonitoringEnabled'
- Start up Elasticsearch and Kibana
**1. Optional - create the default index, this should just skip if you
don't make it.**
```
POST entity_analytics.privileged_monitoring/_doc
{
"user": {
"name": "default name"
}
}
```
**2. Create test index/indices**
```
POST tatooine-/_bulk
{ "index": {} }
{ "user": { "name": "Luke Skywalker" } }
{ "index": {} }
{ "user": { "name": "Leia Organa" } }
{ "index": {} }
{ "user": { "name": "Han Solo" } }
{ "index": {} }
{ "user": { "name": "Chewbacca" } }
{ "index": {} }
{ "user": { "name": "Obi-Wan Kenobi" } }
{ "index": {} }
{ "user": { "name": "Yoda" } }
{ "index": {} }
{ "user": { "name": "R2-D2" } }
{ "index": {} }
{ "user": { "name": "C-3PO" } }
{ "index": {} }
{ "user": { "name": "Darth Vader" } }
```
**3. Register Monitoring Entity Source Saved Objects**
```
POST kbn:/api/entity_analytics/monitoring/entity_source
{
"type": "index",
"name": "StarWars",
"managed": true,
"indexPattern": "tatooine-",
"enabled": true,
"matchers": [
{
"fields": ["user.role"],
"values": ["admin"]
}
],
"filter": {}
}
```
**- OPTIONAL: You can check what is in the monitoring entity_source
SO:**
```
GET kbn:/api/entity_analytics/monitoring/entity_source/list
```
**4. Initialise monitoring engine:**
```
POST kbn:/api/entity_analytics/monitoring/engine/init
{}
```
**5. Verify Users in Monitoring Index**
- Check the list of synced users, should include:
  - The created users
  - The default user (if you created it)
```
GET kbn:/api/entity_analytics/monitoring/users/list
```
**e.g. output:**
```
[
{
"id": "FkMJoZcB7muj1aiwb_eQ",
"user": {
"name": "C-3PO",
"is_privileged": true
},
"labels": {
"sources": [
"index"
],
"source_indices": [
"tatooine-"
],
}
},
{
"id": "F0MJoZcB7muj1aiwb_eQ",
"user": {
"name": "Chewbacca",
"is_privileged": true
},
"labels": {
"sources": [
"index"
],
"source_indices": [
"tatooine-"
],
}
},
// ... more here
```
## Testing: Removing Stale Users
The engine should soft delete users from the internal index if they no
longer appear in the synced sources - e.g. label as
monitoring.privileged_users: "not_monitored"
**Example:**
- Delete users in index:
```
POST tatooine-/_delete_by_query
{
"query": {
"terms": {
"user.name.keyword": ["Chewbacca", "Han Solo"]
}
}
}
```
- re-run engine init
```
POST kbn:/api/entity_analytics/monitoring/engine/init
{}
```
- Fetch the updated user list:
```
GET kbn:/api/entity_analytics/monitoring/users/list
```
You should now see that both Chewbacca and Han Solo are no longer
privileged:
```
// ..
{
"id": "GUMJoZcB7muj1aiwb_eQ",
"user": {
"name": "Han Solo"
"is_privileged": false
},
"labels": {
"sources": [],
"source_indices": [],
}
}
]
```
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
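The sync loop listed under "Implemented" in the privileged user monitoring commit above (read index-type sources, apply matchers, upsert matched users, soft-delete stale ones), modelled in memory as an added example. This is not Kibana's code: the function names, the matcher semantics, the handling of unreadable sources and the sample documents are assumptions.

```typescript
// Added example: in-memory model of the index-source sync. Record shape follows the
// commit's sample output; function names, matcher semantics and data are hypothetical.
interface Matcher { fields: string[]; values: string[] }
interface EntitySource {
  type: string; name: string; indexPattern: string; enabled: boolean; matchers: Matcher[];
}
interface MonitoredUser {
  user: { name: string; is_privileged: boolean };
  labels: { sources: string[]; source_indices: string[] };
}
type Doc = { [key: string]: unknown };
type UserTable = { [name: string]: MonitoredUser };
// Resolve a dotted path such as "user.name" against a nested document.
function getPath(doc: Doc, path: string): unknown {
  let cur: unknown = doc;
  for (const part of path.split('.')) {
    if (typeof cur !== 'object' || cur === null) return undefined;
    cur = (cur as Doc)[part];
  }
  return cur;
}

// Assumption: no matchers selects all; else any listed field holding a listed value.
function matches(doc: Doc, matchers: Matcher[]): boolean {
  const hit = (m: Matcher) => m.fields.some((f) => {
    const v = getPath(doc, f);
    return typeof v === 'string' && m.values.indexOf(v) !== -1;
  });
  return matchers.length === 0 || matchers.some(hit);
}

function syncIndexSources(
  sources: EntitySource[],
  indices: { [pattern: string]: Doc[] }, // stand-in for Elasticsearch searches
  current: UserTable
): { users: UserTable; warnings: string[] } {
  const warnings: string[] = [];
  const unread: string[] = [];
  // user.name is untrusted data: null-prototype tables keep a name such as
  // "constructor" from resolving to an inherited Object.prototype member.
  const found: { [name: string]: string[] } = Object.create(null);
  for (const source of sources) {
    if (source.type !== 'index' || !source.enabled) continue;
    if (!Object.prototype.hasOwnProperty.call(indices, source.indexPattern)) {
      warnings.push(`index pattern "${source.indexPattern}" not found, skipping "${source.name}"`);
      unread.push(source.indexPattern);
      continue; // log and continue: one bad source must not stop the loop
    }
    for (const doc of indices[source.indexPattern]) {
      const name = getPath(doc, 'user.name');
      if (typeof name !== 'string' || !matches(doc, source.matchers)) continue;
      const seen = found[name] || (found[name] = []);
      if (seen.indexOf(source.indexPattern) === -1) seen.push(source.indexPattern);
    }
  }
  const users: UserTable = Object.create(null);
  for (const name of Object.keys(current)) {
    users[name] = JSON.parse(JSON.stringify(current[name])); // deep copy, input untouched
  }
  // Upsert every matched user with source type "index".
  for (const name of Object.keys(found)) {
    const rec = users[name] ||
      (users[name] = { user: { name, is_privileged: true }, labels: { sources: [], source_indices: [] } });
    rec.user.is_privileged = true;
    if (rec.labels.sources.indexOf('index') === -1) rec.labels.sources.push('index');
    rec.labels.source_indices = found[name];
  }
  // Soft-delete index-sourced users that no readable source returned.
  for (const name of Object.keys(users)) {
    const rec = users[name];
    if (name in found || rec.labels.sources.indexOf('index') === -1) continue;
    // Example design choice: an unreadable source is not evidence of removal.
    if (rec.labels.source_indices.some((p) => unread.indexOf(p) !== -1)) continue;
    rec.labels.sources = rec.labels.sources.filter((s) => s !== 'index');
    rec.labels.source_indices = [];
    rec.user.is_privileged = rec.labels.sources.length > 0;
  }
  return { users, warnings };
}

// Constructed sample: one readable source, one missing pattern, two prior users.
function runSample(): { users: UserTable; warnings: string[] } {
  const admin: Matcher[] = [{ fields: ['user.role'], values: ['admin'] }];
  const sources: EntitySource[] = [
    { type: 'index', name: 'StarWars', indexPattern: 'tatooine-', enabled: true, matchers: admin },
    { type: 'index', name: 'Missing', indexPattern: 'hoth-', enabled: true, matchers: [] },
  ];
  const indices: { [pattern: string]: Doc[] } = {
    'tatooine-': [
      { user: { name: 'Leia Organa', role: 'admin' } },
      { user: { name: 'Luke Skywalker', role: 'guest' } },
      { user: { name: 'constructor', role: 'admin' } },
    ],
  };
  const prior = (name: string, idx: string): MonitoredUser =>
    ({ user: { name, is_privileged: true }, labels: { sources: ['index'], source_indices: [idx] } });
  const previous: UserTable = { 'Han Solo': prior('Han Solo', 'tatooine-'), Yoda: prior('Yoda', 'hoth-') };
  return syncIndexSources(sources, indices, previous);
}
```

In the sample, Han Solo is soft-deleted because his readable source no longer returns him, while Yoda stays privileged because the `hoth-` pattern could not be read at all.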
This PR adds guidelines for designing Kibana HTTP APIs that are
terraform-provider developer friendly.
fix https://github.com/elastic/kibana/issues/224643
## Summary
Kibana doesn't have specific guidelines for designing HTTP APIs. With
increasing constraints, it's time to document what was previously tribal
knowledge.
Elasticsearch is far further along this road, and other teams have
compiled their own.
This document serves as guidelines to designing _public_ HTTP APIs that
are suitable for managing with Terraform.
## How to test this (recommended for easier reading)
- pull this PR
- setup
[`docs.elastic.dev`](https://docs.elastic.dev/docs/local-dev-docs-setup)
locally
- run `yarn dev` from `docs.elastic.dev`
- review the docs live!

### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
---------
Co-authored-by: florent-leborgne <florent.leborgne@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Closes https://github.com/elastic/kibana/issues/224294
### External team reviewers
@elastic/kibana-presentation team is working on "Dashboards as code"
project where we provide a human readable CRUD API for dashboards. Part
of this work is aligning dashboard client code with the shape of
dashboard server api. As such, we are changing the shape of `panels`
from a Map to an Array - to directly consume what is being returned from
the dashboard server api.
### PR Overview
The goal of this PR is to update dashboard client-side state `panels`
type to match the type from dashboard server api. The dashboard server
api returns panels as an Array, while the dashboard client-side logic is
expecting panels to be a Map keyed by panel id.
This type change required the following changes:
* Refactored dashboard client code to receive panels as an array and
return panels as an array. Biggest work is in layout_manager
`deserializeState` and `serializeState` methods.
* Remove `convertPanelsArrayToPanelSectionMaps` from
`loadDashboardState`. `convertPanelsArrayToPanelSectionMaps` performed 2
tasks
1) Convert panels array to map. This is no longer needed as now
dashboard client code accepts panels in its native shape from the
dashboard server api.
2) Move `id` and `title` fields into embeddable state. This is no longer
needed as now dashboard server api does this transform before sending
the dashboard to the client.
* Remove `convertPanelSectionMapsToPanelsArray` from
`getSerializedState`. `convertPanelSectionMapsToPanelsArray` performed 2
tasks.
1) Convert panels map into panels array. This is no longer needed as now
panels is provided to `getSerializedState` in the shape required for the
dashboard server api.
2) Lift `id` and `title` fields into top level panel state. This is
no longer needed as all embeddable state should remain under
`panelConfig`.
* Remove a bunch of code in `dashboard/common` as now the client and
server do not need to depend on shared logic as the client is much
simpler and no longer needs to transform the server response. Much of
this shared logic was copied into server saved object migrations in
https://github.com/elastic/kibana/pull/223980 but can now be removed
from common since it's no longer used in the client.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Issue: https://github.com/elastic/kibana/issues/216631
This PR adds a new priority called `normalLongRunning` that is slightly
lower than the normal task priority. This priority is applied to the
`attack-discovery` rule type. Unit and E2E tests are also added to
verify that the new priority is working as intended.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Closes https://github.com/elastic/kibana/issues/217508,
https://github.com/elastic/kibana/issues/217510,
https://github.com/elastic/kibana/issues/217521
This pull request introduces significant updates to the ML anomaly
detection utilities and components. The changes focus on improving
theme-aware severity color handling, refining severity thresholds, and
deprecating legacy severity-related utilities.
## New Anomalies filtering UX and Influencers badges:
<img width="1361" alt="image"
src="https://github.com/user-attachments/assets/0f7e0aa3-310f-4f59-95aa-f74c576d0f91"
/>
## New Single Metric Viewer base colors
<img width="929" alt="image"
src="https://github.com/user-attachments/assets/9b3e33cf-23b4-4163-b274-f911ef9321e4"
/>
### Theme-aware severity color handling:
* Added `useSeverityColor` hook and `getThemeResolvedSeverityColor`
utility to provide theme-aware severity colors, replacing legacy fixed
colors. These utilities ensure better integration with the EUI theme.
`x-pack/platform/packages/shared/ml/anomaly_utils/use_severity_color.ts`
* Deprecated legacy severity color constants (`ML_SEVERITY_COLORS`) and
methods (`getSeverityColor`) in favor of theme-aware alternatives.
`x-pack/platform/packages/shared/ml/anomaly_utils/severity_colors.ts`
`x-pack/platform/packages/shared/ml/anomaly_utils/get_severity_color.ts`
### Severity thresholds and ramp:
* Removed the legacy `ML_SEVERITY_COLOR_RAMP` constant and introduced
`getMlSeverityColorRampValue` utility to dynamically generate
theme-aware severity ramps.
`x-pack/platform/packages/shared/ml/anomaly_utils/severity_ramp.ts`
### Type and interface updates:
* Introduced a new `SeverityThreshold` type to represent severity
ranges, replacing the previous numeric severity representation in
`ExplorerAppState`.
`x-pack/platform/plugins/shared/ml/common/types/anomalies.ts`
`x-pack/platform/plugins/shared/ml/common/types/locator.ts`
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Resolves
https://github.com/elastic/streams-program/issues/206?issue=elastic%7Cstreams-program%7C317
This PR introduces a new Advanced Settings for enabling streams
significant events. It is disabled by default.
This PR also registers the rule regardless of the settings.
Using an Advanced Settings makes it easier for internal customers to
toggle the feature on serverless.
<img width="1495" alt="Screenshot 2025-06-17 at 11 15 11 AM"
src="https://github.com/user-attachments/assets/27023c52-20a9-476f-9dfd-d3b8b3f03e94"
/>
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Dario Gieselaar <dario.gieselaar@elastic.co>
This pull request updates the `.github/CODEOWNERS` file to revise
ownership assignments for several configuration files related to
serverless setups. The changes primarily involve adding or modifying
team ownership for specific files.
Ownership updates:
* Added ownership for `@elastic/kibana-security` to
`config/serverless.*.yml`, ensuring broader coverage for serverless
configuration files.
* Updated ownership for `config/serverless.oblt.complete.yml` and
`config/serverless.oblt.logs_essentials.yml` to include
`@elastic/kibana-security` alongside existing teams.
## Summary
Added a check that will prevent dispatches when either id or fallbacks
patterns are not provided.
The only thing I am not sure about is some kind of warning, we need to
log it somehow probably.
Closes https://github.com/elastic/kibana/issues/223156
## Testing
Flip the flag: `xpack.securitySolution.enableExperimental:
['newDataViewPickerEnabled']`
then try to investigate alert in timeline.
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
It fixes #217792 by having a consistent experience with the rule flyout.
### Resizable flyout:
- ✅ From the Apps on Create and Edit
- ✅ From the Rules page on Edit
### Full-page
- ✅ From the Rules page on Create
- ✅ From the Rule details page on Edit
# Backport
This will backport the following commits from `8.19` to `main`:
- [[Upgrade Assistant] Create actions column in Es deprecations
(#222346)](https://github.com/elastic/kibana/pull/222346)
- [[Upgrade Assistant] Change resolution column icons to filled
(#222764)](https://github.com/elastic/kibana/pull/222621)
- [[Upgrade Assistant] Add suggestions to resolution column
(#223113)](https://github.com/elastic/kibana/pull/222621)
- [[Upgrade Assistant] Update index unfreeze and read-only progress
strings (#223509)](https://github.com/elastic/kibana/pull/222621)
- [[Upgrade Assistant] Show single action button in ES
deprecations/Actions column
(#223576)](https://github.com/elastic/kibana/pull/223576)
- [[Upgrade Assistant] Create modal for setting to read-only and
unfreeze (#224525)](https://github.com/elastic/kibana/pull/224525)
- [[Upgrade assistant] Unify read-only copies
(#224532)](https://github.com/elastic/kibana/pull/224532)
- [[Upgrade Assistant] Small cosmetic fixes
(#224535)](https://github.com/elastic/kibana/pull/224535)
- [[Upgrade Assistant] Add manually resolve for follower readonly
(#224600)](https://github.com/elastic/kibana/pull/224600)
<!--- Backport version: 9.6.6 -->
### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)
<!--BACKPORT [{"author":{"name":"Sonia Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-09T11:00:42Z","message":"[Upgrade
Assistant] Create actions column in Es deprecations (#222346)\n\nFixes
https://github.com/elastic/kibana/issues/222035\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\nThis PR
is the first one for the enhancement in the ES deprecations\ntable in
Upgrade Assistant. This PR creates a new column called\n`Actions` and
moves the existing available actions in the `resolution`\ncolumn to it.
The icon and the flyout is the same. The status of the\nresolution still
gets updated in the `resolution` column.\n\nThe goal of this PR was that
no functionality or tests gets affected by\nthis changes (except the
unit test verifying that the entire row is\nclickable).\n\nNote: The
width of the columns is a little weird right now. It will\nadjust when
all columns have the expected content.\n\n### How to test\n\n* Follow
the instructions in\nhttps://github.com/elastic/kibana-team/issues/1521.
Use the data folder\nnamed `data_qaf_frozen` because it has the largest
variety of\ndeprecations.\nYou can also add some other deprecations by
replacing\n`x-pack/platform/plugins/private/upgrade_assistant/server/lib/es_deprecations_status/migrations.ts\n`
L272 with:\n````\nlet esDeprecations = (await
esClient.migration.deprecations()) as EsDeprecations;\nesDeprecations =
{\n ...esDeprecations,\n cluster_settings: [\n {\n level: 'warning',\n
message:\n 'Template patterns are no longer using `template` field, but
`index_patterns` instead',\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_indices_changes.html#_index_templates_use_literal_index_patterns_literal_instead_of_literal_template_literal',\n
details:\n 'templates using `template` field:
security_audit_log,watches,.monitoring-alerts,triggered_watches,.ml-anomalies-,.ml-notifications,.ml-meta,.monitoring-kibana,.monitoring-es,.monitoring-logstash,.watch-history-6,.ml-state,security-index-template',\n
resolve_during_rolling_upgrade: false,\n },\n {\n level: 'warning',\n
message: 'one or more templates use deprecated mapping settings',\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_indices_changes.html',\n
details:\n '{.monitoring-logstash=[Coercion of boolean fields],
.monitoring-es=[Coercion of boolean fields], .ml-anomalies-=[Coercion of
boolean fields], .watch-history-6=[Coercion of boolean fields],
.monitoring-kibana=[Coercion of boolean fields],
security-index-template=[Coercion of boolean fields]}',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n ilm_policies: {\n
myfreezepolicy: [\n {\n level: 'warning',\n message:\n \"ILM policy
[myfreezepolicy] contains the action 'freeze' that is deprecated and
will be removed in a future version.\",\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/master/frozen-indices.html',\n
details:\n 'This action is already a noop so it can be safely removed,
because frozen indices no longer offer any advantages. Consider cold or
frozen tiers in place of frozen indices.',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n },\n templates: {\n
mytemplate: [\n {\n level: 'critical',\n message:\n 'Configuring source
mode in mappings is deprecated and will be removed in future versions.
Use [index.mapping.source.mode] index setting instead.',\n url:
'https://github.com/elastic/elasticsearch/pull/117172',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n },\n};\n````\n* Go to
\"Stack Management > Upgrade Assistant\". Navigate to\n\"Elasticsearch
deprecation issues\"\n * Verify that the new actions column is there\n*
Verify that the column now contains the actions icon and opens
the\nflyout.\n * Verify that the resolution column still updates the
status\n* Verify that the deprecations that requires Manual action, now
display\na Gear icon in the actions column.\n* Verify that the entire
row is not longer clickable and the flyout only\ngets opened when
clicking in the icon.\n\n###
Demo\n<details>\n<summary>Video</summary>\n\n\n\n\nhttps://github.com/user-attachments/assets/22f16b7d-de08-42dd-8ffe-91acec4dab92\n\n\n\n</details>\n\n---------\n\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"ba012f668c3385594dee9279467c8f51b28c789f","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Kibana
Management","release_note:skip","Feature:Upgrade
Assistant","backport:version","v8.19.0","UA_needs_forwardport_9.1"],"title":"[Upgrade
Assistant] Create actions column in Es
deprecations","number":222346,"url":"https://github.com/elastic/kibana/pull/222346","mergeCommit":{"message":"[Upgrade
Assistant] Create actions column in Es deprecations (#222346)\n\nFixes
https://github.com/elastic/kibana/issues/222035\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\nThis PR
is the first one for the enhancement in the ES deprecations\ntable in
Upgrade Assistant. This PR creates a new column called\n`Actions` and
moves the existing available actions in the `resolution`\ncolumn to it.
The icon and the flyout is the same. The status of the\nresolution still
gets updated in the `resolution` column.\n\nThe goal of this PR was that
no functionality or tests gets affected by\nthis changes (except the
unit test verifying that the entire row is\nclickable).\n\nNote: The
width of the columns is a little weird right now. It will\nadjust when
all columns have the expected content.\n\n### How to test\n\n* Follow
the instructions in\nhttps://github.com/elastic/kibana-team/issues/1521.
Use the data folder\nnamed `data_qaf_frozen` because it has the largest
variety of\ndeprecations.\nYou can also add some other deprecations by
replacing\n`x-pack/platform/plugins/private/upgrade_assistant/server/lib/es_deprecations_status/migrations.ts\n`
L272 with:\n````\nlet esDeprecations = (await
esClient.migration.deprecations()) as EsDeprecations;\nesDeprecations =
{\n ...esDeprecations,\n cluster_settings: [\n {\n level: 'warning',\n
message:\n 'Template patterns are no longer using `template` field, but
`index_patterns` instead',\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_indices_changes.html#_index_templates_use_literal_index_patterns_literal_instead_of_literal_template_literal',\n
details:\n 'templates using `template` field:
security_audit_log,watches,.monitoring-alerts,triggered_watches,.ml-anomalies-,.ml-notifications,.ml-meta,.monitoring-kibana,.monitoring-es,.monitoring-logstash,.watch-history-6,.ml-state,security-index-template',\n
resolve_during_rolling_upgrade: false,\n },\n {\n level: 'warning',\n
message: 'one or more templates use deprecated mapping settings',\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_indices_changes.html',\n
details:\n '{.monitoring-logstash=[Coercion of boolean fields],
.monitoring-es=[Coercion of boolean fields], .ml-anomalies-=[Coercion of
boolean fields], .watch-history-6=[Coercion of boolean fields],
.monitoring-kibana=[Coercion of boolean fields],
security-index-template=[Coercion of boolean fields]}',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n ilm_policies: {\n
myfreezepolicy: [\n {\n level: 'warning',\n message:\n \"ILM policy
[myfreezepolicy] contains the action 'freeze' that is deprecated and
will be removed in a future version.\",\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/master/frozen-indices.html',\n
details:\n 'This action is already a noop so it can be safely removed,
because frozen indices no longer offer any advantages. Consider cold or
frozen tiers in place of frozen indices.',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n },\n templates: {\n
mytemplate: [\n {\n level: 'critical',\n message:\n 'Configuring source
mode in mappings is deprecated and will be removed in future versions.
Use [index.mapping.source.mode] index setting instead.',\n url:
'https://github.com/elastic/elasticsearch/pull/117172',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n },\n};\n````\n* Go to
\"Stack Management > Upgrade Assistant\". Navigate to\n\"Elasticsearch
deprecation issues\"\n * Verify that the new actions column is there\n*
Verify that the column now contains the actions icon and opens
the\nflyout.\n * Verify that the resolution column still updates the
status\n* Verify that the deprecations that requires Manual action, now
display\na Gear icon in the actions column.\n* Verify that the entire
row is not longer clickable and the flyout only\ngets opened when
clicking in the icon.\n\n###
Demo\n<details>\n<summary>Video</summary>\n\n\n\n\nhttps://github.com/user-attachments/assets/22f16b7d-de08-42dd-8ffe-91acec4dab92\n\n\n\n</details>\n\n---------\n\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"ba012f668c3385594dee9279467c8f51b28c789f"}},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/222346","number":222346,"mergeCommit":{"message":"[Upgrade
Assistant] Create actions column in Es deprecations (#222346)\n\nFixes
https://github.com/elastic/kibana/issues/222035\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\nThis PR
is the first one for the enhancement in the ES deprecations\ntable in
Upgrade Assistant. This PR creates a new column called\n`Actions` and
moves the existing available actions in the `resolution`\ncolumn to it.
The icon and the flyout is the same. The status of the\nresolution still
gets updated in the `resolution` column.\n\nThe goal of this PR was that
no functionality or tests gets affected by\nthis changes (except the
unit test verifying that the entire row is\nclickable).\n\nNote: The
width of the columns is a little weird right now. It will\nadjust when
all columns have the expected content.\n\n### How to test\n\n* Follow
the instructions in\nhttps://github.com/elastic/kibana-team/issues/1521.
Use the data folder\nnamed `data_qaf_frozen` because it has the largest
variety of\ndeprecations.\nYou can also add some other deprecations by
replacing\n`x-pack/platform/plugins/private/upgrade_assistant/server/lib/es_deprecations_status/migrations.ts\n`
L272 with:\n````\nlet esDeprecations = (await
esClient.migration.deprecations()) as EsDeprecations;\nesDeprecations =
{\n ...esDeprecations,\n cluster_settings: [\n {\n level: 'warning',\n
message:\n 'Template patterns are no longer using `template` field, but
`index_patterns` instead',\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_indices_changes.html#_index_templates_use_literal_index_patterns_literal_instead_of_literal_template_literal',\n
details:\n 'templates using `template` field:
security_audit_log,watches,.monitoring-alerts,triggered_watches,.ml-anomalies-,.ml-notifications,.ml-meta,.monitoring-kibana,.monitoring-es,.monitoring-logstash,.watch-history-6,.ml-state,security-index-template',\n
resolve_during_rolling_upgrade: false,\n },\n {\n level: 'warning',\n
message: 'one or more templates use deprecated mapping settings',\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_indices_changes.html',\n
details:\n '{.monitoring-logstash=[Coercion of boolean fields],
.monitoring-es=[Coercion of boolean fields], .ml-anomalies-=[Coercion of
boolean fields], .watch-history-6=[Coercion of boolean fields],
.monitoring-kibana=[Coercion of boolean fields],
security-index-template=[Coercion of boolean fields]}',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n ilm_policies: {\n
myfreezepolicy: [\n {\n level: 'warning',\n message:\n \"ILM policy
[myfreezepolicy] contains the action 'freeze' that is deprecated and
will be removed in a future version.\",\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/master/frozen-indices.html',\n
details:\n 'This action is already a noop so it can be safely removed,
because frozen indices no longer offer any advantages. Consider cold or
frozen tiers in place of frozen indices.',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n },\n templates: {\n
mytemplate: [\n {\n level: 'critical',\n message:\n 'Configuring source
mode in mappings is deprecated and will be removed in future versions.
Use [index.mapping.source.mode] index setting instead.',\n url:
'https://github.com/elastic/elasticsearch/pull/117172',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n },\n};\n````\n* Go to
\"Stack Management > Upgrade Assistant\". Navigate to\n\"Elasticsearch
deprecation issues\"\n * Verify that the new actions column is there\n*
Verify that the column now contains the actions icon and opens
the\nflyout.\n * Verify that the resolution column still updates the
status\n* Verify that the deprecations that require Manual action now
display\na Gear icon in the actions column.\n* Verify that the entire
row is no longer clickable and the flyout only\ngets opened when
clicking in the icon.\n\n###
Demo\n<details>\n<summary>Video</summary>\n\n\n\n\nhttps://github.com/user-attachments/assets/22f16b7d-de08-42dd-8ffe-91acec4dab92\n\n\n\n</details>\n\n---------\n\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"ba012f668c3385594dee9279467c8f51b28c789f"}}]},{"author":{"name":"Sonia
Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-06T12:28:23Z","message":"[Upgrade
Assistant] Change resolution column icons to filled (#222764)\n\nPart of
https://github.com/elastic/kibana/issues/222036\n\n## Summary\n\nSmall
PR to change the icons in the ES deprecations table resolution\ncolumn
to the filled version as required in the mocks. I've also updated\nthe
icons in the Kibana Deprecations table for consistency.\n\nBefore:\n<img
width=\"583\" alt=\"Screenshot 2025-06-05 at 10 26
35\"\nsrc=\"https://github.com/user-attachments/assets/f22449dd-6859-4459-ba1d-bdfdaf535fde\"\n/>\n<img
width=\"522\" alt=\"Screenshot 2025-06-05 at 10 25
22\"\nsrc=\"https://github.com/user-attachments/assets/acb96c78-14b7-49b1-903d-c7f36237b15b\"\n/>\n\nAfter:\n<img
width=\"528\" alt=\"Screenshot 2025-06-05 at 10 23
09\"\nsrc=\"https://github.com/user-attachments/assets/6a7e888f-6fb7-44a7-a970-6b48d04f6f96\"\n/>\n\n<img
width=\"556\" alt=\"Screenshot 2025-06-05 at 10 24
31\"\nsrc=\"https://github.com/user-attachments/assets/fdb15ad7-825e-42d4-810f-869bf86dd36f\"\n/>\n\n\n##
How to test\n\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use any
data\nfolder.","sha":"1b5be7cc2e96f5ca4c03f215891969e45f062b30"},"sourcePullRequest":{"labels":[],"title":"Update
dependency chromedriver to ^137.0.4
(8.19)","number":222621,"url":"https://github.com/elastic/kibana/pull/222621"},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[]},{"author":{"name":"Sonia
Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-11T13:38:03Z","message":"[Upgrade
Assistant] Add suggestions to resolution column (#223113)\n\nCloses
https://github.com/elastic/kibana/issues/222036\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\n\nThis PR
modifies the resolution column to offer the user a\nrecommendation of
the action to take depending on the deprecation. The\nrow can also be
empty if we don't have any deprecation to show.\n\n###
Mocks\n\n\n\n###
How to test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip` because it has almost all types
of\ndeprecations.\nYou can also add the remaining types by
replacing\n`x-pack/platform/plugins/private/upgrade_assistant/server/lib/es_deprecations_status/migrations.ts\n`
L272 with:\n````\nlet esDeprecations = (await
esClient.migration.deprecations()) as EsDeprecations;\nesDeprecations =
{\n ...esDeprecations,\n cluster_settings: [\n {\n level: 'warning',\n
message:\n 'Template patterns are no longer using `template` field, but
`index_patterns` instead',\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_indices_changes.html#_index_templates_use_literal_index_patterns_literal_instead_of_literal_template_literal',\n
details:\n 'templates using `template` field:
security_audit_log,watches,.monitoring-alerts,triggered_watches,.ml-anomalies-,.ml-notifications,.ml-meta,.monitoring-kibana,.monitoring-es,.monitoring-logstash,.watch-history-6,.ml-state,security-index-template',\n
resolve_during_rolling_upgrade: false,\n },\n {\n level: 'warning',\n
message: 'one or more templates use deprecated mapping settings',\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/6.0/breaking_60_indices_changes.html',\n
details:\n '{.monitoring-logstash=[Coercion of boolean fields],
.monitoring-es=[Coercion of boolean fields], .ml-anomalies-=[Coercion of
boolean fields], .watch-history-6=[Coercion of boolean fields],
.monitoring-kibana=[Coercion of boolean fields],
security-index-template=[Coercion of boolean fields]}',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n ilm_policies: {\n
myfreezepolicy: [\n {\n level: 'warning',\n message:\n \"ILM policy
[myfreezepolicy] contains the action 'freeze' that is deprecated and
will be removed in a future version.\",\n url:
'https://www.elastic.co/guide/en/elasticsearch/reference/master/frozen-indices.html',\n
details:\n 'This action is already a noop so it can be safely removed,
because frozen indices no longer offer any advantages. Consider cold or
frozen tiers in place of frozen indices.',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n },\n templates: {\n
mytemplate: [\n {\n level: 'critical',\n message:\n 'Configuring source
mode in mappings is deprecated and will be removed in future versions.
Use [index.mapping.source.mode] index setting instead.',\n url:
'https://github.com/elastic/elasticsearch/pull/117172',\n
resolve_during_rolling_upgrade: false,\n },\n ],\n },\n};\n````\n* Go to
\"Stack Management > Upgrade Assistant\". Navigate to\n\"Elasticsearch
deprecation issues\"\n \n\n### Screenshots\n<details>\n<img
width=\"1509\" alt=\"Screenshot 2025-06-09 at 15 31
02\"\nsrc=\"https://github.com/user-attachments/assets/5e2ff112-41d4-4c15-8d99-30da4129a1f4\"\n/>\n\n<img
width=\"1250\" alt=\"Screenshot 2025-06-09 at 15 27
16\"\nsrc=\"https://github.com/user-attachments/assets/b622eb6d-6af3-4c73-8d55-2c283352a477\"\n/>\n<img
width=\"1235\" alt=\"Screenshot 2025-06-09 at 15 26
54\"\nsrc=\"https://github.com/user-attachments/assets/ca56e143-6da4-4a9c-94c1-7f977e0645e4\"\n/>\n<img
width=\"1229\" alt=\"Screenshot 2025-06-09 at 15 16
51\"\nsrc=\"https://github.com/user-attachments/assets/9cf9a806-9b77-4a7f-aafd-2f7f7fa85714\"\n/>\n<img
width=\"1230\" alt=\"Screenshot 2025-06-09 at 15 15
53\"\nsrc=\"https://github.com/user-attachments/assets/dbdb2f7f-0b59-41ca-bfea-a27f72de7b35\"\n/>\n<img
width=\"1162\" alt=\"Screenshot 2025-06-09 at 15 13
08\"\nsrc=\"https://github.com/user-attachments/assets/58b0fb27-32d1-41d5-b18d-edd64c4cc941\"\n/>\n<img
width=\"1245\" alt=\"Screenshot 2025-06-09 at 15 12
40\"\nsrc=\"https://github.com/user-attachments/assets/f4872d46-c9c1-471e-9c26-29f5d56e55f6\"\n/>\n<img
width=\"1225\" alt=\"Screenshot 2025-06-09 at 15 12
28\"\nsrc=\"https://github.com/user-attachments/assets/64af7ee7-a75d-4b81-b7b8-399da78aff21\"\n/>\n<img
width=\"1246\" alt=\"Screenshot 2025-06-09 at 15 12
21\"\nsrc=\"https://github.com/user-attachments/assets/d581b5bd-ae37-4513-a2f1-035db36a2e9d\"\n/>\n<img
width=\"1235\" alt=\"Screenshot 2025-06-09 at 15 12
13\"\nsrc=\"https://github.com/user-attachments/assets/43b1a3b6-b30a-461d-b111-958911f175b4\"\n/>\n\n\n\n</details>\n\n---------\n\nCo-authored-by:
Vlada Chirmicci
<vlada.chirmicci@elastic.co>","sha":"c72c785e87f10e3a745b0de0bcbcc120beafd54d"},"sourcePullRequest":{"labels":[],"title":"Update
dependency chromedriver to ^137.0.4
(8.19)","number":222621,"url":"https://github.com/elastic/kibana/pull/222621"},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[]},{"author":{"name":"Sonia
Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-16T14:02:00Z","message":"[Upgrade
Assistant] Update index unfreeze and read-only progress strings
(#223509)\n\nFixes https://github.com/elastic/kibana/issues/222036\n\n##
Summary\nThis PR changes the text we display when an index is set to
read-only\nor unfreeze. Until now, we only show a generic `Update
complete`.\n\n### How to test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use any data
folders\n* Verify that the status is correct when unfreezing or setting
as read\nonly an index. You can add a waiting time
in\n`x-pack/platform/plugins/private/upgrade_assistant/public/application/components/es_deprecations/deprecation_types/indices/use_update_index.tsx`\nto
review the `inProgress` state. Otherwise will be too fast and you\nwon't
be able to check that step.\n\n###
Demo\n\n\nhttps://github.com/user-attachments/assets/fa581b59-2fc5-41ab-adfb-c2d39682019e","sha":"7d02c645ecc3b5331a49240a12a612730b7c6665"},"sourcePullRequest":{"labels":[],"title":"Update
dependency chromedriver to ^137.0.4
(8.19)","number":222621,"url":"https://github.com/elastic/kibana/pull/222621"},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[]},{"author":{"name":"Sonia
Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-19T08:08:49Z","message":"[Upgrade
Assistant] Show single action button in ES deprecations/Actions column
(#223576)\n\nCloses
https://github.com/elastic/kibana/issues/222317\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\n\nThis PR
modifies the action column so it displays the possible actions\nfor
indices and data streams. The read-only and unfreeze options are\nopened
in the flyout. Creating the modal would be done in a follow
up\ntask.\n\n###
Mocks\n\n\n\n###
How to test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip` because it has almost all types
of\ndeprecations.\n* Go to ES deprecations table and click on the icons,
perform different\nactions and verify the flyout shows the status after
the action started.\n\n###
Demo\n\n\nhttps://github.com/user-attachments/assets/07764d05-31b5-4a05-85a1-85e18d3ec18e","sha":"5ffc7522f769b6a384f97281ff3a3d8e69b92040","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Kibana
Management","release_note:skip","Feature:Upgrade
Assistant","backport:version","v8.19.0","UA_needs_forwardport_9.1"],"title":"[Upgrade
Assistant] Show single action button in ES deprecations/Actions
column","number":223576,"url":"https://github.com/elastic/kibana/pull/223576","mergeCommit":{"message":"[Upgrade
Assistant] Show single action button in ES deprecations/Actions column
(#223576)\n\nCloses
https://github.com/elastic/kibana/issues/222317\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\n\nThis PR
modifies the action column so it displays the possible actions\nfor
indices and data streams. The read-only and unfreeze options are\nopened
in the flyout. Creating the modal would be done in a follow
up\ntask.\n\n###
Mocks\n\n\n\n###
How to test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip` because it has almost all types
of\ndeprecations.\n* Go to ES deprecations table and click on the icons,
perform different\nactions and verify the flyout shows the status after
the action started.\n\n###
Demo\n\n\nhttps://github.com/user-attachments/assets/07764d05-31b5-4a05-85a1-85e18d3ec18e","sha":"5ffc7522f769b6a384f97281ff3a3d8e69b92040"}},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/223576","number":223576,"mergeCommit":{"message":"[Upgrade
Assistant] Show single action button in ES deprecations/Actions column
(#223576)\n\nCloses
https://github.com/elastic/kibana/issues/222317\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\n\nThis PR
modifies the action column so it displays the possible actions\nfor
indices and data streams. The read-only and unfreeze options are\nopened
in the flyout. Creating the modal would be done in a follow
up\ntask.\n\n###
Mocks\n\n\n\n###
How to test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip` because it has almost all types
of\ndeprecations.\n* Go to ES deprecations table and click on the icons,
perform different\nactions and verify the flyout shows the status after
the action started.\n\n###
Demo\n\n\nhttps://github.com/user-attachments/assets/07764d05-31b5-4a05-85a1-85e18d3ec18e","sha":"5ffc7522f769b6a384f97281ff3a3d8e69b92040"}}]},{"author":{"name":"Sonia
Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-19T14:41:35Z","message":"[Upgrade
Assistant] Create modal for setting to read-only and unfreeze
(#224525)\n\nFixes https://github.com/elastic/kibana/issues/222037\nPar
to of https://github.com/elastic/kibana/issues/221977\n\n## Summary\n*
This PR creates the modal for the read-only actions in the
ES\ndeprecations table.\n* It adds a confirm step for `Unfreeze`. \n* It
changes the `WarningCheckbox` for the data streams for both the\nmodal
and the flyout so it looks like the Index ones.\n* Introduces the
explicit name of the data stream in the steps for both\nreindex and
read-only.\n\n### Mocks\n<img width=\"395\" alt=\"Screenshot 2025-06-19
at 10 52
43\"\nsrc=\"https://github.com/user-attachments/assets/fe72c007-4299-4a05-9ec8-f2f375b4f55f\"\n/>\n\n\n**Note**:
As agreed with @jovana-andjelkovic, the warning checkbox would\nkeep the
border and the same format that it has in the flyout.\n\n\n### How to
test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip` because it has almost all types
of\ndeprecations.\n* Verify unfreeze modal.\n* Check read-only index
modal\n* Check data stream read-only modal\n* Check changes in accept
checkbox in Data stream reindex modal\n\n###
Screenshots\n<details>\n<summary>Index unfreeze modal</summary>\n<img
width=\"989\" alt=\"Screenshot 2025-06-19 at 10 36
08\"\nsrc=\"https://github.com/user-attachments/assets/056e5cbf-1f53-409a-a2ab-6c897869ce7b\"\n/>\n<img
width=\"918\" alt=\"Screenshot 2025-06-19 at 10 37
53\"\nsrc=\"https://github.com/user-attachments/assets/e226df22-d450-47f8-a2e8-8301c3c79a7f\"\n/>\n<img
width=\"813\" alt=\"Screenshot 2025-06-19 at 10 38
04\"\nsrc=\"https://github.com/user-attachments/assets/4bdcc229-1664-418a-9d8f-2e8eed54e23e\"\n/>\n\n\n</details>\n\n<details>\n<summary>Index
read-only modal</summary>\n\n\n<img width=\"911\" alt=\"Screenshot
2025-06-19 at 10 37
27\"\nsrc=\"https://github.com/user-attachments/assets/069aabdf-5de1-4c6c-970a-180a6f29bf1d\"\n/>\n\n<img
width=\"776\" alt=\"Screenshot 2025-06-19 at 10 37
34\"\nsrc=\"https://github.com/user-attachments/assets/61416fc0-1008-4e21-87bc-e75c45f160fb\"\n/>\n\n<img
width=\"816\" alt=\"Screenshot 2025-06-19 at 10 37
43\"\nsrc=\"https://github.com/user-attachments/assets/9e509720-9346-416f-8ffa-1a0cbef5d918\"\n/>\n\n</details>\n\n\n<details>\n<summary>Data
stream read-only modal</summary>\n\n<img width=\"877\" alt=\"Screenshot
2025-06-19 at 10 39
36\"\nsrc=\"https://github.com/user-attachments/assets/dd2a5f94-f7cc-4ef9-aca6-a9cb789f0ce9\"\n/>\n\n<img
width=\"1066\" alt=\"Screenshot 2025-06-19 at 10 40
23\"\nsrc=\"https://github.com/user-attachments/assets/083fc674-3503-4cf8-bec5-24d551bd8e6d\"\n/>\n\n<img
width=\"865\" alt=\"Screenshot 2025-06-19 at 10 40
30\"\nsrc=\"https://github.com/user-attachments/assets/53cda862-41e1-4825-8309-090ebfbe9739\"\n/>\n\n<img
width=\"937\" alt=\"Screenshot 2025-06-19 at 10 40
43\"\nsrc=\"https://github.com/user-attachments/assets/8140917b-16a9-4e61-bf14-cb53bebe7ca5\"\n/>\n\n</details>\n<details>\n<summary>Data
stream flyout checkbox</summary>\n<img width=\"583\" alt=\"Screenshot
2025-06-19 at 10 40
54\"\nsrc=\"https://github.com/user-attachments/assets/8a9a6023-f474-4c7d-985c-26db11011934\"\n/>\n</details>","sha":"4da40d22780516ffea86be8eaf5092a1a6b3ad85","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Kibana
Management","release_note:skip","Feature:Upgrade
Assistant","backport:version","v8.19.0","UA_needs_forwardport_9.1"],"title":"[Upgrade
Assistant] Create modal for setting to read-only and
unfreeze","number":224525,"url":"https://github.com/elastic/kibana/pull/224525","mergeCommit":{"message":"[Upgrade
Assistant] Create modal for setting to read-only and unfreeze
(#224525)\n\nFixes https://github.com/elastic/kibana/issues/222037\nPar
to of https://github.com/elastic/kibana/issues/221977\n\n## Summary\n*
This PR creates the modal for the read-only actions in the
ES\ndeprecations table.\n* It adds a confirm step for `Unfreeze`. \n* It
changes the `WarningCheckbox` for the data streams for both the\nmodal
and the flyout so it looks like the Index ones.\n* Introduces the
explicit name of the data stream in the steps for both\nreindex and
read-only.\n\n### Mocks\n<img width=\"395\" alt=\"Screenshot 2025-06-19
at 10 52
43\"\nsrc=\"https://github.com/user-attachments/assets/fe72c007-4299-4a05-9ec8-f2f375b4f55f\"\n/>\n\n\n**Note**:
As agreed with @jovana-andjelkovic, the warning checkbox would\nkeep the
border and the same format that it has in the flyout.\n\n\n### How to
test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip` because it has almost all types
of\ndeprecations.\n* Verify unfreeze modal.\n* Check read-only index
modal\n* Check data stream read-only modal\n* Check changes in accept
checkbox in Data stream reindex modal\n\n###
Screenshots\n<details>\n<summary>Index unfreeze modal</summary>\n<img
width=\"989\" alt=\"Screenshot 2025-06-19 at 10 36
08\"\nsrc=\"https://github.com/user-attachments/assets/056e5cbf-1f53-409a-a2ab-6c897869ce7b\"\n/>\n<img
width=\"918\" alt=\"Screenshot 2025-06-19 at 10 37
53\"\nsrc=\"https://github.com/user-attachments/assets/e226df22-d450-47f8-a2e8-8301c3c79a7f\"\n/>\n<img
width=\"813\" alt=\"Screenshot 2025-06-19 at 10 38
04\"\nsrc=\"https://github.com/user-attachments/assets/4bdcc229-1664-418a-9d8f-2e8eed54e23e\"\n/>\n\n\n</details>\n\n<details>\n<summary>Index
read-only modal</summary>\n\n\n<img width=\"911\" alt=\"Screenshot
2025-06-19 at 10 37
27\"\nsrc=\"https://github.com/user-attachments/assets/069aabdf-5de1-4c6c-970a-180a6f29bf1d\"\n/>\n\n<img
width=\"776\" alt=\"Screenshot 2025-06-19 at 10 37
34\"\nsrc=\"https://github.com/user-attachments/assets/61416fc0-1008-4e21-87bc-e75c45f160fb\"\n/>\n\n<img
width=\"816\" alt=\"Screenshot 2025-06-19 at 10 37
43\"\nsrc=\"https://github.com/user-attachments/assets/9e509720-9346-416f-8ffa-1a0cbef5d918\"\n/>\n\n</details>\n\n\n<details>\n<summary>Data
stream read-only modal</summary>\n\n<img width=\"877\" alt=\"Screenshot
2025-06-19 at 10 39
36\"\nsrc=\"https://github.com/user-attachments/assets/dd2a5f94-f7cc-4ef9-aca6-a9cb789f0ce9\"\n/>\n\n<img
width=\"1066\" alt=\"Screenshot 2025-06-19 at 10 40
23\"\nsrc=\"https://github.com/user-attachments/assets/083fc674-3503-4cf8-bec5-24d551bd8e6d\"\n/>\n\n<img
width=\"865\" alt=\"Screenshot 2025-06-19 at 10 40
30\"\nsrc=\"https://github.com/user-attachments/assets/53cda862-41e1-4825-8309-090ebfbe9739\"\n/>\n\n<img
width=\"937\" alt=\"Screenshot 2025-06-19 at 10 40
43\"\nsrc=\"https://github.com/user-attachments/assets/8140917b-16a9-4e61-bf14-cb53bebe7ca5\"\n/>\n\n</details>\n<details>\n<summary>Data
stream flyout checkbox</summary>\n<img width=\"583\" alt=\"Screenshot
2025-06-19 at 10 40
54\"\nsrc=\"https://github.com/user-attachments/assets/8a9a6023-f474-4c7d-985c-26db11011934\"\n/>\n</details>","sha":"4da40d22780516ffea86be8eaf5092a1a6b3ad85"}},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/224525","number":224525,"mergeCommit":{"message":"[Upgrade
Assistant] Create modal for setting to read-only and unfreeze
(#224525)\n\nFixes https://github.com/elastic/kibana/issues/222037\nPar
to of https://github.com/elastic/kibana/issues/221977\n\n## Summary\n*
This PR creates the modal for the read-only actions in the
ES\ndeprecations table.\n* It adds a confirm step for `Unfreeze`. \n* It
changes the `WarningCheckbox` for the data streams for both the\nmodal
and the flyout so it looks like the Index ones.\n* Introduces the
explicit name of the data stream in the steps for both\nreindex and
read-only.\n\n### Mocks\n<img width=\"395\" alt=\"Screenshot 2025-06-19
at 10 52
43\"\nsrc=\"https://github.com/user-attachments/assets/fe72c007-4299-4a05-9ec8-f2f375b4f55f\"\n/>\n\n\n**Note**:
As agreed with @jovana-andjelkovic, the warning checkbox would\nkeep the
border and the same format that it has in the flyout.\n\n\n### How to
test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip` because it has almost all types
of\ndeprecations.\n* Verify unfreeze modal.\n* Check read-only index
modal\n* Check data stream read-only modal\n* Check changes in accept
checkbox in Data stream reindex modal\n\n###
Screenshots\n<details>\n<summary>Index unfreeze modal</summary>\n<img
width=\"989\" alt=\"Screenshot 2025-06-19 at 10 36
08\"\nsrc=\"https://github.com/user-attachments/assets/056e5cbf-1f53-409a-a2ab-6c897869ce7b\"\n/>\n<img
width=\"918\" alt=\"Screenshot 2025-06-19 at 10 37
53\"\nsrc=\"https://github.com/user-attachments/assets/e226df22-d450-47f8-a2e8-8301c3c79a7f\"\n/>\n<img
width=\"813\" alt=\"Screenshot 2025-06-19 at 10 38
04\"\nsrc=\"https://github.com/user-attachments/assets/4bdcc229-1664-418a-9d8f-2e8eed54e23e\"\n/>\n\n\n</details>\n\n<details>\n<summary>Index
read-only modal</summary>\n\n\n<img width=\"911\" alt=\"Screenshot
2025-06-19 at 10 37
27\"\nsrc=\"https://github.com/user-attachments/assets/069aabdf-5de1-4c6c-970a-180a6f29bf1d\"\n/>\n\n<img
width=\"776\" alt=\"Screenshot 2025-06-19 at 10 37
34\"\nsrc=\"https://github.com/user-attachments/assets/61416fc0-1008-4e21-87bc-e75c45f160fb\"\n/>\n\n<img
width=\"816\" alt=\"Screenshot 2025-06-19 at 10 37
43\"\nsrc=\"https://github.com/user-attachments/assets/9e509720-9346-416f-8ffa-1a0cbef5d918\"\n/>\n\n</details>\n\n\n<details>\n<summary>Data
stream read-only modal</summary>\n\n<img width=\"877\" alt=\"Screenshot
2025-06-19 at 10 39
36\"\nsrc=\"https://github.com/user-attachments/assets/dd2a5f94-f7cc-4ef9-aca6-a9cb789f0ce9\"\n/>\n\n<img
width=\"1066\" alt=\"Screenshot 2025-06-19 at 10 40
23\"\nsrc=\"https://github.com/user-attachments/assets/083fc674-3503-4cf8-bec5-24d551bd8e6d\"\n/>\n\n<img
width=\"865\" alt=\"Screenshot 2025-06-19 at 10 40
30\"\nsrc=\"https://github.com/user-attachments/assets/53cda862-41e1-4825-8309-090ebfbe9739\"\n/>\n\n<img
width=\"937\" alt=\"Screenshot 2025-06-19 at 10 40
43\"\nsrc=\"https://github.com/user-attachments/assets/8140917b-16a9-4e61-bf14-cb53bebe7ca5\"\n/>\n\n</details>\n<details>\n<summary>Data
stream flyout checkbox</summary>\n<img width=\"583\" alt=\"Screenshot
2025-06-19 at 10 40
54\"\nsrc=\"https://github.com/user-attachments/assets/8a9a6023-f474-4c7d-985c-26db11011934\"\n/>\n</details>","sha":"4da40d22780516ffea86be8eaf5092a1a6b3ad85"}}]},{"author":{"name":"Sonia
Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-19T11:22:22Z","message":"[Upgrade
assistant] Unify read-only copies (#224532)\n\nPart of:
https://github.com/elastic/kibana/issues/222037\n\n## Summary\nThis PR
unifies the copies for the `Set to read-only` option. We had\ndifferent
copies option such as \"Mark as read-only\", \"Flag as read-only\"\nor
\"Make
read-only\".","sha":"b414ba4d25320e8eddb8f2d68dce0604544a061c","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Kibana
Management","release_note:skip","Feature:Upgrade
Assistant","backport:version","v8.19.0","UA_needs_forwardport_9.1"],"title":"[Upgrade
assistant] Unify read-only
copies","number":224532,"url":"https://github.com/elastic/kibana/pull/224532","mergeCommit":{"message":"[Upgrade
assistant] Unify read-only copies (#224532)\n\nPart of:
https://github.com/elastic/kibana/issues/222037\n\n## Summary\nThis PR
unifies the copies for the `Set to read-only` option. We had\ndifferent
copies option such as \"Mark as read-only\", \"Flag as read-only\"\nor
\"Make
read-only\".","sha":"b414ba4d25320e8eddb8f2d68dce0604544a061c"}},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/224532","number":224532,"mergeCommit":{"message":"[Upgrade
assistant] Unify read-only copies (#224532)\n\nPart of:
https://github.com/elastic/kibana/issues/222037\n\n## Summary\nThis PR
unifies the copies for the `Set to read-only` option. We had\ndifferent
copies option such as \"Mark as read-only\", \"Flag as read-only\"\nor
\"Make
read-only\".","sha":"b414ba4d25320e8eddb8f2d68dce0604544a061c"}}]},{"author":{"name":"Sonia
Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-19T11:12:58Z","message":"[Upgrade
Assistant] Small cosmetic fixes (#224535)\n\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\nThis PR
introduces two small cosmetic fixes:\n* Change Transforms callout color
to primary (not warning) to use the\nsame as other of the same
characteristics (ML, frozen, follower...)\n<img width=\"499\"
alt=\"Screenshot 2025-06-19 at 11 14
55\"\nsrc=\"https://github.com/user-attachments/assets/b04be621-15e4-4069-a7e8-4fc5755c72ea\"\n/>\n\n*
Modifies the size of the info icon in the ES
deprecations\ntable so it doesn't compete visually with the Action
icons\n<img width=\"388\" alt=\"Screenshot 2025-06-19 at 11 33
00\"\nsrc=\"https://github.com/user-attachments/assets/df33fc14-1c96-437c-b19d-8729e0d974d9\"\n/>","sha":"f61f702ea7b2fad6f78529030b948706251d66ff","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Kibana
Management","release_note:skip","Feature:Upgrade
Assistant","backport:version","v8.19.0","UA_needs_forwardport_9.1"],"title":"[Upgrade
Assistant] Small cosmetic
fixes","number":224535,"url":"https://github.com/elastic/kibana/pull/224535","mergeCommit":{"message":"[Upgrade
Assistant] Small cosmetic fixes (#224535)\n\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\nThis PR
introduces two small cosmetic fixes:\n* Change Transforms callout color
to primary (not warning) to use the\nsame as other of the same
characteristics (ML, frozen, follower...)\n<img width=\"499\"
alt=\"Screenshot 2025-06-19 at 11 14
55\"\nsrc=\"https://github.com/user-attachments/assets/b04be621-15e4-4069-a7e8-4fc5755c72ea\"\n/>\n\n*
Modifies the size of the info icon in the ES
deprecations\ntable so it doesn't compete visually with the Action
icons\n<img width=\"388\" alt=\"Screenshot 2025-06-19 at 11 33
00\"\nsrc=\"https://github.com/user-attachments/assets/df33fc14-1c96-437c-b19d-8729e0d974d9\"\n/>","sha":"f61f702ea7b2fad6f78529030b948706251d66ff"}},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/224535","number":224535,"mergeCommit":{"message":"[Upgrade
Assistant] Small cosmetic fixes (#224535)\n\nPart of
https://github.com/elastic/kibana/issues/221977\n\n## Summary\nThis PR
introduces two small cosmetic fixes:\n* Change Transforms callout color
to primary (not warning) to use the\nsame as other of the same
characteristics (ML, frozen, follower...)\n<img width=\"499\"
alt=\"Screenshot 2025-06-19 at 11 14
55\"\nsrc=\"https://github.com/user-attachments/assets/b04be621-15e4-4069-a7e8-4fc5755c72ea\"\n/>\n\n*
Modifies the size of the info icon in the ES
deprecations\ntable so it doesn't compete visually with the Action
icons\n<img width=\"388\" alt=\"Screenshot 2025-06-19 at 11 33
00\"\nsrc=\"https://github.com/user-attachments/assets/df33fc14-1c96-437c-b19d-8729e0d974d9\"\n/>","sha":"f61f702ea7b2fad6f78529030b948706251d66ff"}}]},{"author":{"name":"Sonia
Sanz
Vivas","email":"sonia.sanzvivas@elastic.co"},"sourceCommit":{"committedDate":"2025-06-20T13:41:49Z","message":"[Upgrade
Assistant] Add manually resolve for follower readonly (#224600)\n\nPart
of https://github.com/elastic/kibana/issues/221977\n\n## Summary\nWhen
testing all my changes I realized I missed a case for suggestions:\nwhen
an index is a follower index and is set to read-only it still\nappears
in the table with a warning but we suggested to set to read-only\n(what
already was).\n\nThis PR improves the verification for the suggestions
and now, for a\nfollower that is already read-only, it displays `Resolve
manually` and\nindicates the termination of replication in the
tooltip.\n<img width=\"628\" alt=\"Screenshot 2025-06-19 at 17 12
07\"\nsrc=\"https://github.com/user-attachments/assets/4a29b641-181e-4881-a008-5ccc80681376\"\n/>\n\n\n###
How to test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip`.\n* Set to read-only the index
called `follower-index`\n* Refresh the page\n* Verify that now it
displays the `Resolve manually` suggestion and the\ntooltip explains
that replication can be
terminated.","sha":"802256e73dd1f52e2159bd8f0b413b94e40e8b31","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Kibana
Management","release_note:skip","Feature:Upgrade
Assistant","backport:version","v8.19.0","UA_needs_forwardport_9.1"],"title":"[Upgrade
Assistant] Add manually resolve for follower
readonly","number":224600,"url":"https://github.com/elastic/kibana/pull/224600","mergeCommit":{"message":"[Upgrade
Assistant] Add manually resolve for follower readonly (#224600)\n\nPart
of https://github.com/elastic/kibana/issues/221977\n\n## Summary\nWhen
testing all my changes I realized I missed a case for sugestions:\nwhen
an index is a follower index and is set to read-only it still\nappears
in the table with a warning but we suggested to set to read-only\n(what
already was).\n\nThis PR improves the verification for the suggestions
and now, for a\nfollower that is already read-only, it display `Resolve
manually` and\nindicates the termination of replication in the
tooltip.\n<img width=\"628\" alt=\"Screenshot 2025-06-19 at 17 12
07\"\nsrc=\"https://github.com/user-attachments/assets/4a29b641-181e-4881-a008-5ccc80681376\"\n/>\n\n\n###
How to test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip`.\n* Set to read-only the index
called `follower-index`\n* Refresh the page\n* Verify that know it
displays the `Resolve manually` suggestion and the\ntooltip explains
that replication can be
terminated.","sha":"802256e73dd1f52e2159bd8f0b413b94e40e8b31"}},"sourceBranch":"8.19","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/224600","number":224600,"mergeCommit":{"message":"[Upgrade
Assistant] Add manually resolve for follower readonly (#224600)\n\nPart
of https://github.com/elastic/kibana/issues/221977\n\n## Summary\nWhen
testing all my changes I realized I missed a case for sugestions:\nwhen
an index is a follower index and is set to read-only it still\nappears
in the table with a warning but we suggested to set to read-only\n(what
already was).\n\nThis PR improves the verification for the suggestions
and now, for a\nfollower that is already read-only, it display `Resolve
manually` and\nindicates the termination of replication in the
tooltip.\n<img width=\"628\" alt=\"Screenshot 2025-06-19 at 17 12
07\"\nsrc=\"https://github.com/user-attachments/assets/4a29b641-181e-4881-a008-5ccc80681376\"\n/>\n\n\n###
How to test\n* Follow the instructions
in\nhttps://github.com/elastic/kibana-team/issues/1521. Use the data
folder\nnamed `data_most_types.zip`.\n* Set to read-only the index
called `follower-index`\n* Refresh the page\n* Verify that know it
displays the `Resolve manually` suggestion and the\ntooltip explains
that replication can be
terminated.","sha":"802256e73dd1f52e2159bd8f0b413b94e40e8b31"}}]}]
BACKPORT-->
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Updates the Dataset Quality functional test suite to skip tests
when running in Kibana 8.19 against Elasticsearch 9.0 in a forward
compatibility test run, where the `read_failure_store` index privilege
is not available. The privilege checks for `read_failure_store` fail as
they are incompatible with ES 9.0, since ES 9.0 does not support Failure
Store.
#### Context
While investigating e2e test failures related to the missing
`read_failure_store` privilege in ES 9.0, it was found that almost all
Dataset Quality test suites fail. The failures occur because the
following endpoints which most of the e2e tests depend on, check for
this privilege and error out:
- `/settings`
- `/details`
- `/total_docs`
- `/stats`
#### Error thrown by endpoints:
```yaml
error: "Internal Server Error"
message: "illegal_argument_exception\n\tRoot causes:\n\t\tillegal_argument_exception: unknown index privilege [read_failure_store]. a privilege must be either one of the predefined fixed indices privileges [all,auto_configure,create,create_doc,create_index,cross_cluster_replication,cross_cluster_replication_internal,delete,delete_index,index,maintenance,manage,manage_data_stream_lifecycle,manage_follow_index,manage_ilm,manage_leader_index,monitor,none,read,read_cross_cluster,view_index_metadata,write] or a pattern over one of the available index actions"
statusCode: 500
```
## Summary
[Support collapsible section in Integration
README](https://github.com/elastic/integration-experience/issues/82)
The public Integrations docs page recently added support for collapsible
sections (e.g., for field tables and sample events). This PR brings the
same functionality to Kibana to reduce scrolling and help users focus on
the most relevant information.
To display an accordion, the README should include the following markup:
```
<details>
<summary>Click to expand</summary>
This content is hidden by default.
</details>
```
However, we do not want to modify the integration READMEs directly.
Doing so would cause these tags to appear as raw HTML in older versions
of Kibana.
Bumping the minimum supported Kibana version for each integration is
also not a solution, as it would complicate backports and maintenance.
#### Proposed solution
Detect in Kibana parts that should be collapsible, like `exported
fields` and update the markdown with the necessary markups. Similar to
what the `integration-docs` does in
https://github.com/elastic/integration-docs/issues/342
#### Dependencies added:
- `rehype-raw`: Parse and render HTML inside Markdown.
- `rehype-sanitize`: Sanitize potentially unsafe HTML.
#### Version pinning for compatibility
- `rehype-sanitize@4.0.0`: Uses hast-util-sanitize@3+, which provides a
built-in default schema and is compatible with CommonJS environments.
- `rehype-raw@5.1.0`: The latest version that supports CommonJS. Later
versions are ESM-only.
https://github.com/user-attachments/assets/15f0822b-9b36-45e6-a47e-c8fa0dedd4c3
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
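The proposed solution in the PR description above (wrap detected sections in `<details>` before the Markdown reaches `rehype-raw`), sketched as an added example that is not code from this PR. The detection heuristic (a bold title starting with "Exported fields" followed by a Markdown table), the function names and the sample README are assumptions; the title is escaped because `rehype-raw` parses the result as HTML, and `rehype-sanitize` remains the control for any HTML the README itself carries.

```javascript
// Added example, not Kibana's implementation.
// Assumption: a collapsible section is a bold title such as
// "**Exported fields**" followed (after optional blank lines) by a Markdown table.

const COLLAPSIBLE_TITLE = /^exported fields\b/i; // hypothetical heuristic

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };

// README text is package-supplied input. Anything interpolated into markup
// that rehype-raw will parse as HTML must be escaped first.
function escapeHtml(text) {
  return text.replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Returns the title of a line that consists only of **bold text**, else null.
function boldTitle(line) {
  const match = /^\s*\*\*(.+?)\*\*\s*$/.exec(line);
  return match ? match[1] : null;
}

const isTableRow = (line) => /^\s*\|.*\|\s*$/.test(line);

function wrapCollapsibleSections(markdown) {
  const lines = markdown.split('\n');
  const out = [];
  let insideDetails = false; // never nest inside a section that is already collapsible
  let i = 0;

  while (i < lines.length) {
    const line = lines[i];
    if (/<details[\s>]/i.test(line)) insideDetails = true;
    if (/<\/details>/i.test(line)) insideDetails = false;

    const title = boldTitle(line);
    if (!insideDetails && title !== null && COLLAPSIBLE_TITLE.test(title)) {
      // Skip blank lines between the title and the table.
      let start = i + 1;
      while (start < lines.length && lines[start].trim() === '') start++;
      let end = start;
      while (end < lines.length && isTableRow(lines[end])) end++;

      // A table needs at least a header row and a delimiter row.
      if (end - start >= 2) {
        out.push(
          '<details>',
          `<summary>${escapeHtml(title)}</summary>`,
          '', // blank lines so the table is still parsed as Markdown
          ...lines.slice(start, end),
          '',
          '</details>'
        );
        i = end;
        continue;
      }
    }

    out.push(line);
    i++;
  }
  return out.join('\n');
}

// Constructed sample input, not a real integration README.
const SAMPLE_README = [
  '# Constructed integration README',
  '',
  'Collects logs from a sample service.',
  '',
  '**Exported fields**',
  '',
  '| Field | Description | Type |',
  '|---|---|---|',
  '| @timestamp | Event timestamp. | date |',
  '| host.name | Name of the host. | keyword |',
  '',
  '**Exported fields <beta> & metrics**',
  '',
  '| Field | Type |',
  '|---|---|',
  '| system.cpu.pct | float |',
  '',
  '**Exported fields**',
  '',
  'No table follows this title, so it is left alone.',
].join('\n');

console.log(wrapCollapsibleSections(SAMPLE_README));
```

Because the README files stay unchanged, older Kibana versions keep rendering plain Markdown, which is the compatibility constraint the description gives.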
## Summary
This PR makes the following fields available as advanced policy options
in Elastic Defend.
* `windows.advanced.events.security.provider_etw`
## Release Note
{elastic-defend} Adds advanced policy options that let users enable or
disable the Microsoft-Windows-Security-Auditing ETW provider for
security events collection.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## 📓 Summary
Given the setting introduced in [#221286 [ML] AIOps: Adds ability to
disable AIOps features in
Kibana](https://github.com/elastic/kibana/pull/221286), this adds the
expected configuration value to disable all the AIOPS features for
`logs_essentials` projects.
**Addresses:** https://github.com/elastic/kibana/issues/202078
**Resolves:** https://github.com/elastic/kibana/issues/166215
## Summary
This PR actualizes prebuilt rule upgrade test plans to correspond to the current feature state.
## Details
The changes are summarized in the following items
- Missing scenarios were added
- https://github.com/elastic/kibana/issues/166215 was addressed
- The wording was fixed to make the test scenarios shorter and focused
- Prebuilt Rules Customization Milestone 2 test scenarios were migrated to a separate test plan `prebuilt_rule_json_diff.md`. The functionality is still relevant and used for rule type changes and under low-tier licenses.
Fixes some issues introduced by
https://github.com/elastic/kibana/pull/217865
## Summary
While testing something in Serverless, we realized that the Console
copy/cut/paste commands weren't working as expected: cut wasn't working
and pasting something from outside Kibana behaved weirdly. Those changes
were introduced in https://github.com/elastic/kibana/pull/217865.
This PR fixes it by:
* Uncomment commented line (probably by mistake), allowing cut.
* Deletes the keybindings lines, allowing them to be native to the
user's OS.
* Removes the trick done to set the position when copying. This glitch was
caused by the keybindings; letting them default to the OS fixes it.
Note: You may need to do `yarn kbn clean && yarn kbn bootstrap` before
starting the dev server to see the changes.
Closes #224081
This PR enables Traces in Discover by default. There's no longer a need
to enable trace related profiles in the yml configuration, it will work
out of the box.
Depends on https://github.com/elastic/kibana/pull/221610
This PR adds the import index workflow to privileged user monitoring and
API changes required to support it.
### API Enhancements
* **New API for privilege monitoring index creation**: Added a new API
endpoint (`PUT /api/entity_analytics/monitoring/privileges/indices`) to
create indices for privilege monitoring with support for `standard` and
`lookup` modes. This includes the implementation of request and response
schemas (`create_indidex.gen.ts`, `create_indidex.schema.yaml`).
* **Updated privilege monitoring health response**: Modified the health
response schema to include a `status` field and an optional `error`
object for detailed error handling
(`privilege_monitoring/health.gen.ts`,
`privilege_monitoring/health.schema.yaml`).
### Frontend Integration
* Introduce the create index modal that opens when the create index
button is clicked.
* **Onboarding modal improvements**: Updated the `AddDataSourcePanel`
component to handle index creation more robustly by passing callbacks to
the modal (`add_data_source.tsx`).
* **Error handling in UI**: Enhanced the `PrivilegedUserMonitoring`
component to display error callouts when privilege monitoring data fails
to load (`privileged_user_monitoring/index.tsx`).
### How to test it?
* Go to the priv mon page with an empty cluster
* Click on the data source by the index button
* Search for available indices, it should return indices with
`user.name.keyword` fields
* Click 'create index' and create a new index
* Choose the created index and click 'Add privileged users'
* You should be redirected to the dashboard (The API is currently not
working)
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Implements #213020
Partially implements filter bar seen with #213015
This PR adds a callout on the alert details page to encourage users to
visit the related alerts page when at least one alert was triggered
within 30 minutes of the current alert. If no alerts were triggered, the
message remains without a call to action.
https://github.com/user-attachments/assets/23b2d3e9-353b-45e1-a007-d188db5617fc
## Testing
The related alert query usually finds alerts that were raised within a
day of each other. To find alerts that were raised within a few minutes,
try creating an SLO with a chosen groupBy field that will easily violate
a burn rate rule. Alerts should be triggered for each instance within
seconds. Once the filter is executed, these alerts should appear without
alerts that were triggered earlier in the day.
## Summary
Part of https://github.com/elastic/kibana-team/issues/1503
This PR adds `kbn/cypress-test-helper` as platform shared package to
replace invalid imports from private `security-solution` plugin in
platform shared plugin `osquery`.
The reason is that we are **currently blocked with x-pack relocation due
to circular dependency**, e.g. in
https://github.com/elastic/kibana/pull/223897
```
info starting [tsc] > node_modules/typescript/bin/tsc -b tsconfig.refs.json --pretty
--
| 2025-06-13 13:17:30 UTC | proc [tsc] error TS6202: Project references may not form a circular graph. Cycle detected: /opt/buildkite-agent/builds/bk-agent-prod-gcp-1749820368903967112/elastic/kibana-pull-request/kibana/tsconfig.refs.json
| 2025-06-13 13:17:30 UTC | proc [tsc] /opt/buildkite-agent/builds/bk-agent-prod-gcp-1749820368903967112/elastic/kibana-pull-request/kibana/x-pack/platform/plugins/shared/osquery/cypress/tsconfig.type_check.json
| 2025-06-13 13:17:30 UTC | proc [tsc] /opt/buildkite-agent/builds/bk-agent-prod-gcp-1749820368903967112/elastic/kibana-pull-request/kibana/x-pack/test_serverless/tsconfig.type_check.json
| 2025-06-13 13:17:30 UTC | proc [tsc] /opt/buildkite-agent/builds/bk-agent-prod-gcp-1749820368903967112/elastic/kibana-pull-request/kibana/x-pack/solutions/security/test/tsconfig.type_check.json
| 2025-06-13 13:17:30 UTC | proc [tsc] /opt/buildkite-agent/builds/bk-agent-prod-gcp-1749820368903967112/elastic/kibana-pull-request/kibana/x-pack/test/security_solution_endpoint/tsconfig.type_check.json
```
**Important:**
This PR focuses only on replacing test helpers imports from
`@kbn/security-solution-plugin` and `@kbn/test-suites-xpack` in
`osquery` plugin, no code cleanup and updates in other plugins / test
packages.
We expect code owners to update other imports / refactor package to
avoid code duplication
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## Summary
### What is included?
* Improves the auth dashboard to display system events
* Add data view index patterns as visualisations index
* Move ESQL query generation to a shared folder
* Parse ESQL query and validate if fields exist in the dataview
* Rewrite the ESQL query if a FORK command has missing fields
* Add a visualisation warning message when there is no valid FORK branch

### Pros
* To be able to render parts of the query depending on whether indices
or fields exist in the cluster
* The queries become much easier to read, maintain and fix
### Cons
* We need to test the performance
* FORK is in tech preview
* The commands we can use in a fork are limited to “WHERE, LIMIT, SORT,
EVAL, STATS, DISSECT”
### How to test it?
* Open the dashboard without privmon data, some of the visualisations
should display the warning message
* Add privmon data, the visualisation should display the data
(https://github.com/elastic/security-documents-generator/pull/163)
* Check if the visualisation displays the correct data.
* To test if the FORK rewrite logic is working, I update the queries on
my local environment to use a non-existent field and update the page.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
Objective: avoid exposing the entire API surface area of `HttpService`
(and its internal preboot/setup/start contracts) to test code outside
core.
* Refactor the `createHttpService -> createInternalHttpService` mock
test helper moved to scoped folder
`./src/core/server/integration_tests/utilities`
* Create an "integration test ready" version of the original
`createHttpService` for plugins to use from
`@kbn/core-http-server-mocks`
* Clean up some types
* Refactor the 2 plugin test usages of the internal `HttpService`
### Notes
* We have been exposing this surface area already in
`src/core/packages/http/server-mocks/src/http_service.mock.ts`. But it
seems to not have adoption outside Core code... I wonder if we need a
concept of `mock-internal`?
* I don't think this is a **massive** issue, I just happened to realise
this when [messing
around](https://github.com/elastic/kibana/pull/222956) with an
`HttpService` related refactor. Would be nice to not leak more
information about internal code than necessary (it's clearly too late
for that, but maybe we can improve the situation for HttpService a bit).
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
When checking the Overview cluster, I noticed that we previously had
`labels.error_type` in APM. In this PR, I changed the label that I've
added in the following PRs for fatal react errors and toast errors to
use `labels.error_type` instead of `labels.errorType` for consistency.
- Toast error: https://github.com/elastic/kibana/pull/217948
- Fatal react error: https://github.com/elastic/kibana/pull/218846
## Summary
Prior to this change, with data view manager feature flag enabled, we
would only see the "expand" cell action in the alerts. Now,
all the actions should be visible. This was because cell actions
rendering was unintentionally omitted in the initial batch of changes
that added data view sourcing from the new store / hooks.
fixes https://github.com/elastic/security-team/issues/12853
### Testing
```
xpack.securitySolution.enableExperimental: ['newDataViewPickerEnabled']
```
then navigate to alerts page, hovering on timeline cell for example
should render full set of hover actions.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Filters were applied but not listed in the timeline, again - some mismatch
in how the data view object was passed around.
## Testing
Set the feature flag:
```
xpack.securitySolution.enableExperimental: ['newDataViewPickerEnabled']
```
Then, adding a filter via cell action should render the correct pill in
the top level filters pane.
### Checklist
Check the PR satisfies following conditions.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Summary
Recently, an alarm was fired in the Kibana Serverless Slack Channel due
to a problem with Data Usage. Issue explanation:
> Kibana's data_usage plugin allows collecting misc stats about Kibana
usage.
> The browser side performs requests to /internal/api/data_usage/*,
providing stats related to the user interaction with the UI.
> Recently, in an internal customer project, on production, one of these
requests (POST /internal/api/data_usage/metrics) contained a payload
that was deemed invalid by the server-side validation logic.
>
> The handler on that endpoint logged an error message.
> This error message was spotted by a Rule.
> Consequently, the rule fired an alert in our Slack channel.
>
> We shouldn't have invalid payloads coming from browser side, so unless
someone intentionally tampered with the HTTP request, this indicates a
bug in our browser-side logic.
> Customer Impact: This was an isolated error on an internal project,
but other folks within Elastic have spotted the same error message in
their projects. Due to that error, we might be missing a few data_usage
metrics.
The issue was caused because the plugin validation was waiting for an
array for the data property, but the payload from the API was returning
`null`. The validation was incorrect on the Kibana side since only
[name](https://github.com/elastic/autoops-services/blob/master/monitoring/service/specs/serverless_project_metrics_api.yaml#L189)
is mandatory.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This PR is for a feature branch that is being merged into main.
The relevant PRs are:
- https://github.com/elastic/kibana/pull/219211
- https://github.com/elastic/kibana/pull/222820
- https://github.com/elastic/kibana/pull/223241
- https://github.com/elastic/kibana/pull/224388
- https://github.com/elastic/kibana/pull/224682
## Summary
This PR adds 4 new indexes with case analytics data, which are created
when the cases plugin starts.
- `.internal.cases`
- `.internal.cases-comments`
- `.internal.cases-attachments`
- `.internal.cases-activity`
After the indexes are created, a backfill task for each of them is
scheduled to run 1 minute after creation. This task populates the
indexes with relevant data from `.kibana_alerting_cases`.
A second type of task is registered, the index synchronization task.
Four of these tasks, one for each index, are scheduled to run every 5
minutes. The synchronization tasks populate the indexes with data from
`.kibana_alerting_cases` that was created or updated in the last five
minutes.
## How to test
You might want to start Kibana with `--verbose` to see relevant index
messages in the console.
Alternatively (what I normally do), go to `analytics_index.ts`,
`backfill_task_runner.ts`, and `synchronization_task_runner.ts`, and
change the `logDebug` function to call `this.logger.info` instead. This
way, you will have less spam in the console.
Every log message starts with the index name between square brackets, so
you can look for `[.internal.cases-` and follow what is happening.
1. You should have some existing case data, so before anything else,
please create some activity, attachments, etc.
2. Add `xpack.cases.analytics.index.enabled: true` to `kibana.dev.yml`
and restart Kibana.
3. Check out [this
branch](https://github.com/elastic/elasticsearch/pull/129414) from the
ES project.
4. Start Elasticsearch with `yarn es source`. This will use the above
version of Elasticsearch.
5. Wait a bit for the indexes to be created and populated (backfilled).
6. Using the dev tools:
- Confirm the indexes exist.
- Check the index mapping. Does it match the one in the code? Is the
`_meta` field correct?
-
`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/mappings.ts`
- Check that the painless scripts match the code.
-
`x-pack/platform/plugins/shared/cases/server/cases_analytics/******_index/painless_scripts.ts`
- Confirm your existing case data is in the indexes. (See **Queries**
section below.)
7. Play around with cases. Some examples:
- Create a case
- Change status/severity
- Attach alerts
- Add files
- Change category/tags
- Add comments
- etc
8. Go to the dev tools again and confirm all this shows up in the
relevant indexes. (See **Queries** section below.)
## Queries
In addition to the ones below, I have a few more. Things like reindexing
with specific scripts or fetching relevant data from
`.kibana_alerting_cases`. Ping me if you want those queries.
### Checking index content
```
GET /.internal.cases/_search
GET /.internal.cases-comments/_search
GET /.internal.cases-attachments/_search
GET /.internal.cases-activity/_search
```
### Checking index mappings
```
GET /.internal.cases
GET /.internal.cases-comments
GET /.internal.cases-attachments
GET /.internal.cases-activity
```
### Fetching the painless scripts
```
GET /_scripts/cai_cases_script_1
GET /_scripts/cai_attachments_script_1
GET /_scripts/cai_comments_script_1
GET /_scripts/cai_activity_script_1
```
### Emptying the indexes
It is sometimes useful for testing.
```
POST /.internal.cases/_delete_by_query
POST /.internal.cases-comments/_delete_by_query
POST /.internal.cases-attachments/_delete_by_query
POST /.internal.cases-activity/_delete_by_query
```
### Deleting the indexes
It is sometimes useful for testing.
```
DELETE /.internal.cases
DELETE /.internal.cases-comments
DELETE /.internal.cases-attachments
DELETE /.internal.cases-activity
```
## Release notes
Four dedicated case analytics indexes were created, allowing users to
build dashboards and metrics over case data. These indexes are created
on Kibana startup and updated periodically with cases, comments,
attachments, and activity data.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Christos Nasikas <christos.nasikas@elastic.co>
## Summary
Issue reported by users that some unenrolled agents on the UI are not
being deleted by the background task.
The cause turned out to be a discrepancy in how unenrolled agents are
determined on the UI versus the background task.
The UI shows agents as unenrolled if `active:false` field matches (logic
[here](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/fleet/server/services/agents/build_status_runtime_field.ts#L115-L119))
The delete unenrolled agents task also queried on the existence of
`unenrolled_at` field.
It seems some agents don't have this field set, those should be deleted
too.
Integrating latest translations extracted from main branch.
Skipping backports from main to target branches since the `i18n_check`
might trim unused translations that are still used in different
branches. Integration script is ran against each target branch
separately.
## Summary
This PR customized Discover's Security Root Profile with 3 new changes.
\
With this change Discover's Security profile ceases to be
`experimental`. Below are the changes listed one in this profile.
>[!Note]
> This change also removes the Flyout changes that were added for
security solution to the Discover's security profile.
### Row Indicators.
Adds row indicators based on Alert or an event as shown in the
screenshot below. Note the highlights on the left of the row.
`Yellow` for Alerts.
`Gray` for Events.

### Default list of Columns.
Adds the list of default columns that should appear when security
profile is activated.

### Explore in Security Flyout.
As shown in the demo below, this action explores an event or an alert in
security solution as shown in the screenshot below.
https://github.com/user-attachments/assets/4c228bb1-60af-433b-8e8f-1a5d4d049985
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Davis McPhee <davis.mcphee@elastic.co>
## Summary
This PR fixes some code paths/requests for calculating Duration
histograms and Trace summaries to account for unprocessed OTEL data. It
isn't the nicest way of doing things, because deep in APM, there is of
course an assumption that data is being dealt with in ECS format.
Probably longer term, this should be refactored, but this at least adds
in support for unprocessed OTEL for the duration widget.

Related to #221521
## How to test
* Add the following to your `kibana.dev.yml` file:
```yaml
discover.experimental.enabledProfiles:
- observability-traces-data-source-profile
- observability-traces-transaction-document-profile
- observability-traces-span-document-profile
```
* Set up a source of unprocessed OTEL data to feed into ES (Open
telemetry demo, etc)
* Set your space to Observability mode, and go to Discover.
* Query for `traces-*` and open any record for the document viewer
* The Span Overview waterfall should show the duration histogram that
matches the document's formatted duration in the Table/JSON tabs, as well
as the trace summary information (trace id & span name)
---------
Co-authored-by: Milosz Marcinkowski <38698566+miloszmarcinkowski@users.noreply.github.com>
Closes: https://github.com/elastic/kibana/issues/220954
`fleet/remote_synced_integrations/<output-id>/remote_status` includes
non-http request errors in the error field of the status response for
improved client handling.
## Summary
Resolves #222051.
This PR makes a richer empty state UX for the Investigation Guide
feature we added to the Alert Details page.
Before, when a rule did not have an investigation guide, the tab on the
alert details page dedicated to the feature was disabled. Now, the tab
is always enabled. When an investigation guide is present on a rule, a
badge will display to indicate the tab contains content.
If the user clicks into the tab when the rule does not have an
investigation guide, they will see an empty state with a call to action
to create a guide. If the user decides to click the empty state button,
it will open the Rule Edit flyout. I have added additional functionality
that allows the flyout to take an `initialStep` prop, so we pre-set the
flyout to the `Details` step which contains the text field the user can
use to create their guide.
The copy, iconography, and layout of the tab heading are all in draft
state pending some design feedback. I will also add some tests to the
code that I have added.

## Reviewing this PR
_Note to technical writers:_ You can see the copy added for the empty
state
[here](https://github.com/elastic/kibana/pull/223974/files#diff-71b439414e4974e2decb0f25c136f52ccea4b49ebe393af68dfc5fd184d56e1cR37).
Here's a screenshot as well:
<img width="375" alt="image"
src="https://github.com/user-attachments/assets/491d87ac-b473-484e-82cd-45a1bd197c61"
/>
### Technical review
1. Create a rule that will generate alerts; _do not_ define an
Investigation Guide for it
1. Trigger an alert, and go to the details page
1. You should see the Investigation guide tab is available, whereas on
`main` it would be disabled
1. Open the Investigation Guide tab, you should see the empty state with
its CTA
1. Click this button, the rule flyout should open in Edit mode, and the
Details step should be pre-selected
1. Define an investigation guide, this can be any text. Save the rule.
1. Once you have saved the rule you should see the rule data update in
the page. The empty state will be gone and the investigation guide you
defined will be there instead.
## Summary 🌷
Resolves https://github.com/elastic/observability-dev/issues/4568
### Test Now flyout
Checked this by throwing an error within the flyout:
<img width="1584" alt="image"
src="https://github.com/user-attachments/assets/d8cfe96e-8b1b-4c28-819e-82411b5f20af"
/>
### Monitor detail flyout
In the case of this flyout, IMO, we should not use an error boundary. We
are receiving an error that has been caught and placed into the plugin's
Redux store, and then selecting that as part of the render procedure of
this component. Thus, we should display it using `EuiCallout`, which is
the recommended course per [the
docs](https://eui.elastic.co/docs/patterns/error-messages/error-banners/).
Example implementation below:
_note:_ all the copy here is placeholder and we should run it by our
tech writers.
<img width="607" alt="image"
src="https://github.com/user-attachments/assets/ef60258e-e50e-4fa7-adc5-b77469ddc0fb"
/>
We should not use an error boundary, as they are there specifically to
handle unforeseen errors that we can't account for at development time.
In this case, we have already caught the error and persisted it in app
state, so I don't think it's appropriate to display it in an error
boundary as the runtime is still progressing and is not broken.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Fixes tab selection issue when user opens alert details page from
"Related alerts" tab. In this case, "Overview" tab should be selected by
default. In other cases, tab Id passed from URL should be used otherwise
default to "Overview".
## Summary
- Adds configuration for the product intercept in `oblt`, `es` and
`security` serverless offerings, alongside stateful offering too. The
configuration provided sets the intercept to display every 90 days, this
is configurable through the config `xpack.product_intercept.interval`.
The intercept can also be turned off through the config
`xpack.product_intercept.enabled`
- Also tweaks prompter timer implementation to accommodate inherent
[issue with long timer
delays](https://developer.mozilla.org/en-US/docs/Web/API/Window/setTimeout#maximum_delay_value)
in the browser
- Adjusts the signature of the `registerIntercept` method, such that a
deferred value to be evaluated when the intercept is to be displayed is
passed. This unlocks the ability to have consumers provide dynamically
imported modules that provide the config for the intercept, see
0e07892217
for an example.
### How to test
- Add the following config to your `kibana.dev.yml` file;
```yml
xpack.product_intercept.enabled: true
# we set the interval to 30s so the long wait period to display the
# intercept is bearable
xpack.product_intercept.interval: '30s'
```
- Start kibana in stateful, and serverless mode, in either scenario you
should be presented the product intercept, with the intercept
specifically stating the current product the user is interacting with.
See below for an example of observability solution;
https://github.com/user-attachments/assets/6ca6baf2-58d3-4002-ac94-ec6e9a0902ae
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Resolves https://github.com/elastic/kibana/issues/222104
## Summary
Adds optional flag when registering a rule type for "dangerously
creating alerts in all spaces". If a rule type opts into this flag,
alerts created during rule execution will persist the `kibana.space_ids`
field as `"*"` instead of the space ID of the rule. Note that we store
`kibana.space_ids` as a string array, so the final alert document will
have
```
'kibana.space_ids': ['*']
```
This PR just adds the flag and updates the code to respect the flag. It
does not opt any rule types into using it. You can look at the
functional tests to see example test rule types that use it.
Because the streams rule type that we expect to be the first user of
this flag uses the `persistenceRuleTypeWrapper` in the rule registry for
writing alerts, we also had to update the rule registry code.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Addresses a bug with the `ConnectorTokenClient` when using the
`UnsecuredActionClient` to execute actions directly (vs enqueuing a task
for execution). We previously passed in an internal saved objects repository
(that doesn't require a user request) to the `ConnectorTokenClient` when
using the `UnsecuredActionsClient` but this does not create the
`connector_token` saved object correctly so the next time it's read, we
get a `Failed to decrypt attribute` error.
This only occurs when using the `sendAttachmentEmail` with the MS
Exchange connector function added in this PR:
https://github.com/elastic/kibana/pull/219164. It does not affect the
other email service methods.
## To Verify
1. Ask me for MS Exchange credentials
2. Add this to your Kibana config:
```
xpack.actions.preconfigured:
  test-exchange-email:
    name: preconfigured-exchange-email
    actionTypeId: .email
    config:
      service: exchange_server
      clientId: <clientId>
      tenantId: <tenantId>
      from: <from>
    secrets:
      clientSecret: <secret>
notifications.connectors.default.email: test-exchange-email
```
3. Make this change to the code so Kibana sends 2 emails when it starts
up:
```
--- a/x-pack/platform/plugins/shared/notifications/server/plugin.ts
+++ b/x-pack/platform/plugins/shared/notifications/server/plugin.ts
@@ -40,6 +40,27 @@ export class NotificationsPlugin
public start(_core: CoreStart, plugins: NotificationsServerStartDependencies) {
const emailStartContract = this.emailServiceProvider.start(plugins);
+ const emailService = emailStartContract.getEmailService();
+ emailService
+ .sendAttachmentEmail({
+ to: ['<email>'],
+ subject: 'yo',
+ message: 'i am here',
+ attachments: [],
+ spaceId: 'default',
+ })
+ .then(() => {
+ new Promise((resolve) => setTimeout(resolve, 5000)).then(() => {
+ emailService.sendAttachmentEmail({
+ to: ['<email>'],
+ subject: 'yo',
+ message: 'i am here again',
+ attachments: [],
+ spaceId: 'default',
+ });
+ });
+ });
+
return {
```
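Review bot: neither `sendAttachmentEmail` call in the added block has a rejection handler, and the second call's promise is not returned from the inner `.then`, so a failure (including the `Failed to decrypt attribute` error this step is meant to surface) would appear only as an unhandled rejection. Adding a `.catch` that logs the error on the chain, and returning the inner `sendAttachmentEmail` promise, would make the check in step 4 reliable. The startup send with the `'<email>'` placeholder recipient is verification scaffolding and should not end up in the committed `plugin.ts`.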
4. Verify there are no decryption errors for the `connector_token` SO
logged and that the emails are sent successfully.
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This is a farewell PR to Cases. Probably my last PR to the cases
codebase. It was quite a journey, and I learned a lot. I hope the best
for the feature of Cases.
## Decisions
Just before Cases was forbidden to do migrations, we did a last
migration to all cases to persist `total_alerts: -1` and
`total_comments: -1`. We did that so that in the future, when we would
want to populate the fields, we would know which cases have their fields
populated and which do not. In this PR, due to time constraints and
criticality of the feature, I took the following decisions:
- Cases return from their APIs the total comments and alerts of each
case. They do that by doing an aggregation, getting the counts, and
merging them with the response. I did not change that behavior. In
following PRs, it can be optimized and fetch the stats only for cases
that do not yet have their stats populated (cases with -1 in the counts)
- When a case is created, the counts are zero.
- When a comment or alert is added, I do an aggregation to get the stats
(total alerts and comments) of the current case, and then update the
counters with the number of the newly created attachments. The case is
updated without version checks. In race conditions, where an attachment
is being added before updating the case, the numbers could be off. This
is a deliberate choice. It can be fixed later with retries and version
concurrency control.
- The case service will continue to not return the `total_alerts` and
`total_comments`.
- The case service will accept the `total_alerts` and `total_comments`
attributes to be able to set them.
Fixes: https://github.com/elastic/kibana/issues/217636
cc @michaelolo24
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [papaparse](https://www.papaparse.com/) ([source](https://redirect.github.com/mholt/PapaParse)) | dependencies | patch | [`^5.5.2` -> `^5.5.3`](https://renovatebot.com/diffs/npm/papaparse/5.5.2/5.5.3) |
---
### Release Notes
<details>
<summary>mholt/PapaParse (papaparse)</summary>
### [`v5.5.3`](e3c7b2628c...a4f8b0f1e3)
[Compare Source](e3c7b2628c...a4f8b0f1e3)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).
Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com>
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
## Rule gaps callout
### Summary
This PR introduces a new callout on the **Rules** page and improves the
**Gaps** panel with clearer metrics and filtering logic to enhance the
user experience when managing gap filling.
---
### Key Changes
1. **Rules Page – Callout for Recent Gaps**
- A dismissible callout is displayed if there are any unfilled gaps in
the **last 24 hours**.
- The callout includes:
- A link to the Gaps dashboard.
- A link to relevant documentation.
- Once dismissed, the callout won’t reappear for 24 hours **unless** new
gaps are detected during that time.
2. **Gaps Panel – Rule Count Display**
- Displays two separate counts:
- The **number of rules with unfilled gaps**.
- The **number of rules currently in progress** (gaps are being filled).
- Provides users with a quick overview of the current gap state.
3. **Filtering Logic**
- The filter now only shows **rules with unfilled gaps that can still be
filled**.
- Example: If 5 rules had unfilled gaps and filling started for 3, the
filtered list will only show the remaining 2.
**Note**: we don't immediately update the number of rules with gaps
"in-progress", because gap updates are async and can happen after the bulk
request is finished.
https://github.com/user-attachments/assets/3c913129-16c3-449a-9847-a01e2657e9aa
### How to test
Enable FF `storeGapsInEventLogEnabled`.
[Use this tool to create a lot of rules with/without
gaps](https://github.com/elastic/security-documents-generator)
```
// will create 100 without gaps, and 5 minute interval
yarn start rules --rules 100 -g 0 -c -i "5m" -f 1
```
Alternatively you can create a rule with a small interval (1m) and
lookback time (1s). Enable the rule, wait for completion and then disable it.
Wait 5m (> 4x interval). Then enable it and the rule should fail and
generate a gap.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
- Moved `search_navigation` to `plugins` root
- `search_navigation` being inside the search_solution folder was a
precursor to the solutions/search migration. The introduction of the
solutions/search folder made the search_solution folder redundant,
therefore this migrates the search_navigation plugin up with all the
other search plugins.
- Moved the base classic nav items list to the search_navigation plugin.
The classic nav items are now a static list and can be served from the
search_navigation plugin instead of being shared from
`enterprise_search`. This is mainly a devx improvement to allow all
search related navigation changes to eventually be maintained in the
search navigation plugin.
### Checklist
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
Changes are in support of space awareness:
- Updated response action service utility for retrieving action requests
(list) so that response actions with a tag of
`INTEGRATION-POLICY-DELETED` will be returned when in a space that
matches the space defined in the `ORPHAN-RESPONSE-ACTIONS-SPACE` ref.
data key
- Updated response action service utility that retrieves a single action
to allow returning an action request with tag
`INTEGRATION-POLICY-DELETED` if the active space matches the space
defined in `ORPHAN-RESPONSE-ACTIONS-SPACE` ref. data key
- `ensureActionRequestsIndexIsConfigured()` was adjusted to be more
robust at checking index for missing mappings
## Summary
This PR changes the "soft delete" mechanism in the CSV upload to use
scripted updates.
There were 2 main reasons for this:
1. We need to check if a privileged user has been added from some other
data source
In this case, not including the user in the CSV upload shouldn't delete
it, instead only remove the `"csv"` source label.
2. The soft delete needs to take into account the full list of users
being uploaded, and not only the current batch
This means we need to collapse the stream first and then run the soft
delete logic. Doing this allows the soft delete to search the Privmon
index for all users not included in the full csv file
## How to test
#### Prerequisite
Make sure you have a CSV file with usernames
Check
[here](https://gist.github.com/tiansivive/0be2f09e1bb380fdde6609a131e929ed)
for a little helper script
Create a few copies where some of the users are deleted, in order to
test soft delete.
Make sure to create files that are over the batch size (`100`) or change
the batch size in the code.
1. Start up kibana and ES
2. Navigate to Security > Entity Analytics > Privilege User Monitoring
3. Select the `File` option to add data
4. Add one of the CSV files to the open modal and upload
5. Repeat but now upload one of the files with the omitted users
Alternatively, testing only the backend is possible by directly
hitting the API with curl
```sh
curl -u elastic:changeme \
-X POST "http://localhost:5601/api/entity_analytics/monitoring/users/_csv" \
-H "kbn-xsrf: true" \
-F "file=@test.csv;type=text/csv"
```
#### Verifying
Easiest way is to use the dev tools to `_search` the privmon users index
with:
```
GET .entity_analytics.monitoring.users-default/_search
```
Look for number of hits and/or use `query` to search for omitted users
like:
```json
{
"query": {
"bool": {
"must": [
{ "term": { "labels.monitoring.privileged_users": "deleted" } }
]
}
}
}
```
Verify that the `"deleted"` users are _only_ the ones missing from the
last uploaded file.
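The two reasons given above for the soft-delete change, sketched as an added example (not code from this PR): it compares soft delete evaluated per batch with soft delete evaluated once over the collapsed upload. The `sources` and `deleted` fields, the function names, the batch size of 2 and all sample users are assumptions made for the example.

```javascript
// Added illustration, not Kibana code. Field and function names are hypothetical.

// Constructed index state before the upload: who is monitored and which
// data sources currently vouch for them.
const INDEX = [
  { name: 'alice', sources: ['csv'], deleted: false },
  { name: 'bob', sources: ['csv', 'api'], deleted: false },
  { name: 'carol', sources: ['csv'], deleted: false },
  { name: 'dave', sources: ['api'], deleted: false },
];

// Constructed upload: bob and carol are omitted, erin and frank are new.
const CSV = ['alice', 'erin', 'frank'];

// Copy the index into a Map so each strategy works on its own state.
function loadState(index) {
  return new Map(index.map((u) => [u.name, { ...u, sources: [...u.sources] }]));
}

// Split the uploaded names into fixed-size batches, as a streamed upload would.
function toBatches(names, size) {
  const out = [];
  for (let i = 0; i < names.length; i += size) out.push(names.slice(i, i + size));
  return out;
}

// Add or refresh the "csv" source label for every uploaded user.
function upsert(state, names) {
  for (const name of names) {
    const user = state.get(name) || { name, sources: [], deleted: false };
    if (!user.sources.includes('csv')) user.sources.push('csv');
    user.deleted = false;
    state.set(name, user);
  }
}

// Remove the "csv" label from users absent from `keep`; mark a user deleted
// only when no other source remains.
function softDelete(state, keep) {
  for (const user of state.values()) {
    if (!user.sources.includes('csv') || keep.has(user.name)) continue;
    user.sources = user.sources.filter((s) => s !== 'csv');
    if (user.sources.length === 0) user.deleted = true;
  }
}

// Flawed ordering: each batch soft-deletes everyone it does not contain,
// including users that arrived in other batches of the same file.
function perBatch(index, csvNames, batchSize) {
  const state = loadState(index);
  for (const batch of toBatches(csvNames, batchSize)) {
    upsert(state, batch);
    softDelete(state, new Set(batch));
  }
  return state;
}

// Ordering described in the PR: collapse the stream first, then run the
// soft delete once against the full list of uploaded users.
function afterCollapse(index, csvNames, batchSize) {
  const state = loadState(index);
  const all = new Set();
  for (const batch of toBatches(csvNames, batchSize)) {
    upsert(state, batch);
    for (const name of batch) all.add(name);
  }
  softDelete(state, all);
  return state;
}

// Sorted names of users currently marked deleted.
function deletedNames(state) {
  return [...state.values()].filter((u) => u.deleted).map((u) => u.name).sort();
}

console.log('per batch     :', deletedNames(perBatch(INDEX, CSV, 2)));
console.log('after collapse:', deletedNames(afterCollapse(INDEX, CSV, 2)));
```

With the per-batch ordering, users present in the file but in an earlier batch end up deleted; after collapsing, only `carol` is deleted and `bob` keeps the `api` source.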
## Summary
This PR introduces Fleet’s agent space awareness to the Osquery plugin.
The primary goal is to ensure that agents, policies, packs, and queries
remain isolated to their respective Kibana spaces. Specifically:
1. Agents enrolled in policy A (belonging to Space A) are not accessible
from Space B—live queries cannot be performed on them from other spaces.
2. Packs created in Space A are not visible in Space B.
3. Saved queries created in Space A are not visible in Space B.
4. Agent policies, agents, and space-exclusive operating systems from
Space A are not visible from Space B.
5. Live query history is only visible in a space if it includes agents
from that space.
## Implementation Details
- All usages of the Saved Object Client have been updated to use the
space-aware SO client, ensuring queries only return results from the
current space.
- When creating live queries, we now add a `space_id` field to
`.logs-osquery_manager.actions-default` documents. This field stores the
integration policy (osquery_manager) IDs of the agents involved in each
query.
- When reading live queries, searches are filtered to include only
documents with `policy_ids` that are present in the current space.
This ensures strict separation of Osquery data and actions across
different spaces.
## Feature Flag Considerations
At this stage, we believe no feature flag or gating is necessary. In all
cases, we default to the `default` space ID. We have tested these
changes with the feature flag turned off and observed the following:
| Scenario | Result |
|------------------------------------------------------|:-----------:|
| Agents and policies are visible in the Live query UI | ✅ |
| Users can query different agents/policies | ✅ |
| Live queries are saved in the live query history | ✅ |
| Users can create both packs and saved queries | ✅ |
| Users can run packs and saved queries | ✅ |
| Users can enable packs for interval execution | ✅ |
Based on these results, we conclude that this PR can be safely merged
without enabling the feature flag, as it does not impact current
operations.
**The index mappings for `.logs-osquery_manager.actions-default` will be
updated to introduce the `policy_ids` field. This field will also be
populated when actions are created. This change is fully backward
compatible and does not introduce any breaking changes.**
### Enable feature flags
```yaml
xpack.securitySolution.enableExperimental:
- endpointManagementSpaceAwarenessEnabled
xpack.fleet.enableExperimental:
- useSpaceAwareness
```
### Switch Fleet to Space aware
```http request
POST /internal/fleet/enable_space_awareness
Elastic-Api-Version: 1,
```
## Manual Test Cases for Space Awareness (Feature Enabled)
### Setup
- **Space A:** Policies `PolicyA1`, `PolicyA2`, `PolicyAB` (each with an
enrolled agent)
- **Space B:** Policies `PolicyB1`, `PolicyB2`, `PolicyAB` (each with an
enrolled agent)
- `PolicyAB` is present in both spaces
---
### 1. Agent Visibility
| Test Step | Expected Result | Pass |
|---------------------------------------------------------------------------|------------------------------------------------------|----------|
| In Space A, view the list of agents and policies | Only agents for `PolicyA1`, `PolicyA2`, `PolicyAB` are visible | ✅ |
| In Space B, view the list of agents and policies | Only agents for `PolicyB1`, `PolicyB2`, `PolicyAB` are visible | ✅ |
| `PolicyAB`'s agents are visible in both spaces | Agents enrolled in `PolicyAB` are visible in both spaces | ✅ |
---
### 2. Live Query Permissions
| Test Step | Expected Result | Pass |
|---------------------------------------------------------------------------|------------------------------------------------------|----------|
| In Space A, attempt a live query on an agent from `PolicyB1` or `PolicyB2` | Agent is not available for selection/query | ✅ |
| In Space B, attempt a live query on an agent from `PolicyA1` or `PolicyA2` | Agent is not available for selection/query | ✅ |
| In either space, perform a live query on an agent from `PolicyAB` | Query is allowed and succeeds | ✅ |
| In Space A, attempt a live query on an agent from `PolicyA1` or `PolicyA2` | Query is allowed and succeeds | ✅ |
| In Space B, attempt a live query on an agent from `PolicyB1` or `PolicyB2` | Query is allowed and succeeds | ✅ |
---
### 3. Packs and Saved Queries
| Test Step | Expected Result | Pass |
|---------------------------------------------------------------------------|------------------------------------------------------|----------|
| In Space A, create a pack and a saved query | Only visible in Space A | ✅ |
| In Space B, create a pack and a saved query | Only visible in Space B | ✅ |
| In Space A, check for packs/queries created in Space B | Not visible | ✅ |
| In Space B, check for packs/queries created in Space A | Not visible | ✅ |
| In Space A, live query a pack that has Agent A and Agent AB. | In space B user doesn't see results from Agent A | ✅ |
---
### 4. Live Query History
| Test Step | Expected Result | Pass |
|---------------------------------------------------------------------------|------------------------------------------------------|----------|
| In Space A, view live query history | Only queries involving agents from Space A (including `PolicyAB`) are visible | ✅ |
| In Space B, view live query history | Only queries involving agents from Space B (including `PolicyAB`) are visible | ✅ |
---
### 5. Pack Execution
| Test Step | Expected Result | Pass |
|---------------------------------------------------------------------------|------------------------------------------------------|----------|
| In Space A, run a pack on agents from `PolicyA1`, `PolicyA2`, `PolicyAB` | Execution succeeds | ✅ |
| In Space B, run a pack on agents from `PolicyB1`, `PolicyB2`, `PolicyAB` | Execution succeeds | ✅ |
| Attempt to run a pack on an agent from another space | Not possible; agent not available for selection | ✅ |
---
### 6. Interval Execution of Packs
| Test Step | Expected Result | Pass |
|---------------------------------------------------------------------------|------------------------------------------------------|----------|
| In Space A, enable interval execution for a pack | Only agents/policies in Space A are affected | ✅ |
| In Space B, enable interval execution for a pack | Only agents/policies in Space B are affected | ✅ |
closes https://github.com/elastic/kibana/pull/222935
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
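The read-side filtering described under "Implementation Details" and exercised by the manual test tables, as an added sketch (not code from the Osquery plugin): it builds a `terms` filter on `policy_ids` for the current space and applies the same rule in memory to constructed documents. Function names, document shapes, space IDs and the handling of documents without `policy_ids` are assumptions of this example.

```javascript
// Added illustration, not code from the Kibana Osquery plugin. Function
// names, document shapes and sample data are constructed for this example.

// Constructed sample mirroring the manual test setup: PolicyAB is shared.
const SPACE_POLICIES = {
  'space-a': ['PolicyA1', 'PolicyA2', 'PolicyAB'],
  'space-b': ['PolicyB1', 'PolicyB2', 'PolicyAB'],
  'space-empty': [],
};

// Constructed live query action documents.
const ACTIONS = [
  { action_id: 'q1', policy_ids: ['PolicyA1'] },
  { action_id: 'q2', policy_ids: ['PolicyB2'] },
  { action_id: 'q3', policy_ids: ['PolicyA1', 'PolicyAB'] },
  { action_id: 'q4' }, // document written before the field existed
];

// Constructed per-agent results for action q3.
const RESULTS_Q3 = [
  { agent: 'agent-a1', policy_id: 'PolicyA1' },
  { agent: 'agent-ab', policy_id: 'PolicyAB' },
];

// Own-property lookup, so a space ID such as "__proto__" or "constructor"
// resolves to "no policies" instead of an inherited value.
function policiesForSpace(spacePolicies, spaceId) {
  return Object.prototype.hasOwnProperty.call(spacePolicies, spaceId)
    ? spacePolicies[spaceId]
    : [];
}

// Query DSL fragment for the history search. When the space has no policies
// the filter must match nothing; dropping the clause instead would return
// every space's history.
function buildHistoryFilter(spacePolicies, spaceId) {
  const ids = policiesForSpace(spacePolicies, spaceId);
  if (ids.length === 0) return { match_none: {} };
  return { bool: { filter: [{ terms: { policy_ids: ids } }] } };
}

// In-memory equivalent of the filter above. Documents without `policy_ids`
// are treated as not visible (a choice made for this example).
function visibleActions(actions, spacePolicies, spaceId) {
  const allowed = new Set(policiesForSpace(spacePolicies, spaceId));
  return actions.filter(
    (doc) => Array.isArray(doc.policy_ids) && doc.policy_ids.some((id) => allowed.has(id))
  );
}

// A shared action (q3) is visible in both spaces, but each space should only
// see the rows produced by agents whose policy belongs to that space.
function visibleResults(results, spacePolicies, spaceId) {
  const allowed = new Set(policiesForSpace(spacePolicies, spaceId));
  return results.filter((row) => allowed.has(row.policy_id));
}

for (const space of Object.keys(SPACE_POLICIES)) {
  const ids = visibleActions(ACTIONS, SPACE_POLICIES, space).map((a) => a.action_id);
  console.log(space, JSON.stringify(buildHistoryFilter(SPACE_POLICIES, space)), ids);
}
```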
> [!TIP]
> looks huge, but
> - 5,402 lines snapshot tests
> - 714 lines yaml files
## Summary
This PR adds a new feature version `siemV3` with the required role
migrations, in order to enable the new privilege
`global_artifact_management_all` for users where needed.
### What's in the PR?
- Required changes around security role migration from `siemV2` to
`siemV3`
- Improvements by parameterizing `siemV3` in lots of places, to ease
future role migrations by decreasing the occurrences that have to be
changed.
- A new function called `baseFeatureConfigModifier()` in
`ProductFeaturesConfig`: now product features have the ability to modify
the base Kibana feature. de05a3b167
- Product feature `endpointArtifactManagement` is split to
ESS/Serverless counterparts, and adds role migrations to the base Kibana
config using `baseFeatureConfigModifier()`
(1c31f56b43). This solves 2 problems:
- Different migrations are needed for ESS and Serverless.
- The product feature `endpointArtifactManagement`, and hence the
privilege `global_artifact_management_all` is not available on all
serverless tiers (see [these
fails](https://buildkite.com/elastic/kibana-pull-request/builds/310534/summary/annotations?jid=019788c8-d03e-44e7-867f-ff1557f9e894#019788c8-d03e-44e7-867f-ff1557f9e894/256-4872)),
therefore the migration needed to be separated from the base Kibana
feature config.
- (note: these changes were safeguarded by the role migration tests and
snapshot tests)
- Security / **Global Artifact Management** [space awareness]:
- moves the sub-privilege out of feature flag, in order to be able to
target it for role migrations
- adds a 'Coming soon' test to the privilege
- `endpointManagementSpaceAwarenessEnabled:false`
<img width="500" alt="image"
src="https://github.com/user-attachments/assets/fdfd5fc7-7f7d-4210-96c9-09e2357530c0"
/>
- `endpointManagementSpaceAwarenessEnabled:true`
<img width="500" alt="image"
src="https://github.com/user-attachments/assets/f8361a4c-da6e-416c-b728-5788eb1a053e"
/>
- role migration is added: in short, any artifact ALL privilege causes
the new Global Artifact Management ALL privilege to be added
(https://github.com/elastic/security-team/issues/11717)
- predefined roles are updated locally
(note: in elasticsearch-controller, it'll be updated after this PR is
merged and deployed,
https://github.com/elastic/elasticsearch-controller/pull/1010)
- tests!
- testing the migration itself: b8d90d085f
and 309abb30a8
- snapshot test with deprecated features:
https://github.com/elastic/kibana/pull/219566/files#diff-ed11536475a7a6f0a835cbc950c3b7405093058ad42bab30cf06f41ed21561a3
- some functional tests enabled for deprecated features:
4b4f49ea3d
## Global Artifact Management role migrations
```mermaid
flowchart LR
subgraph siemV2[siem/siemV2]
none1[none]
end
subgraph siemV3
none2[none]
end
none1 --> none2
```
```mermaid
flowchart LR
subgraph siemV2[siem/siemV2]
read1[read]
end
subgraph siemV3
read2[read]
end
read1 --> read2
```
```mermaid
flowchart LR
classDef serverless stroke:blue,stroke-dasharray: 5 5
subgraph siemV2[siem/siemV2]
subgraph minread1[minimal_read]
minread1_subs["`trusted_applications_read
event_filters_read
blocklist_read
host_isolation_exceptions_read`"]
minall1_subs["`trusted_applications_all
event_filters_all
blocklist_all
host_isolation_exceptions_all`"]
eer1["`endpoint_exceptions_read
(only serverless)`"]:::serverless
eea1["`endpoint_exceptions_all
(only serverless)`"]:::serverless
end
end
subgraph siemV3
subgraph minread2[minimal_read]
minread2_subs["`trusted_applications_read
event_filters_read
blocklist_read
host_isolation_exceptions_read`"]
minall2_subs["`trusted_applications_all
event_filters_all
blocklist_all
host_isolation_exceptions_all`"]
eer2["`endpoint_exceptions_read
(only serverless)`"]:::serverless
eea2["`endpoint_exceptions_all
(only serverless)`"]:::serverless
g2[global_artifact_management_all]
end
end
minread1 --> minread2
minread1_subs -->|each to his own| minread2_subs
minall1_subs -->|global for any of these| g2
minall1_subs -->|each to his own| minall2_subs
eer1 -->|only serverless| eer2
eea1 -->|only serverless| eea2
eea1 -->|only serverless| g2
linkStyle 4,5,6 stroke:#00f,color:blue
```
notes for above:
- `global_artifact_management_all` has to be added for **any** artifact
write privilege (trusted apps, event filters, blocklists, host isolation
exceptions)
- on serverless, there is a separate endpoint exceptions privilege, it
counts as an artifact
```mermaid
flowchart LR
subgraph siemV2[siem/siemV2]
all1[all]
end
subgraph siemV3
subgraph minall2[minimal_all]
g1[global_artifact_management_all]
end
end
all1 -->|keep access to the included Endpoint Exceptions ALL| g1
all1 -->|enable sub-feature toggle| minall2
```
notes for above:
both on serverless and ESS, Endpoint Exceptions are included in ALL,
hence the migration
> [!note]
> `siem` sub-privileges are not included in READ/ALL parent privileges.
The user needs to enable them one-by-one after enabling the sub-feature
privileges toggle. So Endpoint Exception here is an exception. In any
sense of the word.
```mermaid
flowchart LR
classDef serverless stroke:blue,stroke-dasharray: 5 5
subgraph siemV2[siem/siemV2]
subgraph minall1[minimal_all]
minread1_subs["`trusted_applications_read
event_filters_read
blocklist_read
host_isolation_exceptions_read`"]
minall1_subs["`trusted_applications_all
event_filters_all
blocklist_all
host_isolation_exceptions_all`"]
eer1["`endpoint_exceptions_read
(only serverless)`"]:::serverless
eea1["`endpoint_exceptions_all
(only serverless)`"]:::serverless
end
end
subgraph siemV3
subgraph minall2[minimal_all]
minread2_subs["`trusted_applications_read
event_filters_read
blocklist_read
host_isolation_exceptions_read`"]
minall2_subs["`trusted_applications_all
event_filters_all
blocklist_all
host_isolation_exceptions_all`"]
g2[global_artifact_management_all]
eer2["`endpoint_exceptions_read
(only serverless)`"]:::serverless
eea2["`endpoint_exceptions_all
(only serverless)`"]:::serverless
end
end
minall1 -->|only on ESS to keep access to the included Endpoint Exceptions ALL| g2
minall1 --> minall2
minread1_subs -->|each to his own| minread2_subs
minall1_subs -->|global for any of these| g2
minall1_subs -->|each to his own| minall2_subs
eer1 -->|only serverless| eer2
eea1 -->|only serverless| eea2
eea1 -->|only serverless| g2
linkStyle 5,6,7 stroke:#00f,color:#00f
linkStyle 0 stroke:#0a0,color:#0a0
```
notes for above:
when sub-feature privileges are enabled,
- on ESS endpoint exceptions are still automatically included, that's
why we need to add global access
- on serverless, endpoint exceptions are controlled by the sub-feature
privilege (just like all other artifact privileges, see the note above)
## Background
- Previous role migration PR:
https://github.com/elastic/kibana/pull/201780
- Role migration description:
https://github.com/elastic/kibana/pull/186800
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
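The siemV2 to siemV3 privilege mapping drawn in the "Global Artifact Management role migrations" diagrams above, written out as an added TypeScript example (not Kibana's own migration code). The names `migrateSiemPrivileges` and `Offering` are hypothetical, and rejecting a serverless-only privilege in an ESS role is an assumption of this example.

```typescript
// Added illustration of the siemV2 -> siemV3 mapping shown in the diagrams.
// Names are hypothetical; this is not the migration code from the PR.
type Offering = 'ess' | 'serverless';

const GLOBAL = 'global_artifact_management_all';
const ARTIFACT_WRITE = new Set([
  'trusted_applications_all',
  'event_filters_all',
  'blocklist_all',
  'host_isolation_exceptions_all',
]);
const SERVERLESS_ONLY = new Set(['endpoint_exceptions_read', 'endpoint_exceptions_all']);

function migrateSiemPrivileges(v2: string[], offering: Offering): string[] {
  const v3 = new Set<string>();
  for (const priv of v2) {
    if (SERVERLESS_ONLY.has(priv) && offering !== 'serverless') {
      // Assumption: these sub-privileges exist only on serverless.
      throw new Error(`${priv} exists only on serverless`);
    }
    if (priv === 'all') {
      // ALL includes Endpoint Exceptions ALL on both offerings, so the role
      // becomes minimal_all (sub-feature toggle on) plus the global privilege.
      v3.add('minimal_all').add(GLOBAL);
      continue;
    }
    v3.add(priv); // none, read, minimal_* and each sub-privilege map to themselves
    if (ARTIFACT_WRITE.has(priv) || priv === 'endpoint_exceptions_all') {
      v3.add(GLOBAL); // any artifact write privilege needs the global one
    }
    if (priv === 'minimal_all' && offering === 'ess') {
      v3.add(GLOBAL); // on ESS, minimal_all still includes Endpoint Exceptions
    }
  }
  return Array.from(v3).sort();
}
```

A role that held only `*_read` sub-privileges comes out without `global_artifact_management_all`, which is the case worth checking when auditing migrated roles for unintended write access.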
After merging [this PR](https://github.com/elastic/kibana/pull/210769)
that updates Playwright to 1.50.1 we started to see failures in
onboarding e2e tests. After an investigation, it turns out that Playwright
1.50.1 has an issue where the `test` CLI command is not exposed and we use
that command to run the tests.
This change updates playwright to 1.53.1 which returns the `test` CLI
command.
Co-authored-by: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
## Summary
This PR builds on top of the [extension point added to the ES|QL
editor](https://github.com/elastic/kibana/pull/221474) by registering
recommended ES|QL queries from the Observability plugin.
It registers two recommended queries for logs and two for metrics:
- Kubernetes pods sorted by memory usage
- Kubernetes pods sorted by CPU usage
- Logs with "error" or "warn" messages
- Error occurrences by host name
### Demo - Solution navigation enabled
https://github.com/user-attachments/assets/ca06b89b-5574-4775-8beb-157fa1eaa97a
### Demo - Solution navigation disabled
Only the default recommended ES|QL queries are enabled in this mode.
https://github.com/user-attachments/assets/52043076-6467-44fa-a847-937d3e723afc
## Testing instructions
There is an environment deployed with `/oblt-deploy` that has logs and
metrics (check last month in Discover), you can find the credentials in
the issue posted by the bot in the issue timeline below
For local testing:
- Ingest logs and metrics. This can be done by running a Synthtrace
scenario, e.g. `node scripts/synthtrace.js logs_traces_hosts`
- Enable the Observability solution navigation
- Start writing an ES|QL query targeting indices that match the `logs-*`
or `metrics-*` patterns
## Open questions
- Should the `KQL` command be used in the queries?
Closes https://github.com/elastic/kibana/issues/224027
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Automatically maps ECS fields to Otel semantic conversion.
Mapping logic is pulled from
https://www.elastic.co/guide/en/ecs/master/ecs-otel-alignment-details.html
using
`x-pack/platform/plugins/shared/streams/scripts/extract_otel_mappings.js`
## Testing
The only way to test this logic is to set up an AI connector and use the
"Generate patterns" button.
To set up EIS, see the email from Dario titled "AI for everyone":
1. Run command - `VAULT_ADDR={...} vault login -method oidc`
2. Run command - `node scripts/eis.js` (This will output the config for
the connector which needs to be pasted to kibana.dev.yml)
3. Run Elasticsearch - `yarn es snapshot --license trial -E xpack.inference.elastic.url=http://localhost:8443`
4. Start Kibana as usual
5. The connector should be visible in the connectors list in Kibana and
in the AI Assistant
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Joe Reuter <johannes.reuter@elastic.co>
This PR updates the ES|QL grammars (lexer and parser) to match the
latest version in Elasticsearch.
- The `RERANK` command is in development by Elasticsearch, as such, this
PR comments out and disables `RERANK` tests where necessary to get the
latest grammar changes merged. Kibana will add `RERANK` command support
once it is ready in Elasticsearch.
---------
Co-authored-by: vadimkibana <vadimkibana@gmail.com>
## Summary
Follow up to #210579. Close #193683.
This PR removes the deprecated `visualization:useLegacyTimeAxis`
advanced setting and all related code. This setting was previously used
to enable legacy time axis behavior for charts in Lens, Discover,
Visualize and TSVB, but has been deprecated and is no longer needed. All
usage of the setting was already removed in #210579, this PR just cleans
up the advanced setting itself.
## Changes
- Removed the `visualization:useLegacyTimeAxis` UI setting registration
from the charts plugin
- Removed `LEGACY_TIME_AXIS` constant export from charts common module
- Cleaned up related TypeScript configuration dependencies
- Removed telemetry schema entries for the deprecated setting
- Removed translation strings for the deprecated setting
- Adds a saved object migration to remove the setting (see [advanced
settings
migrations](https://docs.elastic.dev/kibana-dev-docs/tutorials/advanced-settings#registering-migrations))
### Identify risks
- Identified that a saved object migration needs to be added for the
removal of the setting. See this
[PR](https://github.com/elastic/kibana/pull/157699) for reference.
- Advanced settings [can be
overridden](https://www.elastic.co/docs/extend/kibana/ui-settings-service#uisettings-overrides)
in `kibana.yml`. If the setting is present in `kibana.yml` and we remove
support for it, if verification of the file was too strict, it would
fail to start Kibana. I verified that Kibana still starts when support
for the advanced setting was removed but it's still present in
`kibana.yml`.
## Release note
Removal of the deprecated `visualization:useLegacyTimeAxis` advanced
setting.
Closes https://github.com/elastic/kibana/issues/179173.
## Rule type
A dedicated stack rule type was created `datasetQuality.degradedDocs`.
<img width="1759" alt="image"
src="https://github.com/user-attachments/assets/5004a08d-6f12-4f5e-b27f-5f4db242dcf0"
/>
<img width="2318" alt="image"
src="https://github.com/user-attachments/assets/f8b2664a-f1c6-48c5-a617-c6f1b79bf0f7"
/>
This new rule is aggregated by default using `_index` and could be
further configured by the user (e.g. user can also aggregate by
`cloud.provider`).
A new rule type was needed to be created since there is no actual way to
aggregate all documents in a dataStream if we use a DataView like
`logs-*-*`. Inside dataStream documents there is no indication about
the dataStream where they belong to, instead we just have `_index` which
contains backingIndexName instead of actual index.
It's important to note, that this rule type is also visible from
`Observability > Alerts`, which is useful especially for serverless.
https://github.com/user-attachments/assets/000aee51-4895-4f4c-9484-924ace4325c5
## Role Based Access-Control (RBAC)
RBAC for dataset quality alerts is defined within dataQuality kibana
feature.
We have three privileges defined:
1. `all`: This privilege now contains a subFeature `manage_rules` that
will allow for more granularity on alerting level. It's by default
assigned to `all` but can be disabled.
2. `read`: This privilege is only related to serverless (when we don't
have yet custom roles).
https://github.com/user-attachments/assets/70ed5bde-bf45-4024-b448-228799fcaf71
3. `none`: This privilege is only relevant for stateful (in serverless
we don't have custom roles).
## 🎥 Demo
### Serverless
#### `all` privileges
https://github.com/user-attachments/assets/8dad6e30-a261-4a69-979f-6dfc2a41c888
#### `read` privileges
https://github.com/user-attachments/assets/e1cb108d-22a0-4e7f-b252-9cc12d1e9d65
### Stateful
#### `all` privileges
https://github.com/user-attachments/assets/d96f3b70-35b2-466b-aa59-a07190d24d93
#### `all` privileges with subFeature disabled
https://github.com/user-attachments/assets/808ab811-9320-43e4-b2a6-06d530a78b82
#### `none` privileges (Stateful)
https://github.com/user-attachments/assets/18f2a2d6-d825-4713-acea-0d72f451e9ab
## How to test?
1. run synthtrace scenario `degraded_logs` in live mode
```
node scripts/synthtrace degraded_logs --live
```
2. Open dataset quality page (/app/management/data/data_quality)
3. Select `synth.3` dataset
(/app/management/data/data_quality/details?pageState=(dataStream:logs-synth.3-default)
4. Click on `Actions` and then select `Create rule`
5. Fill out the alert form
6. Go to `Observability > Alerts` or `Stack management > Alerts`
(/app/observability/alerts)
## Release note
Adds the Create alert rule action to dataset quality page and dataset
quality details. This allows you to generate an alert when the
percentage of degraded docs on the chart crosses a certain threshold.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@elastic.co>
Co-authored-by: Faisal Kanout <faisal.kanout@elastic.co>
## Summary
Adds the ability to register recommended fields per datasource. It
follows the logic [of the recommended queries](https://github.com/elastic/kibana/pull/221474).
These fields will get prioritized in the editor. So the fields
prioritization goes like:
- recommended fields from the registry first
- ecs schema second
- everything else
### How to register them
- Use the esql server side registry as described in the aforementioned
PR
- Register the fields like that
```
this.extensionsRegistry.setRecommendedFields(
  [
    {
      name: 'log_level',
      pattern: 'logs*', // This field is relevant for any index starting with 'logs...'
    },
    {
      name: 'host.ip.keyword',
      pattern: 'logs-apache_error', // This field is specific to 'logs-apache_error'
    },
    {
      name: 'http.request.method',
      pattern: 'logs*',
    },
  ],
  'oblt'
);
```
You will see that the fields are getting prioritized in the editor
<img width="730" alt="image"
src="https://github.com/user-attachments/assets/c4941579-c04f-4c5f-875d-369355420a3d"
/>
As a bonus: The good thing with the recommended fields is that we are
prioritizing fields that exist in the datasource. So this means that a
solution team can register fields per datasource and not be afraid if these
fields do not exist at the instance
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
## Details
⚠️ This PR was created by an automated tool. Please review the changes
carefully. ⚠️
Add permissions `pull-requests: write` to the docs-build workflow.
## Why
We want to comment on the PR with the links to modified docs pages.
See https://github.com/elastic/docs-builder/issues/1395 for further
details
## 📓 Summary
Closes #212728
There was already an empty prompt in place when samples are not
available for the simulation; this change makes it clearer that pipeline
changes can be saved, but we can't confirm they'll work correctly.
<img width="3006" alt="Screenshot 2025-06-18 at 12 39 57"
src="https://github.com/user-attachments/assets/c4dc7d4e-7634-4790-a356-b3de07098adb"
/>
/x-pack/test/api_integration/services/infraops_source_configuration.ts @elastic/obs-ux-infra_services-team @elastic/obs-ux-logs-team # Assigned per https://github.com/elastic/kibana/pull/34916
/x-pack/solutions/observability/plugins/observability/public/pages/overview @elastic/obs-ux-infra_services-team # Assigned to this team since it mostly uses infra/APM components
/x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/space_1.json @elastic/kibana-security # Assigned per only use: https://github.com/elastic/kibana/blob/main/x-pack/test/ftr_apis/security_and_spaces/apis/test_utils.ts#L33
/x-pack/test/ftr_apis/common/fixtures/es_archiver/base_data/default_space.json @elastic/kibana-security # Assigned per only use: https://github.com/elastic/kibana/blob/main/x-pack/test/ftr_apis/security_and_spaces/apis/test_utils.ts#L33
/x-pack/platform/test/ftr_apis/common/fixtures/es_archiver/base_data/space_1.json @elastic/kibana-security # Assigned per only use: https://github.com/elastic/kibana/blob/main/x-pack/platform/test/ftr_apis/security_and_spaces/apis/test_utils.ts#L33
/x-pack/platform/test/ftr_apis/common/fixtures/es_archiver/base_data/default_space.json @elastic/kibana-security # Assigned per only use: https://github.com/elastic/kibana/blob/main/x-pack/platform/test/ftr_apis/security_and_spaces/apis/test_utils.ts#L33
/x-pack/platform/test/api_integration/apis/cloud @elastic/kibana-security # Assigned per https://github.com/elastic/kibana/pull/198444
/src/platform/test/plugin_functional/snapshots/baseline/hardening @elastic/kibana-security # Assigned per https://github.com/elastic/kibana/pull/190716
@ -16,6 +16,7 @@ Reviewers should verify this PR satisfies this list as well.
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.
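Review bot: the backport guidelines item at the end of this hunk links to a Google Docs `edit?usp=sharing` URL, while the other checklist links here point at ci-stats.kibana.dev and elastic.co pages. A document kept outside the repository can change or become access-restricted without the template noticing. Consider linking a page in the Kibana docs or the repo instead, or confirm that the document is readable by every contributor who fills in this checklist.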
"\nOptional flag to indicate that these alerts should not be space aware. When set\nto true, alerts for this rule type will be created with the `*` space id."
"\nThis version key was used to store Kibana version information from versions 7.3.0 -> 8.11.0.\nAs of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the\nembeddable's input. This key is needed for BWC, but its value will be removed on Dashboard save."