github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-06-27 18:51:07 -04:00
Code Issues Projects Releases Packages Wiki Activity
Your window into the Elastic Stack
87573 commits 499 branches 518 tags 21 GiB
Find a file
Andrew Macri ea7d174e3c
[Attack discovery] Optionally update the kibana.alert.workflow_status of alerts associated with Attack discoveries (#225029) 
## [Attack discovery] Optionally update the `kibana.alert.workflow_status` of alerts associated with Attack discoveries

This PR introduces a new UI to optionally update the `kibana.alert.workflow_status` of alerts associated with Attack discoveries, as illustrated by the animated gif below:

![update_attack_discovery_alerts](https://github.com/user-attachments/assets/5974fc4e-50b4-43e9-9939-885f9577c153)

Users may (optionally) update all alerts for a single attack discovery, or just update the discovery itself:

![update_one_attack_discovery](https://github.com/user-attachments/assets/fd774ae7-976d-4649-a97d-b9bae8d359ad)

When multiple attack discoveries are selected, users may also (optionally) update the status of all their related alerts via the bulk action menu:

![update_multiple_discoveries](https://github.com/user-attachments/assets/71463945-f201-4810-9798-2646751dc919)

### Alert document enhancements

Attack discoveries generated via the Attack discovery page, and scheduled Attack discoveries (generated via the alerting framework), are persisted as alert documents.

To support the new UI, this PR populates Attack discovery alert documents with two additional (existing, but unused by Attack discovery) alert document fields:

1) `kibana.alert.start` - timestamp when Attack discoveries are created

2) `kibana.alert.workflow_status_updated_at` - timestamp when the `kibana.alert.workflow_status` was last updated

This PR introduces three new alert document fields to capture metadata about when alerts are updated. Attack discovery is the first implementation to use these new fields, however any consumer of the alerting framework may utilize them in the future:

1) `kibana.alert.updated_at` - timestamp when the alert was last updated

2) `kibana.alert.updated_by.user.id` - user id of the user that last updated the alert

3) `kibana.alert.updated_by.user.name` -  user name of the user that last updated the alert

The three new alert fields above are updated when Attack discovery users update:

- The `kibana.alert.workflow_status` status of Attack discoveries
- The visibility (sharing) status of Attack discoveries (`kibana.alert.attack_discovery.users`)

The three new fields above were added to the [alert_field_map](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts) and [alert_schema](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/alert_schema.ts).

Using the `default` space as an example, the fields above may be observed in the `.adhoc.alerts-security.attack.discovery.alerts-default` data stream for Attack discoveries generated on the Attack discovery page, and scheduled discoveries for the same space are found in the `.alerts-security.attack.discovery.alerts-default` data stream.

### @timestamp updated when sharing status changes

To ensure newly-shared Attack discoveries are bumped to the top of search results, the `@timestamp` field is updated when the visibility (sharing) status of Attack discoveries (`kibana.alert.attack_discovery.users`) is updated.

(The original time an Attack discovery was generated is represented by the `kibana.alert.start` field, which is not mutated.)

### Visibility menu changes

This PR disables the visibility menu items for shared Attack discoveries, as illustrated by the screenshot below:

![visibility_menu_disabled](https://github.com/user-attachments/assets/168db75c-de8f-4bf1-9490-7e3995faed9d)

The disabled menu has a tooltip that reads:

```
The visibility of shared discoveries cannot be changed
```

Note: The internal Attack discovery bulk API still (intentionally) allows changes to the visibility of shared attack discoveries.

### `kibana.alert.workflow_status` added to default `Alerts` tab columns

The `kibana.alert.workflow_status` field was added to default `Alerts` tab columns, as illustrated by the screenshot below:

![alerts_tab_workflow_status](https://github.com/user-attachments/assets/264647d0-5782-444f-ad0e-c5485fae1e96)

### Summary of field updates

The following table describes when fields are updated (via this PR):

| Field                                     | Updated when                                                                                                                         | Description                                                                                  |
|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
| `kibana.alert.start`                      | - Attack discoveries are created                                                                                                     | timestamp when Attack discoveries are created                                                |
| `kibana.alert.workflow_status_updated_at` | - Workflow status (`kibana.alert.workflow_status`) is updated                                                                        | timestamp when `kibana.alert.workflow_status` was last updated                               |
| `kibana.alert.updated_at`                 | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | timestamp when the alert was last updated                                                    |
| `kibana.alert.updated_by.user.id`         | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | user id of the user that last updated the alert                                              |
| `kibana.alert.updated_by.user.name`       | - Workflow status (`kibana.alert.workflow_status`) is updated<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated | user name of the user that last updated the alert                                            |
| `@timestamp`                              | - Attack discoveries are created<br>- Sharing status (`kibana.alert.attack_discovery.users`) is updated                              | ECS [`@timestamp`](https://www.elastic.co/docs/reference/ecs/ecs-base#field-timestamp) field |

### Feature flags

The _required_ feature flag below is necessary to desk test with Ad hoc attack discoveries. The _recommended_ feature flag below enables testing with scheduled Attack discoveries.

### required: `securitySolution.attackDiscoveryAlertsEnabled`

Enable the required `securitySolution.attackDiscoveryAlertsEnabled` feature flag in `config/kibana.dev.yml`:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
```

### recommended: `securitySolution.assistantAttackDiscoverySchedulingEnabled: true`

Also enable the recommended `assistantAttackDiscoverySchedulingEnabled` feature flag in `config/kibana.dev.yml`:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```
2025-06-24 20:47:10 -04:00
.buildkite [Security Solution] Implement prebuilt rules import test plan (#223421) 2025-06-24 13:24:10 +01:00
.devcontainer Upgrade to Storybook 8 (#195148) 2025-03-14 15:41:03 -07:00
.github [Security Solution] [AI assistant] Make the Security AI assistant global (#223936) 2025-06-24 19:11:43 +01:00
api_docs [api-docs] 2025-06-24 Daily api_docs build (#224989) 2025-06-24 07:10:32 +01:00
config Logs Essentials for Observability (#223030) 2025-06-25 00:08:51 +02:00
dev_docs Adds guidelines for designing HTTP APIs (#224348) 2025-06-24 08:01:06 -07:00
docs Update elastic-managed-llm.md (#225108) 2025-06-24 18:46:34 +00:00
examples [Dashboards as code] remove client transform of panels array to map (#224314) 2025-06-24 08:48:08 -06:00
kbn_pm add es-cache to cleaned folders (#223373) 2025-06-12 10:58:05 +02:00
legacy_rfcs Optimize existing image assets with lossless compression (#223998) 2025-06-19 16:44:13 +02:00
licenses Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
oas_docs [SecuritySolution] Create PrivMon index import flow (#224822) 2025-06-24 10:09:06 +01:00
packages [Security Solution][Tech Debt] Move remaining chart related components to alert KPI folder (#223570) 2025-06-24 16:17:21 -05:00
plugins
scripts [Inference] Instrument inference with OpenTelemetry (#218694) 2025-05-07 11:44:29 +02:00
src [Attack discovery] Optionally update the kibana.alert.workflow_status of alerts associated with Attack discoveries (#225029) 2025-06-24 20:47:10 -04:00
typings chore: remove react-syntax-highlighter leftovers (#213076) 2025-03-04 15:35:34 +01:00
x-pack [Attack discovery] Optionally update the kibana.alert.workflow_status of alerts associated with Attack discoveries (#225029) 2025-06-24 20:47:10 -04:00
.backportrc.json chore(NA): prepare replacement of 8.x branch with 8.19 (#218514) 2025-04-17 04:02:40 +01:00
.bazelignore Remove references to deleted .ci folder (#177168) 2024-02-20 19:54:21 +01:00
.bazeliskversion
.bazelrc chore(NA): use new and more performant BuildBuddy servers (#130350) 2022-04-18 02:01:38 +01:00
.bazelrc.common Transpile packages on demand, validate all TS projects (#146212) 2022-12-22 19:00:29 -06:00
.bazelversion chore(NA): revert bazel upgrade for v5.2.0 (#135096) 2022-06-24 03:57:21 +01:00
.browserslistrc Add Firefox ESR to browserlistrc (#184462) 2024-05-29 17:53:18 -05:00
.editorconfig
.eslintignore chore(fullstory): serve the snippet as an asset (#220368) 2025-05-07 23:06:24 +02:00
.eslintrc.js [ska] create platform shared package for Cypress test helpers (#224361) 2025-06-24 10:51:12 +02:00
.gitattributes
.gitignore Upgrade Node.js to 22.16.0 (#205983) 2025-06-18 08:55:18 -05:00
.i18nrc.json [Discover] Support Lens fetches across tabs (#218506) 2025-05-02 13:39:25 -03:00
.node-version Upgrade Node.js to 22.16.0 (#205983) 2025-06-18 08:55:18 -05:00
.npmrc [npmrc] Fix puppeteer_skip_download configuration (#177673) 2024-02-22 18:59:01 -07:00
.nvmrc Upgrade Node.js to 22.16.0 (#205983) 2025-06-18 08:55:18 -05:00
.prettierignore
.prettierrc
.puppeteerrc Add .puppeteerrc (#179847) 2024-04-03 09:14:39 -05:00
.stylelintignore
.stylelintrc Bump stylelint to ^14 (#136693) 2022-07-20 10:11:00 -05:00
.telemetryrc.json Sustainable Kibana Architecture: Move modules owned by @elastic/kibana-core (#201653) 2025-01-04 11:47:24 -07:00
.yarnrc
BUILD.bazel Transpile packages on demand, validate all TS projects (#146212) 2022-12-22 19:00:29 -06:00
catalog-info.yaml Configures PagerDuty Backstage Integration for kbn (#208440) 2025-01-27 23:29:11 +00:00
CODE_OF_CONDUCT.md
CONTRIBUTING.md Docs: fix broken links in CONTRIBUTING.md (#219158) 2025-04-24 17:25:00 -06:00
FAQ.md Fix small typos in the root md files (#134609) 2022-06-23 09:36:11 -05:00
fleet_packages.json [Security solution] Remove feature flag, always automatically install prompts (#224489) 2025-06-24 18:26:32 +01:00
github_checks_reporter.json
kibana.d.ts Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
LICENSE.txt Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
NOTICE.txt [api-docs] 2025-01-01 Daily api_docs build (#205342) 2025-01-01 01:37:13 -06:00
package.json Update dependency @apidevtools/swagger-parser to v12 (main) (#223300) 2025-06-24 15:21:59 -04:00
preinstall_check.js Adds AGPL 3.0 license (#192025) 2024-09-06 19:02:41 -06:00
README.md
renovate.json Render accordion in integration readme (#223916) 2025-06-24 13:22:55 +02:00
RISK_MATRIX.mdx
run_fleet_setup_parallel.sh Sustainable Kibana Architecture: Move modules owned by @elastic/fleet (#202422) 2024-12-24 15:32:43 +01:00
SECURITY.md
sonar-project.properties [sonarqube] update memory, cpu (#190547) 2024-09-09 16:16:30 -05:00
STYLEGUIDE.mdx [styleguide] update path to scss theme (#140742) 2022-09-15 10:41:14 -04:00
tsconfig.base.json [Security Solution] [AI assistant] Make the Security AI assistant global (#223936) 2025-06-24 19:11:43 +01:00
tsconfig.browser.json
tsconfig.browser_bazel.json
tsconfig.json Transpile packages on demand, validate all TS projects (#146212) 2022-12-22 19:00:29 -06:00
TYPESCRIPT.md Fix small typos in the root md files (#134609) 2022-06-23 09:36:11 -05:00
updatecli-compose.yaml deps(updatecli): bump all policies (#195865) 2024-10-15 07:37:12 -05:00
versions.json chore(NA): update versions after v8.17.8 bump (#222415) 2025-06-03 21:39:35 +01:00
WORKSPACE.bazel Upgrade Node.js to 22.16.0 (#205983) 2025-06-18 08:55:18 -05:00
yarn.lock Update dependency @apidevtools/swagger-parser to v12 (main) (#223300) 2025-06-24 15:21:59 -04:00

README.md

Kibana

Kibana is your window into the Elastic Stack. Specifically, it's a browser-based analytics and search dashboard for Elasticsearch.

Getting Started

If you just want to try Kibana out, check out the Elastic Stack Getting Started Page to give it a whirl.

If you're interested in diving a bit deeper and getting a taste of Kibana's capabilities, head over to the Kibana Getting Started Page.

Using a Kibana Release

If you want to use a Kibana release in production, give it a test run, or just play around:

Building and Running Kibana, and/or Contributing Code

You might want to build Kibana locally to contribute some code, test out the latest features, or try out an open PR:

Documentation

Visit Elastic.co for the full Kibana documentation.

For information about building the documentation, see the README in elastic/docs.

Version Compatibility with Elasticsearch

Ideally, you should be running Elasticsearch and Kibana with matching version numbers. If your Elasticsearch has an older version number or a newer major number than Kibana, then Kibana will fail to run. If Elasticsearch has a newer minor or patch number than Kibana, then the Kibana Server will log a warning.

Note: The version numbers below are only examples, meant to illustrate the relationships between different types of version numbers.

Situation Example Kibana version Example ES version Outcome
Versions are the same. 7.15.1 7.15.1 💚 OK
ES patch number is newer. 7.15.0 7.15.1 ⚠️ Logged warning
ES minor number is newer. 7.14.2 7.15.0 ⚠️ Logged warning
ES major number is newer. 7.15.1 8.0.0 🚫 Fatal error
ES patch number is older. 7.15.1 7.15.0 ⚠️ Logged warning
ES minor number is older. 7.15.1 7.14.2 🚫 Fatal error
ES major number is older. 8.0.0 7.15.1 🚫 Fatal error

Questions? Problems? Suggestions?

  • If you've found a bug or want to request a feature, please create a GitHub Issue. Please check to make sure someone else hasn't already created an issue for the same topic.
  • Need help using Kibana? Ask away on our Kibana Discuss Forum and a fellow community member or Elastic engineer will be glad to help you out.