* [Discover] fix saved search become active
* [Discover] add another fix to be consistent with data fetching code
* [Discover] simplify solution
* [Discover] add functionals
* [Discover] fix saved query bug, add functionals
* [Discover] fix functionals
* [Discover] fix functional test
* [Discover] split saved query tests
* [Discover] preselect logstash index pattern
* [Discover] remove saved query after test complete
* [Discover] change query fill order
* [Discover] try to fix unrelated functional test
* [Discover] one more fix
* [Discover] try to fix one more problem
* [Discover] fix commonly used time range test
* [Discover] revert uisettings init in before statement, do small adjustments
* [Discover] fix unit test
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* refactors timeline test
* tries to remove flakiness on indicator match test
* fixes issues
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Add constants
Placeholders in place whle content is being written
* Update mock to match API and add types
The weird typing around `DaysOfWeek` was taken from this SO answer to get an array from a union type:
https://stackoverflow.com/a/45486495/1949235
* Add routes and stubbed docs urls
* Add components for list items
These components are the repeatable components in each of the frequency tabs.
- FrequencyItem
- BlockedWindowItem
Form changes methods are stubbed for now.
* Add tab components for Frequency page
* Add Frequency page component
* Add synchronization logic
This is just the basics. More will be added in a future PR
* Add Synchronization op-level page
* Add Synchronization router and subnav
* Add `Objects and assets` page stub
This is merely a placeholder page so the routes could be built out. Section will be moved from settings in a future PR
* Add name and new nav item to source sub nav
* Add SynchronizationRouter nav to Source router
* Fix a couple of typos
* Add callout and disable subnav for disabled sync
This was added to the API after the rest of the work was done, so adding it here.
https://github.com/elastic/workplace-search-team/issues/2043
* Update frequency item to account for edge case
There was a very long discussion about the edge case that is covered here.
https://github.com/elastic/ent-search/pull/4715
Basically here is what we landed on:
In most cases, the user will use the form to set the sync frequency, in which case the duration will be in the format of "PT3D" (ISO 8601). However, if an operator has set the sync frequency via the API, the duration could be a complex format, such as "P1DT2H3M4S". It was decided that in this case, we should omit seconds and go with the least common denominator from minutes.
Example: "P1DT2H3M4S" -> "1563 Minutes"
* Fix failing tests and add key
* Update constants with note for translators
* Fix typo
Co-authored-by: Vadim Yakhin <yakhin.v@gmail.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Vadim Yakhin <yakhin.v@gmail.com>
* [Alerting][Docs] Elasticsearch setting search.allow_expensive_queries should be set to true.
* fixed text
* fixed text
* fixed due to comments
* Update alerting-setup.asciidoc
- Add Authorization type to ES UI shared.
- Add convertPrivilegesToArray, patch to also accept privileges that might contain dots in its name, and add tests.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* remove transport API in favour of typed public API
* put elasticsearch_client back
* fix create index call
* fix setpolicy
* fix unit tests in SecuritySolution
* Update the slugs to improve google analytics drilldown tracking
* more slug updates
* Fix some formatting issues in building blocks
* update paths
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [TSVB] Rename Index pattern to Data view
* Update some labels
* Make asterisk bold to indicate it's text input
* Remove redundant translation
* Remove "now" from TSVB callout notification title
* Update variable name to match the text
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* initial pass at moving data views into own plugin
* require expressions plugin, fix META_FIELDS reference
* bundle limits and localization
* fix integration test
* update plugin list and jest config
* type fixes
* search fixes
* fix localization
* fix mocks
* fix mocks
* fix stub
* type fixes
* fix import on test file
* path fixes
* remove shorted dotted from data plugin
* more todo removal
* eslint fixes
* eslint fix
* simplify data views server plugin
* simplify data views server plugin
* simplify data views server plugin
* fix imports on api routes
* fix imports on api routes
* update plugin list
* ts fixes
* ts fixes
* add deprecation notice
* fix circular dependency and api integration test
* fix circular dependency and api integration test
* rename types for better clarity
* path fixes
* jest.config and tsconfig cleanup
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Fixes https://github.com/elastic/kibana/issues/113276
* Migrates the legacy `siem.notifications` "ruleAlertId" to be within the references array
* Adds code to serialize and de-serialize "ruleAlertId" from the saved object references array
* Adds migration code to `kibana-alerting` to migrate on startup
* Adds `legacy_saved_object_references/README.md` which describes how to test and what those files are for.
* Updates earlier similar `signals/saved_object_references/README.md` after reviewing it during my work
* Names these files the format of `legacy_foo` since this is all considered legacy work and will be removed once the legacy notification system is removed after customers have migrated.
* Adds unit tests
* Adds 2e2 tests
We only migrate if we find these conditions and cases:
* "ruleAlertId" is not `null`, `undefined` or malformed data
* The"ruleAlertId" references do not already have an exceptionItem reference already found within it.
We migrate on the common use case:
* "ruleAlertId" exists and is a string
We do these additional (mis-use) cases and steps as well. These should NOT be common things that happen but we safe guard for them here:
* If the migration is run twice we are idempotent and do NOT add duplicates or remove items.
* If the migration was partially successful but re-run a second time, we only add what is missing. Again no duplicates or removed items should occur.
* If the saved object references already exists and contains a different or foreign value, we will retain the foreign reference(s) and still migrate.
Before migration you should see data structures like this if you query:
```json
# Get the alert type of "siem-notifications" which is part of the legacy system.
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.notifications"
}
}
}
```
```json
"data..omitted": "data..omitted",
"params" : {
"ruleAlertId" : "933ca720-1be1-11ec-a722-83da1c22a481" <-- Pre-migration we had this Saved Object ID which is not part of references array below
},
"actions" : [
{
"group" : "default",
"params" : {
"message" : "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts"
},
"actionTypeId" : ".slack",
"actionRef" : "action_0" <-- Pre-migration this is correct as this work is already done within the alerting plugin
},
"references" : [
{
"id" : "879e8ff0-1be1-11ec-a722-83da1c22a481",
"name" : "action_0", <-- Pre-migration this is correct as this work is already done within the alerting plugin
"type" : "action"
}
]
],
"data..omitted": "data..omitted",
```
After migration you should see data structures like this:
```json
"data..omitted": "data..omitted",
"params" : {
"ruleAlertId" : "933ca720-1be1-11ec-a722-83da1c22a481" <-- Post-migration this is not used but rather the serialized version references is used instead.
},
"actions" : [
{
"group" : "default",
"params" : {
"message" : "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts"
},
"actionTypeId" : ".slack",
"actionRef" : "action_0"
},
"references" : [
{
"id" : "879e8ff0-1be1-11ec-a722-83da1c22a481",
"name" : "action_0",
"type" : "action"
},
{
"id" : "933ca720-1be1-11ec-a722-83da1c22a481", <-- Our id here is preferred and used during serialization.
"name" : "param:alert_0", <-- We add the name of our reference which is param:alert_0 similar to action_0 but with "param"
"type" : "alert" <-- We add the type which is type of alert to the references
}
]
],
"data..omitted": "data..omitted",
```
## Manual testing
There are e2e and unit tests but for any manual testing or verification you can do the following:
If you have a 7.14.0 system and can migrate it forward that is the most straight forward way to ensure this does migrate correctly and forward. You should see that the legacy notification system still operates as expected.
If you are a developer off of master and want to test different scenarios then this section is for below as it is more involved and harder to do but goes into more depth:
* Create a rule and activate it normally within security_solution
* Do not add actions to the rule at this point as we are exercising the older legacy system. However, you want at least one action configured such as a slack notification.
* Within dev tools do a query for all your actions and grab one of the `_id` of them without their prefix:
```json
# See all your actions
GET .kibana/_search
{
"query": {
"term": {
"type": "action"
}
}
}
```
Mine was `"_id" : "action:879e8ff0-1be1-11ec-a722-83da1c22a481"`, so I will be copying the ID of `879e8ff0-1be1-11ec-a722-83da1c22a481`
Go to the file `detection_engine/scripts/legacy_notifications/one_action.json` and add this id to the file. Something like this:
```json
{
"name": "Legacy notification with one action",
"interval": "1m", <--- You can use whatever you want. Real values are "1h", "1d", "1w". I use "1m" for testing purposes.
"actions": [
{
"id": "879e8ff0-1be1-11ec-a722-83da1c22a481", <--- My action id
"group": "default",
"params": {
"message": "Hourly\nRule {{context.rule.name}} generated {{state.signals_count}} alerts"
},
"actionTypeId": ".slack" <--- I am a slack action id type.
}
]
}
```
Query for an alert you want to add manually add back a legacy notification to it. Such as:
```json
# See all your siem.signals alert types and choose one
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.signals"
}
}
}
```
Grab the `_id` without the alert prefix. For mine this was `933ca720-1be1-11ec-a722-83da1c22a481`
Within the directory of detection_engine/scripts execute the script:
```json
./post_legacy_notification.sh 933ca720-1be1-11ec-a722-83da1c22a481
{
"ok": "acknowledged"
}
```
which is going to do a few things. See the file `detection_engine/routes/rules/legacy_create_legacy_notification.ts` for the definition of the route and what it does in full, but we should notice that we have now:
Created a legacy side car action object of type `siem-detection-engine-rule-actions` you can see in dev tools:
```json
# See the actions "side car" which are part of the legacy notification system.
GET .kibana/_search
{
"query": {
"term": {
"type": {
"value": "siem-detection-engine-rule-actions"
}
}
}
}
```
But more importantly what the saved object references are which should be this:
```json
# Get the alert type of "siem-notifications" which is part of the legacy system.
GET .kibana/_search
{
"query": {
"term": {
"alert.alertTypeId": "siem.notifications"
}
}
}
```
If you need to ad-hoc test what happens when the migration runs you can get the id of an alert and downgrade it, then
restart Kibana. The `ctx._source.references.remove(1)` removes the last element of the references array which is assumed
to have a rule. But it might not, so ensure you check your data structure and adjust accordingly.
```json
POST .kibana/_update/alert:933ca720-1be1-11ec-a722-83da1c22a481
{
"script" : {
"source": """
ctx._source.migrationVersion.alert = "7.15.0";
ctx._source.references.remove(1);
""",
"lang": "painless"
}
}
```
If you just want to remove your your "param:alert_0" and it is the second array element to test the errors within the console
then you would use
```json
POST .kibana/_update/alert:933ca720-1be1-11ec-a722-83da1c22a481
{
"script" : {
"source": """
ctx._source.references.remove(1);
""",
"lang": "painless"
}
}
```
Check your log files and should see errors about the saved object references missing until you restart Kibana. Once you restart then it will migrate forward and you will no longer see errors.
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
* Update ESLint config to disallow usage of the any type
* Remove the any type usages from the expressions plugin
* Update plugins using expressions according to the updated public API
