* Upversion to EUI 39.1.0
* Update i18n_eui_mapping tokens
@see https://github.com/elastic/eui/blob/master/i18ntokens_changelog.json
* Merge refactor in yarn.lock
* Fix functional table filter selector
- Popover ID was removed in recent EUI a11y fix, so we're using child-position selection to target the Tags filter now
* Update snapshots
* Upgrade to 39.1.1 for extra bugfixes
* Update i18n mappings
* Fix i18n snapshot
* Attempt to harden flaky Security Cypress test
* More combobox entry hardening
- Got a flake on clicking the combobox dropdown on run 17/20 locally
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [Logs/Metrics UI] Add deprecated field configuration to Deprecations API
* Add correction steps
* Add unit test for source config deprecations
* Apply suggestions from code review
Co-authored-by: Chris Cowan <chris@chriscowan.us>
* Lint fix
Co-authored-by: Chris Cowan <chris@chriscowan.us>
* Update UI links to Fleet and Agent docs
* Update link service
* Fix merge problem
* Update link service
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [ML] Adding ability to change data view in advanced job wizard
* updating translation ids
* type and text changes
* code clean up
* route id change
* text changes
* text change
* changing data view to index pattern
* adding api tests
* text updates
* removing first step
* renaming temp variable
* adding permission checks
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* WIP replacing indexPattern.flattenHit by tabify
* Fix jest tests
* Read metaFields from index pattern
* Remove old test code
* remove unnecessary changes
* Remove flattenHitWrapper APIs
* Fix imports
* Fix missing metaFields
* Add all meta fields to allowlist
* Improve inline comments
* Move flattenHit test to new implementation
* Add deprecation comment to implementation
* WIP - Show ignored field values
* Disable filters in doc_table
* remove redundant comments
* No, it wasn't
* start warning message
* Enable ignored values in CSV reports
* Add help tooltip
* Better styling with warning plus collapsible button
* Disable filtering within table for ignored values
* Fix jest tests
* Fix types in tests
* Add more tests and documentation
* Remove comment
* Move dangerouslySetInnerHTML into helper method
* Extract document formatting into common utility
* Remove HTML source field formatter
* Move formatHit to Discover
* Change wording of ignored warning
* Add cache for formatted hits
* Remove dead type
* Fix row_formatter for objects
* Improve mobile layout
* Fix jest tests
* Fix typo
* Remove additional span again
* Change mock to revert test
* Improve tests
* More jest tests
* Fix typo
* Change wording
* Remove dead comment
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
The ml.max_open_jobs node attribute is going away in
version 8, as the maximum number of open jobs has been
defined by a dynamic cluster-wide setting during the 7
series and there is no chance of version 8 needing to
run in a mixed version cluster with version 6.
The ml.machine_memory attribute will still be available,
so this can be checked instead as a way of detecting ML
nodes.
## Summary
Adds the security detection rule actions as being exportable and importable.
* Adds exportable actions for legacy notification system
* Adds exportable actions for the new throttle notification system
* Adds import support, but only imports into the new throttle notification system.
* Updates unit tests
In your `ndjson` file when you have actions exported you will see them like so:
```json
"actions": [
{
"group": "default",
"id": "b55117e0-2df9-11ec-b789-7f03e3cdd668",
"params": {
"message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
},
"action_type_id": ".slack"
}
]
```
where before it was `actions: []` and was not provided.
**Caveats**
If you delete your connector and have an invalid connector then the rule(s) that were referring to that invalid connector will not import and you will get an error like this:
<img width="802" alt="Screen Shot 2021-10-15 at 2 47 10 PM" src="https://user-images.githubusercontent.com/1151048/137554991-b3984be9-d2ad-488e-a309-29da656ca4ea.png">
This does _not_ export your connectors at this point in time. You have to export your connector through Saved Object Management separately, like so:
<img width="1545" alt="Screen Shot 2021-10-15 at 2 58 03 PM" src="https://user-images.githubusercontent.com/1151048/137555135-3f0bfd63-5d67-496b-8d5b-bdef01d6122f.png">
However, if you remove everything and import your connector without changing its saved object ID and then go to import the rules, everything should import ok and you will get your actions working.
**Manual Testing**:
* You can create normal actions on an alert and then do exports and you should see the actions in your ndjson file
* You can create legacy notifications from 7.14.0 and then upgrade and export and you should see the actions in your ndjson file
* You can manually create legacy notifications by:
By getting an alert id first and ensuring that your `legacy_notifications/one_action.json` contains a valid action then running this command:
```sh
./post_legacy_notification.sh 3403c0d0-2d44-11ec-b147-3b0c6d563a60
```
* You can export your connector and remove everything and then do an import and you will have everything imported and working with your actions and connector wired up correctly.
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added
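Because a rule whose action points at a deleted connector fails to import (the caveat above), a pre-import check over the exported ndjson is useful. This is an added example, not Kibana's own code; it assumes each rule line carries `rule_id`, `name` and the `actions` array in the shape shown above, and that the trailing export-details line has no `rule_id`.

```typescript
// Added example (not Kibana's code): flag rules whose actions reference connector IDs
// that do not exist in the target space, so the import failure can be fixed up front.
interface RuleAction { group: string; id: string; params: Record<string, unknown>; action_type_id: string }
interface ExportedRule { rule_id: string; name: string; actions?: RuleAction[] }
interface DanglingRef { ruleId: string; ruleName: string; connectorId: string; actionTypeId: string }

function findDanglingConnectorRefs(ndjson: string, knownConnectorIds: Set<string>): DanglingRef[] {
  const dangling: DanglingRef[] = [];
  for (const line of ndjson.split("\n")) {
    const trimmed = line.trim();
    if (trimmed === "") continue;
    const obj = JSON.parse(trimmed);
    // Assumed: the export-details summary line has no rule_id, so skip it.
    if (typeof obj.rule_id !== "string") continue;
    const rule = obj as ExportedRule;
    for (const action of rule.actions ?? []) {
      if (!knownConnectorIds.has(action.id)) {
        dangling.push({ ruleId: rule.rule_id, ruleName: rule.name,
                        connectorId: action.id, actionTypeId: action.action_type_id });
      }
    }
  }
  return dangling;
}

// Constructed sample export: rule-b references a connector that has been deleted.
const SAMPLE_EXPORT = [
  JSON.stringify({ rule_id: "rule-a", name: "Rule A", actions: [{ group: "default",
    id: "b55117e0-2df9-11ec-b789-7f03e3cdd668",
    params: { message: "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" },
    action_type_id: ".slack" }] }),
  JSON.stringify({ rule_id: "rule-b", name: "Rule B", actions: [{ group: "default",
    id: "deleted-connector-id", params: {}, action_type_id: ".slack" }] }),
  JSON.stringify({ exported_count: 2, missing_rules: [], missing_rules_count: 0 }),
].join("\n");

// Constructed: the connector IDs that exist in the target space (e.g. from the
// Saved Object Management export mentioned above).
const KNOWN_CONNECTORS = new Set(["b55117e0-2df9-11ec-b789-7f03e3cdd668"]);

function sampleReport(): DanglingRef[] {
  return findDanglingConnectorRefs(SAMPLE_EXPORT, KNOWN_CONNECTORS);
}
```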
Migrate legacy actions whenever user interacts with the rule (#115101)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## [Security Solution] Improves the formatting of array values and JSON in the Event and Alert Details panels
This PR improves the formatting of array values and JSON in the Event and Alert details panels by:
- in the `Table` tab, formatting array values such that each value appears on a separate line, (instead of joining the values on a single line)
- in the `JSON` tab, displaying the raw search hit JSON, instead of displaying a JSON representation based on the `Fields` API
### Table value formatting
In the Event and Alert details `Table` tab, array values were joined on a single line, as shown in the _before_ screenshot below:
![event-details-value-formatting-before](https://user-images.githubusercontent.com/4459398/137524968-6450cd73-3154-457d-b850-32a3e7faaab2.png)
_Above: (before) array values were joined on a single line_
Array values are now formatted such that each value appears on a separate line, as shown in the _after_ screenshot below:
![event-details-value-formatting-after](https://user-images.githubusercontent.com/4459398/137436705-b0bec735-5a83-402e-843a-2776e1c80da9.png)
_Above: (after) array values each appear on a separate line_
### JSON formatting
The `JSON` tab previously displayed a JSON representation based on the `Fields` API. Array values were previously represented as a joined string, as shown in the _before_ screenshot below:
![event-details-json-formatting-before](https://user-images.githubusercontent.com/4459398/137525039-d1b14f21-5f9c-4201-905e-8b08f00bb5a0.png)
_Above: (before) array values were previously represented as a joined string_
The `JSON` tab now displays the raw search hit JSON, per the _after_ screenshot below:
![event-details-json-formatting-after](https://user-images.githubusercontent.com/4459398/137437257-330c5b49-a4ad-418e-a976-923f7a35c0cf.png)
_Above: (after) the `JSON` tab displays the raw search hit_
CC @monina-n @paulewing
* [RAC] [Metrics UI] Include group name in the reason message
* remove console log
* fix i18n errors
* fix more i18n errors
* fix i18n & check errors and move group to the end of the reason text
* add empty lines at the end of translation files
* fix more i18n tests
* try to remove manually added translations
* Revert "try to remove manually added translations"
This reverts commit 6949af2f70.
* apply i18n_check fix and reorder values in the formatted reason
* log threshold reformat reason message and move group info at the end
* Hide building block rules in "Security/Overview"
* Add Cypress tests for alerts generated by building block rules
Co-authored-by: Dmitry Shevchenko <dmshevch@gmail.com>
* Make 1h default value for IM rule interval and lookback time
* Fix test name
* Move value to constants
* Update lookback
* Change lookback to 5 minutes
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Throw an error to stop execution if IM rule has exceeded its interval
* Extract and unit test our timeout validation
* Add integration test around timeout behavior
Configures a very slow rule to trigger a timeout and assert the
corresponding failure.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Add `item_id` to list of searchable fields
* trusted apps api changes to use `item_id` instead of SO `id`
* Change Policy Details Trusted App "View all details" action URL to show TA list filtered by the TA id
* Adds new `canIsolateHost` and `canCreateArtifactsByPolicy` privileges for endpoint
* Refactor `useEndpointPrivileges` mocks to also provide a test function to return the full set of default privileges
* refactor useEndpointPrivileges tests to be more resilient to future changes
## Summary
During testing I encountered this error message:
```
[2021-10-18T13:19:07.053-06:00][ERROR][plugins.securitySolution] The notification throttle "from" and/or "to" range values could not be constructed as valid. Tried to construct the values of "from": now-null "to": 2021-10-18T19:19:00.835Z. This will cause a reset of the notification throttle. Expect either missing alert notifications or alert notifications happening earlier than expected.
```
This error was happening whenever I had a rule that was using an immediately invoked action and was encountering an error such as a non-ECS-compliant signal. The root cause is that I was not checking everywhere to ensure we had a throttle rule to ensure scheduling.
This fixes that by adding an `if` statement/guard around the areas of code.
I also improve the error message by adding which ruleId the error is coming from.
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
* rename legacy actions/responses
fixes elastic/security-team/issues/1702
* use correct name for responses index
refs elastic/kibana/pull/113621
* extract helper method to utils
* append endpoint responses docs to activity log
* Show completed responses on activity log
fixes elastic/security-team/issues/1703
* remove width restriction on date picker
* add a simple test to verify endpoint responses
fixes elastic/security-team/issues/1702
* find unique action_ids from `.fleet-actions` and `.logs-endpoint.actions-default` indices
fixes elastic/security-team/issues/1702
* do not filter out endpoint only actions/responses that did not make it to Fleet
review comments
* use a constant to manage various doc types
review comments
* refactor `getActivityLog`
Simplify `getActivityLog` so it is easier to reason with.
review comments
* skip this for now
will mock this better in a new PR
* improve types
* display endpoint actions similar to fleet actions, but with success icon color
* Correctly do mocks for tests
* Include only errored endpoint actions, remove successful duplicates
fixes elastic/security-team/issues/1703
* Update tests to use non duplicate action_ids
review comments
fixes elastic/security-team/issues/1703
* show correct action title
review fixes
* statusCode constant
review change
* rename
review changes
* Update translations.ts
refs 74a8340b5e
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>