* filter filter bar suggestions by time (according to flag)
add api integration tests for autocomplete apis
* test fix: setDefaultAbsoluteRange
* timeRangeForSuggestionsOverride
* revert
* tests
* doc
* set time range
* Added tests following code review
* eslint
* fun-ctional tests
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Liza Katz <lizka.k@gmail.com>
* change alerts table filter text box placeholder
* update alerts table placeholder to use the status field
* use threshold for the alerts table placeholder
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: mgiota <giota85@gmail.com>
* Add behaviour-protection-for-mac-and-linux
* Display the correct os names in the OS section
* Fix policy config returning windows values
Co-authored-by: Esteban Beltran <academo@users.noreply.github.com>
* adds entries.list.id field in the searchable event filters fields list
* adds test case for list.id operator
* Revert "adds entries.list.id field in the searchable event filters fields list"
This reverts commit 45a66fd966.
* Revert "adds test case for list.id operator"
This reverts commit 9dba145df2.
* Disable large value list option in operators dropdown
* Refactor event filters form test to use context provider
* Fix ts checks
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: David Sánchez <davidsansol92@gmail.com>
* Don't skip last bucket for most aggs
* Allow alerting on partial buckets for certain aggs
* Fix test, PR feedback, and some comments
* Remove all offset logic for date_range aggs
* Remove code comment
* Add delivery delay
* Fix the date range for query
* Add TODO
Co-authored-by: Phillip Burch <phillip.burch@live.com>
* incremental changes
* No more type errors
* Type guards
* Begin adding tests
* Flatten
* Reduce scope of branch
* Remove extraneous argument to filter_duplicate_signals
### Summary
We are integrating alert search strategy with RBAC on top of alert tables for security solution and o11y.
Co-authored-by: Xavier Mouligneau <189600+XavierM@users.noreply.github.com>
* Add aliases mapping signal fields to alerts as data fields
* Add aliases mapping alerts as data fields to signal fields
* Replace siem signals templates per space and add AAD index aliases to siem signals indices
* Remove first version of new mapping json file
* Convert existing legacy siem-signals templates to new ES templates
* Catch 404 if siem signals templates were already updated
* Enhance error message when index exists but is not write index for alias
* Check if alias write index exists before creating new write index
* More robust write target creation logic
* Add RBAC required fields for AAD to siem signals indices
* Fix index name in index mapping update
* Throw errors if bulk retry fails or existing indices are not writeable
* Add new template to routes even without experimental rule registry flag enabled
* Check template version before updating template
* First pass at modifying routes to handle inserting field aliases
* Always insert field aliases when create_index_route is called
* Update snapshot test
* Remove template update logic from plugin setup
* Use aliases_version field to detect if aliases need update
* Fix bugs
* oops update snapshot
* Use internal user for PUT alias to fix perms issue
* Update comment
* Disable new resource creation if ruleRegistryEnabled
* Only attempt to add aliases if siem-signals index already exists
* Fix types, add aliases to aad indices, use package field names
* Undo adding aliases to AAD indices
* Remove unused import
* Update test and snapshot oops
* Filter out kibana.* fields from generated signals
* Update cypress test to account for new fields in table
* Properly handle space ids with dashes in them
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
# Conflicts:
# x-pack/plugins/security_solution/cypress/ccs_integration/detection_alerts/alerts_details.spec.ts
# x-pack/plugins/security_solution/cypress/integration/detection_alerts/alerts_details.spec.ts
* Remove legacy imports from 'elasticsearch' package
This prefers the newer types from '@elastic/elasticsearch'.
There was one instance where mock data was insufficient to satisfy the
newer analogous types; in all other cases this was just a find/replace.
* Fix type errors with a null guard
We know that this mock has hits with _source values, but we cannot
convey this to typescript as null assertions are disabled within this
project. This seems like the next best solution, preferable to a
@ts-expect-error.
* Fix a few more type errors
* Replace legacy type imports in integration tests
* refactors destructuring due to _source being properly declared as
conditional
* Update more integration tests to account for our optional _source
Changes here fall into one of two categories:
* If the test was making an assertion on a value from _source, we simply
null chain and continue to assert on a possibly undefined value.
* If the test logic depends on _source being present, we first assert that
presence, and exit the test early if absent.
* Fix more type errors
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
## Summary
This PR implements cell actions in the `TGrid`, rendering them via `EuiDataGrid`, per the `Before` and `After` screenshots below:
### Before
Users previously hovered over a draggable field to view and trigger cell actions:
<img width="1348" alt="legacy_cell_actions" src="https://user-images.githubusercontent.com/4459398/128351498-49b4d224-6c51-4293-b14f-46bbb58f7cb3.png">
_Above: legacy `TGrid` cell action rendering_
### After
Cell actions are now rendered via `EuiDataGrid` cell actions:
<img width="997" alt="euidatagrid_cell_actions" src="https://user-images.githubusercontent.com/4459398/128358847-c5540ea4-8ba1-4b35-ab6b-3b3e39ae54ce.png">
_Above: new `TGrid` cell action rendering via `EuiDataGrid`_
## Technical Details
Every instance of the `TGrid` on a page can specify its own set of cell actions via `defaultCellActions` when calling the `timelines.getTGrid()` function to create an instance.
For example, the Observability Alerts `TGrid` is initialized in with a default set of actions in `x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx`, as shown in the code below:
```ts
{timelines.getTGrid<'standalone'>({
type: 'standalone',
columns,
deletedEventIds: [],
defaultCellActions: getDefaultCellActions({ enableFilterActions: false }), // <-- defaultCellActions
// ...
</>
```
The type of the `defaultCellActions` is:
```ts
defaultCellActions?: TGridCellAction[];
```
and the definition of `TGridCellAction` is in `x-pack/plugins/timelines/common/types/timeline/columns/index.tsx`:
```ts
/**
* A `TGridCellAction` function accepts `data`, where each row of data is
* represented as a `TimelineNonEcsData[]`. For example, `data[0]` would
* contain a `TimelineNonEcsData[]` with the first row of data.
*
* A `TGridCellAction` returns a function that has access to all the
* `EuiDataGridColumnCellActionProps`, _plus_ access to `data`,
* which enables code like the following example to be written:
*
* Example:
* ```
* ({ data }: { data: TimelineNonEcsData[][] }) => ({ rowIndex, columnId, Component }) => {
* const value = getMappedNonEcsValue({
* data: data[rowIndex], // access a specific row's values
* fieldName: columnId,
* });
*
* return (
* <Component onClick={() => alert(`row ${rowIndex} col ${columnId} has value ${value}`)} iconType="heart">
* {'Love it'}
* </Component>
* );
* };
* ```
*/
export type TGridCellAction = ({
browserFields,
data,
}: {
browserFields: BrowserFields;
/** each row of data is represented as one TimelineNonEcsData[] */
data: TimelineNonEcsData[][];
}) => (props: EuiDataGridColumnCellActionProps) => ReactNode;
```
For example, the following `TGridCellAction[]` defines the `Copy to clipboard` action for the Observability Alerts table in `x-pack/plugins/observability/public/pages/alerts/default_cell_actions.tsx`:
```ts
/** actions common to all cells (e.g. copy to clipboard) */
const commonCellActions: TGridCellAction[] = [
({ data }: { data: TimelineNonEcsData[][] }) => ({ rowIndex, columnId, Component }) => {
const { timelines } = useKibanaServices();
const value = getMappedNonEcsValue({
data: data[rowIndex],
fieldName: columnId,
});
return (
<>
{timelines.getHoverActions().getCopyButton({
Component,
field: columnId,
isHoverAction: false,
ownFocus: false,
showTooltip: false,
value,
})}
</>
);
},
];
```
Note that an _implementation_ of the copy to clipboard cell action, including the button, is available for both the Observability and Security solutions to use via `timelines.getHoverActions().getCopyButton()`, (and both solutions use it in this PR), but there's no requirement to use that specific implementation of the copy action.
### Security Solution cell actions
All previously-available hover actions in the Security Solution are now available as cell actions, i.e.:
- Filter for value
- Filter out value
- Add to timeline investigation
- Show Top `<field>` (only enabled for some data types)
- Copy to clipboard
### Observability cell actions
In this PR:
- Only the `Copy to clipboard` cell action is enabled by default in the Observability Alerts table
- The `Filter for value` and `Filter out value` cell actions may be enabled in the `Observability` solution by changing a single line of code, (setting `enableFilterActions` to true), on the following line in `x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx`:
```js
defaultCellActions: getDefaultCellActions({ enableFilterActions: false }), // <-- set this to `true` to enable the filter actions
```
`enableFilterActions` is set to `false` in this PR because the Observability Alerts page's search bar, defined in `x-pack/plugins/observability/public/pages/alerts/alerts_search_bar.tsx`:
```ts
return (
<SearchBar
indexPatterns={dynamicIndexPattern}
placeholder={i18n.translate('xpack.observability.alerts.searchBarPlaceholder', {
defaultMessage: 'kibana.alert.evaluation.threshold > 75',
})}
query={{ query: query ?? '', language: queryLanguage }}
// ...
/>
````
must be integrated with a `filterManager` to display the filters. A `filterManager` instance may be obtained in the Observability solution via the following boilerplate:
```ts
const {
services: {
data: {
query: { filterManager },
},
},
} = useKibana<ObservabilityPublicPluginsStart>();
```
## Desk testing
To desk test this PR, you must enable feature flags in the Observability and Security Solution:
- To desk test the `Observability > Alerts` page, add the following settings to `config/kibana.dev.yml`:
```
xpack.observability.unsafe.cases.enabled: true
xpack.observability.unsafe.alertingExperience.enabled: true
xpack.ruleRegistry.write.enabled: true
```
- To desk test the TGrid in the following Security Solution, edit `x-pack/plugins/security_solution/common/experimental_features.ts` and in the `allowedExperimentalValues` section set:
```typescript
tGridEnabled: true,
```
cc @mdefazio
Co-authored-by: Andrew Goldstein <andrew-goldstein@users.noreply.github.com>
* Upgrade eui to v36.1.0
* Jest snapshots
* More jest snapshots; one test assertion update
* Bump core page load limit
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
# Conflicts:
# packages/kbn-optimizer/limits.yml
* [APM] Service view for all dependencies
Closes#103257.
* Update API tests
* Fix type issue
Co-authored-by: Dario Gieselaar <dario.gieselaar@elastic.co>
* New route to retreive data for a single domain
* New CrawlerSingleDomainLogic logic
* New CrawlerSingleDomain view component
* Add CrawlerSingleDomain to CrawlerRouter
* Use different default text for page title while loading
* Apply suggestions from code review
Co-authored-by: Orhan Toy <toyorhan@gmail.com>
Co-authored-by: Orhan Toy <toyorhan@gmail.com>
Co-authored-by: Byron Hulcher <byronhulcher@gmail.com>
Co-authored-by: Orhan Toy <toyorhan@gmail.com>
* [ML] enable test selection
* [ML] executor update for annotations
* [ML] update unit tests
* [ML] fix i18n
* [ML] update schema
* [ML] fix ts
* [ML] account for docs count, update unit tests
* [ML] update translation strings
* [ML] add types
* [ML] fetch the latest annotation sorted by modified_time
* [ML] getDelayedDataAnnotations
* [ML] update unit tests
* [ML] set default number of docs to 1, update schema validation
* [ML] getDelayedDataLookbackTimestamp
* [ML] filter null values, update unit tests
* [ML] account for query delay, refactor with memoize
* [ML] update unit test
* [ML] remove previousStartedAt
* [ML] filter based on the job config
* [ML] fix tests
* [ML] add maps
* [ML] combine filters
* [ML] move range query inside of a filter
* [ML] filter out jobs with missing datafeed
* [ML] resolveLookbackInterval only from jobs with datafeeds
* [ML] do not show an error on empty time interval
* [ML] add help tooltips
* [ML] update description for the datafeed check
Co-authored-by: Dima Arnautov <dmitrii.arnautov@elastic.co>
* injects bulkCreate and wrapHits to individual rule executors
* WIP create_security_rule_type_factory based on Marshall's work in #d3076ca54526ea0e61a9a99e1c1bce854806977e
* removes ruleStatusService from old rule executors, fixes executor unit tests
* fixes rebase
* Rename reference_rules to rule_types
* Fix type errors
* Fix type errors in base security rule factory
* Additional improvements to types and interfaces
* More type alignment
* Fix remaining type errors in query rule
* Add validation / inject lists plugin
* Formatting
* Improvements to typing
* Static typing on executors
* cleanup
* Hook up params for query/threshold rules... includes exceptionsList and daterange tuple
* Scaffolding for wrapHits and bulkCreate
* Add error handling / status reporting
* Fixup alert type state
* Begin threshold
* Begin work on threshold state
* Organize rule types
* Export base security rule types
* Fixup lifecycle static typing
* WrapHits / bulk changes
* Field mappings (partial)
* whoops
* Remove redundant params
* More flexibile implementation of bulkCreateFactory
* Add mappings
* Finish query rule
* Revert "Remove redundant params"
This reverts commit 87aff9c810.
* Revert "whoops"
This reverts commit a7771bd392.
* Fixup return types
* Use alertWithPersistence
* Fix import
* End-to-end rule mostly working
* Fix bulkCreate
* Bug fixes
* Bug fixes and mapping changes
* Fix indexing
* cleanup
* Fix type errors
* Test fixes
* Fix query tests
* cleanup / rename kibana.rac to kibana
* Remove eql/threshold (for now)
* Move technical fields to package
* Add indexAlias and buildRuleMessageFactory
* imports
* type errors
* Change 'kibana.rac.*' to 'kibana.*'
* Fix lifecycle tests
* Single alert instance
* fix import
* Fix type error
* Fix more type errors
* Fix query rule type test
* revert to previous ts-expect-error
* type errors again
* types / linting
* General readability improvements
* Add invariant function from Dmitrii's branch
* Use invariant and constants
* Improvements to field mappings
* More test failure fixes
* Add refresh param for bulk create
* Update more field refs
* Actually use refresh param
* cleanup
* test fixes
* changes to rule creation script
* Fix created signals count
* Use ruleId
* Updates to bulk indexing
* Mapping updates
* Cannot use 'strict' for dynamic setting
Co-authored-by: Marshall Main <marshall.main@elastic.co>
Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Marshall Main <marshall.main@elastic.co>
Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Allow users select policies from a dropdown
* Policy filters are passed throguh the API call and the results are now filtered by policy
* Moved policies selector inside search component and triggers search only when refresh button is clicked
* Fixes tests
* Triggers policy filter when policy is selected. Also fix unit test because now policies are loaded at the trusted apps list
* Renamed components and added an index.ts for the exports
* Adds unit tests for policies selector component
* Fix unit tests and changed camelcase by snack case for url params
* adds multilang
* Fixes i18n keys
* Move mock resonse to the mocks file
* Use string templating in test
* remove === true from boolean comparison
* Set function in useCallback. Renames some variables and types. Use reourceState helper function to get the prev state. Use generated data for policies in tests
* Fix ts errors
* Removes unused type and fix type name for Item
* Puts exclude clause on policy dropdown behind a feature flag
* Adds missing feature flags in some tests and in global reducer
* Fix test adding useExperimentalValua mock for FF
* Wrapp handlers in a useCallback in order to prevent useless rerenders
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: David Sánchez <davidsansol92@gmail.com>
