* Fetch rule statuses using single aggregation instead of N separate requests
* Optimize _find API and _find_statuses
* Merge alerting framework errors into rule statuses
* Add sortSchema for top hits agg, update terms.order schema
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Re-introduces the changes from #100727 which was backed out due to a bug. Changes included:
* Generate random isolation values for endpoint metadata
* Generator for Fleet Actions
* Added creation of actions to the index test data loader
Plus:
* Fix generator `randomBoolean()` to ensure it works with seeded random numbers
* Update resolver snapshots due to additional call to randomizer
* Adding feature flag for enabling rule import and export
* Removing item from docs
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Update datafeed_windows_rare_user_type10_remote_login.json
refactor df query to work with newer field values
* Update datafeed_windows_rare_user_type10_remote_login.json
remove event.code test - was failing a test on the build server using the original data b/c this field was not there when the query was first developed.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Remove legacydetection rule stat summaries
* Remove ML usage summary and consolidate with ML metric telemetry.
* Remove ML usage summary and consolidate with ML metric telemetry.
* Move legacy helper constructs into index.
* Separate rule logic from ml logic. Add ml unit tests.
* Abstract types away into their own file.
* Update telemetry schema.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* WIP - creating alerting authorization client factory and exposing authorization client on plugin start contract
* Updating alerting feature privilege builder to handle different alerting types
* Passing in alerting authorization type to AlertingActions class string builder
* Passing in authorization type in each function call
* Passing in exempt consumer ids. Adding authorization type to audit logger
* Changing alertType to ruleType
* Changing alertType to ruleType
* Updating unit tests
* Updating unit tests
* Passing field names into authorization query builder. Adding kql/es dsl option
* Converting to es query if requested
* Fixing functional tests
* Removing ability to specify feature privilege name in constructor
* Fixing some types and tests
* Consolidating alerting authorization kuery filter options
* Cleanup and tests
* Cleanup and tests
* Initial commit with changes needed for subfeature privilege
* Throwing error when AlertingAuthorizationClientFactory is not defined
* Renaming authorizationType to entity
* Renaming AlertsAuthorization to AlertingAuthorization
* Fixing unit tests
* Changing schema of alerting feature privilege
* Changing schema of alerting feature privilege
* Updating feature privilege iterator
* Updating feature privilege builder
* Fixing types check
* Updating privilege string terminology
* Updating privilege string terminology
* Wip
* Fixing unit tests
* Unit tests
* Updating README and removing stack subfeature privilege changes
* Fixing README
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [Maps timeslider]
* just arrowLeft and arrowRight icons
* tslint
* color icon when timeslider is open, auto select first section on open
* increase width to prevent timeslider from changing sizes during interaction
* fix filters disappearing when timeslice advances
* use shorter date format for ticks
* review feedback
* do not show timeslider button when map is embedded
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
**Needed for:** rule execution log for Security https://github.com/elastic/kibana/pull/94143
**Related to:**
- alerts-as-data: https://github.com/elastic/kibana/issues/93728, https://github.com/elastic/kibana/issues/93729, https://github.com/elastic/kibana/issues/93730
- RFC for index naming https://github.com/elastic/kibana/issues/98912
## Summary
This PR adds a mechanism for writing to / reading from / bootstrapping indices for RAC project into the `rule_registry` plugin. Particularly, indices for alerts-as-data and rule execution events. This implementation is similar to existing implementations like `event_log` plugin (see https://github.com/elastic/kibana/pull/98353#issuecomment-833045980 for historical perspective), but we're going to converge all of them into 1 or 2 implementations. At least we should have a single one in `rule_registry` itself.
In this PR I tried to incorporate most of the feedback received in the RFC (https://github.com/elastic/kibana/issues/98912), but if you notice I missed/forgot something, please let me know in the comments.
Done in this PR:
- [x] Schema-agnostic APIs for working with Elasticsearch.
- [x] Schema-aware log definition and bootstrapping API (creating hierarchical logs).
- [x] Schema-aware write API (logging events).
- [x] Schema-aware read API (searching logs, filtering, sorting, pagination, aggregation).
- [x] Support for Kibana spaces, space-aware index bootstrapping (either at rule creation or rule execution time).
As for reviewing this PR, perhaps it might be easier to start with:
- checking description of https://github.com/elastic/kibana/issues/98912
- checking usage examples https://github.com/elastic/kibana/pull/98353/files#diff-c049ff2198cc69bd50a69e92d29e88da7e10b9a152bdaceaf3d41826e712c12b
- checking public api https://github.com/elastic/kibana/pull/98353/files#diff-8e9ef0dbcbc60b1861d492a03865b2ae76a56ec38ada61898c991d3a74bd6268
## Next steps
Next steps towards rule execution log in Security (https://github.com/elastic/kibana/pull/94143):
- define actual schema for rule execution events
- inject instance of rule execution log into Security rule executors and route handlers
- implement actual execution logging in rule executors
- update route handlers to start fetching execution events and metrics from the log instead of custom saved objects
Next steps in the context of RAC and unified implementation:
- converge this implementation with `RuleDataService` implementation
- implement robust index bootstrapping
- reconsider using FieldMap as a generic type parameter
- implement validation for documents being indexed
- cover the final implementation with tests
- write comprehensive docs: update plugin README, add JSDoc comments to all public interfaces
Make it so `xpack.observability.unsafe.alertingExperience.enabled` only shows and hides the Alerts page, and `xpack.observability.unsafe.cases.enabled` show and hides the Cases page.
resolves https://github.com/elastic/kibana/issues/100607
This fixes a problem when very large parameters (over 32K bytes) are saved with
an alert. Before this fix, an error from elasticsearch would be thrown with
the following message, and a 400 returned from create (and presumably update).
Document contains at least one immense term in field=\"alert.params\"
(whose UTF8 encoding is longer than the max length 32766), all of which
were skipped.
After the fix, alerts with immense params can be saved and executed.
Note that the immense params will not be searchable, since they won't be indexed,
but that seems both unavoidable, and not a severe issue.
* cleanup removed dirs
* delete removed folders from other places in the repo
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Move uptime actions to Kibana's HeaderActionsMenu.
* Delete a comment.
* Extract ActionMenu content to dedicated component to make testing easier.
* Add tests.
* Use `EuiHeaderLinks` instead of `EuiFlexItem`.
* Clean up tests.
* Prefer `getByRole` for a test.
* Fix copy mistake.
* Fix a test broken by the previous commit.
* Prefer `EuiHeaderSectionItem` over `EuiHeaderSectionLink` to avoid nesting `button`s within `buttons`.
* Reverse "Settings" and "Alerts" menu options to make them uniform with APM.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Manual cherry pick of work to support integration tiles and package-level vars
* Fix types
* Remove registry input group typings
* Show integration-specific readme, title, and icon in package details page
* Revert unnecessary changes
* Add package-level `vars` field to package policy SO mappings
* Fix types
* Fix test
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [ML] Adds functional tests for anomaly detection job custom URLs
* [ML] Remove debug test tag from custom URL tests
* [ML] Update custom URL editor Jest snapshots
* [ML] Clean up in embeddables tests to fix dashboard test
* [ML] Delete test dashboard after test suites complete
* [ML] Edits to custom URL tests following review
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [Maps] filter dashboard by map extent
* clean up
* remove warning from filter pill
* tslint
* API doc updates, i18n fixes, tslint
* only show context menu option in edit mode
* add functional test
* review feedback
* do not use search session when filtering by map bounds
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* add ip option type to convert processor
* remove duped option
* small CR changes
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [triggersActionsUi] Reduce page load bundle to under 100kB
* removed old code
* removed fragment
* changed svg logo to lazy react components
* fixed type checks and translations
* fixed type checks
* fixed type checks
* fixed type checks
* fixed tests
* fixed tests
* fixed iconClass
* fixed due to comments
* added info about new IconType to readme file
* fixed key errors
