* Add new x-pack advanced setting searchTimeout and use it in the EnhancedSearchInterceptor
* docs
* Rely on server timeout in OSS (?)
Use UI setting in xpack.
* Rename function
* doc
* Remove esShard from client
* cleanup request parameters from FE
* doc
* doc
* Align request parameters on server,
Remove leftover parameters from client
Shim responses for search and msearch routes
* docs
Stop using toSnakeCase
Updates jest tests
* add management docs
* docs
* Remove import
* Break circular dep + fix msearch test
* Remove deleted type
* Fix jest
* Bring toSnakeCase back
* docs
* fix jest
* Fix merge
* Fix types
* Allow timeout to be undefined
* Fix jest test
* Update docs
* Fix msearch jest
* docs
* Fix rollup search merge
* docs
Co-authored-by: Lukas Olson <olson.lukas@gmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* [DOCS] Add default time range filter to advanced settings
* [DOCS] More edits
* [DOCS] Adds behaviour when disabled
* [DOCS] Synchs setting name changes
* [DOCS] More edits
* Add tutorial for ILM with filebeat
* Change screenshots and add additional steps
* Update screenshots, add numbered steps, and other minor edits
* Incorporate feedback: update links, formatting, and minor edits
* Move tip inline with list
* Apply suggestions from code review
Co-Authored-By: James Rodewig <james.rodewig@elastic.co>
* Move TIP inline . . . again
* Put TIP inline
Co-authored-by: James Rodewig <james.rodewig@elastic.co>
## [SIEM] Overview Page "1.5"
A redesigned SIEM Overview page that includes `Recent timelines`, a `Security news` feed, visualizations, and rolled-up event counts
![overview-day](https://user-images.githubusercontent.com/4459398/72396016-90f53600-36f8-11ea-9b41-6d54d09de589.png)
![overview-night](https://user-images.githubusercontent.com/4459398/72394575-fb57a780-36f3-11ea-868e-8fcd2c5c4543.png)
### Overview enhancements
- Added the global Search bar and Date picker to the Overview page
- New `Recent timelines` widget affords quick access to favorite and recently modified timelines
- New `Security news` widget
- New Kibana advanced settings (toggle switch) for enabling or disabling the news widget and configuring the news URL
![news-settings](https://user-images.githubusercontent.com/4459398/72362776-fd4c4700-36b0-11ea-805b-3c7353f2c1cd.png)
- New `Events count by dataset` widget
- Updated the `Host Events` and `Network Events` widgets to integrate with the Search bar and date picker input
- Enhanced the `Host Events` and `Network Events` widgets to use an accordion paradigm that summarizes stats by source (e.g. `Auditbeat`, `Endgame`)
- Enhanced the `Host Events` and `Network Events` widgets to visualize relative percentages of events collected as progress bars
- New `Alerts count by category` widget
- New `Signals count by MITRE ATT&CK™ category` widget
- New `View events`, `View alerts`, and `View signals` navigation buttons for their respective visualizations
### FTUE enhancements
- FTUE "no data" view design refresh
![ftue](https://user-images.githubusercontent.com/4459398/72361771-43a0a680-36af-11ea-969f-5872ac4a01a1.png)
- When the FTUE "no data" page is displayed, hide all global navigation links (i.e. `Hosts`, `Network`, `Detection engine`), such that only `Overview` appears in the global nav
- App Help popover design refresh
![help](https://user-images.githubusercontent.com/4459398/72362132-d80b0900-36af-11ea-9b58-1fd3b923b7c8.png)
- Removed the `Beta` badge and `Security Information & Event Management with the Elastic Stack` from the Overview header
- Tested in Chrome `79.0.3945.117`, Firefox `72.0.1`, and Safari `13.0.4`
## Known issues
- The `siem:newsFeedUrl` advanced setting is defaulted to `https://feeds.elastic.co/kibana`
- The `Signals count by MITRE ATT&CK™ category` visualization does not display all categories
- The `Signals count by MITRE ATT&CK™ category` visualization may require a different index pattern
- `EuiButtonGroup` throwing a `Can't perform a React state update on an unmounted component` warning when switching from the Overview tab
https://github.com/elastic/siem-team/issues/484
* [DOCS] Moves index pattern doc to Discover
* [DOCS] Improves intro to index patterns doc
* [DOCS] Edits index patterns doc
* [DOCS] Incorporates comments into index patterns doc
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Asciidoctor sees `,` as the edge of parameters and chokes on one of our
deprecation warnings, rendering funny looking garbage. This wraps the
whole parameter in `"` which makes it look good. It *does* add `"`s
around the result in AsciiDoc, but we plan to migrate from AsciiDoc
"real soon now".
* [DOCS] Updates Index Management doc to include index templates
* [DOCS] Added example of creating a template
* [DOCS] Incorporates review comments
* [DOCS] Fixes typo
* Added an inclusion of, "This setting is off by default..."
* Update docs/management/advanced-options.asciidoc
Co-Authored-By: gchaps <33642766+gchaps@users.noreply.github.com>
Discover currently executes a search as soon as it loads. For some users this is useful. But for others it may return worthless results at the expense of extra load on their ES cluster and increased page load times, making it harder to get to the data they actually want. This PR adds an advanced setting allowing users to turn off the "search on page load" functionality in Discover.
* [DOCS] Updates index patterns doc
* [DOCS] Incorporates review comments in index patterns doc
* [DOCS] More review comments on index patterns doc
* [DOCS] Fixed section on managing index patterns
* Adding read-only mode section to Discover
* No more "mode" or "badge" terminology
* Putting newline back
* Adding "Saving" section for visualize
* Adding dashboard read only access section
* Timelion gets read-only documentation
* Adding read only access section to index patterns and advanced settings
* Adding graph read only access section
* Allow select settings to specify labels for their values
* Rename kuery setting to KQL
* Change docs for KQL setting
* Add warnings for unused options
* Address review
* Remove chinese translation for modified string
* Fix translations again (... should have pulled first)
* Remove old chinese translation
* [dashboard+gis] remove dark mode options
* [reporting/extract] restore fixtures
* remove mentions of old `.theme-dark` class
* import panel styles from panel/_index.scss
* [DOCS] Adds documentation for index lifecycle policies
* [DOCS] Updated image for policy options to show all menu items
* Update create-policy.asciidoc
* [DOCS] Incorporated review comments on hot and warm phase
* [DOCS] Additional changes to warm phase
* [DOCS] Removed the word open in the warm phase
Allows Kibana users to configure the max_concurrent_shard_requests param used by Kibana when sending _msearch requests. Exposes the config as an advanced setting. By default we won't send the param at all, relying on the ES default instead.
* Beginning to work on the role management APIs. Added docs for GET
* Adding PUT docs
* Adding PUT details
* Adding delete docs
* Fixing linking
* Adding Kibana privileges section
* Fixing dashboard only mode docs
* Fixing a few more references to managing roles
* Beginning to work on authorization docs, might be moving some to
stack-docs
* Collapsing authorization description in the kibana privileges page
* Adding audit logging section
* Revising the language on the Kibana role management section
* Splitting back out the auth/privileges and adding legacy fallback
details
* Revising language around impact of disabling security
* Changing Kibana to {kib} and Elasticsearch to {es}
* Beginning to work on developer centric docs
* Fixing some formatting, adding some diagrams
* Adding note about the role management APIs
* Adding overview, fixing small syntax issues
* Fixing chunk name for transitioning to application privileges
* Adjusting tone for the authorization introduction
* Changing the tone and structure of the RBAC docs
* Deleting blog stuff after refactoring
* Addressing first round of peer review comments
* Fixing endpoints links
* Peer review suggested edits
* Addressing other PR feedback
* enhance index pattern delete documentation
* add line about breaking saved objects that still reference index pattern
* indices spelling
* better wording from gchaps
Makes our language updates more visible to users and removes mentions of Kuery as a separate language. Users still get the old lucene experience by default, but have the option to opt-in to "experimental query features" directly in the query bar. Goal is to get more feedback by making these new features more prominent and less of a jump from lucene.
* First stab at refactoring typeahead
* Don't double submit on enter
* Add item templating
* Introduce simple kuery language
* Rename to kql and add modules
* Update KQL syntax
* Automatically insert matching pairs
* Don't match quotes after alphanumeric chars
* Get field and value suggestions
* Remove accidental changes
* Remove unnecessary test
* Don't submit on enter
* Fix typeahead
* Suggest matching recent searches
* Suggest operators
* Suggest conjunctions
* Use template, separate suggestions into separate modules
* Whoops, add this module back
* Add clarifying comment
* Fix history log key
* Don't update suggestions on every key press
* Fix key handling
* Update terminology to be clearer
* Fix typo
* Simplify building of nodes
* Don't always hide on submit
* Check items exists
* Add icon directive which wraps EuiIcon.
* kql design start
* remove comment bits
* Simplify select next/prev and reset selected on hide/backspace
* Add test
* Put persistedLog on scope so it can be tested
* Fix typos
* Build up AST for sublist by returning functions that take a field name
* Remove single quoted strings and add double quote to special characters
* Build nodes with arg nodes instead of args themselves
* Add support for exact phrase search for quoted values
* Update typeahead items when language changes
* Finish that work I didn't do in the last commit
* This commit makes Bargs very happy cuz it does a lot
* Add wildcard field support to range query
* Remove range support for wildcard values
* Remove KQL as a separate language
Updates kuery to use KQL's grammar. This will lead to a smoother
transition for both us and Kuery users. We mainly added KQL as a
separate language so that we could notify Kuery users that the syntax
had changed. I realized we could do the same by trying to parse their
query strings with the old grammar if the new grammar fails, and if the
old grammar parses successfully we can display an error message with a
link to the docs describing the syntax changes. Since Kuery now uses the
more simple KQL syntax, I've also re-enabled the filter bar when Kuery
is selected.
* Fix typeahead behavior
* Update conjunctions
* Use scope apply
* Suggest conjunctions after ranges
* Support strings in wildcard node constructor and add tests for wildcard node
* test updates
* Removing unused serializeStyle and toKueryExpression, updating tests
* Fix functional test
* Fix typo
* Show fields that match in any part of the name
* Alter order of operators
* Preserve focus after selecting by click
* Ports tests for `fromKueryExpression` to `fromKqlExpression`
* More KQL syntax tests
* Suggest conjunctions after ranges
* Fix suggestions inside parens
* fromLiteralExpression tests
* remove serializeStyle arguments which no longer exist in the function definition
* tests for getFields
* Case insensitive search for field names
* update tests for is.js
* add wildcard fieldname test for range.js
* Fix removed div
* Fix line spacing for autocomplete suggestions
* Fix conjunction suggestions with escaped preceding literals
* Escape special characters in fields and values
* Don't suggest the value that's already selected
* Update icons
* Sort prefix first
* Simplify cursor detection and suggest booleans
* Use quotes for suggested values
* get rid of references to KQL
* Don't show errors from parsing
* That didn't even exist
* Use config to determine if values are suggested
* Update suggestions on home/end
* remove hack
* Update reference to kql
* Suggestions for quoted values
* Clean up grammar
* Better support for cursor inside spaces
* Create grunt task to generate parsers from peg files
* Simplify wildcard handling
* Don't filter out the exact fields/values
* Update parsing modules
* Fix peg task
* Make operator syntax more visible
* Update OR verbiage
* Simplify and improve match pairs
* Revert "Simplify wildcard handling"
This reverts commit 915861beab.
* Support escaped backslashes inside quoted strings
* Support escaped keywords
* Remove lodash dependency cuz w33ble
* Escape user input and fix conjunction description
* Clear suggestions after submitting
* Fix insertion of suggestion to account for selection
* Remove unnecessary?
* Remove extraneous file
* Better name for method
* Move functions out of event handler
* Don't wrap result in promise
* Don't show kuery suggestions for lucene
* some cleanup and polish for kql autocomplete
* Omit description completely for values
* Don't suggest and/or for quoted strings that end in spaces
* Submit recent search suggestions on select
* Scroll selected suggestion into view
* Better handling of key events and hiding typeahead
* Update suggestions to work in other apps with multiple index patterns
* Only update suggestions if not submitting
* Hide suggestions on focus
* Simplify wildcard (again)
* Fix console error
* Remove references to kql
* Fix match pairs so that suggestions occur with cursor in correct place
* Memoize value suggestions
* Debounce model updates
* Add tests for suggestion providers
* Add setting and docs
* Add custom error, helper for detecting leading wildcards, and check for
leading wildcards in the Value rule of the grammar.
* Better handling of suggestion clicks
* Dedup suggestions
* Sort keywords first
* Fix value suggestions memoizing
* Check if query exists
* Reduce size of dialog and fix ranges
* Create grunt task to generate parsers from peg files
* Lazy load typeahead items
* Fix wildcard tests
* Fix value suggestion tests
* Fix typeahead tests
* Fix value suggestion memoize resolver
* Leave comment
* Add a ttl for the value suggestion resolver
* Move grunt config to config/
* Bargs can suck it
* Fix more tests that bargs broke (and one I did too)
* Fix tests