* Fetch rule statuses using single aggregation instead of N separate requests
* Optimize _find API and _find_statuses
* Merge alerting framework errors into rule statuses
* Add sortSchema for top hits agg, update terms.order schema
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Re-introduces the changes from #100727 which was backed out due to a bug. Changes included:
* Generate random isolation values for endpoint metadata
* Generator for Fleet Actions
* Added creation of actions to the index test data loader
Plus:
* Fix generator `randomBoolean()` to ensure it works with seeded random numbers
* Update resolver snapshots due to additional call to randomizer
* Adding feature flag for enabling rule import and export
* Removing item from docs
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Update datafeed_windows_rare_user_type10_remote_login.json
refactor df query to work with newer field values
* Update datafeed_windows_rare_user_type10_remote_login.json
remove event.code test - was failing a test on the build server using the original data b/c this field was not there when the query was first developed.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Remove legacy detection rule stat summaries
* Remove ML usage summary and consolidate with ML metric telemetry.
* Move legacy helper constructs into index.
* Separate rule logic from ml logic. Add ml unit tests.
* Abstract types away into their own file.
* Update telemetry schema.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* WIP - creating alerting authorization client factory and exposing authorization client on plugin start contract
* Updating alerting feature privilege builder to handle different alerting types
* Passing in alerting authorization type to AlertingActions class string builder
* Passing in authorization type in each function call
* Passing in exempt consumer ids. Adding authorization type to audit logger
* Changing alertType to ruleType
* Updating unit tests
* Passing field names into authorization query builder. Adding kql/es dsl option
* Converting to es query if requested
* Fixing functional tests
* Removing ability to specify feature privilege name in constructor
* Fixing some types and tests
* Consolidating alerting authorization kuery filter options
* Cleanup and tests
* Initial commit with changes needed for subfeature privilege
* Throwing error when AlertingAuthorizationClientFactory is not defined
* Renaming authorizationType to entity
* Renaming AlertsAuthorization to AlertingAuthorization
* Fixing unit tests
* Changing schema of alerting feature privilege
* Updating feature privilege iterator
* Updating feature privilege builder
* Fixing types check
* Updating privilege string terminology
* Wip
* Fixing unit tests
* Unit tests
* Updating README and removing stack subfeature privilege changes
* Fixing README
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [Maps timeslider]
* just arrowLeft and arrowRight icons
* tslint
* color icon when timeslider is open, auto select first section on open
* increase width to prevent timeslider from changing sizes during interaction
* fix filters disappearing when timeslice advances
* use shorter date format for ticks
* review feedback
* do not show timeslider button when map is embedded
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Created common TSVB migrations. Registered them in the server-side embeddable factory so that by-value panels receive them
Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
**Needed for:** rule execution log for Security https://github.com/elastic/kibana/pull/94143
**Related to:**
- alerts-as-data: https://github.com/elastic/kibana/issues/93728, https://github.com/elastic/kibana/issues/93729, https://github.com/elastic/kibana/issues/93730
- RFC for index naming https://github.com/elastic/kibana/issues/98912
## Summary
This PR adds a mechanism for writing to / reading from / bootstrapping indices for RAC project into the `rule_registry` plugin. Particularly, indices for alerts-as-data and rule execution events. This implementation is similar to existing implementations like `event_log` plugin (see https://github.com/elastic/kibana/pull/98353#issuecomment-833045980 for historical perspective), but we're going to converge all of them into 1 or 2 implementations. At least we should have a single one in `rule_registry` itself.
In this PR I tried to incorporate most of the feedback received in the RFC (https://github.com/elastic/kibana/issues/98912), but if you notice I missed/forgot something, please let me know in the comments.
Done in this PR:
- [x] Schema-agnostic APIs for working with Elasticsearch.
- [x] Schema-aware log definition and bootstrapping API (creating hierarchical logs).
- [x] Schema-aware write API (logging events).
- [x] Schema-aware read API (searching logs, filtering, sorting, pagination, aggregation).
- [x] Support for Kibana spaces, space-aware index bootstrapping (either at rule creation or rule execution time).
As for reviewing this PR, perhaps it might be easier to start with:
- checking description of https://github.com/elastic/kibana/issues/98912
- checking usage examples https://github.com/elastic/kibana/pull/98353/files#diff-c049ff2198cc69bd50a69e92d29e88da7e10b9a152bdaceaf3d41826e712c12b
- checking public api https://github.com/elastic/kibana/pull/98353/files#diff-8e9ef0dbcbc60b1861d492a03865b2ae76a56ec38ada61898c991d3a74bd6268
## Next steps
Next steps towards rule execution log in Security (https://github.com/elastic/kibana/pull/94143):
- define actual schema for rule execution events
- inject instance of rule execution log into Security rule executors and route handlers
- implement actual execution logging in rule executors
- update route handlers to start fetching execution events and metrics from the log instead of custom saved objects
Next steps in the context of RAC and unified implementation:
- converge this implementation with `RuleDataService` implementation
- implement robust index bootstrapping
- reconsider using FieldMap as a generic type parameter
- implement validation for documents being indexed
- cover the final implementation with tests
- write comprehensive docs: update plugin README, add JSDoc comments to all public interfaces
Make it so `xpack.observability.unsafe.alertingExperience.enabled` only shows and hides the Alerts page, and `xpack.observability.unsafe.cases.enabled` shows and hides the Cases page.
* [TSVB] Support triggers only for timeseries chart
* fix the type
* Fix type failure
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>