Adds a tab in the _Edit Alert_ flyout which allows the user to _test_ their connector by executing it using an example action. The execution relies on the connector being updated, so is only enabled when there are no saved changes in the Connector form itself.
* Fields dropdowns are not populated if one of the indices is missing
* Fix tests and accept api changes
* Add indexPatternsService to get default index pattern
* Replace simple error message string with i18n translation
* Remove unnecessary displaying error code
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* Create reusable renderHeaderActions
- I put it in the same file as renderApp, since both functions behave similarly (one renders in the main Kibana app/body, the other renders in Kibana's header)
- slightly opinionated: renamed renderActionMenu to renderHeaderActions from Kibana's examples
* Add example renderHeaderActions usage
* Add example WorkplaceSearchHeaderActions component
- not sure if this should be where it lives or is exported from, feel free to change @scottybollinger
* Update WorkplaceSearchHeaderActions with realistic functionality
- pass required externalUrl helper as arg/prop
- TODO: Consider refactoring KibanaContext to a Kea store so that we can share it across our renderApp and renderHeaderActions
* Fix type errors
* accessibility tests for dashboard panel
* added back the skipped test as it is still required to pass through th ea11ySnapshot
* wip dashboard panel tests
* wip- accessibility
* wip -accessibility
* wip accessibility
* accessibility tests for dashboard edit panel
* accessibility tests
* removed the unused variables
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* Closes#48538 by removing the average duration by country custom geo map.
* adds link to client side monitoring below the rum charts
* removes unused translations
* Removes RUM-specific chart for Avg Duration By Browser
* Replace link under charts with CallOut above charts with link to Client Side Monitoring
* removes api integration tests for avg_duration_by_browser and usused i18n translations
* updates to copy in the CSM callout
* Closes#76372 by removing the `zoom` query param from the ml time series explorer link
* updated test snapshot for updated ML link href
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* res.customError -> defaultIngestErrorHandler
* Missed a variable rename in prior commit
* copying an invalid policy will 404; not 500
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* [Setup] Fix onboarding var name
- I camelCased too hard 🤦♀️ should be just onboardingComplete per ent-search code
* [Cleanup] Remove role.ability.destroy array
- This was only being used for 'session'/canDestroySession, which no longer applies in a Kibana world
- The destroy property still remains in the API endpoint, but will be ignored/unused by our front-end (similar to the defunct `roles: {}` obj)
* Hydrate AppLogic with more app-wide data
- namely: account, myRole, configuredLimits, and ilmEnabled
- also port over setOnboardingComplete action because it's fairly small and will be used
- role/myRole changes:
- This is a fairly opinionated change - open to thoughts!
- Ditch the Role()/Ability() classes and useAbilities() hook in favor of just storing that data from the get-go in myRole
- Remove unused fns from myRole (mostly those around the role obj, which is now always empty in SMAS)
- Type updates:
- Move IRole to client-side only, and to describe the myRole value
- IAccount.role should now only describe role data coming from the server-side
* Wrap App Search routes/navigation in ability checks
* Fix merged test
* PR feedback: Move myRole transformation to its own file
- Turns out Kea may or may not have been squashing some type errors! Moving to a separate file helped catch some type issues
* [Opinion] Move role-related types to role file
- Open to debate on this one, but it feels like it makes sense to keep all role related types in the same area.
+ keep export in main ./types file for convenience
* Product feedback: Remove canViewEngines
- there shouldn't be a scenario where a user isn't able to access any engines but can access the rest of the product
* Misc PR feedback
* Typescript feedback: use partials to account for default state
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* Adding KibanaRequest#uuid
* Adding tests
* Fixing test which was mocking uuid.v4() to get expected IDs
* Fixing another mock
* Updating docs
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* [Timelion] Hide Timelion from search results when the setting is disabled
* Add link status to app register
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* feat: 🎸 add grouping to presentable interface
* feat: 🎸 add group to "Explore underlying" data action
* refactor: 💡 return panel list and simplify context creation
* refactor: 💡 simplify context menu builder code
* refactor: 💡 further simplify context menu builder code
* feat: 🎸 add grouping to context menu builder
* feat: 🎸 add icon to drilldowns group
* fix: 🐛 sort in the other order
* feat: 🎸 group drilldown actions in edit mode
* fix: 🐛 fix TypeScript error
* feat: 🎸 wrap long context menu list into a submenu
* feat: 🎸 improve context menu long list wrapping
* feat: 🎸 display drilldowns panel at the bottom of main panel
* feat: 🎸 add separator line for context menu
* test: 💍 add basic context menu builder unit tests
* feat: 🎸 remove meta decoratiosn from generated menu
* test: 💍 add test subject attribute to "More" menu item
* chore: 🤖 remove separator line and add comment about EUI
* test: 💍 update Jest snapshots
* chore: 🤖 revert back change of showing both drilldown options
* test: 💍 add context menu samples to example plugin
* feat: 🎸 collapse long groups into a sub-panel
* test: 💍 add context menu panel edit mode examples
* test: 💍 fix OSS functional test
* test: 💍 fix X-Pack functional tests
* fix: 🐛 re-introduce item sorting by title
* test: 💍 allow explicitly opening more menu
* test: 💍 try opening more panel in functional tests
* test: 💍 disable some tests
* chore: 🤖 remove unused code
* test: 💍 use action test helper in unit tests
* refactor: 💡 add helper utility to generate actions in examples
* test: 💍 disable one more functional test
* test: 💍 improve how inspector is opened in functional tests
* test: 💍 enable functional test
* refactor: 💡 convert test suite to typescript
* test: 💍 move panel replace tests into a separate test suite
* test: 💍 move panel cloning tests to a separate test suite
* test: 💍 set up dashboard context menu test suite
* test: 💍 enable few panel context menu tests
* test: 💍 enable saved search panel tests
* test: 💍 enable expanded panel context menu tests
* test: 💍 remove render complete awaits
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* [ILM] Add index templates to "add policy" modal in policies table
* [ILM] Change select to a combobox in 'add policy' modal in policies table
* [ILM] Add not found message to "add policy to template" modal
* [ILM] Fix api integration test
* [ILM] Fix type check error
* [ILM] Add PR review suggestions
* [ILM] Fix type check error
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
## Summary
This is the backend, first iteration of threat matching API and rule type. You see elements using the backend API on the front end but cannot use the UI to add or edit a threshold rule with this PR.
Screen shots of it running in the UI elements that do work:
<img width="1862" alt="Screen Shot 2020-09-16 at 10 34 26 AM" src="https://user-images.githubusercontent.com/1151048/93366465-6e2b9c00-f808-11ea-923b-78e8d0fdfbaa.png">
<img width="1863" alt="Screen Shot 2020-09-16 at 10 34 48 AM" src="https://user-images.githubusercontent.com/1151048/93366476-71268c80-f808-11ea-8247-d2091ff1599a.png">
**Usage**
Since this is only backend API work and does not have the front end add/edit at the moment, you can use the existing UI's (for the most part) to validate the work here through CURL scripts below:
Go to the folder:
```ts
/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/scripts
```
And post a small ECS threat mapping to the index called `mock-threat-list`:
```ts
./create_threat_mapping.sh
```
Then to post a small number of threats that represent simple port numbers you can run:
```ts
./create_threat_data.sh
```
However, feel free to also manually create them directly in your dev tools like so:
```ts
# Posts a threat list item called some-name with an IP but change these out for valid data in your system
PUT mock-threat-list-1/_doc/9999
{
"@timestamp": "2020-09-09T20:30:45.725Z",
"host": {
"name": "some-name",
"ip": "127.0.0.1"
}
}
```
```ts
# Posts a destination port number to watch
PUT mock-threat-list-1/_doc/10000
{
"@timestamp": "2020-09-08T20:30:45.725Z",
"destination": {
"port": "443"
}
}
```
```ts
# Posts a source port number to watch
PUT mock-threat-list-1/_doc/10001
{
"@timestamp": "2020-09-08T20:30:45.725Z",
"source": {
"port": "443"
}
}
```
Then you can post a threat match rule:
```ts
./post_rule.sh ./rules/queries/query_with_threat_mapping.json
```
<details>
<summary>Click here to see Response</summary>
```ts
{
"actions": [],
"author": [],
"created_at": "2020-09-16T04:25:58.041Z",
"created_by": "yo",
"description": "Query with a threat mapping",
"enabled": true,
"exceptions_list": [],
"false_positives": [],
"from": "now-6m",
"id": "f4226ab0-6f88-49c3-8f09-84cf5946ee7a",
"immutable": false,
"interval": "5m",
"language": "kuery",
"max_signals": 100,
"name": "Query with a threat mapping",
"output_index": ".siem-signals-hassanabad3-default",
"query": "*:*",
"references": [],
"risk_score": 1,
"risk_score_mapping": [],
"rule_id": "threat-mapping",
"severity": "high",
"severity_mapping": [],
"tags": [
"tag_1",
"tag_2"
],
"threat": [],
"threat_index": "mock-threat-list-1",
"threat_mapping": [
{
"entries": [
{
"field": "host.name",
"type": "mapping",
"value": "host.name"
},
{
"field": "host.ip",
"type": "mapping",
"value": "host.ip"
}
]
},
{
"entries": [
{
"field": "destination.ip",
"type": "mapping",
"value": "destination.ip"
},
{
"field": "destination.port",
"type": "mapping",
"value": "destination.port"
}
]
},
{
"entries": [
{
"field": "source.port",
"type": "mapping",
"value": "source.port"
}
]
},
{
"entries": [
{
"field": "source.ip",
"type": "mapping",
"value": "source.ip"
}
]
}
],
"threat_query": "*:*",
"throttle": "no_actions",
"to": "now",
"type": "threat_match",
"updated_at": "2020-09-16T04:25:58.051Z",
"updated_by": "yo",
"version": 1
}
```
</details>
**Structure**
You can see the rule structure in the file:
```ts
x-pack/plugins/security_solution/server/lib/detection_engine/scripts/rules/queries/query_with_threat_mapping.json
```
<details>
<summary>Click here to see JSON</summary>
```ts
{
"name": "Query with a threat mapping",
"description": "Query with a threat mapping",
"rule_id": "threat-mapping",
"risk_score": 1,
"severity": "high",
"type": "threat_match",
"query": "*:*",
"tags": ["tag_1", "tag_2"],
"threat_index": "mock-threat-list",
"threat_query": "*:*",
"threat_mapping": [
{
"entries": [
{
"field": "host.name",
"type": "mapping",
"value": "host.name"
},
{
"field": "host.ip",
"type": "mapping",
"value": "host.ip"
}
]
},
{
"entries": [
{
"field": "destination.ip",
"type": "mapping",
"value": "destination.ip"
},
{
"field": "destination.port",
"type": "mapping",
"value": "destination.port"
}
]
},
{
"entries": [
{
"field": "source.port",
"type": "mapping",
"value": "source.port"
}
]
},
{
"entries": [
{
"field": "source.ip",
"type": "mapping",
"value": "source.ip"
}
]
}
]
}
```
</details>
Structural elements that are new:
New type enum called "threat_match"
```ts
"type": "threat_match",
```
New `threat_index` string which can be set to a single threat index (This might change to an array in the near future before release):
```ts
"threat_index": "mock-threat-list"
```
New `threat_query` string which can be set any valid query to filter the threat list before executing the rule. This can be undefined, if you are only pushing in filters from the API.
```ts
"threat_query": "*:*",
```
New `threat_filters` array which can be set to any valid filter like `filters`. This can be `undefined` if you are only using the query from the API.
```ts
threat_filter": []
```
New `threat_mapping` array which can be set to a valid mapping between the threat list and the ECS list. This structure has an inner array called `entries` which represent a 2 level tree of 1st level OR elements followed by 2nd level AND elements.
For example, if you want to find all threat matches where ECS documents will match against some ${threatList} index where it would be like so:
<details>
<summary>Click here to see array from the boolean</summary>
```ts
"threat_mapping": [
{
"entries": [
{
"field": "host.name",
"type": "mapping",
"value": "host.name"
},
{
"field": "host.ip",
"type": "mapping",
"value": "host.ip"
}
]
},
{
"entries": [
{
"field": "destination.ip",
"type": "mapping",
"value": "destination.ip"
},
{
"field": "destination.port",
"type": "mapping",
"value": "destination.port"
}
]
},
{
"entries": [
{
"field": "source.port",
"type": "mapping",
"value": "source.port"
}
]
},
{
"entries": [
{
"field": "source.ip",
"type": "mapping",
"value": "source.ip"
}
]
}
]
```
</details>
What that array represents in pseudo boolean logic is:
<details>
<summary>Click here to see pseduo logic</summary>
```ts
(host.name: ${threatList.host.name} AND host.ip: ${threatList.host.name}) OR
(destination.ip: ${threatList.destination.ip} AND destination.port: ${threatList.destination.port}) OR
(source.port ${threatList.source.port}) OR
(source.ip ${threatList.source.ip})
```
</details>
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
## Summary
Fixes: https://github.com/elastic/kibana/issues/77255, https://github.com/elastic/kibana/issues/63712
This bubbles up errors when we cannot correctly create signal documents. Before this PR, we sometimes would mark documents as being in the error state for the end user but ask them to look in their Kibana logs for the specific error. In some cases we did not bubble up any error states and the signal would look like it had 0 signals when that wasn't true. It had valid signals but could not write the signals to its index because the source index had incompatibilities with ECS and cannot write the document to the signals index.
This fixes those issues to correctly bubble up the errors. If you're interested in manual testing there are two ways. The first way is to take advantage of an existing "threshold bug" by making a "threshold rule" which has a CIDR in it like so below:
<img width="1046" alt="Screen Shot 2020-09-10 at 4 08 18 PM" src="https://user-images.githubusercontent.com/1151048/93532721-cba21480-f8fe-11ea-90e7-27c39fdb870b.png">
On output you should see that the threshold is in an error state for the rule and also additional details:
<img width="1852" alt="Screen Shot 2020-09-16 at 1 26 37 PM" src="https://user-images.githubusercontent.com/1151048/93532789-eaa0a680-f8fe-11ea-9327-81cf128a344e.png">
The second way to trigger this is to create a mock invalid ECS index with an invalid mapping in dev tools:
```ts
# This is invalid because it has an odd "original" inside of it
PUT mock-bad-ecs-index
{
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"message": {
"properties": {
"original": {
"type": "text",
"index": false,
"doc_values": false
}
}
}
}
}
}
# You might have to change your timestamp to be 5 minutes from now to catch it as a signal or use a really long look back time
PUT mock-bad-ecs-index/_doc/1
{
"@timestamp": "2020-09-17T21:50:54.240Z",
"message": {
"original": "invalid subobject"
}
}
```
Then create a rule against this index:
<img width="1045" alt="Screen Shot 2020-09-17 at 3 52 40 PM" src="https://user-images.githubusercontent.com/1151048/93532922-30f60580-f8ff-11ea-8131-172aab7b7c68.png">
And you should see an error banner and error state where before it would not show the error message:
<img width="1866" alt="Screen Shot 2020-09-17 at 3 53 20 PM" src="https://user-images.githubusercontent.com/1151048/93532972-4408d580-f8ff-11ea-8105-44b0f767cc70.png">
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
* [Reporting] Use spaceId from request in export generation
* remove todo that has been done
* whitespace
* use post params api in test
* add logging to core
* Update x-pack/plugins/reporting/server/export_types/printable_pdf/lib/get_custom_logo.ts
Co-authored-by: Joel Griffith <joel@joelgriffith.net>
* more logging
* fix interdependence and remove Promise.all
* getAbsoluteUrl have only 1 way to provide basePath
* --wip-- [skip ci]
* log apipath
* deleteAllReports at the end
* tests pass locally
* set config in the tests
* re-add skips of flaky tests
* test using csv:quoteValues
Co-authored-by: Joel Griffith <joel@joelgriffith.net>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
