Commit graph

2477 commits

Author SHA1 Message Date
Patrick Mueller d3a3cefc73
add readme note about alerting / manage_api_key cluster privilege (#54639)
partially resolves https://github.com/elastic/kibana/issues/54525
2020-01-14 23:47:55 -05:00
Andrew Goldstein 56ff721867
[SIEM] New Overview Page (#54783)
## [SIEM] Overview Page "1.5"

A redesigned SIEM Overview page that includes `Recent timelines`, a `Security news` feed, visualizations, and rolled-up event counts

![overview-day](https://user-images.githubusercontent.com/4459398/72396016-90f53600-36f8-11ea-9b41-6d54d09de589.png)

![overview-night](https://user-images.githubusercontent.com/4459398/72394575-fb57a780-36f3-11ea-868e-8fcd2c5c4543.png)

### Overview enhancements
- Added the global Search bar and Date picker to the Overview page
- New `Recent timelines` widget affords quick access to favorite and recently modified timelines
- New `Security news` widget
- New Kibana advanced settings (toggle switch) for enabling or disabling the news widget and configuring the news URL
![news-settings](https://user-images.githubusercontent.com/4459398/72362776-fd4c4700-36b0-11ea-805b-3c7353f2c1cd.png)
- New `Events count by dataset` widget
- Updated the `Host Events` and `Network Events` widgets to integrate with the Search bar and date picker input
- Enhanced the `Host Events` and `Network Events` widgets to use an accordion paradigm that summarizes stats by source (e.g. `Auditbeat`, `Endgame`)
- Enhanced the `Host Events` and `Network Events` widgets to visualize relative percentages of events collected as progress bars
- New `Alerts count by category` widget
- New `Signals count by MITRE ATT&CK™ category` widget
- New `View events`, `View alerts`, and `View signals` navigation buttons for their respective visualizations


### FTUE enhancements
- FTUE "no data" view design refresh
![ftue](https://user-images.githubusercontent.com/4459398/72361771-43a0a680-36af-11ea-969f-5872ac4a01a1.png)
- When the FTUE "no data" page is displayed, hide all global navigation links (i.e. `Hosts`, `Network`, `Detection engine`), such that only `Overview` appears in the global nav
- App Help popover design refresh
![help](https://user-images.githubusercontent.com/4459398/72362132-d80b0900-36af-11ea-9b58-1fd3b923b7c8.png)
- Removed the `Beta` badge and `Security Information & Event Management with the Elastic Stack` from the Overview header

- Tested in Chrome `79.0.3945.117`, Firefox `72.0.1`, and Safari `13.0.4`

## Known issues

- The `siem:newsFeedUrl` advanced setting is defaulted to `https://feeds.elastic.co/kibana`
- The `Signals count by MITRE ATT&CK™ category` visualization does not display all categories
- The `Signals count by MITRE ATT&CK™ category` visualization may require a different index pattern
- `EuiButtonGroup` throwing a `Can't perform a React state update on an unmounted component` warning when switching from the Overview tab

https://github.com/elastic/siem-team/issues/484
2020-01-14 21:03:57 -07:00
Shahzad 1ae2d00ab6 [Uptime] Feature/refactor context initialization (#54494)
* update refactor

* refactor context initialization

* rename values

* fix tests

Co-authored-by: Justin Kambic <justin.kambic@elastic.co>
2020-01-14 22:51:17 -05:00
Greg Thompson bd9d67ccc0
Upgrade EUI to v18.2.0 (#54786)
* 18.2.0

* ts update

* Updated `euiColorVis0`

* Update `euiColorVis1`

* Updating `euiColorVis2`

* Updated `euiColorVis3`

* Updated the rest

* Updated hard-coded viz palette hexes to latest

* src snapshot updates

* x-pack test updates

* mock jest fn

* Updated two vegalite visualization screenshots

Co-authored-by: Caroline Horn <549577+cchaos@users.noreply.github.com>
Co-authored-by: Chandler Prall <chandler.prall@gmail.com>
2020-01-14 20:19:35 -06:00
Xavier Mouligneau 26bc76520e
[SIEM] [Detection engine] from signals to timeline (#54769)
* remove batch action on signals

* fix callback dependency bug

* open timeline in signals table + add a way to pick between signal and raw events in timeline

* add status on all rules

* fix i18n

* review I

* fix test
2020-01-14 20:14:18 -05:00
Jean-Louis Leysens dfce824e8e [Index Management] Add Mappings Editor to Index Template Wizard (#47562) 2020-01-14 17:09:29 -08:00
Frank Hassanabad b36ec40458
[SIEM][Detection Engine] Removes deprecated filter from mapping
## Summary

Removes a one-liner deprecated filter from the mapping. We no longer use or need it since we only use filters now.

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
2020-01-14 18:06:26 -07:00
Thomas Neirynck 0ff668ba46
[Maps] Add categorical styling (#54408)
This allows users to style fields by category. Users can either use one of the default color palettes or specify a custom ramp.
2020-01-14 19:30:21 -05:00
Nick Peihl 2e7b35e232
Add mapbox-gl-rtl-text library (#54842)
This adds support for RTL languages (Arabic and Hebrew) in the basemaps.
Without this library the RTL languages appear backwards.
2020-01-14 16:30:00 -08:00
Garrett Spong b4e42d52c0
[SIEM][Detection Engine] Adds actions to Rule Details (#54828)
## Summary

This PR adds the following actions to the `Rule Details` page via the `RuleActionsOverflow` component (which is permission-aware):
* Duplicate
* Export
* Delete 

Additional fixes include:
* Fixes duplication action (recent regression as part of status update additions)
* i18n of `Duplicate` postfix when duplicating rules
* Adds success toast when duplication is a success
* Enabled `Edit Index Patterns` batch action
* Removes unused `Run Rule Manually` action

Rule Details Actions:
![image](https://user-images.githubusercontent.com/2946766/72385375-9c3a6880-36dc-11ea-8249-4ae92eb72dd1.png)

Edit Index Patterns Batch Action:
![image](https://user-images.githubusercontent.com/2946766/72385468-c5f38f80-36dc-11ea-93c8-b70e4982f01a.png)



### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

- [X] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)
- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
- [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~
- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
- [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~

### For maintainers

- [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
- [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
2020-01-14 17:05:49 -07:00
Andrew Cholakian 6cac02e6c1
Lexicographically sort location tags (#54832)
Sort location tags lexicographically, fixes skipped test by providing a stable, non-time-based sort order
2020-01-14 17:29:49 -06:00
Nathan Reese 75d6842a71
[Maps] expand extent filter to tile boundaries (#54276)
* [Maps] expand extent filter to tile boundaries

* fix functional test

* simplify expandToTileBoundaries

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 18:28:47 -05:00
Nick Peihl 6c9e4ec762
[Maps] Use v7.6 Elastic Maps Service API (#54399)
* Use v7.6 Elastic Maps Service API
2020-01-14 15:10:26 -08:00
Xavier Mouligneau daeddfdd78
add status to detail page with failure history (#54812) 2020-01-14 17:22:18 -05:00
Brian Seeders c3430fefd9
Skip failing uptime test suite 2020-01-14 17:05:50 -05:00
Nathan L Smith 52709b8deb
[APM] Service map popover (#53524)
Add a popover when clicking on service map nodes and an endpoint to fetch metrics to show in the popover.

Closes #52869.
2020-01-14 15:35:52 -06:00
Wylie Conlon 4869e02b62
[Lens] Show fields when using indexpattern without time field (#54804) 2020-01-14 16:31:44 -05:00
Poff Poffenberger 60f647572e
[Canvas] Adds functional test for Canvas custom elements (#52920)
* Adds functional test for Canvas custom elements

feedback cleanup

* Opening up Canvas app first

* Add skip firefox tag to custom element test
2020-01-14 21:29:40 +00:00
Frank Hassanabad f2615c29ad
[SIEM][Detection Engine] Removes deprecated keys from configuration
## Summary

Removes deprecated keys from configuration since the backend gives out where the index is located and it is based on spaces.

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
2020-01-14 13:58:42 -07:00
Dario Gieselaar b91b123206
[APM] Make sure errors per minute are reported correctly (#54751)
Closes #54350.
2020-01-14 21:34:01 +01:00
Shahzad f547b76312
[Uptime] Details page map handle geo information missing (#54483)
* update API

* update query

* hide layer control and added loc tags

* update test

* remove unused comment

* update API

* remove capitalization

* style fix

* update types

* added location status number on details page

* useref instead of createRef

* update interface

* update import

* removed redundant file

* fix header for empty data

* refactor for most recent check

* remove redundant code

* remove unused translation

* update status bar

* update styling

* update snaps

* added API tests

* fix types

* fixing integration tests and a typo

* remove unused translations

* update tests

* fixed PR feedback

* update feedback

* update messaging

* update snap

* added timestamp in front of tags

* update missing

* update locs

* update geo info missing

* use formatted message

* update snaps

* updated types

* update test

* fix test

* update tests

* update more skipped tests

* update test

* update warning message

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 21:27:40 +01:00
Poff Poffenberger 2ac0c91c7a
[Canvas] Fix asset image preview (#54659)
* fix image preview

* Center image in asset box

* Updating snapshot

Co-authored-by: Ryan Keairns <rkeairns@chef.io>
2020-01-14 20:22:45 +00:00
Tim Sullivan c622a2ffa2
[Reporting/Mocha] Fix and unskip a test (#54598) 2020-01-14 12:42:33 -07:00
Felix Stürmer 8d00dc64d7
[Logs UI] Disable ML job setup form while setup is pending (#54705)
This disables the configuration form in the log rate and categories setup screens while the setup process is ongoing.
2020-01-14 20:16:46 +01:00
Angela Chuang f6890d4416
[SIEM] Histogram enhancement (#54544)
* generic histogram container

* generic histogram container

* rename params

* fix inspect

* fix update with timerange

* clean up props

* send stackByField to server side

* fix inspect button

* helper node xavier

* fix DNS histogram

* fix DNS query params

* move utils for fetch data into containers

* cleanup graphql template on client side

* rename graphql data

* i18n

* fix type

* fix i18n

* fix i18n

* fix subtitle

* fix subtitle

* fix i18n

* fix for reviews

* fix types

* remove unused test

* fix integration

Co-authored-by: Xavier Mouligneau <189600+XavierM@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-15 03:15:51 +08:00
Dima Arnautov 1b076171f3
[ML] Data Visualizer redesign (#54358)
* [ML] change basic page structure

* [ML] adjust search panel

* [ML] adjust fields_panel.tsx

* [ML] card icon styles

* [ML] styles

* [ML] adjust actions_panel.tsx

* Update styling of panels, spacing

* [ML] change basic page structure

* [ML] adjust search panel

* [ML] adjust fields_panel.tsx

* [ML] card icon styles

* [ML] styles

* [ML] adjust actions_panel.tsx

* [ML] fix i18n

* [ML] fix styles

* [ML] adjust top values styles

* [ML] remove conflicts artifacts

* Use EuiBorderColor

* [ML] fix i18n

* [ML] fix i18n

* [ML] fix counters

* [ML] fixed width for sample size select

* [ML] fix layout for file viz

* [ML] fix empty cards rendering

* Update text styling and spacing

* [ML] fix field stats card

* [ML] fix counter for showAllFields

* [ML] reset title for the badge

* [ML] boolean_content.tsx with the bar chart

* [ML] fix counters

Co-authored-by: DeFazio <michael.defazio@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 19:52:58 +01:00
Chandler Prall 6bed80bbd8
Upgraded EUI to 18.0.0 (#54042)
* Upgraded EUI to 18.0.0

* Fix breaks from `palette._.colors` changes

* snapshots

* Updated hard coded hex color codes in tests, fixed TS errors

* Updated a functional test's selector; added (BSD-3-Clause AND Apache-2.0) to license checker whitelist

* Functional test selector update

* Updated vega browser-ci tests for palette changes

* rebased on master

* One more location for EUI package number update and yarn lock

* Fixed lurking [but introduced] TypeScript logic bug

* Swap a prop definition for the same value but tied closer to its source

Co-authored-by: Caroline Horn <549577+cchaos@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 11:23:43 -07:00
Dario Gieselaar 8d57df0fe6
[APM]: Fix render error when license has not been loaded (#54718) 2020-01-14 18:57:21 +01:00
James Gowdy b598c9dc7f
[ML] Categorization jobs improvements (#54579)
* chunking token examples

* disabling bucket span estimator

* passing sample size to client

* better handling of token errors

* changes based on review
2020-01-14 17:53:52 +00:00
patrykkopycinski 14be0ee8f4
Bump to stable styled-components@5 (#54698) 2020-01-14 18:53:20 +01:00
Jean-Louis Leysens e4c73ffbbb
[Console][Chore] Update spec (#54564)
* Update spec conversion to exclude deprecated completions

* Update OSS spec

* Remove console.log

* Add skip deprecated endpoints option to script

* Actually, remove skip deprecated flag for now. Just do not include deprecated. See this issue: https://github.com/elastic/kibana/issues/48375

* x-pack: Delete data from transform completions

* Update to existing x-pack autocomplete extensions

* Added ml explain with overrides

* Added put trained model with doc override

* Added SLM get_status, start and stop with URL param overrides where needed

* Add data completion for clear scroll

* Remove include_type_name flag from indices and delete create.json override

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 18:47:13 +01:00
Joe Reuter 97d460e051
Fix safari layout issue in Visualize, Graph and Lens (#54694) 2020-01-14 18:40:12 +01:00
Chris Davies 79054afb5a [Lens] Add support for scripted fields and aliases to the existence API (#54064)
* Add support for scripted fields and
default index pattern

* Add scripted fields and aliases to existence API

* Fix TypeScript errors.

* Fix mappings parsing

* Default to the index pattern timeFieldName

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 12:39:50 -05:00
Chris Davies 8c0440f29d [Lens] Add clear layer feature (#53627)
* [Lens] Add clear layer feature

* Move clear / remove layer out of the context menu

* Address code review comments

* Remove xpack.lens.xyChart.deleteLayer translation

* Get rid of unused Lens translations

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 12:06:51 -05:00
Tim Schnell b298dd4c20
fixing color and toggle accessibility (#54661)
* fixing color and toggle accessibility

* updating snapshots

* fixing more snapshots

* fixing toggle console warning
2020-01-14 10:53:27 -06:00
Garrett Spong 569b1f6606
[SIEM] Use import/export API instead of client implementation (#54680)
## Summary

This PR switches the Rule Import / Export functionality away from the client-side implementation (that was leveraging the create/read Rule API) to the new explicit `/rules/_import` & `/rules/_export` API introduced in https://github.com/elastic/kibana/pull/54332.

Note: This PR also disables the ability to export `immutable` rules.

![image](https://user-images.githubusercontent.com/2946766/72311962-c0963680-3643-11ea-812f-237bc51be7dc.png)


Sample error message:

<img width="800" alt="Screen Shot 2020-01-13 at 20 22 45" src="https://user-images.githubusercontent.com/2946766/72311909-8cbb1100-3643-11ea-94ab-023a5ff56e20.png">


### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

- [X] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)
- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
- [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~
- [X] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
- [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~

### For maintainers

- [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
- [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
2020-01-14 09:25:07 -07:00
Nathan Reese 643912e4f5
[Maps] add labels to sample data maps (#54671)
* [Maps] add count labels to sample data maps

* [Maps] add labels to sample data maps

* review feedback

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 11:12:53 -05:00
James Gowdy c2abc12c7e
[ML] Adding categorization job wizard icon (#54721) 2020-01-14 15:56:08 +00:00
patrykkopycinski e20fbd8e8f
[SIEM] Detection Engine UI improvements (#54712) 2020-01-14 16:36:15 +01:00
Robert Oskamp 6a45241b79
[ML] Functional tests - basic tests for single metric viewer and anomaly explorer (#54699)
This PR adds basic functional UI tests for the single metric viewer and the anomaly explorer.
2020-01-14 16:29:43 +01:00
Felix Stürmer c1cf970fe1
[Logs UI] Move beta badges from tabs to headings (#54572)
This moves the beta badges for the ML integration tabs from the tabbed navigation bar into the primary headings of the respective setup and result pages.
2020-01-14 16:28:27 +01:00
Phillip Burch 2927373f8b
Add aria labels to fields (#54510)
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-14 08:46:49 -06:00
Shahzad 038c2b1ce3
[Uptime] Fix Jest test with absolute time (#54684)
* fix test

* update more skipped tests

* update test
2020-01-14 15:18:07 +01:00
Melissa Alvarez 69730cef73
[ML] DataFrame Analytics use field caps api to set column type (#54543)
* wip: initialize newJobCaps service in parent element

* wip: use jobCaps service to create columns

* add render and types to table columns

* add keyword suffix when constructing query. ensure pagination works

* Ensure search query and sorting works

* wip: update regression table to use jobCaps api

* move shared resources to central location

* ensure 0 and false values show up in table

* add error handling to jobCaps initialization

* ensure outlier detection table can toggle columns

* check for undefined before using moment to create date

* add tests for fix for getNestedProperty
2020-01-14 08:58:36 -05:00
Katrin Freihofner 45f8ca90a3
changes alignment of location column in monitor details view (#54709) 2020-01-14 14:52:52 +01:00
Gidi Meir Morris 5216b382f4
fix broken configuration in Task manager (#54695)
Fixes an issue that prevents custom configuration in Task Manager
2020-01-14 13:49:43 +00:00
Devin W. Hurley c976094f54
[SIEM][Detection Engine] Rule Status Monitoring (#54452)
* Working status updates in executor. Need to update read rules api endpoint to only respond with 'status' and not status info. Will create another endpoint to get status details for a rule which will include last five errors (if there are any). Still need tests

* adds new route for getting statuses for a list of given alert ids, adds try-catch and more logic in executor for logging errors, adds scripts and rules for testing, updates find_rules endpoint to display statuses too. Would like to look into using the alerts executor state to better manage logic for statuses, and need to update some types. Also needs unit tests still.

* updated types for routes, updated how merging of alert-to-rule and rule status happens when formatting REST response.

* typecast test server as ServerFacade type

* fix bug where we were not awaiting the accumulated result in the reducer

* update rule status saved object interfaces to play nicely with interfaces provided by saved objects module. Update tests to pass - Need to write new unit tests in an upcoming commit. Next commit will be cleanup from comments then new unit tests.

* fix missed conflicts after rebase

* replace id param with rule.id when searching in statuses, adds sort fields to the saved objects find queries.

* fixes bug where 'executing' statuses were being written into failing historical status list

* camelCase to snake_case in new statuses route, also fix merge conflict

* add deletion of rule statuses to delete_rules_bulk_route. Statuses are created inside of executor so we will not be needing to create statuses directly inside of the create rules bulk route, so I removed that extraneous code.

* pr feedback I forgot to fix earlier

* remove unused import. fixes type check error generated in previous commit

* removes status information from rule when saved to signals index and updates tests to represent this change. Also removes extraneous quotes inserted around alertId field when creating a new historical status.

* adds new bash script to delete all rule statuses, updates error messages in rule statuses to just store actual message, moved querying of rules statuses under a null check, initialize everything to null when first creating rule status, update number of results returned when querying saved objects based on usage, updates saved objects mapping types to use date for dates and keyword for alertId.

* use lodash snake case and update total number of saved objects to return for find rules, delete rules, and read rules.

* updates how statuses are transformed inside of read_rules_route, only update updated_at in rule on update of rule, removes unlabeled todo comment, updates scripts descriptions, removes interval from query_with_rule_id.json sample query, removes debug statement, removes verbose from curl script.

* display rule status on update
2020-01-14 07:59:57 -05:00
Felix Stürmer cd9ead87c5
[Logs UI] Reduce panel paddings in ML integration result tabs (#54574)
This reduces the panel paddings on the log rate and categorization result tabs from `l` to `m` as per elastic/logs#7 and brings a title padding in line with the rest.
2020-01-14 12:00:36 +01:00
Dario Gieselaar 3f46e2bec6
[APM] Support error.{log,exception}.stacktrace.classname (#54577)
In elastic/apm-server/pull/3096, an alternative to stacktrace.filename was introduced: stacktrace.classname. This change makes sure classname is properly represented in the UI and in our types.
2020-01-14 09:37:22 +01:00
Dima Arnautov 9a871d2a7a
[ML] MML calculator enhancements for multi-metric job wizard (#54573)
* [ML] fix fieldNames provided to calculateModelMemoryLimit

* [ML] calculateModelMemoryLimit when the influencers are changed
2020-01-14 08:58:43 +01:00
patrykkopycinski 7c4a531ae7
[SIEM] Fix Inspect query 'request timestamp' value changes when curso… (#54223) 2020-01-14 08:50:49 +01:00
Andrew Cholakian 72dd68e3b4 [Uptime] Temporarily skip flakey tests (#54675)
* [Uptime] Temporarily skip flakey tests

* Fix further flakey tests due to hardcoding times + using snapshots
2020-01-13 22:05:07 -05:00
Brian Seeders e5c17fb0cd
Skip failing uptime tests 2020-01-13 21:53:35 -05:00
Yuliia Naumenko 8259445350
Create UI for alerting and actions plugin (#48959)
* Refactored reducers type definitions

* Fixed dependency objects

* Fixed action add

* Fixed logging app icon

* Added action types params fields

* Added fields for check and re-notify alert

* Add tags to alert list

* Adjusted threshold expression with validation, added visualization

* Move delete button to the left and hide when no selection

* Rename action list title column to name

* fixed request

* Removed watcher labels

* Design cleanup

* Added expression default values

* Added visualization for index threshold alert

* Rename Actions tab to Connectors

* Rename "create action" to "create connector"

* Remove actions column name

* Add count per action type

* Hide checkboxes when user can't delete

* Add title to home, rename Alerting UI breadcrumb (remove UI part)

* Added correct binding for interval and throttle

* Added tags support for create Alert UI

* Added server error display in UI on save alert

* Added connectors for action forms

* Update button styles

* Switch inputs to compressed forms

* Fixed some fields for add alert form

* Fixed updating action by index

* Fixed filter for index/fields api requests

* Remove the test alert type that was in the init function

* Fixed action type icon on add connector form and did small refactoring on action forms; added action validation

* Rename alerting UI plugin to triggers and actions UI (or something else) #50305

* Implemented action connector edit UI

* Add bulk actions to alerts list

* Update home title spacing

* Fixed editing secrets action property

* Changing behaviour of bulk actions and disable buttons during request

* Refactored plugin definition with appdependency interface

* Moved add dependencies to the separate file

* Enable visualization if only hasExpressionErrors passed

* Fixed add action twice on click card

* Fix actions column in alert list

* Fixed action canSave capability

* Renamed Actions to ActionConnectors in appropriate UI files

* Renamed alertTypeParams to params in UI code

* Add filter for tags

* Cleanup previous commit

* Fix alert type filter

* Refactored edit form to use ActionTableItem

* Renamed ActionTableItem to ActionConnectorTableItem

* Fixed missing button key error for alerts list filter

* Renamed translation labels for connectors

* Enable UI plugin by default

* Rename buildin to builtin

* Fix some type checks

* Add API tests

* Split API file into smaller files

* Rename plugin id

* Remove dependency on actions plugin (should be optional dep in NP)

* Fix some translation ids

* Revert "Rename plugin id"

This reverts commit f6daeb3d5e.

* Rename method for loading connectors

* Added functional tests base

* Fix functional test type filter

* Add test alert type for now

* Initial connectors functional tests

* Rename description to name

* Use unique connector names to allow re-running tests

* Assert on more things

* Update alert/action menu items. Flyout width. Add index.scss file

* Added action connector list unit tests

* Add bulk delete functional test

* Move tests to SSL functional environment

* Fix tests

* Added unit tests for actionTypeRegistry and alertTypeRegistry

* Fixed update connector with only properties

* Added some functional tests for alerts with TODOs

* connectors list page cleanup

* empty state cleanup

* Added connector edit flyout unit test

* Fix functional tests

* text cleanup

* zindex fix for index threshold trigger

* Expand the functional tests, add assertions

* Fixed edit connector from the Name column, and removed pencil button

* Remove tags filter, use search bar instead

* Finalize functional tests

* Support filtering alerts by action type

* Rename plugin name for translations

* Rename default breadcrumb title to alerts and actions

* Added unit tests for connectors empty prompt, fixed api tests

* Added unit test for select action type menu for create connector; Fixed update selected connector for edit form

* Added unit test for edit connector flyout

* Added alerts list unit tests

* Added connector form unit tests

* Added connector reducer unit tests

* Fixed some failing unit tests

* Fixed alerts list unit tests

* Set alert tab default if it is available

* Added doc_title and get_time_units unit tests

* Added some test fixes

* Fixed index threshold expression to display only index and fields

* Added email building action unit tests

* Added unit tests for builtin action types

* Remove test alert type

* Move create alert UI behind feature flag 'createAlertUiEnabled'

* Fix functional tests

* Update codeowners

* Update codeowners for tests

* Revert watcher changes

* Fix type check failure

* Fix unit test failures

* Fixed typecheck failures

* Fixed language check errors

* Did some text/type fixes

* Fixed typecheck

* Fixed unit tests warning

* Fix failing functional tests

* Fix registry tests to have cleaner diff when it fails

* Make DEFAULT_SECTION a Section type

* Remove unused constructor

* Make app dependency error string same line

* Remove unused error pages

* Set interface to alerts context

* Fix action_connector_form.tsx label

* Fix label in connector_add_flyout.tsx

* Fix label in alert_add.tsx

* Move alert_types to builtin_alert_types

* Move some threshold constants into threshold folder

* Move api.ts within threshold folder

* Removed duplication logic from action type and alert type registry list

* Fixed email action type test and adjusted validation to support arrays only

* Added missing connector fields for email action type

* Fixed building action types issues due to comments

* Refactored with more new platform structure; fixed some comments from review

* Capitalize Actions in 'Alerts and Actions' labels

* Skip flaky tests

* Fix failing functional test

* Fixed failing unit tests, added new deps

* Fixed type checks

* Fixed language check failing

* Fix broken functional tests

* Refactored actionConnectors and alerting context

* Removed doc title service

* added get time options type definitions

* removed obsolete code

* Made generic registry type for actionTypes and alert types

* Fixed some enum types

* fixed type check CI

* Convert EuiSearchBar to normal text field

* Fix typo

* Fix conditional rendering

* Fix bug where selection doesn't reset

* Fix broken functional test, wait for ENTER key to search alerts

* Make app section hide from menu when user doesn't have access

* Fixed connector name validation (error due to renaming from description)

* Removed obsolete useEffect

* Removed unused ShareRouter

* Fixed key validation error

* Moved wrongly wrapped objects

* Removed useEffect from connectors form

* Replaced error forms with eui controls props

* Added delete confirmation dialog for connectors list

* Fixed build errors

* Fixed failing test

* Skip flaky tests

* Added null check for app context - render components tree only if it isn't null

* Fixed type check error

* Did changes on the UX and text/labels comments

* Fixed failing tests

* Fixed error handling

* Refactored Webhook form http headers due to the mockup

* Fixed build

* Fix labels issue

* Fix spacing and form row alignment

* Fixed failing type check

* put ownfocus on popover in actions list

* fix spacing and flex

* fix color on connectors list

* clean up webhook headers form

* fix logic check for headers

* Made changes due to review comments

* Fixed delete connector test

* Fixed all flaky test for delete connectors 53956

* Fixed type check due to NP changes

* Disable plugin by default

* Added configuration props for functional tests to enable triggers and actions ui

* removed timeout from test

* added enable triggers and actions to functional/config.js

* fix the build

* Changed ci group and disabled plugin

* changed config setting to root

* Changed disable approach

* Experiment with index management

* Set back configuration settings for triggers and actions

* Enable plugins

* Set index management to disabled to see the failing issue

* Revert experimental back for index_managment

* Fixed type check

Co-authored-by: Mike Côté <mikecote@users.noreply.github.com>
Co-authored-by: dave.snider@gmail.com <dave.snider@gmail.com>
Co-authored-by: DeFazio <michael.defazio@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Peter Schretlen <peter.schretlen@gmail.com>
2020-01-13 16:16:20 -08:00
Garrett Spong 6f54c06695
[SIEM] Use bulk actions API when updating or deleting rules (#54521)
## Summary

This PR updates the `All Rules Table` actions to use the new bulk API introduced in https://github.com/elastic/kibana/pull/53543. More robust error reporting has also been added to let the user know exactly which operation has failed. Note that individual `update`/`delete` requests now also go through the bulk API as this simplifies the implementation and error handling.

Additional features:
* Adds toast error when failing to activate, deactivate or delete a rule (related https://github.com/elastic/kibana/issues/54515)
* Extracted commonly used toast utility for better re-use
* Removes ability to delete `immutable` rules


##### Activate/Deactivate Before:
![bulk_activate_before](https://user-images.githubusercontent.com/2946766/72196245-0ea50300-33d4-11ea-8d49-5ebdb63db1a1.gif)
(Ignore failed requests from test env -- request count is important here)


##### Activate/Deactivate After:
![bulk_activate_after](https://user-images.githubusercontent.com/2946766/72196361-c0443400-33d4-11ea-9a42-11f66c64e925.gif)



##### Delete Before:
![bulk_delete_before](https://user-images.githubusercontent.com/2946766/72196249-149ae400-33d4-11ea-80fc-b2f7fb83245f.gif)
(Ignore failed requests from test env -- request count is important here)

##### Delete After:
![bulk_delete_after](https://user-images.githubusercontent.com/2946766/72196366-c803d880-33d4-11ea-90d8-f1917b18035f.gif)

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

- [x] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)
- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
- [ ] ~[Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~
- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
- [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~

### For maintainers

- [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
- [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
2020-01-13 15:25:24 -07:00
Nathan Reese e9e44ec851
[Maps] add text halo color and width style properties (#53827)
* [Maps] add text halo color and width style properties

* fix jest test

* update for new editor UI

* add removed styling

* get halo size from label size

* fix label border size with dynamic label size

* clean up

* fix jest test

* fix jest test

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 16:34:56 -05:00
Oliver Gupte b65710d33d
Service Map Data API at Runtime (#54027)
* [APM] Runtime service maps

* Make nodes interactive

* Don't use smaller range query on initial request

* Address feedback from Ron

* Get all services separately

* Get single service as well

* Query both transactions/spans for initial request

* Optimize 'top' query for service maps

* Use agent.name from scripted metric

* adds basic loading overlay

* filter out service map node self reference edges from being rendered

* Make service map initial load time range configurable with
`xpack.apm.serviceMapInitialTimeRange` default to last 1 hour in
milliseconds

* ensure destination.address is not missing in the composite agg when
fetching sample trace ids

* wip: added incremental data fetch & progress bar

* implement progressive loading design while blocking service map interaction during loading

* adds filter that destination.address exists before fetching sample trace ids

* reduce pairs of connections to 1 bi-directional connection with arrows on both ends of the edge

* Optimize query; add update button

* Allow user interaction after 5s, auto update in that time, otherwise
show toast for user to update the map with button

* Correctly reduce nodes/connections

* - remove non-interactive state while loading
- use cytoscape element definition types

* - readability improvements to the ServiceMap component
- only show the update map button toast after last request loads

* addresses feedback for changes to the Cytoscape component

* Add span.type/span.subtype to external nodes

* PR feedback

Co-authored-by: Dario Gieselaar <d.gieselaar@gmail.com>
2020-01-13 13:25:14 -08:00
patrykkopycinski e9319360e2
[SIEM] Detection Engine Create Rule Design Review #1 (#54442) 2020-01-13 21:59:45 +01:00
Corey Robertson 24b3ecbae0
[Canvas] Enable Embeddable maps (#53971)
* Enables Embeddable maps in Canvas. Updates expressions as maps are interacted with

* Fix type check errors

* Update imports. Remove filters from initial embed expressions

* Adds hide layer functionality to canvas map embeds

* Fix typecheck error

* Fix Type check

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 15:40:05 -05:00
Frank Hassanabad 054bbbbc46
[SIEM][Detection Engine] Increases the number of rules you can view on a single page (#54628)
* Increased the number of rules you can view on a single page

* messed up one line
2020-01-13 13:36:51 -07:00
Matthew Kime 2178ee38c0
uiSettings - use validation field for image field maxSize (#54522)
* uiSettings - use validation field for image field maxSize
2020-01-13 13:58:59 -06:00
robbruce 62e7edbe26 Fixes #45896 (#50229)
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 14:50:33 -05:00
Shahzad e90ca93687
[Uptime] Most recent checks info on details page (#54340)
* update API

* update query

* hide layer control and added loc tags

* update test

* remove unused comment

* update API

* remove capitalization

* style fix

* update types

* added location status number on details page

* useref instead of createRef

* update interface

* update import

* removed redundant file

* fix header for empty data

* refactor for most recent check

* remove redundant code

* remove unused translation

* update status bar

* update styling

* update snaps

* added API tests

* fix types

* fixing integration tests and a typo

* remove unused translations

* update tests

* fixed PR feedback

* update feedback

* update messaging

* update snap

* added timestamp in front of tags

* update snaps

* improve readability

* PR feedback and snaps

* PR feedback and snaps

* update txt

* snaps

* fix timestamp issue in tests

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 20:31:28 +01:00
Shahzad 6f3ff99968
[Uptime] Monitor SSL Certificate Color version for warning (#54040)
* update monitor list columns

* update columns

* update snaps

* enhance ui

* update SSL Cert to badge warning

* fix i18n errors

* removed unnecessary margin

* update snaps

* update ssl

* update snaps

* added test for warning state

* added test for warning state

* update test name

* update test name

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 20:30:11 +01:00
Brian Seeders 70cedb08f9
Update alerting task_runner test snapshots (#54627) 2020-01-13 14:29:08 -05:00
Felix Stürmer 5ef4aa10e7
[Logs UI] Add categories table to the categorization tab (#53004)
This renders the log entry categories after the ML jobs have been set up previously.

closes #42776
closes #42065
2020-01-13 20:15:15 +01:00
Gidi Meir Morris ea9a7b8a16
migrate TaskManager Plugin to the Kibana Platform (#53869)
Migrates the existing TaskManager plugin from Legacy to Kibana Platform.
We retain the Legacy API to prevent a breaking change, but under the hood, the legacy plugin is now using the Kibana Platform plugin.

Another reason we retain the Legacy plugin is to support several features that the Platform team has yet to migrate to Kibana Platform (mapping, SO schema and migrations).
2020-01-13 19:09:57 +00:00
Jimmy Kuang 79ee978fc4 [SR] Support capitalized date formats in snapshot names (#53751)
Snapshot names that contain date math may require capital letters, e.g. "<snapshot-{now/d{yyyy.MM.dd|+09:00}}>". This change fixes a bug which complained that capital letters are not allowed in snapshot names, by scoping this validation to only the name part of this pattern, ignoring the date math part.
2020-01-13 09:58:20 -08:00
Catherine Liu 70aa7b3c5c
Migrates ES Fields Route to NP (#54398)
* Migrated es fields route to NP and added tests

* Removed extraneous import

* Removed check for index query

* Fixed broken test
2020-01-13 10:50:00 -07:00
Maja Grubic 7543b0c7b2
[Lens][Dashboard] Adding Lens to Dashboard (#53110)
* First version of adding Lens to dashboard

* Fix failing unit test

* Replacing explicit Lens query param with a more generic one

* Fixing failing unit test

* Adding a unit test for redirect

* Do not show Save New if adding from Dashboard

* Adding functional test

* Adding functional test

* Fixing type issues

* Renaming query params

* Fixing failing unit test

* Removing unused constants

* Fixing erroneous imports

* Fixing erroneous import

* Fixing import

* Fix failing typecheck

* Removing timefilter from Dashboard URL

* Fixing type error

* Replacing time parsing with rison

* Replacing URL regex parsing with legacy URLs

* Fixing failing test

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 17:38:47 +00:00
Gidi Meir Morris e8b2b28aef
[alerting] gracefully handle error in initialization of Alert TaskRunner (#54335)
Prevents edge cases where Alerts can end up in a zombie state.

1. Decrypting attributes throws an error
2. Fetching an Api Key throws an error
3. Getting Services with user permissions throws an error
2020-01-13 17:16:25 +00:00
Poff Poffenberger 71dfdea7ae
[Canvas] Fix expression updating bug (#54297)
* Fix expression updating bug

* Add functional test for expression editor

* Add page object helper to open expression editor

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 17:16:12 +00:00
Gidi Meir Morris e54a7175da
pass previousStartedAt as Date into Alert executor (#54576)
Corrects how we pass previousStartedAt into Alert executor
2020-01-13 17:15:08 +00:00
Walter Rafelsberger 6826ece3b0
[ML] Fix appState/globalState (#52987)
Replaces appState/globalState with a custom hook useUrlState().
2020-01-13 18:14:36 +01:00
Corey Robertson 3ce2025c75
[CANVAS] Relax workpad schema to allow existing templates to work (#54019)
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 11:53:47 -05:00
Brandon Kobel ea4a1ac12c
Fixing the spaces header aria-controls a11y issue (#54512)
* Fixing the spaces header aria-controls a11y issue

* Updating snapshots

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 07:21:24 -08:00
Frank Hassanabad 641c67091f
[SIEM][Detection Engine] Time gap detection and logging
## Summary

This adds utilities and logging of time gap detection. Gaps happen whenever rules begin to fall behind their interval. This doesn't work perfectly for all inputs, and if it detects unexpected input that is not of an interval format (but could be valid date time math) it will just return null and ignore it.

This also fixes a bug with interval where we were using the object instead of the primitive since alerting team changed their structure.

For testing, fire up any rule and shutdown Kibana for more than 6 minutes and then when restarting you should see the warning message. 



### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
2020-01-13 08:09:55 -07:00
cachedout 05c48cf153
Display APM server memory in bytes (#54275)
* Display APM server memory in bytes

* Add tests for helpers
2020-01-13 13:42:33 +00:00
Nathan Reese 14df4c096c
[Maps] refactor isPointsOnly, isLinesOnly, and isPolygonsOnly to make synchronous (#54067)
* [Maps] refactor isPointsOnly, isLinesOnly, and isPolygonsOnly to make synchronous

* fix jest test

* review feedback

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-13 07:28:39 -05:00
Joe Reuter 204155b4e2
[Graph] Fix various a11y issues (#54097) 2020-01-13 10:26:57 +01:00
MadameSheema 794bb02249
logs in one time (#54447) 2020-01-12 12:25:19 +01:00
Larry Gregory e6e1373db2
Security - Role Mappings UI (#53620)
* Initial role mappings UI

* apply design edits

* address PR feedback

* fix type cast for number field

* Update x-pack/legacy/plugins/security/public/views/management/role_mappings/edit_role_mapping/components/mapping_info_panel/mapping_info_panel.tsx

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Cleanup FTR configuration, and handle role mapping 404 errors properly

* align naming of role mappings feature check

* Apply suggestions from code review

Co-Authored-By: Brandon Kobel <brandon.kobel@gmail.com>

* add missing test assertions

* inlining feature check logic

* switch to using snapshot

* use href instead of onClick

* adding delete unit test

* consolidate href building

* unify page load error handling

* simplify initial loading state

* documenting unconditional catch blocks

* use nodes.info instead of transport.request

* Apply suggestions from code review

Co-Authored-By: Brandon Kobel <brandon.kobel@gmail.com>

* move model out of LP into NP

* convert except_field_rule to except_any_rule

* docs, take 1

* update gif

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
Co-authored-by: Brandon Kobel <brandon.kobel@gmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-11 13:26:31 -05:00
Xavier Mouligneau b057f18d16
[SIEM] [Detection engine] Permission II (#54292)
* allow read only user with no CRUD

* use ../../lib/kibana

* fix timeline-template

* add re-routing on page

* bug

* cleanup

* review I

* review II

* a pretty shameful bug I will live thanks Frank

* bug select rule

* only activate deactivate if user has the manage permission

* add permissions rule with manage api key

* bug on batch action for rules

* add permissions to write status on signal
2020-01-11 08:19:01 -05:00
John Dorlus 10733b5415
Allow User to Cleanup Repository from UI (#53047)
* Added repository cleanup button. Added logic for spinner while loading, added new repository request, type and telemetry metric.

* Added additional bindings for server side to hit the cleanup endpoint.

* fix cleanup request

* Added data test subject to the code editors to differentiate them and fixed a broken import of RepositoryCleanup.

* Added files for a component integration test. The tests are failing right now so we need to get those green. Added a functional test. Need to set up kbn-es to be able to set up a file repository before being able to run the functional tests.

* Added change to the way data-test-subjects were created for the repository list table so that columns can be individually identified. Added functional test to allow checking the details of repositories.

* Removed the jest tests for repository details until we get jest fixed.

* Fixed jest test to reflect updated test subjects.

* Made changes per feedback in PR comments.

* Fixed i10n issues using <FormattedMessage>. Removed reference to blueBird and used Promise.all(). Fixed all nits in PR comments.

* Added i10n fixes for header.

* Added i10n fixes for header.

* Added name parameter for i18n strings.

* Removed i18n string from JSON.stringify call since it's already a string.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Alison Goryachev <alisonmllr20@gmail.com>
2020-01-11 02:51:35 -05:00
Xavier Mouligneau 51e51ca434
[Detection engine] Some UX for rule creation (#54471)
* wip

* update timeline select to design

* Rename label to design
Timeline Select match design with favorite
Now, you are able to add mutiple items for url and false positive
Add tm for Mitre Att&ck (tnaks Frank)
And match mitre selection to design

* cleanup with michael

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-10 17:37:38 -05:00
Spencer 357be5970d
share specific instances of some ui packages (#54079)
* share specific instances of some ui packages

* remove unnecessary eslint changes, every package will define deps anyway

* remove mentions of moment webpackShims in eslint resolver

* remove use of lodash

* list angular as dep for x-pack

* add operations as codeowner of shared-deps pkg
2020-01-10 15:22:18 -07:00
Dima Arnautov 51c1a8f805
[ML] APM modules configs for RUM Javascript and NodeJS (#53792)
* [ML] apm modules

* [ML] apm modules

* [ML] update mocha test

* [ML] fix config

* [ML] single line JSON formatting for queries

* [ML] remove an empty path component with a trailing slash

* [ML] change detector descriptions, remove scroll size

* [ML] remove chunking_config from datafeeds

* [ML] fix configs

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-10 23:19:26 +01:00
Dario Gieselaar c87ba85141
[APM] Delay rendering invalid license notification (#53924)
* [APM] Delay rendering invalid license notification

Don't render an invalid license notification if the license information has not been loaded. (Don't render any UI either).

* Show UI if license has not loaded
2020-01-10 22:07:55 +01:00
Jimmy Kuang 63d0bf84c8 [ILM] Kibana should allow a min_age setting of 0ms in ILM policy phases (#53719) 2020-01-10 15:22:13 -05:00
Tim Schnell c9e4304770
Unit Tests for common/lib (#53736)
* converting mocha tests to jest

* adding a few lib tests

* adding more lib tests

* moving test files and adding autocomplete tests

* updating test definition

* fixing import and test definitions
2020-01-10 14:02:11 -06:00
Joe Reuter 51e07f27f2
[Graph] Only show explorable fields (#54101) 2020-01-10 20:34:15 +01:00
Chris Roberson bf7c25332e
[Monitoring] Fetch shard data more efficiently (#54028)
* For the nodes listing page, do not fetch shard data for indices

* Optimize our shard queries for the index and node listing pages

* This change isn't necessary

* Rename file and function

* Use optimized query for ml jobs and es overview

* Apply to node/index detail page, and more renaming

* Unnecessary change

* Fix tests

* Add basic tests

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-10 14:06:54 -05:00
Corey Robertson 934d6b3eeb
[Maps] Add hiddenLayers option to embeddable map input (#54355)
* Add hiddenLayers option to embeddable map input

* Move hiddenLayers logic to actions and reducers. Adds Documentation

* Address code review suggestions
2020-01-10 12:58:37 -05:00
CJ Cenizal 2e3ce5c0f8
Pass termOrder and hasTermsAgg properties to serializeThresholdWatch function (#54391)
* Fix Watcher regression in which a threshold watch's termOrder and hasTermsAgg properties weren't being passed to the serializeThresholdWatch function.
* Remove unused upstreamJson getter method from server models.
2020-01-10 09:53:06 -08:00
James Gowdy 1a3aef0d21
[ML] Job validation loading spinner (#54450)
* [ML] Job validation loading spinner

* adding to modal version

* updating snapshots
2020-01-10 16:26:23 +00:00
Justin Kambic aa9126ec04
[Uptime] Add tags dropdown to Overview filters group (#50837)
* Finish implementing snapshot count redux code.

* Replace GQL-powered Snapshot export with Redux/Rest-powered version.

* Add tests for Snapshot API call.

* Rename new test file from tsx to ts, it has no JSX.

* Rename outdated snapshot file.

* Update filter groups to use redux and add tags dropdown.

* Delete obsolete graphql filter bar query.

* Add fetch effect factory.

* Use generic fetch effect factory to avoid code redundancy.

* Infer isDisabled status from data for filter group buttons and disable when there are no items.

* Fix removal of overview filter from previous rebase.

* Rename generator-related functions from *saga to *effect.

* WIP trying to make filters filterable.

* WIP cleaning up.

* Delete obsolete API test.

* Add API test for filters endpoint.

* Remove obsolete fields from overview filters.

* Add functional testing attributes and delete a comment for filter popover.

* Update obsolete unit test snapshots and test props for filter popover.

* Fix broken types and delete obsolete test snapshots for filters api call.

* Modify filters endpoint to adhere to np routing contracts.

* Add functional test and associated helper functions for filters API.

* Remove obsolete resolver function for filter bar.

* Remove obsolete FilterBar type from graphql schema.

* Delete static types generated for obsolete GQL schema types.

* Delete obsolete fields from default filters state.

* Delete obsolete method from graphql schema.

* Add default values to unit test that requires complete app state mock.

* Extract helper logic to dedicated module.

* Finish working on adapter/helper tests.

* Add state field for overview page search query.

* Apply search kuery to filters.

* Simplify creation of overview filter fetch actions and API call.

* Add tests for overview filter action creators.

* Simplify api query parameterization.

* Improve a variable name.

* Update formatting of file.

* Improve a variable name.

* Improve a variable name.

* Simplify API endpoint typing.

* Clean up helper code and rename some functions/vars.

* Clean up parameterization of filter values.

* Move function from dedicated file back to calling file.

* Clean up naming in a function.

* Move function from dedicated file to caller's file.

* Modify interface of function return value.

* Have function throw error when it receives invalid input instead of returning empty object.

* Extract constant value to dedicated function value and remove parameter from function.

* Clean up object declarations.

* Rename a property.

* Fix issue where function was not handling empty input.

* Delete unnecessary snapshots.

* Add message to internal server error response.

* Fix broken type.

* Delete type that was added as a result of a merge error.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-10 11:15:20 -05:00
Jimmy Kuang 919126160f [Watcher] Support scheme field when creating a Threshold alert with a Webhook action (#53757) 2020-01-10 09:42:02 -05:00
Shaunak Kashyap 402322c7a9
Enable functionbeat telemetry (#54267)
* Adding placeholder for functionbeat telemetry in test fixture

* Adding placeholder for functionbeat telemetry expectation

* Adding placeholder for aggregating functionbeat telemetry per cluster

* Update test + fixture

* Updating code
2020-01-10 06:16:47 -08:00
Pete Harverson 0bafcb9e50
[ML] Display anomaly actual in chart tooltip when model plot enabled (#54364)
* [ML] Display anomaly actual in chart tooltip when model plot enabled

* [ML] Fixes translations for chart tooltip fixes

* [ML] Edits to chart tooltip div following review
2020-01-10 14:12:07 +00:00
James Gowdy cda91cf0cb
[ML] Auto selecting categorization field (#54365)
* [ML] Auto selecting categorization field

* updating translations

* reverting unrelated translation changes
2020-01-10 13:07:28 +00:00
MadameSheema 9ee9f3d038
[SIEM] Improves navigation Cypress tests time execution (#54273)
* extracts before

* fixes the type check failure
2020-01-10 13:48:10 +01:00
MadameSheema 07d56f73f7
[SIEM] Improves event viewer Cypress tests time execution (#54117)
* groups tests in context

* makes tests fully order-independent

* updates Readme file

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-10 13:46:54 +01:00
MadameSheema cc09f61d3b
[SIEM] Improves fields browser Cypress tests time execution (#54236)
* groups fields browser tests by context

* saves cookies between tests

* fix types

* renames 'cleansFieldsBrowser' to 'clearFieldsBrowser'

* adds 'SID cookie to whitelist'

* fixes type check

Co-authored-by: patrykkopycinski <contact@patrykkopycinski.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-10 13:07:29 +01:00
Pierre Gayvallet c0d6b932f1
Allow the mounted application to prompt a confirm message before leaving (#54221)
* add onAppLeave to AppMountParameters

* adapt legacy shims of app mount

* update generated doc

* returns properly typed AppLeaveAction from leave handler instead of raw strings

* add openConfirm to modal service and use it instead of window.confirm

* fix unit test

* update querystringinput snapshots

* add integration tests

* nits and review comments

* add functional tests
2020-01-10 12:17:21 +01:00
Casper Hübertz 4d659477ad
[APM] Update annotation icon for service.version (#54428)
Updating the service version annotation icon in the chart and legend
2020-01-10 11:39:43 +01:00
Jean-Louis Leysens 753eb53448
[SearchProfiler] Remove sources of recursion over potentially deeply nested objects (#54015)
* Added max tree depth guard
Removed recursive normalizeTimes functions (one fewer iteration through the entire data structure)
Optimized application of tree mutations by taking `if` out of tight loop
Cleaned up types

* Tidy up data being passed into store (and through immer)

* Fix max tree depth logic

* Remove immer from non-test code.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-10 10:56:28 +01:00
Garrett Spong 482faae799
[SIEM] Adds Signals Histogram (#53742)
## Summary

Detection Engine Meta Issue: #50405

This PR adds the `Signals Histogram` component for use on the main `Detection Engine` page, `Rule Details` page, and the newly designed `Overview` page.

Out of the box configuration includes an `EuiSelect` for stacking by the following:
* Risk Scores
* Severities
* Event Actions
* Event Categories
* Host Names
* Rule Types
* Rules
* Users
* Destination IPs
* Source IPs

Additional configuration properties are available to configure the component as needed depending on where it will be displayed (e.g. no `Stack By` option on `Overview`, filter to specific `rule_id` on `Rule Details`, etc):

``` ts
interface SignalsHistogramPanelProps {
  defaultStackByOption?: SignalsHistogramOption;
  filters?: esFilters.Filter[];
  from: number;
  query?: Query;
  legendPosition?: 'left' | 'right' | 'bottom' | 'top';
  loadingInitial?: boolean;
  showLinkToSignals?: boolean;
  showTotalSignalsCount?: boolean;
  stackByOptions?: SignalsHistogramOption[];
  title?: string;
  to: number;
  updateDateRange: (min: number, max: number) => void;
}
```
##### Light Theme:
![de_hist_light](https://user-images.githubusercontent.com/2946766/71299977-41685800-234e-11ea-93bd-05a0c4cb6ee1.gif)

##### Dark Theme:
![de_histogram_dark](https://user-images.githubusercontent.com/2946766/71299980-45947580-234e-11ea-9d26-380bae5c4aa6.gif)


##### Overview:

Example props for overview impl:

``` jsx
<SignalsHistogramPanel
  filters={filters}
  from={from}
  loadingInitial={loading}
  query={query}
  showTotalSignalsCount={true}
  showLinkToSignals={true}
  defaultStackByOption={{
    text: 'Signals count by MITRE ATT&CK category',
    value: 'signal.rule.threats',
  }}
  legendPosition={'right'}
  to={to}
  title="Signals count by MITRE ATT&CK category"
  updateDateRange={updateDateRangeCallback}
/>
```
![image](https://user-images.githubusercontent.com/2946766/72030438-2fd7e900-3246-11ea-8404-40905ca5f85c.png)


Note @andrew-goldstein @angorayc @MichaelMarcialis -- looks like the MITRE ATT&CK Tactics are stored as a nested object in `signal.rule.threat`, so we may have to do some finagling to get it to show on the histogram.

e.g. format:

``` json
{
  "framework": "MITRE ATT&CK",
  "tactic": {
    "id": "TA0010",
    "reference": "https://attack.mitre.org/tactics/TA0010",
    "name": "Exfiltration"
  },
  "techniques": [
    {
      "id": "T1002",
      "name": "Data Compressed",
      "reference": "https://attack.mitre.org/techniques/T1002"
    }
  ]
}
```




### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)
- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials
  * Will work with @benskelker on any specific documentation
- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios
- [ ] ~This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~

### For maintainers

- [ ] ~This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
- [ ] ~This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~
2020-01-09 17:52:57 -07:00
Frank Hassanabad 68883c6333
[SIEM][Detection Engine] pre-packaged rule changes and addition of one new rule
## Summary

pre-packaged rule changes and addition of one new rule

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
2020-01-09 17:17:34 -07:00
Frank Hassanabad 7eb88c4d13
[SIEM][Detection Engine] Import/Export REST endpoints (#54332)
## Summary

* Adds Import and Export REST endpoints
* Fixes minor misc issues with types
* Changes camel case from bulk api to become snake_case

For the API and testing it is very similar to the saved objects API

For import:

```ts
POST /api/detection_engine/rules/_import
```

With an ndjson body of:

```ts
{"created_at":"2020-01-09T01:38:00.740Z","updated_at":"2020-01-09T01:38:00.740Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"6688f367-1aa2-4895-a5a8-b3701eecf57d","immutable":false,"interval":"5m","rule_id":"query-rule-id-1","language":"kuery","output_index":".siem-signals-frank-hassanabad-default","max_signals":100,"risk_score":1,"name":"Query with a rule id Number 1","query":"user.name: root or user.name: admin","references":[],"severity":"high","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1}
{"created_at":"2020-01-09T01:38:00.745Z","updated_at":"2020-01-09T01:38:00.745Z","created_by":"elastic_kibana","description":"Query with a rule_id that acts like an external id","enabled":true,"false_positives":[],"from":"now-6m","id":"7a912444-6cfa-4c8f-83f4-2b26fb2a2ed9","immutable":false,"interval":"5m","rule_id":"query-rule-id-2","language":"kuery","output_index":".siem-signals-frank-hassanabad-default","max_signals":100,"risk_score":2,"name":"Query with a rule id Number 2","query":"user.name: root or user.name: admin","references":[],"severity":"low","updated_by":"elastic_kibana","tags":[],"to":"now","type":"query","threats":[],"version":1}
{"exported_count":2,"missing_rules":[],"missing_rules_count":0}
```

If you want to overwrite existing objects you can use the overwrite query parameter like so:

```ts
POST /api/detection_engine/rules/_import?overwrite=true
```

See and run the scripts of:
```ts
import_rules.sh
import_rules_no_overwrite.sh
```

For exporting everything:

```ts
POST /api/detection_engine/rules/_export
```

For exporting just a handful of things you would send a body like so:

```ts
POST /api/detection_engine/rules/_export
{
  "objects": [
    {
      "rule_id": "query-rule-id-1"
    },
    {
      "rule_id": "query-rule-id-2"
    }
  ]
}
```

To change either the filename of the file that gets downloaded or to remove the extra appended export details you can do the following:

```ts
POST /api/detection_engine/rules/_export?exclude_export_details=true&file_name=my_file.ndjson
```

See the scripts of:
```ts
export_rules.sh
export_rules_by_rule_id.sh
export_rules_by_rule_id_to_file.sh
export_rules_to_file.sh
```

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
2020-01-09 17:16:45 -07:00
Patrick Mueller 5853360d75
pass more alert info into alert executor (#54035)
resolves https://github.com/elastic/kibana/issues/50522

The alert executor function is now passed these additional alert-specific
properties as parameters:

- spaceId
- namespace
- name
- tags
- createdBy
- updatedBy
2020-01-09 18:14:53 -05:00
Phillip Burch 32e61592ec
Remove graphql types (#54176)
* Fix server types

* Remove graphql types from the frontend

* More type cleanup

* Replace more types. Delete unused files

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-09 17:09:57 -06:00
Chris Roberson dfac5d894e
[Monitoring] Ensure setup mode works in a ccs environment (#54361)
* Ensure setup mode works in a ccs environment

* Missed this file
2020-01-09 13:14:05 -05:00
Joe Portner 719ff259fc
Add support for certificates in PKCS#12 (P12) key stores (#53810)
Kibana now supports the usage of PKCS#12 (P12) key stores and trust stores for certificates and keys.
2020-01-09 13:03:16 -05:00
Chris Cowan a6605f21cc
[Metrics UI & Logs UI] Deprecate the override fields in settings (#54206) 2020-01-09 10:59:16 -07:00
Shahzad 31a0bfd540
[Uptime] Monitor details page left side title (#53529)
* update API

* update query

* hide layer control and added loc tags

* update test

* remove unused comment

* update API

* remove capitalization

* style fix

* update types

* added location status number on details page

* useref instead of createRef

* update interface

* update import

* removed redundant file

* fix header for empty data

* refactor for most recent check

* remove redundant code

* remove unused translation

* update status bar

* update styling

* update snaps

* added API tests

* fix types

* fixing integration tests and a typo

* remove unused translations

* update tests

* fixed PR feedback

* update feedback

* update messaging

* update snap

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-09 18:23:44 +01:00
Tim Sullivan c2362d4807
[Reporting] Update some runtime validations (#53975)
* [Reporting] Update some runtime validations

* fix unit test

* i18n

* make warning logging of encryptionKey possible

* update snapshot

* revert unrelated config change
2020-01-09 10:13:22 -07:00
Pedro Luiz Cabral Salomon Prado 599a470f54 Added space char (#49997)
added space to improve readability

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-09 10:10:55 -06:00
cachedout 459cad534c
[Monitoring] h1 elements for accessibility (#52276)
* Add header element to indices page for WCAG

* Add h1 element for WCAG to node page

* Add h1 element for WCAG to stack monitoring overview page

* Add h1 to advanced nodes page in stack monitoring

* Add h1 to nodes page in stack monitoring

* Add h1 header for index advanced page in stack monitoring

* Standardize more on ide for h1 tag

* Give heading element to beats overview

* Update Beats listing page for H1 compat with WAVE

* Modified beat page to comply with heading rules from WCAG

* Kibana instance listing page updated for header WCAG

* Add WCAG header fix to logstash listing page

* Added headings for WCAG to logstash overview page

* Update pipeline listing page for WCAG A headings

* Fix WCAG heading problems in pipeline viewer

* Fix screen reader heading for APM overview page

* Update APM instances page for screen reader headings

* Update APM instance page for screen reader heading

* Update ccr page for screen reader headings

* More a11y fixes for headings in stack monitoring

* Fixup

* Consistent capitalization per review

* Removed help text per review comment

* Include Elasticsearch node into screen reader message, per review feedback

* Update snapshots

* Linting

* Implement review suggestion for i18n compat

* Revert back to just plain string

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-09 15:30:58 +00:00
James Gowdy 36abed3496
[ML] Categorization wizard (#53009)
* [ML] Categorization wizard

* fixing js prettier issues

* adding basic category field validation

* adding rare or count selection

* fixing types

* category examples changes

* improving results search

* adding analyzer editing

* improving callout

* updating callout text

* fixing import path

* resetting cat analyser json on flyout open

* disabling model plot by default

* minor refactoring

* fixing types

* hide estimate bucket span

* setting default bucket span

* removing ml_classic workaround

* changing style of detector selection

* fixing convert to advanced issue

* removing sparse data checkbox

* changes based on review

* use default mml

* fixing job cloning

* changes based on review

* removing categorization_analyzer from job if it is same as default

* fixing translations

* disabling model plot for rare jobs

* removing console.error in useResolver
2020-01-09 15:21:40 +00:00
Nathan L Smith 9befff1236
[APM] Fix service map license check and controls (#54286)
* Check for a trial license as well as platinum when loading the map
* Increase the z-index of the controls so clicking on them works
* Rename the styled component to `ControlsContainer` from `Container` to make a less ambiguous class name on the element
2020-01-09 09:03:50 -06:00
Andrew Cholakian 2d15b8c82b
[Uptime] Improve query performance with Heartbeat 7.6+ data. (#52433)
This PR optimizes both the snapshot component and the monitor list on the overview page by using the new monitor.timespan field from elastic/beats#14778. Note that the functionality here will work with heartbeats lacking that patch, but the performance improvements will be absent.

This PR adapts the snapshot tests to use synthetically generated data which should be easier to maintain. As a result some of that code is refactored as well.

See #52433 parent issue as well.
2020-01-09 08:36:31 -06:00
DeFazio 4466059327
[ML] Updates Anomaly Detection job wizard button styles, page panel and titles (#53340)
* Update button styles, page panel and page title

* Add getJobCreatorTitle function for human readable job type name

* Add formatMessage to Create job title

* Fix translation test

* Update tests
2020-01-09 08:46:46 -05:00
Ahmad Bamieh a27c4c4a4e
[Telemetry] [Monitoring] Only retry fetching usage once monito… (#54309)
* fix interval and add tests

* Update x-pack/legacy/plugins/monitoring/server/kibana_monitoring/bulk_uploader.js

Co-Authored-By: Christiane (Tina) Heiligers <christiane.heiligers@elastic.co>

Co-authored-by: Christiane (Tina) Heiligers <christiane.heiligers@elastic.co>
2020-01-09 02:55:17 +02:00
Xavier Mouligneau 1e2cbb3710
[SIEM] Detection engine timeline (#53783)
* change create to only have only one form to be open at the same time

* add tick to risk score

* remove compressed

* fix select in schedule

* fix bug to not allow more than one step panel to be open at a time

* Add a color/health indicator to severity selector

* Move and reword tags placeholder to bottom helper text

* fix ux on the index patterns field

* Reorganize MITRE ATT&CK threat

* add url validation + some cleaning to prep work for UT

* add feature to get back timeline + be able to disable action on timeline modal

* Add option to import the query from a saved timeline.

* wip

* Add timeline template selector

* fix few bugs from last commit

* review I

* fix unit test for timeline_title

* ui review

* fix truncation on timeline selectable
2020-01-08 19:32:10 -05:00
Matthew Kime 9282f19bf5
Management - New platform api (#52579)
* implement management new platform api
2020-01-08 17:43:10 -06:00
Phillip Burch e1e1d964c6
Reset region and Account when switching inventory (#54287) 2020-01-08 16:37:37 -06:00
Steph Milovic 303e4842ea
[SIEM] [Case] Case workflow api schema (#51535) 2020-01-08 14:28:29 -07:00
Melissa Alvarez e93c6b8d1a
[ML] DF Analytics Results: adds link to docs (#54189)
* add doc links to evaluate panel for analytics jobs

* fix confusion matrix dataGrid label

* internationalize link text
2020-01-08 15:07:14 -05:00
Joe Portner bbe700d797
Update schemas boolean, byteSize, and duration to coerce strings (#54177)
* Update Duration to coerce number strings to numbers (in millis)

* Coerce in a way that's consistent with kbn-config-schema

* Update ByteSizeValue to coerce strings to numbers

* Update Boolean to coerce strings to boolean values

* Fix Jest test

* Address PR review feedback

* Whoops

* Whoops 2

* Whoops 3
2020-01-08 14:48:00 -05:00
Zacqary Adam Xeper 8edb53ddbc
[Metrics UI] Pass relevant shouldAllowEdit capabilities into SettingsPage (#49781)
* [Metrics UI] Pass relevant shouldAllowEdit capabilities into SettingsPage

* Split settings pages in two; add loading screen to settings page

* Restore timestamp field to metrics screen

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-08 13:46:01 -06:00
Corey Robertson 89e4daf5bd
[Canvas] Fixes bugs with autoplay and refresh (#53149)
* Fixes bugs with autoplay and refresh

* Fix typecheck

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-08 14:16:31 -05:00
Melissa Alvarez fc948a0c8e
[ML] DF Analytics Classification: ensure confusion matrix can be fetched (#53629)
* check depVar field type before adding keyword suffix for evaluate endpoint

* update indexPattern type and use FIELD types

* add keyword suffix if field type is keyword

* keyword suffix added if depVar is of type keyword AND text
2020-01-08 13:38:34 -05:00
patrykkopycinski 8e0e4948d5
[SIEM] Fix columns in timeline do not resize (#51816) 2020-01-08 16:33:51 +01:00
Justin Kambic a93c23cd56 Reorganize structure of component render to avoid errors. (#54251) 2020-01-08 15:53:49 +01:00
Xavier Mouligneau 6abfbd1382
filters are back (#54218) 2020-01-08 08:58:44 -05:00
Tim Schnell 3b5a90b51c
fix ecommerce percentages in sample data (#54200) 2020-01-08 07:41:52 -06:00
Ahmad Bamieh 392e62a4de
[Telemetry] Fix license page crashing on telemetry.enabled: fa… (#54174) 2020-01-08 13:31:07 +02:00
Alexey Antonov 71ff2de7e1
[ui/public/utils] Copy rarely used items to where they are consumed (#53819)
* [ui/public/utils] Copy rarely used items to where they are consumed

Closes: #52841

* sort_prefix_first 👉x-pack/legacy/plugins/kuery_autocomplete

* numeric 👉src/legacy/core_plugins/kibana/public/management

* diff_object + tests 👉ui/state_management

* function + tests 👉ui/state_management (function.js was removed!)

* key_map 👉ui/directives

* leastCommonMultiple 👉ui/vis

* string_utils 👉ui/saved_objects

* collection

* parse_interval

* it -> test

* fix CI

* fix PR comments

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-08 13:15:54 +03:00
Mikhail Shustov 56041f03ad
Don't expose Elasticsearch client as Observable (#53824)
* expose ES clients without observables

* expose observable-less api to plugins

* update core api and mocks

* update plugins

* NP SO & legacy use updated API

* update SO tests

* update TSDocs

* update types

* update docs

* document createCluster analog in np

* typo
2020-01-08 12:01:47 +03:00
patrykkopycinski 8eb000d629
[SIEM] Cleanup unnecessary use of enzyme-to-json (#53980) 2020-01-08 09:28:38 +01:00
Ryan Keairns 0d11ec7729
change markdown element title (#54194) 2020-01-07 17:26:36 -06:00
Zacqary Adam Xeper f5448bd9f4
[Logs UI] Refactor log position to hooks (#53540)
* Move URL state to hook

* Fix log filter URL state infinite loop

* Initial refactor of log position to hooks

* Simplify and reimplement controlsShouldDisplayTargetPosition

* Fix live streaming

* Flatten logposition destructuring

* Revert "Move URL state to hook"

This reverts commit 4e04aa061d.

# Conflicts:
#	x-pack/legacy/plugins/infra/public/containers/logs/log_filter/use_log_filter_url_state.tsx
#	x-pack/legacy/plugins/infra/public/pages/logs/stream/page_providers.tsx

* Fix unused imports

* Fix link-to test

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-07 16:38:25 -06:00
Ryland Herrick b7a534b1b1
[SIEM] Implement NP Plugin Setup (#54030)
* Set up our react app in the NP way

* Defines the setup() method for our UI plugin
* Renders the app in the NP way within our setup() method
* Defines a legacy file that invokes the plugin manually

Things seem to be mostly working; the app mounts with no immediate
errors, at least.

* Move files into NP structure

Our plugin function and class are both direct children of siem/public.
The app folder contains both our React app and the function to render
it.

* Register SIEM in the feature catalogue via NP format

Unfortunately, this can't live in the plugin for now because it doesn't
get invoked when we need it. For now, it's going to live in the same
spot, and once we're a real NP plugin we can move it.

* Eliminate usage of timezoneBrowser UI setting

This seems to be redundant with dateFormat:tz except that it always
returns a real timezone, not just a preference. By wrapping that logic
in our own hook, useTimeZone, we can remove this weird usage and stick
to the standard dateFormat and dateFormat:tz.

* Clean up tests for FormattedDate components

Mocks our simpler wrapping hooks rather than the entire UI Settings
module.

* Remove remaining uses of UI Settings mocks

These remaining tests can mock settings directly, or otherwise were
misusing the settings mocks to retrieve assertion values.

* Remove unnecessary intermediate `describe` blocks

They were not adding any information to the tests.

* Remove use of kibana version in client requests

We were previously passing this version all over the place for the sake
of our framework-specific request header. The sole advantage of supplying
such a header is that the client will receive an informative error modal
in the case of a version mismatch between the client and server.

We can successfully perform these requests with the `kbn-xsrf` header
instead. Long-term, we can use core.http.fetch to perform the requests
and auto-populate the version header, but it would be nicer to abstract
those requests to the framework level rather than threading the HTTP
client throughout the application.

* Remove newly added uses of kbnVersion

These happened on master in the meantime.

* Use helper to generate test assertion

Allows us to change the implementation of the empty string without
breaking the test.

* Remove guard from date formatting component

We're always going to get back usable values from these hooks; while the
user can unset the dateFormat in their settings, we'll still get an
empty string which is effectively the same as no formatting (as
evidenced in the tests).

* Remove default from byte formatting component

If the user has deleted this default, they presumably meant to do so and
we shouldn't supersede it.

* Refactor bytes formatting to allow use in our charts

We need a formatting function to use with our charts, so this splits out
a hook from the original react component, allowing our charts to be
formatted as specified in the user's UI settings.

* Refer to our constant for APP_ID

* Explicit return values for some UI Settings hooks

This forces accidental changes to the return value to be explicit.

* Remove use of ui/chrome in request header

This is an unnecessary use: kibana works the same no matter what
contents the `kbn-xsrf` header contains (as long as it's there).

* Mock UI Settings values in our TestProvider

When using our TestProvider components, we were previously relying on
platform's UISettings mocks instead of our own, more comprehensive ones.
This worked for the most part, and when we needed real settings we would
mock the UI Settings client manually.

When we removed some app code that defaulted UI Settings values when the
client did not return a value, tests that used TestProviders but also
relied on those defaults broke. This adds that behavior back,
and obviates the need for manual calls to jest.mock except when we're a)
not using TestProviders but b) overriding the platform mocks.

Also removes some of those unneeded uses.

* Remove unused import

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-07 13:20:57 -08:00
Lisa Cawley ae1fac4fe5
[DOCS] Updates ML links (#53613) 2020-01-07 13:07:24 -08:00
Justin Kambic 7b33fd318c
Remove dependency that was causing effect to re-execute infinitely. (#54160) 2020-01-07 14:20:02 -05:00
patrykkopycinski 0308c9d8ca
[SIEM] Cleanup React imports (#53981) 2020-01-07 19:30:37 +01:00
renovate[bot] 49d6a45788 Update eslint related packages (#54107) 2020-01-07 19:08:36 +01:00
Shahzad 334dff37d4
[Uptime] Added date range filter into expanded list query (#52609)
* added filters into expanded list query

* update filters

* update query

* update snap

* update tests

* update filters

* update test

* remove side effect

* ignore typecheck

* update to remove location filter from query

* update filter groups

* remove code

* update test
2020-01-07 18:47:00 +01:00
patrykkopycinski 23a0513469
[SIEM] Add react/display-name eslint rule (#53107) 2020-01-07 18:05:04 +01:00
patrykkopycinski 677670b929
[SIEM] Enable eslint prefer-template rule (#53983)
* [SIEM] Enable eslint prefer-template rule

* cleanup

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-01-07 18:02:32 +01:00