## Summary
Holy moly.
What is happening in this PR? 🤷🏽♀️ Let's break it down:
- Added a package `@kbn/alerts` - another one?! ...yes
- This is meant to add shared hooks and components around alerts as data
- `useGetUserAlertsPermissions` - accepts the Kibana capabilities object and returns whether the user has `read` and `crud` alerts privileges
- `AlertsFeatureNoPermissions` - component displayed when user does not have alerts privileges
- UI changes for user with NO alerts privileges
- `Alerts` tab hidden in security solution side navigation
- `Alerts` tab hidden in rule details page
- UI changes for user with alerts READ ONLY privileges
- alerts checkboxes hidden in alerts table
- alerts bulk actions hidden in alerts table
* es-query types
* jest and lint
* cc
* options
* type
* types for kuery FUNCTIONS
* doc
* sec fixes
* typey type
* test typescript
* test
* fixes
* test
* cr
* cleanup a bit more
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* WIP: Adding integration test
* Replace threat.indicator mappings with threat.enrichments mappings
The nested threat.indicator mappings were experimental, and replaced by
threat.enrichmentsin ECS 1.10. While these fields are also experimental,
they fix the conflict between CTI data's normal threat.indicator
mappings.
* Add threat.enrichments mappings to our signals template mappings
event.* is no longer nested within here; it was determined that event
fields were not relevant to enrichment. All relevant ECS fieldsets
(file, pe, etc) are now nested under threat.enrichments.
* Update snapshot with newest threat.enrichments mappings
This test is a snapshot of the actual mappings applied by our templates. Looks good to me!
* Update ECS types to match latest
We now have two threat fields we care about for CTI, for legacy and
official ECS.
* Add a basic test for behavior of legacy enriched signals.
They're still queryable by threat.indicator, meaning that any existing
dashboards will still work.
* WIP: First pass at a data migration for CTI signals
* Defines reindex script to move things around
* Adds integration tests to make sure the migration and new mappings
work
* Need to test a few more things and verify corner cases
* Need to extract some helpers from tests
* Bump our template version to ensure devs roll over
Marshall bumped to 55, giving us 10 versions for 7.14.x updates.
However, devs would not otherwise roll over and get my mapping updates
without destroying their signals index and rebuilding (which is also not
the same thing, exactly), so this trades having one higher signals
version for a more streamlined dev workflow.
* More robust guard against data migration
We only attempt to migrate legacy enrichments if the document:
* is a signal from an indicator match rule
* has a `threat.indicator` field
* does not have a `threat.enrichments` field
* Minor reorder of operations to make logic clearer
* Add more assertions around our signals data migration
Tests a few more pieces of the resulting document, giving more
confidence that it's the correct transformation (and mappings).
This also modifies/anonymizes the data that was originally generated on
a work machine.
* Remove outdated note
This was for when these tests were driven via the UI; the API is more
responsive and now synchronization is currently needed here, beyond the
200 responses.
* Fix typo in comment
These fields are in ECS 1.11.
* Update snapshot test
We bumped the version previously, causing this test to become outdated.
* Update ECS typings in timelines plugin
These were copied from the security_solution plugin. I updated those,
but neglected to update these.
Until there's a better mechanism for deduplication here, I'm going to
kick the can and update both for now.
* Update enrichments logic to read/write from threat.enrichments
* indicator match rule logic
* we now simply copy from the specified indicator path, and place that
in `threat.enrichments.indicator`
* event enrichment API logic
* We were previously returning fields from `indicator.*`, we now
include the `indicator.*` suffix in order to be more consistent with
the sibling `matched.*` fields
* row renderer logic
* removal of dataset
* updates relevant to API changes above
* Fix logical error in generating links from indicator fields
We want to link the reference field, not a `first_seen` field.
* Always include the indicator prefix in first-party indicator fields
Prior to this change we would display e.g. `threatintel.indicator.foo`
for investigation enrichment fields. Now that the structure has changed
slightly and we return both `indicator.*` and `matched.*` fields for
existing enrichents, we want to display investigation enrichment
similarly.
* Update indicator match rule integration tests
Now that we've updated our enrichment logic, we need to update our
enrichment tests.
* Remove unused translation
* Update example row renderer data for enriched alerts
* Update parallel CTI constants to get our CTI row renderer working
We were not requesting the necessary fields for our row renderer, since
these constants (specifically CTI_ROW_RENDERER_FIELDS) now exist in both
security_solution and the timelines plugin. I had updated the former,
but only the latter is actually used.
* Update CTI enrichment UI tests
* Update prepackaged threat timeline template with new threat fields
Also bumps the timelineTemplateVersion.
* Update Indicator Match rule tests
These needed three things:
* Update to timeline template (see previous commit)
* Changing expectations from `threat.indicator` to `threat.enrichments`
* Update row renderer expectation to exclude dataset
* Update mock data with newest CTI enrichment fields
* Fix assertion on our threat details
These fields are prefixed with `indicator` now because:
1. This data pertains to the indicator, not the match per se
2. The actual field is prefixed with indicator (or, it at least
specifies an indicator in the case of a custom threat index (via
threat_indicator_path))
* Update test data and tests for our field parsing helpers
* Update more event-parsing tests
Ths one involved updating a mock in another package.
* Modify our helper function to support old filebeat indicators
When we query indicators for enrichment matches, the current expectation
is that we'll be querying 7.14 filebeat modules, which have an indicator
path of 'threatintel.indicator'. The only place that matters on the UI
is on the threat intel panel, where these indicators come back with such
a prefix.
This change has one behavior: it brings back the `provider` field on the
Alert summary tab for queried enrichments from filebeat modules.
* Update variable and method names to be more consistent with internal terminology
Indicators come from a CTI index. Enrichments are the application of
indicator data to other documents, and contain both indicator fields and
matched context.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Add ability to generate KQL filters in the "must" clause
Also defaults search source to generate filters in the must clause if _score is one of the sort fields
* Update docs
* Review feedback
* Fix tests
* update tests
* Fix merge error
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
### Summary
### Fields used moving forward
`kibana.alert.rule.consumer` will refer to the context in which a rule instance is created. Rules created in:
- stack --> `alerts`
- security solution --> `siem`
- apm --> `apm`
`kibana.alert.rule.producer` will refer to the plugin that registered a rule type. Rules registered in:
- stack --> `alerts`
- security solution --> `siem`
- apm --> `apm`
So an `apm.error_rate` rule created in stack will have:
- consumer: `alerts` and producer: `apm`
An `apm.error_rate` rule created in apm will have:
- consumer: `apm` and producer: `apm`
`kibana.alert.rule.rule_type_id` will refer to a rule's rule type id. Examples:
- `apm.error_rate`
- `siem.signals`
- `siem.threshold`
Also renamed the following because `rule.*` fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields.
`rule.name` --> `kibana.alert.rule.name` will refer to the rule's name.
`rule.category` --> `kibana.alert.rule.category` will refer to the rule's category.
`rule.id` --> `kibana.alert.rule.uuid` will refer to the rule's uuid.
* [build_ts_refs] improve caches, allow building a subset of projects
* cleanup project def script and update refs in type check script
* rename browser_bazel config to avoid kebab-case
* remove execInProjects() helper
* list references for tsconfig.types.json for api-extractor workload
* disable composite features of tsconfig.types.json for api-extractor
* set declaration: true to avoid weird debug error
* fix jest tests
Co-authored-by: spalger <spalger@users.noreply.github.com>
* Use Serializable from package
* Rename to align with core
* fix
* more replacements
* docssss
* fix
* Move it to @kbn/utility-types and remove core export
* buildy build
* tests
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Add aliases mapping signal fields to alerts as data fields
* Add aliases mapping alerts as data fields to signal fields
* Replace siem signals templates per space and add AAD index aliases to siem signals indices
* Remove first version of new mapping json file
* Convert existing legacy siem-signals templates to new ES templates
* Catch 404 if siem signals templates were already updated
* Enhance error message when index exists but is not write index for alias
* Check if alias write index exists before creating new write index
* More robust write target creation logic
* Add RBAC required fields for AAD to siem signals indices
* Fix index name in index mapping update
* Throw errors if bulk retry fails or existing indices are not writeable
* Add new template to routes even without experimental rule registry flag enabled
* Check template version before updating template
* First pass at modifying routes to handle inserting field aliases
* Always insert field aliases when create_index_route is called
* Update snapshot test
* Remove template update logic from plugin setup
* Use aliases_version field to detect if aliases need update
* Fix bugs
* oops update snapshot
* Use internal user for PUT alias to fix perms issue
* Update comment
* Disable new resource creation if ruleRegistryEnabled
* Only attempt to add aliases if siem-signals index already exists
* Fix types, add aliases to aad indices, use package field names
* Undo adding aliases to AAD indices
* Remove unused import
* Update test and snapshot oops
* Filter out kibana.* fields from generated signals
* Update cypress test to account for new fields in table
* Properly handle space ids with dashes in them
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Upgrade eui to v36.1.0
* Jest snapshots
* More jest snapshots; one test assertion update
* Bump core page load limit
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* incremental changes
* No more type errors
* Type guards
* Begin adding tests
* Flatten
* Reduce scope of branch
* Remove extraneous argument to filter_duplicate_signals
* injects bulkCreate and wrapHits to individual rule executors
* WIP create_security_rule_type_factory based on Marshall's work in #d3076ca54526ea0e61a9a99e1c1bce854806977e
* removes ruleStatusService from old rule executors, fixes executor unit tests
* fixes rebase
* Rename reference_rules to rule_types
* Fix type errors
* Fix type errors in base security rule factory
* Additional improvements to types and interfaces
* More type alignment
* Fix remaining type errors in query rule
* Add validation / inject lists plugin
* Formatting
* Improvements to typing
* Static typing on executors
* cleanup
* Hook up params for query/threshold rules... includes exceptionsList and daterange tuple
* Scaffolding for wrapHits and bulkCreate
* Add error handling / status reporting
* Fixup alert type state
* Begin threshold
* Begin work on threshold state
* Organize rule types
* Export base security rule types
* Fixup lifecycle static typing
* WrapHits / bulk changes
* Field mappings (partial)
* whoops
* Remove redundant params
* More flexibile implementation of bulkCreateFactory
* Add mappings
* Finish query rule
* Revert "Remove redundant params"
This reverts commit 87aff9c810.
* Revert "whoops"
This reverts commit a7771bd392.
* Fixup return types
* Use alertWithPersistence
* Fix import
* End-to-end rule mostly working
* Fix bulkCreate
* Bug fixes
* Bug fixes and mapping changes
* Fix indexing
* cleanup
* Fix type errors
* Test fixes
* Fix query tests
* cleanup / rename kibana.rac to kibana
* Remove eql/threshold (for now)
* Move technical fields to package
* Add indexAlias and buildRuleMessageFactory
* imports
* type errors
* Change 'kibana.rac.*' to 'kibana.*'
* Fix lifecycle tests
* Single alert instance
* fix import
* Fix type error
* Fix more type errors
* Fix query rule type test
* revert to previous ts-expect-error
* type errors again
* types / linting
* General readability improvements
* Add invariant function from Dmitrii's branch
* Use invariant and constants
* Improvements to field mappings
* More test failure fixes
* Add refresh param for bulk create
* Update more field refs
* Actually use refresh param
* cleanup
* test fixes
* changes to rule creation script
* Fix created signals count
* Use ruleId
* Updates to bulk indexing
* Mapping updates
* Cannot use 'strict' for dynamic setting
Co-authored-by: Marshall Main <marshall.main@elastic.co>
Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Stop tracking line numbers
* Updated api docs
* Fix type error and update tests
* wrap label in encodeURIComponent for the links
* Update docs after encodeUriComponent change
* [dev-utils/run] support --info flag when default log level changed
* update kbn/pm dist and remove excess --debug flag
Co-authored-by: spalger <spalger@users.noreply.github.com>
* chore(NA): moving @kbn/utils to babel transpiler
* chore(NA): changed import paths for that module on kbn-apm-config-loader
* fix(NA): import on test file
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Move more utils to package and cleanup API
* docs and imports
* better imports
* change comment
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Fixes https://github.com/elastic/kibana/issues/105731, by replacing these `any` types:
```json
type IFieldType = any;
type IIndexPattern = any;
type Filter = any;
```
With the types from `es-query` which are:
* IndexPatternFieldBase
* IndexPatternBase
* Filter
Note: I had to do a few creative casting to avoid having to use `FieldSpec` since that is not within the package `es-query` and is not planned to be within that package or another package for at least a while if ever.
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
## Summary
Fixes https://github.com/elastic/kibana/issues/102613, and targets `7.14.0` as a blocker/critical
Previously we never fully finished the plumbing for using the `os_types` (operating system type) in the exception lists to be able to filter out values based on this type. With the endpoint exceptions now having specific selections for os_type we have to filter it with exceptions and basically make it work.
Some caveats is that the endpoints utilize `host.os.name.casless` for filtering against os_type, while agents such as auditbeat, winlogbeat, etc... use `host.os.type`. Really `host.os.type` is the correct ECS field to use, but to retain compatibility with the current version of endpoint agents I support both in one query to where if either of these two matches, then that will trigger the exceptions.
* Adds e2e tests
* Enhances the e2e tooling to do endpoint exception testing with `os_types`.
* Adds the logic to handle os_type
* Updates the unit tests
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
## Summary
Creates an autocomplete package from `lists` and removes duplicate code between `lists` and `security_solutions`
* Consolidates different PR's where we were changing different parts of autocomplete in different ways.
* Existing Cypress tests should cover any mistakes hopefully
Manual Testing:
* Ensure this bug does not crop up again https://github.com/elastic/kibana/pull/87004
* Make sure that the exception list autocomplete looks alright
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
* expression_reveal_image skeleton.
* expression_functions added.
* expression_renderers added.
* Backup of daily work.
* Fixed errors.
* Added legacy support. Added button for legacy.
* Added storybook.
* Removed revealImage from canvas.
* Types fixed.
* Fixed test suite error.
* Fixed eslint error.
* Moved UI and elements, related to expressionRevealImage from canvas.
* Fixed unused translations errors.
* Moved type of element to types.
* Fixed types and added service for representing elements, ui and supported renderers to canvas.
* Added expression registration to canvas.
* Fixed
* Fixed mutiple call of the function.
* Removed support of a legacy lib for revealImage chart.
* Removed legacy presentation_utils plugin import.
* Removed useless translations and tried to fix error.
* One more fix.
* Small imports fix.
* Fixed translations.
* Made fixes based on nits.
* Removed useless params.
* fix.
* Fixed errors, related to jest and __mocks__.
* Removed useless type definition.
* Replaced RendererHandlers with IInterpreterRendererHandlers.
* fixed supported_shareable.
* Moved elements back to canvas.
* Moved views to canvas, removed expression service and imported renderer to canvas.
* Fixed translations.
* Moved libs to presentation utils.
* Fixed types and removed function_wrapper.ts
* Fixed types of test helpers.
* Fixed imports.
* One more fix.
* Fixed public API.
* Moved css to component.
* Fixed spaces at element.
* Removed unused plugin.
* Basic setup of error plugin.
* Removed not used `function` files at `error` expression.
* Moved related components from canvas.
* Changed imports of components.
* Removed useless translations and fixed .i18nrc.json
* More fixes of i18nrc.
* Fixed async functions.
Written current code, based on https://github.com/storybookjs/storybook/issues/7745
* Fixed one test with Expression input.
After changing the way of rendering in stories, all elements are mounting and componentDidMount is involved. The previous snapshot was without
mounted `monaco` editor.
* generated plugin and copied code from expression_reveal_image
* fixed double import after merge.
* Changed all names from reveal_image to shape.
* moved shape to plugin and added all necessary configs
* Fixed translations, fixed all imports and debug of svg.
* `function` moved to `server`.
* One shape is rewritten to `React` and rendering is written with passing necessary props.
* changed default width and heigth.
* Added `ShapeHOC`.
* Shapes changed.
* small refactor.
* Removed useless import.
* one more refactor.
* Refactor + fix errors + updated limits.
* Changed ShapePreview from pure js to react and removed `dangerouslySetInnerHTML`
* Fixed types of viewbox.
* Changed types source for Shape components.
* small refactor.
* Fixed imports.
* Removed `shape` from `canvas`
* Updated docs.
* Basic setup of error plugin.
* Removed not used `function` files at `error` expression.
* Changed imports of components.
* Fixed errors, related to shape and autosuggestions.
* Fixed i18n for shape.
* Moved function from public to common and registered at server.
* Fixed types error.
* Fixed snapshots and shape mocks.
* Moved some libs from `presentations_util` to `expression_shape`
* Shape refactored.
* Shape picker fixed.
* Moved `Popover` back to `canvas`
* Removed `Popover` export from presentation_utils components.
* Moved error_component and debug_component from presentation_util to expression_error.
* Removed `.i18nrc.json`.
* Removed `.i18nrc.json`.
* Removed useless scss.
* Fixed color of `error`.
* added fixes of rebase.
* More fixes of rebase error .
* Removed useless .i18nrc.json file.
* More fixes.
* More fixes of rebase.
* One more fix.
* More fixes.
* Fixed limits and translations.
* Added.
* Fixed i18nrc.
* Fixed error..
* Moved shapes to async chunks.
* One more fix.
* Some fixes.
* Trying to fix the typecheck error.
* Added temp of drawer.
* Moved shapes to the async chunk in a less complex way.
* Made `ShapeDrawer` reusable among different `expressions`.
* Changed type of `shapes` from `any` and `Shape` to `string`.
* Made changes, based on nits.
* Removed not necessary changes.
* Moved all reusable libs to `expression_shapes`.
* Reduced the size of the bundle.
* Hope, fixed type check errors.
* Removed getDefaultShapeData.
* Removed `getViewBox` from bundle.
## Summary
Addressees https://github.com/elastic/kibana/issues/83910 by removing the elastic legacy client from:
* `lists` plugin
* `security_solution` plugin
* `kbn-securitysolution-es-utils` package
Removes found dead code in `security_solution` plugin:
* `server/lib/configuration/inmemory_configuration_adapter.ts`
* `server/lib/detection_engine/privileges/read_privileges.ts`
* `server/lib/configuration/index.ts`
* `server/lib/configuration/adapter_types.ts`
* `server/lib/compose/kibana.ts`
* `server/lib/ecs_fields/extend_map.test.ts`
* `server/lib/ecs_fields/extend_map.ts`
* `server/lib/index_fields/elasticsearch_adapter.ts`
* `server/lib/index_fields/index.ts`
* `server/lib/index_fields/mock.ts`
* `server/lib/index_fields/types.ts`
* `server/lib/source_status/elasticsearch_adapter.ts`
* `server/lib/source_status/index.ts`
* `server/lib/source_status/query.dsl.ts`
* `server/lib/source_status/types.ts`
* `server/lib/sources/configuration.test.ts`
* `server/lib/sources/configuration.ts`
* `server/lib/sources/index.ts`
* `server/lib/sources/types.ts`
Removes dead code in `lists` plugin:
* `server/schemas/common/get_call_cluster.mock.ts`
* `server/lib/ecs_fields/index.ts`
* `server/lib/framework/kibana_framework_adapter.ts`
Removes dead types from `security_solution` plugin:
* `server/lib/framework/types.ts`
* `server/lib/types.ts`
Removes dead functions from `security_solution` plugin:
* `server/utils/build_query/calculate_timeseries_interval.ts`
* `server/utils/runtime_types.ts`
### What to check as a reviewer
* Ensure that there is no left over words of `legacy` such as `legacy.something`
* Ensure there are no more `callAsCurrentUser` since that is all dead and gone
* Ensure anywhere you see `esClient.someThing` it returns the `.body` at the end or destructors it as in `{ body } = esClient.someThing`
### Risk Matrix
| Risk | Probability | Severity | Mitigation/Notes |
|---------------------------|-------------|----------|-------------------------|
| Telemetry might stop working or have invalid values. | Med | High | We will have to manually test telemetry. Pinged people from telemetry for a code review |
| An REST route returns invalid values. | Med | High | e2e tests caught some of these already. The rest of the code was re-checked by hand |
| Deleted function/code might actually be still in use somewhere. | Low | High | e2e and unit tests should catch any of this. |
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
