* [DOCS] Updates to the Reporting docs
* Adds the main sharing page
* Final changes
* Changed configuring-reporting link to secure-reporting
* Updates from meeting with Tim and Larry
* Moves reporting and sharing content above ML
* Update docs/setup/configuring-reporting.asciidoc
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Review comments from Tim and Larry
* Fixes broken links
* Fixes redirect
* Fixes broken link from ES docs
* Adds metadata to changed pages
* Review comments
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Correctly orders imports via ESLint
* Accounts for "yellow" status
We should do much better than this.
a) We shouldn't be converting the statuses to colors in the first place
b) We shouldn't always show the same message for all non-green statuses
c) We shouldn't link to kibana status when we are the kibana monitoring product
* Revert "Remove post-installation redirect for integrations (#103179)"
This reverts commit 96c4350289.
* Restore post-save redirects but only when user hasn't navigated away
* use new client for licensing API
* add logs
* adapt unit tests
* Revert "add logs"
This reverts commit 4a61b646
* fix some type errors
* fix test types
* adapt monitoring usage of `createLicensePoller`
* remove test comment
* fix unit test
* remove createLicensePoller from setup contract
* fix unit tests
* converting Maps es_archiver to kbn_archiver
* delete the esArchiver .kibana reference directory
* fix the path of the json file
* use the delete API to delete the missing references populated in the data.json
* fix the path
* kbn_archiver_maps.json
* added the missing ref
* restoring it to use esArchiver
* replace esArchiver to use kbnArchiver
* moved the data.json directly under kbnArchiver
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [TSVB] Metric count is depicted as - instead of 0
* Rename extractData to mapEmptyToZero and remove unnecessary intervalString undefined assignment in get_bucket_size.js
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [ML] remove advanced settings
* [ML] fix getUpdatedItem for switching to single field agg
* [ML] incremental naming for top aggs
* [ML] set default sorting field based on date type
* [ML] set desc order by default
* [ML] fix TS
* [ML] change sorting direction init
* [PH] Initial setup for endpoint task telemetry.
* Refactor / Add daily task for collecting fleet detail / policy resp / EP metrics
* [PH CD] Code walkthrough. Start fetching fleet policy configs.
* [PH] pass in fleet agent service rather than homebrew kuerys.
* [PH] prepare to move away from legacy es client. Get fleet ep agents.
* Fetch agent policy configs.
* Stub ep policy responses.
* Fix CI + Types. Fix dep injection. Reimagine SO client creation.
* Create SO client properly
* Fetch EP Policy responses.
* Fetch EP Policy responses.
* Remove unused import
* Fetch failed policy responses from EP data stream.
* Remove unused imports.
* Combine failed policy responses with policy configs.
* Attach fleet agent + ep agent ids
* Add dedicated channel sender. Temp disable with feature flag.
* Remove ublock from the failed policy response.
* Fetch endpoint metrics.
* Fix bad merge commit.
* Get EP telemetry.
* Record last execution time of endpoint task
* Remove send on demand feature flag.
* Simplify cache conditional.
* Refactor into Promise.allSettled
* Fix type error.
* Bail if there is no endpoint metrics
* Bump interval to 24h.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [TSVB] Fix TSVB is not reporting all categories of Elasticsearch error
Closes: #94182
* move validation to server side
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Add pure fn and consuming hook to fetch event enrichment
It's not being invoked yet, but I've added a placeholder where it's
going.
* Move existing enrichment tests to new spec file
This is a rough copy/paste, I'll clean up as I flesh out the new tests.
* Move test constants into tests that use them
* style: declare FC function as an FC
* Extract some inline parsing logic into a helper function
And test it!
* Solidifying enrichment types on the backend
* Declares an enum for our types
* Sets type during indicator match rule enrichment
* Sets type during investigation-time enrichment
* WIP: Enrichment rows are rendered on the alerts summary
There are lots of TODOs here, but this implements the following:
* Fetching investigation-time enrichments from the backend
* Parsing existing enrichments from timeline data
* Merging the two enrichment types together, and rendering them in rows
as specified
Much of the data-fetching is hardcoded, and this broke the existing
pattern with SummaryView/SummaryRow so that got a little messy; I may
end up just using my own EuiTable but we'll see.
Threat Intel tab is currently broken; that's up next.
* Updates ThreatDetailsView to accept an array of enrichments
The investigation-time enrichments are a little messy because they
contain all the non-ECS fields that indicators contain; other than that,
this is looking good.
Still need to add the new header, and potentially sort the fields.
* Sort our details fields
This promotes sanity for the user.
* Add "view threat intel data" button
This simply opens the threat intel tab.
* Implement header for threat details sections
* Add a basic jest "unit" test around ThreatSummaryView
* Fix remaining tests for components we modified
This also addresses a bug where we were not properly sorting new
enrichments by first_seen; this is covered under the tests that were
fixed.
* Filter out duplicate investigation-time enrichments
Because the enrichment endpoint is dumb and doesn't know about the
existing event or its enrichments, we need to merge these together on
the client to reduce noise and redundant data.
* Add inspect button to investigation enrichments
* Massages the response into the format that the inspect component uses
* Moves stateful fetching of query and persisting in redux to new, more
specialized hook
* Moves existing enrichment hook to a more suitable location in
containers/
* Fix failing unit tests
* indicator match rule now specifies `matched.type` as coming from the
rule
* Inspecting the enrichment query requires use of the redux store, which
was not previously mocked
* Fix existing CTI cypress tests
This covers the basics of the Alert Summary and Threat Intel tabs; the
investigation-time enrichment functionality is up next.
* Adds a cypress test exercising investigation time enrichment
* Loads more indicators (filebeat data, `threat_indicator2` archive)
AFTER the rule has executed
* Asserts that those indicators are also found on the alert summary.
* Populate event enrichment call with actual alert fields
This was previously hardcoded during development.
* Add a new field to our suspicious event to trigger enrichment
The existing myhash field will generate an alert due to the way the rule
is written, but the alert had no other fields that would match the
investigation time enrichment. This gives it a source.ip, and updates
the indicator to match.
* Only fetch enrichments data if there are valid event fields
If none of the alert's fields would be relevant to the enrichment query,
then we don't make the request at all.
* Update enrichments matched.typed in integration tests
This field was updated to reflect the source of the match, in this case:
indicator match rules.
* Ensure draggable fields are unique in a multi-match scenario
If a given field matched multiple indicators, then the previous
contextId was not unique as it was based on field/value that matched.
Adding provider to the mix would fix it, except that we're not
guaranteed to have a provider.
I've added both provider (if present) and an index value to the key to
ensure that it's unique.
* Simplify types
This field can never be null, as we always set it in our response.
* Move helper functions out of shared location and into consuming component
These are unlikely to be used elsewhere.
* Clean up data parsing logic using reduce
This obviates the need for our filter/guard function and the extra loop
that it entails. We have to specify the return value of our reduce fn,
however, but that's mostly equivalent to our type guard.
* Move our general function into a general location
* Extract the concept of "enrichment identifiers"
This was already partially codified with 'buildEnrichmentId,' which is
used to dedup enrichments; this extends the idea to all fields that
could uniquely identify a given indicator.
* Use existing constant as the source of our enrichments query
This is now used by both the overview card and the enrichment query.
* Codify our default enrichment lookback as constants
* Remove unnecessary flexbox
The generic SummaryView component previously had to deal with
multi-valued CTI fields, representing the multiple values coming from
the multiple nested objects with that field.
However, with the new UI we no longer have that constraint, and so the
default columnar style, and the corresponding overriding styles, are no
longer necessary.
* Filter out partial responses in the event enrichment observable
The UI does not currently handle these. We need to test the behavior of
long-running queries with this filter, but this should simplify the
behavior to complete/error until we handle partial responses.
* Display placeholders while event enrichment is loading
Displays a loading spinner in the Threat Intel tab title, and some
loading lines where the enrichments summary is.
* Update our indicator data to be within the last 30 days
This fixes our cypress test, but it's going to start failing again in 30
days. However, by that time I'll have implemented the absolute data
picker, which will allow for a more comprehensive test in addition to us
sidestepping this issue.
* Fix type error with our details tabs
The name prop on a Tab will be rendered as a node, so both strings and
elements are acceptable. This relaxes the types to inherit from the
component itself.
* Fix failing jest tests
The addition of our filtering of the search observable broke this test,
since we now need to implement the search observable.
Rather than do that, we'll instead mock our local hook as that's more
likely to change.
* Update format_number test for APJ timezones
* Switch assertion to optional leading 1
* Allow leading 1 or 2
In EMEA timezones H:mm:ss can return 20:42:17
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* wip: adds clear messages endpoint
* wip: clear messages and index new message for clearing
* remove icon from jobs list on clear
* remove unnecessary comments and fix typo
* ensure clear messages has correct permissions
* use cleaner ml context and add type
* only show clear button with canCreateJob and if warning icon in table
* fix types for job message pane
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [labs] Update Labs Status
* Fix translations
* Supply IntersectionObserver mock
* Set defer fold project to not enabled by default
* Update copy for labs flyout