@benironside
Contributor

Fixes #3720 — documents a new RBAC control that controls access to the Value Report feature in Elastic Security (only available on serverless security and EASE projects for now — planned for Stack v9.3).

Tweaks the value reports page to make it more generic, since previously it was only available on EASE, and it's now available in serverless.

Although in the original ticket @stephmilovic requested that the new RBAC control be documented here, for this draft I opted to document it directly on the Value Reports page, since the security requirements page is more of a high-level page that isn't focused on specific features (other than linking to other requirements pages that are related to specific features). Instead, I suggest we make the in-product link go to the Value Reports page rather than the security requirements page.

Also added the value reports page to another spot in the GenAI for security section — it's still present in the original spot in the EASE subfolder, but now that it's available in serverless too, I wanted to make it more findable.

@benironside benironside self-assigned this Nov 5, 2025
@github-actions
Contributor

github-actions bot commented Nov 5, 2025

@benironside benironside marked this pull request as ready for review November 5, 2025 04:23
@benironside benironside requested review from a team as code owners November 5, 2025 04:23
Contributor

@florent-leborgne florent-leborgne left a comment

Nice one, those sections are so useful. I have a few comments/questions.

Also, could it still make sense to add a list item to this section https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements#security-requirements-overview-feature-specific-requirements? (the page originally linked in the issue)

Comment on lines +24 to +27
```{applies_to}
serverless: preview
stack: preview 9.3
```
Contributor

Nice usage of applies_to. One thing though:

  • "stack" doesn't exist at the page level. Is the feature available there too?
  • This also sounds confusing to me because EASE is a serverless project type and we're in the EASE docs.

Can you look into this? Happy to provide input about what to do once we know more exactly what is available where and what we need to call out (or locate things) exactly.

Contributor Author

@benironside benironside Nov 6, 2025

Good point Florent. This page was initially introduced just for the EASE feature tier of the Serverless Security project type. It's now available in the security analytics complete feature tier of Serverless Security — and also planned for Stack 9.3.

I've added stack: preview 9.3 at the page level. Also, as part of this PR I made it so that this page appears in two places in the ToC:

  • The original place, within the EASE docs (which is a sub-section within the AI docs section)
  • A new place, within the AI docs section but not within the EASE sub-section.
    My thinking here is that this page should still be findable in the EASE docs since it's one of this feature tier's core features, and it should also be findable when a user is just looking at the AI for Security docs, but not EASE specifically.

What do you think?

Contributor Author

Also, to address your comment about possibly linking to this page from this section, I'd recommend against it. The pages in that section are dedicated specifically to requirements — they aren't feature pages with requirements sections, such as the one this PR updates. I think the link would be out of place there.

Contributor

> I think the link would be out of place there.

Fine by me, thanks for explaining!

> I made it so that this page appears in two places in the ToC

I understand your reasoning here but this isn't well supported in our docs system (it creates 2 pages with the same URL, especially in this case where the 2 pages are close in the TOC, could impair linking, etc.). So we must work around this.

Since it's a core feature of EASE security projects, one approach we could take is:

Happy to hear your thoughts on this but I believe we have to find a way to keep only one occurrence of this page, that using snippets wouldn't make sense either here since the entirety of the page makes sense, and that better referencing it from the EASE docs should be sufficient.

Contributor Author

Love this. Implemented it. Thanks!

Contributor Author

I reused much of the content from the EASE value reports page in the Features section. I think it works, but it might be a bit repetitive since the content now appears on both pages. Thoughts?

Contributor

@florent-leborgne florent-leborgne left a comment

I think we're nearly there. Using a snippet will help keep this content single sourced.

@benironside benironside enabled auto-merge (squash) November 12, 2025 19:07
Contributor

@florent-leborgne florent-leborgne left a comment

LGTM! Nice work @benironside 🚢

@benironside benironside merged commit aaaf16e into main Nov 13, 2025
7 of 8 checks passed
@benironside benironside deleted the 3720-value-report branch November 13, 2025 17:33
denar50 added a commit to elastic/kibana that referenced this pull request Dec 2, 2025
## Summary
Issue: elastic/security-team#14504

[A previous PR](#228877)
introduced the EASE Value report and the ability to export it in
serverless. This PR makes the report available in ESS and adds logic to
export it using the share plugin. The ESS export logic is different from
that of serverless because schedule reporting is not available in
Serverless yet (ResponseOps
[plans](elastic/kibana-team#1847) to add
support for it in 9.4).

The reporting is initiated in the client's browser when the user clicks
on the "Export report" button, which becomes available once the report
data and the cost savings trend insight have been fetched and generated
respectively.
The export report button makes a call to the server to generate a PDF
for the report and passes the insight and a hash of the report data as
parameters (aka "forwarded state").

A headless browser is used to navigate to a special route
`/app/reportingRedirect` that looks up the corresponding locator
(in this case, `AIValueReportLocatorDefinition`) which in turn
resolves the URL of the value report (`/app/security/reports/ai_value`)
_and_ the forwarded state to be stored in `history.location.state`.

The value report page reacts to this state being present and renders
itself in "export mode". When the components finish loading, the
headless browser takes screenshots of everything that is contained
within the value report page, which has a `data-shared-items-container`
attribute attached to it.

Notice that we only forward the insight and the hash of the report data
in order to avoid calling an LLM again in the headless browser when the
data itself hasn't changed.

<img width="2766" height="948" alt="image"
src="https://github.com/user-attachments/assets/01fbac58-1450-42e0-a16d-c456e9137878"
/>


## How to test
1. Run ESS locally (Elasticsearch and Kibana). Then log in as an admin
and navigate to the rules management page
(`app/security/rules/management`) to ensure that all indexes are
properly initialized.
2. Use the [Security documents
generator](https://github.com/enriquesanchez-elastic/security-documents-generator)
(fork) to generate 60 days of alert data. By running: `yarn start
generate-alerts -n 10000 -h 100 -u 100 --start-date 60d --end-date now`
3. Run Attack Discovery over the 60 days of data that you generated (see
the video below)


https://github.com/user-attachments/assets/85cdefe8-2fc0-4a9c-ab7c-051ca7188b6f

4. Navigate to the "Value report" page. You can use the link on the left
side, or you can go to `/app/security/reports/ai_value`.

5. Once the report loads, the "Export report" button should be enabled.
Click on it and export it to a PDF. You should see a toast indicating
that the export is ongoing and when it is done you should get a toast
with a "Download report" button. Click on "Download report" and verify
that the downloaded PDF matches the data that you are seeing on the
screen.
Play with it by adjusting the time window in the date picker next to the
Export report button.



https://github.com/user-attachments/assets/e1aea0ad-4b74-4ee3-b329-43181d479328


## Known issues
1. The icons next to these headings are clearer in the PDF and therefore
hard to see
PDF
<img width="2856" height="254" alt="image"
src="https://github.com/user-attachments/assets/849b465b-2efd-4f5d-a907-e5570639e2bd"
/>

Website
<img width="1814" height="166" alt="image"
src="https://github.com/user-attachments/assets/9de8da9d-4779-4495-8477-3803d0a3e8e4"
/>

## Pending
1. Copy adjustments to the value report button
2. Placement of the value report button in the launchpad
3. Update the documentation on the restricted access view. See
elastic/docs-content#3817
4. Follow the instructions after updating the Elastic Assistant prompt.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
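
The commit message above says that only the insight and a hash of the report data are forwarded, so the export-mode render can skip the LLM call when the data is unchanged. A sketch of that check, added here as an illustration and not taken from the Kibana code base: every function and field name, the SHA-256 choice and the sorted-key serialization are assumptions.

```javascript
// Added illustration; all names here are hypothetical, not Kibana's API.
const { createHash } = require('node:crypto');

// Serialize with sorted object keys so equal data always yields equal bytes,
// regardless of the order in which the fields were assembled.
function canonicalize(value) {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(',')}]`;
  if (value !== null && typeof value === 'object') {
    const body = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(value[k])}`);
    return `{${body.join(',')}}`;
  }
  return JSON.stringify(value) ?? 'null';
}

function hashReportData(reportData) {
  return createHash('sha256').update(canonicalize(reportData)).digest('hex');
}

// Client side: the state sent along with the export request.
function buildForwardedState(reportData, insight) {
  return { insight, reportDataHash: hashReportData(reportData) };
}

// Export-mode render: reuse the forwarded insight only when the hash of the
// freshly fetched data matches; otherwise fall back to generating it again.
function resolveInsight(forwardedState, freshReportData, generateInsight) {
  const valid = forwardedState &&
    typeof forwardedState.insight === 'string' &&
    forwardedState.reportDataHash === hashReportData(freshReportData);
  if (valid) return { insight: forwardedState.insight, regenerated: false };
  return { insight: generateInsight(freshReportData), regenerated: true };
}

// Constructed sample data (not real report output).
const sampleData = { alerts: 10000, hosts: 100, users: 100, window: '60d' };
const reordered = { window: '60d', users: 100, hosts: 100, alerts: 10000 };
const changed = { ...sampleData, alerts: 10500 };
let llmCalls = 0;
const fakeLlm = (d) => { llmCalls += 1; return `insight for ${d.alerts} alerts`; };

const state = buildForwardedState(sampleData, 'Cost savings are trending up.');
console.log(resolveInsight(state, reordered, fakeLlm)); // same data, insight reused
console.log(resolveInsight(state, changed, fakeLlm));   // data changed, regenerated
console.log('LLM calls:', llmCalls);
```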
NicholasPeretti pushed a commit to NicholasPeretti/kibana that referenced this pull request Dec 2, 2025
JordanSh pushed a commit to JordanSh/kibana that referenced this pull request Dec 9, 2025
Development

Successfully merging this pull request may close these issues.

[Request] Value Report requirements

4 participants