Skip to content

[8.19] [AI4DSOC] Backport of AI4DSOC alert summary related PRs (#214889)#222074

Merged
PhilippeOberti merged 26 commits intoelastic:8.19from
PhilippeOberti:backport/8.19/pr-214889
Jun 4, 2025

Conversation

@PhilippeOberti
Contributor

@PhilippeOberti PhilippeOberti commented May 30, 2025

Backport

This will backport the following commits from main to 8.19:

@PhilippeOberti PhilippeOberti added the backport This PR is a backport of another PR label May 30, 2025
@PhilippeOberti PhilippeOberti enabled auto-merge (squash) May 30, 2025 15:14
@botelastic botelastic bot added the Team:Fleet Team label for Observability Data Collection Fleet team label May 30, 2025
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@PhilippeOberti PhilippeOberti force-pushed the backport/8.19/pr-214889 branch from 4dd839e to 236e8d7 Compare May 30, 2025 15:22
@PhilippeOberti PhilippeOberti changed the title [8.19] [AI4DSOC] Alert summary page routing and initialization (#214889) [8.19] [AI4DSOC] Backport of all AI4DSOC alert summary related PRs (#214889) May 30, 2025
@PhilippeOberti PhilippeOberti force-pushed the backport/8.19/pr-214889 branch from 388c67c to c9fa298 Compare May 30, 2025 19:41
PhilippeOberti and others added 21 commits June 4, 2025 10:54
## Summary

This PR is setting the foundations for the AI for SOC Alert summary
page. It has very little UI; instead, it focuses on the following:
- add routing for the `alert_summary` page
- fetch the integrations, filter them to only keep the ones related
to AI for SOC, then decide what to render depending on whether some AI for
SOC packages have been installed or not

The PR also makes a small change to the `SecurityRoutePageWrapper`
component, to allow us to redirect to the Security Solution HomePage
instead of the NoPrivilegesPage. While this might not be a long term
solution, it is the easiest path forward. In the future, AI for SOC will
most likely be its own plugin (living outside of Security Solution)
hence this will not be needed anymore.

Here's the basic behavior of the Alert summary page:
- The `Landing page` will be shown if none of the hardcoded AI for SOC
packages are installed (these values are hardcoded as we currently do
not have a way to filter integrations for the AI for SOC ones only):
  - splunk // doesn't yet exist
  - google_secops
  - microsoft_sentinel
  - sentinel_one
  - crowdstrike
- The `Wrapper` component will only be shown if you have at least one of
the above AI for SOC packages installed.

### Very limited UI added in this PR

| Loading integrations | No installed packages | Some installed packages |
| ------------- | ------------- | ------------- |
| ![Screenshot 2025-03-17 at 6 58 45 PM](https://github.com/user-attachments/assets/68089c33-fa40-4201-8b51-3e7236d50d5a) | ![Screenshot 2025-03-17 at 6 59 15 PM](https://github.com/user-attachments/assets/e7e5af2d-bdab-4bef-881e-bb5e512c3545) | ![Screenshot 2025-03-17 at 6 59 40 PM](https://github.com/user-attachments/assets/61b346bb-799f-4a0b-95cb-e3092ea58d37) |

### Notes

We need to remove the section at the top of the page that currently
shows the `Add integrations` button. A follow-up PR will take care of that.
[This](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/app/home/index.tsx#L54)
is where that bar is being added. We will have to find a way to not show
that for the AI for SOC tier.

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

The Alert summary navigation will NOT be shown for the following
Serverless users: `viewer`, `t1_analyst` and `t2_analyst`. For those, the
navigation entry is not present, and navigating to the URL directly will
automatically re-route to the Security home page.

Currently, retrieving the integrations (via the `fleet/epm/packages`
endpoint) is also unauthorized for the following users: `editor`,
`t3_analyst`, `threat_intelligence_analyst`, `rule_author`,
`soc_manager` and `detections_admin`.

This means that the only users that can be currently used to test this
PR are:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Will help close elastic/security-team#11954 as
well as elastic/security-team#11979.

(cherry picked from commit 3605a33)
## Summary

This PR continues the work done in
elastic#214889 and implements the landing
page for the new alert summary page. This landing page should only be
visible by users if none of the AI for SOC integrations have been
installed (more info in [the previous
PR](elastic#214889)).

The landing page consists of 2 main sections:
- the top section with a title and an image
- the bottom section where we list the top 2 AI for SOC integrations -
Splunk and GoogleSecOps - which are clickable and will redirect the
users to the respective integration detail pages, as well as a `View all
integrations` button which will redirect the users to the integrations
page.

![Screenshot 2025-03-19 at 3 37 46 PM](https://github.com/user-attachments/assets/311bb9b9-1bd3-4c7a-bcb9-f929d459aa70)

https://github.com/user-attachments/assets/0d15a65d-7f2e-4e2d-9919-896f5532f08c

Link to mocks:
https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=4408-128249&t=GaxMP8OEZ9Qsjl0R-0

### Notes

- The current image is only temporary and acts as a placeholder while
the UIUX team is creating a gif or video (no ETA on when it will be
available).
- The integration links are subject to change in the future, but that
work is handled by a different team and has not been completed yet

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Contributes to elastic/security-team#11979

(cherry picked from commit 11a512e)
## Summary

This PR continues and finalizes the pre-work done in
elastic#214889. Once this PR is merged,
the actual alert summary page content implementation will begin. We need
a dataView to be created before being able to fetch any data. The
`wrapper.tsx` component creates a dataView.
- While the dataView is being created, a loading skeleton mimicking the
future layout of the alert summary page is rendered.
- If the dataView fails to be correctly created (meaning it comes back
undefined or without an id) we show an error message.
- If the dataView is correctly created, we continue to the alert summary
page (currently just a div)

https://github.com/user-attachments/assets/f1c8f63e-30a0-4186-94b6-f18a18a89218

![Screenshot 2025-03-20 at 12 09 02 AM](https://github.com/user-attachments/assets/8ad6055b-1788-4372-afc1-af33e75cb29a)

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Notes

You'll need to either have some AI for SOC integrations installed, or
more easily you can change the `alert_summary.tsx` line 38 from `if
(installedPackages.length === 0) {` to `if (installedPackages.length >
0) {` to force the wrapper component to render.

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit d46bd47)
## Summary

This PR adds the SiemSearchBar to the alert summary page. The search bar
is pretty basic: it hides the query menu and the filter buttons to the
left of the query input. Instead, the PR builds a new filter button.

That button lists all the sources available. Sources are basically
equivalent to integrations, or their corresponding rules. It is a
friendly UI name to abstract the concept of a rule.
In the AI for SOC effort, each integration is bundled with a single
rule. This means that deselecting a source from the Source filter button
is equivalent to adding a filter to the search bar to exclude all alerts
with the `kibana.alert.rule.name` property having the value of that
integration.

### Example:
There are the following 2 integrations installed:
```typescript
[
  {
    id: 'splunk',
    name: 'splunk',
    status: installationStatuses.Installed,
    title: 'Splunk',
    version: '',
  },
  {
    id: 'google_secops',
    name: 'google_secops',
    status: installationStatuses.Installed,
    title: 'Google SecOps',
    version: '',
  },
]
```

This means that - in theory - there are the following 2 rules installed
and running:
```typescript
[
  {
    related_integrations: [{ package: 'splunk' }],
    name: 'Splunk Rule',
  },
  {
    related_integrations: [{ package: 'google_secops' }],
    name: 'Google SecOps Rule',
  },
]
```

In this case, the `Sources` button would show 2 entries, as follows:
```typescript
[
  {
    checked: 'on',
    key: 'Splunk Rule',
    label: 'Splunk',
  },
  {
    checked: 'on',
    key: 'Google SecOps Rule',
    label: 'Google SecOps',
  },
]
```

By default, the `checked` property should be set to `on`. It would be
`off` if a filter for the corresponding `label` existed.

https://github.com/user-attachments/assets/059815d2-9181-4bf1-bd78-e0e5bfa7439d

https://github.com/user-attachments/assets/126606c7-b4e0-4d0b-82c1-b531c6490de3

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

And this to generate data: `yarn test:generate:serverless-dev`

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Notes

You'll need to either have some AI for SOC integrations installed, or
more easily you can:
- change the `alert_summary.tsx` line `38` from `if
(installedPackages.length === 0) {` to `if (installedPackages.length >
0) {` to force the wrapper component to render
- update line `42` of the same `alert_summary.tsx` file from `return <Wrapper
packages={installedPackages} />;` to `return <Wrapper
packages={availablePackages} />;` to be able to see some packages
- comment out the if condition on line `66` of the `use_integrations.ts`
file to make sure that values are added even if there is no
`matchingRule`
- replace `const ruleName = changedOption.key;` with `const ruleName =
changedOption.label;` on line `78` of the
`integrations_filter_button.tsx` file

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### Links

Ticket elastic/security-team#11956
Mocks
https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=3284-70999&m=dev

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

(cherry picked from commit 27bc009)
## Summary

This PR adds the KPI charts section to the alert summary page. The 3
charts are similar to the ones in the alerts page, but there are some
subtle differences, which led to one of them being a separate
component, while for the other 2 I was able to reuse the existing components
and just add a property to handle the different logic.

Here are the differences:
- in the AI for SOC we do not (currently) have cell actions, so a
property was added to the charts to be able to hide the cell actions
entirely
- the title of the right chart as well as the fact that it does not have
a dropdown to select the field to group the alerts by meant that a new
component (still using existing child components) was created

![Screenshot 2025-03-26 at 3 02 33 PM](https://github.com/user-attachments/assets/337b3ab4-29c3-40cd-8710-3f5c04898dd7)

The charts react to changes to the KQL bar:

https://github.com/user-attachments/assets/ed0e8f14-ba66-46ae-94df-6c8064c7a648

### Notes

Compared to the mocks (link at the end of the PR description), it was
decided to not add the icons to the left of the text for the middle and
right chart of the KPI section. These might be added in the future, but
there is some complexity related to fetching them (especially for the
alert by host) and more thoughts need to be had to make sure we're
handling all the possible cases.

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

And this to generate data: `yarn test:generate:serverless-dev`

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Notes

You'll need to either have some AI for SOC integrations installed, or
more easily you can:
- change the `alert_summary.tsx` line `38` from `if
(installedPackages.length === 0) {` to `if (installedPackages.length >
0) {` to force the wrapper component to render
- update line `42` of the same `alert_summary.tsx` file from `return <Wrapper
packages={installedPackages} />;` to `return <Wrapper
packages={availablePackages} />;` to be able to see some packages

### Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Mocks:
https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=3284-70999&m=dev
Ticket: elastic/security-team#11958

(cherry picked from commit 5b7d5ab)
## Summary

This PR adds the integration section at the top of the alert summary
page. This section shows the installed AI for SOC integrations and an
`Add integration` button. Clicking on the button navigates to the
Fleet page.
In each integration card, we show the integration name, its logo as well
as the last activity time. This last activity value is retrieved as
follows:
- fetch all dataStreams (see [this api
documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-fleet-data-streams))
- find all the dataStreams that are related to the installed
integrations (via the `package` property)
- from all the matching dataStreams, take the most recently updated (via
the `last_activity_ms` value)

![Screenshot 2025-03-20 at 3 53 35 PM](https://github.com/user-attachments/assets/32d6ac14-e0fc-4428-8dac-8df76e6b06be)

https://github.com/user-attachments/assets/7c67e629-e4d3-4ba2-b756-b9ba81e7a667

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Notes

You'll need to either have some AI for SOC integrations installed, or
more easily you can:
- change the `alert_summary.tsx` line `38` from `if
(installedPackages.length === 0) {` to `if (installedPackages.length >
0) {` to force the wrapper component to render
- update line `42` of the same `alert_summary.tsx` file from `return <Wrapper
packages={installedPackages} />;` to `return <Wrapper
packages={availablePackages} />;` to be able to see some packages

You'll also need dataStreams if you want to be able to test the last activity
value. The easiest would probably be to mock the call's return value following
[the
documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-get-fleet-data-streams).

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

elastic/security-team#11955
(cherry picked from commit 59c8d19)
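
The last-activity lookup described in the summary above, as an added example in TypeScript that is not the PR's or Kibana's own code. The `package` and `last_activity_ms` fields are the ones the description names; the type names, the relative-time formatting and the sample data streams below are assumptions constructed for this example, not a real Fleet API response.

```typescript
// Added example, not Kibana's own code: computes the "last activity" value
// shown on each integration card from the Fleet data streams list.
// `package` and `last_activity_ms` come from the PR description; everything
// else (types, formatting, sample data) is an assumption made for this example.

interface DataStream {
  dataset: string;
  package: string;          // package the stream belongs to, e.g. 'splunk'
  last_activity_ms: number; // epoch millis of the most recent document
}

interface InstalledPackage {
  name: string;  // package id, e.g. 'google_secops'
  title: string; // display title, e.g. 'Google SecOps'
}

// Most recent activity timestamp per installed package. A package with no
// matching data stream maps to undefined so the card can render a
// "no data yet" state instead of a bogus timestamp; streams from packages
// that are not installed AI for SOC integrations are ignored.
export function lastActivityByPackage(
  dataStreams: DataStream[],
  installed: InstalledPackage[]
): Map<string, number | undefined> {
  const latest = new Map<string, number | undefined>();
  for (const pkg of installed) latest.set(pkg.name, undefined);
  for (const ds of dataStreams) {
    if (!latest.has(ds.package)) continue;
    const current = latest.get(ds.package);
    if (current === undefined || ds.last_activity_ms > current) {
      latest.set(ds.package, ds.last_activity_ms);
    }
  }
  return latest;
}

// Human readable relative time for the card, relative to `now` (epoch millis).
export function formatLastActivity(lastMs: number | undefined, now: number): string {
  if (lastMs === undefined) return 'No data received yet';
  const minutes = Math.floor((now - lastMs) / 60000);
  if (minutes < 1) return 'Just now';
  if (minutes < 60) return `${minutes} min ago`;
  const hours = Math.floor(minutes / 60);
  if (hours < 24) return `${hours} h ago`;
  return `${Math.floor(hours / 24)} d ago`;
}

// Constructed sample data (not a real API response).
export const sampleInstalled: InstalledPackage[] = [
  { name: 'splunk', title: 'Splunk' },
  { name: 'google_secops', title: 'Google SecOps' },
];

export const sampleDataStreams: DataStream[] = [
  { dataset: 'splunk.alert', package: 'splunk', last_activity_ms: 1700000000000 },
  { dataset: 'splunk.notable', package: 'splunk', last_activity_ms: 1700003600000 },
  { dataset: 'system.syslog', package: 'system', last_activity_ms: 1700007200000 }, // not AI for SOC
];

// Label to show on each card, keyed by the integration title.
export function cardLabels(now: number): Record<string, string> {
  const latest = lastActivityByPackage(sampleDataStreams, sampleInstalled);
  const labels: Record<string, string> = {};
  for (const pkg of sampleInstalled) {
    labels[pkg.title] = formatLastActivity(latest.get(pkg.name), now);
  }
  return labels;
}
```

With the sample data, `cardLabels(1700009000000)` yields `1 h ago` for Splunk (the newer of its two streams) and `No data received yet` for Google SecOps, which has no stream; the `system` stream is ignored even though it is the most recent.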
## Summary

This PR fixes an issue with the logic implemented in [this previous
PR](elastic#215586):
_In the AI for SOC effort, each integration is bundled with a single
rule. This means that deselecting a source from the Source filter button
is equivalent to adding a filter to the search bar to exclude all alerts
with the kibana.alert.rule.name property having the value of that
integration._

The problem with the previous logic above is the value in the
`kibana.alert.rule.name` field can be overridden (see `Rule name
override
[here](https://www.elastic.co/guide/en/security/current/rules-ui-create.html)).
Therefore filtering alerts by this value does not guarantee that all the
alerts generated by the rule will be correctly filtered out.

The new logic uses the `rule.id` instead of the `rule.name`, which we
then use to filter using the `signal.rule.id` field instead of
`kibana.alert.rule.name`.

### Example:

There are the following 2 integrations installed:
```typescript
[
  {
    id: 'splunk',
    name: 'splunk',
    status: installationStatuses.Installed,
    title: 'Splunk',
    version: '',
  },
  {
    id: 'google_secops',
    name: 'google_secops',
    status: installationStatuses.Installed,
    title: 'Google SecOps',
    version: '',
  },
]
```

This means that - in theory - there are the following 2 rules installed
and running:
```typescript
[
  {
    related_integrations: [{ package: 'splunk' }],
    id: 'splunk_rule_id',
  },
  {
    related_integrations: [{ package: 'google_secops' }],
    id: 'google_secops_rule_id',
  },
]
```

In this case, the `Sources` button would show 2 entries, as follows:
```typescript
[
  {
    checked: 'on',
    key: 'splunk_rule_id',
    label: 'Splunk',
  },
  {
    checked: 'on',
    key: 'google_secops_rule_id',
    label: 'Google SecOps',
  },
]
```

This PR also fixes a small miss in [the prior
PR](elastic#215585) that implemented the
KPI section, where I had forgotten to pass the KQL filters to the
charts.

#### Before

https://github.com/user-attachments/assets/77e583c6-718f-46d9-96b4-42ee9976161b

#### After

https://github.com/user-attachments/assets/50e8e541-5798-4906-b7cc-4f9756dbdefc

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

### Notes

- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`)
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

elastic/security-team#11956
(cherry picked from commit 2ed4266)
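
The rule-name versus rule-id filtering described in the two summaries above (the `Sources` button introduced with the search bar, and the fix in this commit), as an added example in TypeScript that is not the PR's or Kibana's own code. Only `related_integrations`, `signal.rule.id` and `kibana.alert.rule.name` come from the descriptions; the filter shape, the function names and the sample alerts (including one whose rule name was overridden) are assumptions constructed for this example.

```typescript
// Added example, not Kibana's own code: builds the "Sources" filter-button
// options from the installed AI for SOC packages and their bundled rules, and
// builds the exclusion filter on the rule id (`signal.rule.id`) instead of the
// rule name. Only `related_integrations`, `signal.rule.id` and
// `kibana.alert.rule.name` come from the PR; the other type and field names
// and all sample data are assumptions made for this example.

interface InstalledPackage { name: string; title: string }

interface Rule {
  id: string;
  related_integrations: Array<{ package: string }>;
}

interface SourceOption {
  checked: 'on' | 'off';
  key: string;   // rule id, used to filter
  label: string; // package title, used for display
}

// Minimal shape of a (possibly negated) phrase filter in the search bar.
interface PhraseFilter {
  meta: { negate: boolean; key: string };
  query: { match_phrase: Record<string, string> };
}

type Alert = Record<string, string>;

const RULE_ID_FIELD = 'signal.rule.id';
const RULE_NAME_FIELD = 'kibana.alert.rule.name';

export function buildSourceOptions(
  packages: InstalledPackage[],
  rules: Rule[],
  activeFilters: PhraseFilter[]
): SourceOption[] {
  // Rule ids already excluded by a negated filter in the search bar -> 'off'.
  const excluded = new Set(
    activeFilters
      .filter((f) => f.meta.negate && f.meta.key === RULE_ID_FIELD)
      .map((f) => f.query.match_phrase[RULE_ID_FIELD])
  );
  const options: SourceOption[] = [];
  for (const pkg of packages) {
    // Each AI for SOC integration is bundled with a single rule.
    const rule = rules.find((r) => r.related_integrations.some((ri) => ri.package === pkg.name));
    if (!rule) continue; // no bundled rule: nothing to filter on
    options.push({ checked: excluded.has(rule.id) ? 'off' : 'on', key: rule.id, label: pkg.title });
  }
  return options;
}

// Deselecting a source adds a negated filter on the rule id, not the name.
export function excludeSource(option: SourceOption): PhraseFilter {
  return {
    meta: { negate: true, key: RULE_ID_FIELD },
    query: { match_phrase: { [RULE_ID_FIELD]: option.key } },
  };
}

// Applies phrase filters the way the alerts query would: an alert survives if
// every negated filter fails to match it and every positive filter matches it.
export function applyFilters(alerts: Alert[], filters: PhraseFilter[]): Alert[] {
  return alerts.filter((a) =>
    filters.every((f) => {
      const matches = a[f.meta.key] === f.query.match_phrase[f.meta.key];
      return f.meta.negate ? !matches : matches;
    })
  );
}

// Constructed sample data. The second Splunk alert carries an overridden rule
// name (the "Rule name override" setting), which is the case the fix addresses.
export const samplePackages: InstalledPackage[] = [
  { name: 'splunk', title: 'Splunk' },
  { name: 'google_secops', title: 'Google SecOps' },
];
export const sampleRules: Rule[] = [
  { id: 'splunk_rule_id', related_integrations: [{ package: 'splunk' }] },
  { id: 'google_secops_rule_id', related_integrations: [{ package: 'google_secops' }] },
];
export const sampleAlerts: Alert[] = [
  { [RULE_ID_FIELD]: 'splunk_rule_id', [RULE_NAME_FIELD]: 'Splunk Rule' },
  { [RULE_ID_FIELD]: 'splunk_rule_id', [RULE_NAME_FIELD]: 'Suspicious login (overridden name)' },
  { [RULE_ID_FIELD]: 'google_secops_rule_id', [RULE_NAME_FIELD]: 'Google SecOps Rule' },
];

// Old logic: exclude by rule name. The alert with the overridden name slips through.
export function remainingAfterNameExclusion(): number {
  const byName: PhraseFilter = {
    meta: { negate: true, key: RULE_NAME_FIELD },
    query: { match_phrase: { [RULE_NAME_FIELD]: 'Splunk Rule' } },
  };
  return applyFilters(sampleAlerts, [byName]).length;
}

// New logic: exclude by rule id. Both Splunk alerts are removed.
export function remainingAfterIdExclusion(): number {
  const options = buildSourceOptions(samplePackages, sampleRules, []);
  const splunk = options.find((o) => o.label === 'Splunk');
  if (!splunk) throw new Error('expected a Splunk source option');
  return applyFilters(sampleAlerts, [excludeSource(splunk)]).length;
}
```

Deselecting Splunk leaves 2 of the 3 sample alerts under the name-based filter and 1 under the id-based filter; the id is what the rule stamps on every alert it generates, whereas the name is a per-alert value that a rule's name override can replace.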
## Summary

This PR adds the foundation for the table in the AI for SOC alerts
summary page.
These changes implement a new usage of the GroupedAlertTable component.
These are the functionalities implemented in this PR:
- default 3 options when opening the `Group alerts by` dropdown:
  - Integration: grouping by `signal.rule.id` field
  - Severity: grouping by `kibana.alert.severity`
  - Rule name: grouping by `kibana.alert.rule.name`
- we have a custom group title renderer:
  - for the group by Integration, we render the icon and the name of the
integration if found, or we fall back to the `signal.rule.id` value
  - for the others we use the same code as the default GroupedAlertTable
- we have custom group statistics:
  - for Integration we show severities, rules and alerts
  - for Severity we show integrations, rules and alerts
  - for Rules we show integrations, severities and alerts
  - for everything else we show integrations, severities, rules and alerts

#### Here a video showing default grouping on the alert summary page

https://github.com/user-attachments/assets/43694969-8b43-4451-8f51-00622178ddf5

#### And another one showing custom fields and page refresh

https://github.com/user-attachments/assets/7b8d1047-4704-4149-a481-19721a381154

## Notes

Follow PRs will tackle custom column titles, cell renderers, row
actions... for the table (wip
[here](elastic#217124)).

Mocks for reference:
https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=3284-69401&p=f&m=dev

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`)
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

elastic/security-team#11973
(cherry picked from commit 579dbae)
## Summary

This PR is a follow up of [this previous
one](elastic#216744) which was adding the
foundation for the alerts table on the AI for SOC alert summary page.
It focuses on adding the necessary boilerplate code for the alert
summary flyout implementation:
- add the row action cell component that displays the open flyout icon
as well as the logic to open the flyout
- add the boilerplate files for the new `ai_for_soc` panel
- make necessary changes to a few components within the
`document_details` folder that will be used in both flyouts
- implement the header for the flyout
- make sure the flyout history works with this new panel

https://github.com/user-attachments/assets/738268f5-795f-40c4-90d5-6b14f7d4de36

The alerts page alert details flyout remains unchanged, except for the
severity value at the very top, which is now displayed as an `EuiBadge`
instead of an `EuiHealth`. This guarantees consistency with the design
of the new AI for SOC flyout:
![Screenshot 2025-04-10 at 9 38 59 AM](https://github.com/user-attachments/assets/4b83280e-8cdb-4a01-8bc5-0fda3f735645)

## Notes

Follow PRs will tackle custom column titles, cell renderers, row
actions... for the table (wip
[here](elastic#217124)).

Mocks for reference:
https://www.figma.com/design/DYs7j4GQdAhg7aWTLI4R69/AI4DSOC?node-id=3284-69401&p=f&m=dev

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`) => to do that you'll need to temporarily comment out the
`serverless.security.dev.yaml` config changes as the rules page is not
accessible in AI for SOC.
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

elastic/security-team#11973
(cherry picked from commit 5080c5f)

# Conflicts:
#	x-pack/solutions/security/plugins/security_solution/public/flyout/index.tsx
…7696)

## Summary

This PR adds some alert actions to the AI for SOC alert summary page:
- table row action via a more actions icon button, to allow users to add
the alert to a new case, an existing case, or to apply tags to the
current alert
- a take action in the footer of the flyout, to allow the user to
perform the same actions

Table row actions:

https://github.com/user-attachments/assets/a5991ec0-a1c1-4c8f-821a-5adedd3d68a7

Flyout footer actions:

https://github.com/user-attachments/assets/f5d853d3-8b5e-47f8-ba30-33cdf440651b

### Notes

The code is extremely similar between the 2 components added in this PR.
The difference between the 2 is the type of button that is used to open
the popover.
I debated 2 other approaches, but was not happy with either:
- create a hook that would return the items and panels for cases and
tags, then use that hook to limit the amount of duplicated code in both
components. I decided against this as I hate having hooks that return
components (in this case `EuiContextMenuItems`...)
- create a shared component that would do the logic and have some props
to conditionally decide how the button is being displayed. Here also, I
decided against this approach because I feel like components that allow
these sort of UI customization quickly end up hard to maintain, because
we want to change the text, then the color of the button, then the type
of icon...

If you feel strongly about the choice I made here, let me know and I'll
reconsider the approach! 😄

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`) => to do that you'll need to temporarily comment out the
`serverless.security.dev.yaml` config changes as the rules page is not
accessible in AI for SOC.
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

elastic/security-team#11973
(cherry picked from commit e09548e)
## Summary

This PR builds on the previous [table setup
PR](elastic#216744) and adds custom cell
renderers for the alert summary table:
- we show the package's icon for the Integration column (pointing to the
`kibana.alert.rule.parameters` field)
- we show an EuiBadge for the severity column (pointing to the
`kibana.alert.severity` field)

All the other fields remain unchanged.

| Before  | After |
| ------------- | ------------- |
| ![Screenshot 2025-04-15 at 3 01
01 PM](https://github.com/user-attachments/assets/047c7fd1-3da2-40fd-a0f4-792177454c00)
| ![Screenshot 2025-04-15 at 2 59
20 PM](https://github.com/user-attachments/assets/643510a7-5f12-4084-8101-4f027ea04099)
|

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

elastic/security-team#11973

(cherry picked from commit 7160b36)
## Summary

This PR builds on the previous
elastic#216744 and adds the AI assistant in 2
places in the AI for SOC alert summary page:
- in each row of the alert table as a row action
- in the footer of the alert details flyout

https://github.com/user-attachments/assets/65fb10f1-c22b-4796-9109-3b7dbdba6313

To keep consistency between the alert summary and the alerts page, this
PR also removes the Chat icon button in the header of the alert details
flyout and adds a `Ask AI Assistant` button in the footer.

| Before  | After |
| ------------- | ------------- |
| ![Screenshot 2025-04-15 at 11 54
36 PM](https://github.com/user-attachments/assets/b6039081-d5b8-4bf7-ada1-af3844e17bad)
| ![Screenshot 2025-04-15 at 11 54
09 PM](https://github.com/user-attachments/assets/6833a89c-931e-4eb3-be93-4fc1e2ed96e2)
|

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`)
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

elastic/security-team#11973
(cherry picked from commit add6e30)
## Summary

This PR applies some performance improvements to the newly created Alert
summary page (for AI for SOC).

Here are the multiple changes:
- instead of fetching all rules in multiple places (components and
hooks), we're now fetching all rules in the most top level
`alert_summary.tsx` pages component. We're then passing the result down
via props to the children components. Though some of the components
inside the `alerts_table` component for example cannot be passed via
props, so we're leveraging the `additionalContext` property to pass down
rules information. Also, for the components working within the
`grouping_alerts_table`, we had to wrap the whole component with a local
context.
- similarly, the packages were already fetched in the very top
`alert_summary.tsx` pages component and were passed via props to the
children components, but we applied the same logic for the
`alerts_table` and the `grouping_alerts_table` components.

The PR also improves the `integration_icon.tsx` component to make it
more generic, and reused in all places to avoid the previous code
duplication.

**No UI or behavior changes are introduced!**

https://github.com/user-attachments/assets/1fc1b6d0-290c-4b8e-b3e1-6ccb82f4f82b

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`)
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 112eab3)

# Conflicts:
#	x-pack/solutions/security/plugins/security_solution/public/detections/components/alert_summary/table/render_cell.test.tsx
#	x-pack/solutions/security/plugins/security_solution/public/detections/components/alert_summary/table/table_section.tsx
…ts table (elastic#218736)

## Summary

While testing, we realized that the Attack Discovery alerts tab was
showing the `DetectionEngineAlertsTable`, even in the AI4DSOC tier.
This PR updates the logic to show the correct alerts table depending on
the tier:
- AI4DSOC will show the same table as the Alert summary page
- the other tiers will continue showing the same table as the Alerts
page (`DetectionEngineAlertsTable`)

Switching the table allows us to tackle at once all the other related
issues:
- wrong flyout was being shown
- too many actions were being shown
- wrong default columns, and wrong cell renderers

### Notes

The approach is not ideal. We shouldn't have to check for the following
```typescript
const AIForSOC = capabilities[SECURITY_FEATURE_ID].configurations;
```
in the code, but because of time constraints, this was the best
approach.
[A ticket](elastic#218731) has been
opened to make sure we come back to this and implement the check the
correct way later.

Current (wrong) behavior

https://github.com/user-attachments/assets/c41a25f1-ae9a-4bbf-9c02-9b1054f3a0e3

New behavior

https://github.com/user-attachments/assets/0eb20a2f-ba00-42c0-9353-7ac788c9bea0

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Relates to elastic/security-team#11973

(cherry picked from commit c8cbe87)
…lastic#218742)

## Summary

While testing, we realized that the Cases alerts tab was showing the
`DetectionEngineAlertsTable` and the normal alert details flyout, even
in the AI4DSOC tier. This PR updates the logic to show the correct
alerts table and the correct alert details flyout depending on the tier:
- AI4DSOC will show the same table and flyout as the ones shown in the
Alert summary page
- the other tiers will continue showing the same table and flyout we
show today under the Alerts page or any other pages
(`DetectionEngineAlertsTable`)

Switching the table allows us to tackle at once all the other related
issues:
- wrong flyout was being shown
- too many row actions were being shown
- wrong default columns, and wrong cell renderers

### Notes

The approach is not ideal. We shouldn't have to check for the following
```typescript
const AIForSOC = capabilities[SECURITY_FEATURE_ID].configurations;
```
in the code, but because of time constraints, this was the best
approach.
[A ticket](elastic#218741) has been
opened to make sure we come back to this and implement the check the
correct way later.

Current (wrong) behavior

https://github.com/user-attachments/assets/5d769f45-26d9-4631-af95-de38b0797ff9

New behavior

https://github.com/user-attachments/assets/1f9a2e4d-50b7-40e6-8efa-1a0cfdbf5c9a

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Relates to elastic/security-team#11973

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 9a66ec9)
… card (elastic#218868)

## Summary

This PR fixes a small UI issue with the AI4DSOC alert summary landing page.
Originally added via [this
PR](elastic#215246), some of that logic
was changed in [this more recent
PR](elastic#218632), where the
`IntegrationIcon` logic was extracted into a reusable component,
packaged with an `EuiSkeletonText` component, which somehow breaks the
`inlineMargingEnd` value applied to the icon...

This PR fixes the spacing issue now seen on the integration card.

| Before | After |
| ------------- | ------------- |
| ![Screenshot 2025-04-22 at 12 42
54 PM](https://github.com/user-attachments/assets/402af5e9-69ef-46db-9d53-faf8d617a307)
| ![Screenshot 2025-04-22 at 12 38
19 PM](https://github.com/user-attachments/assets/3c290f46-8c79-424c-b478-e55736917429)
|

(cherry picked from commit 0a4268c)
…nanceWindow capability (elastic#218999)

## Summary

This PR fixes an issue with the ResponseOps alerts table not handling
the `maintenanceWindow` capability being `undefined`. In the AI4DSOC
effort, [we recently
disabled](elastic#214586) the
`maintenanceWindow` capability, which caused the
`useBulkGetMaintenanceWindowsQuery` hook to crash.

Current behavior

https://github.com/user-attachments/assets/8ab8c97f-04a0-45cb-95e7-cc9114e87190

Fixed behavior

https://github.com/user-attachments/assets/0749bda3-7838-47b7-a65b-5c9b6a92a245

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

relates to elastic/security-team#11973

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
(cherry picked from commit 23ad755)
## Summary

This PR fixes the links to the integrations page, introduced in [this
PR](elastic#215246) and [that
one](elastic#215266). At the time of the
previous PRs, the new AI4DSOC integration page had not been created, so
we were using the link to the normal integrations page. [This recent
PR](elastic#217905) added the new page,
so we need to update those links.

From the landing page

https://github.com/user-attachments/assets/907c12be-84dc-4bbd-a161-c8b16e2ecdba

From the alert summary page

https://github.com/user-attachments/assets/c25be7b3-f7ef-4e5f-8948-40def6a8d026

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`)
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63)
to `r.name === p.name` to make sure there will be matches between
integrations and rules

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Relates to elastic/security-team#11955

(cherry picked from commit 10cfa31)
…y page (elastic#219033)

## Summary

This PR disables the cell actions and the preview links on the Attack
discovery page for the AI4DSOC (searchLakeAI tier) effort.
For the first phase of AI4DSOC (at least for now) we do not have the
host, user, network... flyouts available, as the interactions between
those flyouts and the normal alert detail flyout are many.
Also, having the cell actions to filter in/out, for example, doesn't really
make sense at this time, as the other pages do not listen to these. It
would be confusing to the user to try to click on elements without any
actual actions being performed.

Before fix

https://github.com/user-attachments/assets/46be2f69-ad10-43a8-8c6b-7b56e231cf0b

After fix

https://github.com/user-attachments/assets/aeda65c1-f762-4696-b2fb-5837c6f06c54

## TODO

If the approach looks good to the @elastic/security-generative-ai team,
the following items need to be done before merging:
- [ ] write unit tests
- [ ] create a ticket for the techdebt and link it in the code

### Checklist

- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit a1b749a)
…table (elastic#219126)

## Summary

This PR improves the AI4DSOC alert summary table cell renderers by
rendering datetime type fields correctly. That way we have datetime
fields rendered the same way the alerts page alerts table does.

The code uses the `schema` field to know when a field needs to be
rendered accordingly. This field is provided by the EuiDataGrid.

Previous behavior

![Screenshot 2025-04-24 at 10 34
57 AM](https://github.com/user-attachments/assets/151f2b34-109e-4841-bba4-7630b7b53292)

New behavior

![Screenshot 2025-04-24 at 9 32
53 AM](https://github.com/user-attachments/assets/c06459b3-ee3e-42bf-8e69-252749830b82)

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

relates to elastic/security-team#11973

(cherry picked from commit e014955)
elastic#219141)

## Summary

During testing we discovered an issue related to the Assistant icon
displayed in the AI4DSOC alert summary page table.

The issue is related to the fact that the alert registers its context
with the assistant. When the assistant flyout is opened from the `Ask AI
assistant` button in the alert flyout, we have one flyout which means
one alert in the assistant. But with the Assistant icon shown on each
row of the table, we need to register context for each alert. That means
that x alert buttons equals to x alerts in the assistant.
This is how it translates in the UI:

![Screenshot 2025-04-24 at 12 54
50 PM](https://github.com/user-attachments/assets/d59b1cdd-ceef-499c-ba8c-55af38ea6bac)

Redesigning how the assistant context works is very involved and too
risky to do at such a late time.

This PR removes the Assistant button from the row actions, which solves
the issue:

https://github.com/user-attachments/assets/0fd94cc1-4fbd-4e70-9790-22e4913477ff

Also, @stephmilovic noticed that when the assistant is opened from a
different launch point than the suggested prompt, and the suggested
prompt is still in the DOM, its prompt context shows up empty:
<img width="600" alt="Screenshot 2025-04-24 at 11 41 23 AM"
src="https://github.com/user-attachments/assets/0ceb3ffc-72e5-425c-b550-9b8d5896f359"
/>
She resolved this by adding a check in the ContextPills component for
`description.length > 0`. This would be resolved by the on click issue,
so might be worth coming back to.
This change is visible in the second commit and stolen from [this
PR](elastic#219144).

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

relates to elastic/security-team#11973

(cherry picked from commit cc98975)
## Summary

This PR adds bulk actions to the Alert summary table:
- apply alert tags
- add to new case
- add to existing case

Apply alert tags

https://github.com/user-attachments/assets/e27d40b0-f60e-498b-8845-a5d014117398

Add to new case

https://github.com/user-attachments/assets/9d714948-6123-4e24-ae25-fe504b836aed

Add to existing case

https://github.com/user-attachments/assets/ec51c3e6-3bb9-45e5-a66a-812f67873e98

### TODO

- [x] not mandatory for this PR (as the conference is next week) but I'm
trying to figure out the best and simplest way to refresh the table after
performing bulk actions (done in second
[commit](elastic@f71ac3c)!!)

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

relates to elastic/security-team#11973

(cherry picked from commit ee44e35)
…tack discovery and Cases pages in AI4DSOC (elastic#219410)

## Summary

This PR fixes an issue with the `apply alert tags` functionality. This
[setAlertTags](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/common/components/toolbar/bulk_actions/use_set_alert_tags.tsx)
hook introduced in [this
PR](elastic#157786) was making use of a
`useRef` and a `useCallback`, which led to the table having a `null`
reference when it was expecting a `function`.

This meant that for parent table components that were written
efficiently (meaning that they do not render too many times), the set alert
tags bulk action was just plain not working. As can be seen in the
following video:

https://github.com/user-attachments/assets/50545677-d7a7-4d45-828e-89bdd7b2de34

And this is with the fix in this PR

https://github.com/user-attachments/assets/b1f07e55-43bb-4d01-bfd9-3b0dd23e30cc

The PR also makes 2 very small adjustments to the AI4DSOC alerts table
in the Cases and Attack discovery pages, to make sure that the table
refreshes after applying alert tags.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 6f4d780)
@PhilippeOberti PhilippeOberti force-pushed the backport/8.19/pr-214889 branch from c9fa298 to e9cb7fc Compare June 4, 2025 16:25
…egrations (elastic#219430)

## Summary

This PR makes a small change to the logic originally introduced in
[this PR](elastic#216744). Previously we
were expecting the rule to have its name be identical to the name of
the integration it would be installed along with. This was a bad
assumption. Instead we should look at the `related_integrations` field
of the rule and check that it has the package (integration) name that we
expect.

This is a more robust solution, and this logic is actually already being
used in [this other
hook](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L75),
so it seems that it was an oversight on my end...

If the rule name is not identical, the UI falls back to rendering the id
of the rule
![Screenshot 2025-04-28 at 11 28
27 AM](https://github.com/user-attachments/assets/2d99cf37-b648-466a-aa9e-97132b0a8c59)

But with this change, this is how the UI will look
![Screenshot 2025-04-28 at 10 54
22 AM](https://github.com/user-attachments/assets/7bb1f77d-0c83-4fae-9ce2-0a082ebb5ac1)

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Relates to elastic/security-team#11973

(cherry picked from commit 07be70d)
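As an added example (not Kibana's or this PR's own code) of the matching change described in the commit above, here is the old rule-name equality check beside the `related_integrations` lookup, both run over constructed rule and package objects. The object shapes, the `AI_FOR_SOC_PACKAGES` list and the sample data are assumptions modelled loosely on Kibana rule and Fleet package responses, not taken from the code base.

```typescript
// Added example, not Kibana code: resolve which installed AI for SOC
// integration a detection rule belongs to. Shapes below are assumptions
// modelled loosely on Kibana rule / Fleet package objects.

interface RelatedIntegration {
  package: string;      // Fleet package name, e.g. 'crowdstrike'
  version: string;      // semver range the rule was authored against
  integration?: string; // optional sub-integration inside the package
}

interface Rule {
  id: string;
  name: string;
  related_integrations: RelatedIntegration[];
}

interface InstalledPackage {
  name: string;
  title: string;
}

// Package names the PR text lists as the AI for SOC integrations (assumption).
const AI_FOR_SOC_PACKAGES: string[] = ['google_secops', 'microsoft_sentinel', 'sentinel_one', 'crowdstrike'];

// Names of installed packages that are part of the AI for SOC set.
function aiForSocInstalled(installed: InstalledPackage[]): string[] {
  return installed
    .map((p) => p.name)
    .filter((name) => AI_FOR_SOC_PACKAGES.indexOf(name) !== -1);
}

// Old approach: the rule name must be exactly the package name.
function packageForRuleByName(rule: Rule, installed: InstalledPackage[]): string | undefined {
  return aiForSocInstalled(installed).indexOf(rule.name) !== -1 ? rule.name : undefined;
}

// New approach: the rule declares the package in `related_integrations`,
// and only packages that are actually installed count.
function packageForRuleByRelatedIntegrations(rule: Rule, installed: InstalledPackage[]): string | undefined {
  const names = aiForSocInstalled(installed);
  const match = rule.related_integrations.filter((ri) => names.indexOf(ri.package) !== -1)[0];
  return match ? match.package : undefined;
}

// Group rule ids under the installed AI for SOC package they resolve to.
function rulesByPackage(
  rules: Rule[],
  installed: InstalledPackage[],
  resolve: (rule: Rule, installed: InstalledPackage[]) => string | undefined
): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const rule of rules) {
    const pkg = resolve(rule, installed);
    if (pkg === undefined) continue;
    (out[pkg] = out[pkg] || []).push(rule.id);
  }
  return out;
}

// Constructed sample data.
const SAMPLE_INSTALLED: InstalledPackage[] = [
  { name: 'crowdstrike', title: 'CrowdStrike' },
  { name: 'sentinel_one', title: 'SentinelOne' },
  { name: 'system', title: 'System' }, // installed, but not an AI for SOC package
];

const SAMPLE_RULES: Rule[] = [
  // Realistic rule name: name matching misses it, related_integrations finds it.
  { id: 'rule-1', name: 'CrowdStrike Falcon suspicious process', related_integrations: [{ package: 'crowdstrike', version: '^1.0.0' }] },
  // Catch-all rule named after the package, as in the PR test steps.
  { id: 'rule-2', name: 'sentinel_one', related_integrations: [{ package: 'sentinel_one', version: '^1.0.0' }] },
  // References a package that is not installed: must be excluded.
  { id: 'rule-3', name: 'Google SecOps alert', related_integrations: [{ package: 'google_secops', version: '^1.0.0' }] },
  // No related integrations at all.
  { id: 'rule-4', name: 'Generic rule', related_integrations: [] },
];

function demo() {
  const byName = rulesByPackage(SAMPLE_RULES, SAMPLE_INSTALLED, packageForRuleByName);
  const byRelated = rulesByPackage(SAMPLE_RULES, SAMPLE_INSTALLED, packageForRuleByRelatedIntegrations);
  console.log('by name:', JSON.stringify(byName));
  console.log('by related_integrations:', JSON.stringify(byRelated));
  return { byName, byRelated };
}

demo();
```

With the sample data, name matching only finds `rule-2`, while the `related_integrations` lookup finds `rule-1` and `rule-2` and still excludes `rule-3`, whose package is not installed.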
…ield/value pair in tooltip (elastic#219438)

## Summary

This PR fixes a small rendering issue in the AI4DSOC alert summary
alerts table (those changes will also be automatically applied to the
alerts table in the Cases and Attack discovery pages also for AI4DSOC).
The basic cell renderer (which renders all values outside of a couple of
selected custom renderers we have) was not truncating values, which
sometimes led to weird renders, as seen in the video below.

https://github.com/user-attachments/assets/efcca0b7-5f0e-46d6-be85-85a9e824835c

This PR reuses the same logic used today in the Alerts page alerts
table: it truncates the values and shows the field and value pairs in a
tooltip.

https://github.com/user-attachments/assets/3941ba38-1ecc-49d9-9989-20015f219677

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch-all rules, each with the name of an AI for SOC integration
(`google_secops`, `microsoft_sentinel`, `sentinel_one` and
`crowdstrike`) => to do that you'll need to temporarily comment out the
`serverless.security.dev.yaml` config changes as the rules page is not
accessible in AI for SOC.
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Relates to elastic/security-team#11973

(cherry picked from commit 7b3efa8)
…ssignees (elastic#219460)

## Summary

This PR implements a similar change that was just merged a few hours
ago. While [that change](elastic#219410)
was made to the alert tags not always working on the alerts table, this
current change is applied to the alert assignees that faced a potential
similar issue. The alert assignee code was introduced in [this
PR](elastic#170579), and I believe the
code was using the similar logic of [the alert tag
PR](elastic#157786).

The issue is related to the fact that we have a `useRef` for a function
that is returned before the `useEffect` in the same hook runs, and
setting the value of the function returned is happening within that
`useEffect`. This has not caused any issues because the few places where
this code is being used (the alerts page alerts table) are extremely
inefficient and render multiple times. This gives enough tries to the
hook to actually get a value and return the correct function.

This PR fixes that by returning the function directly.

Here's a video showing that the functionality still works correctly for
bulk actions:

https://github.com/user-attachments/assets/b3394ffe-8333-4e0a-9bf7-831ef8ea8aea

And also for normal row actions:

https://github.com/user-attachments/assets/5f8c9d23-f0ef-4c65-b7de-4dc34478a8e7

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 254477e)
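Added example, not Kibana's code, reproducing the render-order problem described in this commit and in the `apply alert tags` fix above (elastic#219410): a function stored in a ref that is only populated inside an effect is `null` on the first render, so a parent that renders once never gets a callable. `FakeRenderer` is a stand-in built for this illustration; it is not React and only models the two facts that matter here, that refs persist across renders and that effects run after the render function has already returned. `buildSetAlertTags` is a placeholder for the real bulk-action body.

```typescript
// Added example, not Kibana code. FakeRenderer is a minimal stand-in for the
// React render/commit ordering (assumption, not React itself).

type SetAlertTags = (alertIds: string[], tags: string[]) => string;

class FakeRenderer {
  private refs: Array<{ current: unknown }> = [];
  private refCursor = 0;
  private pendingEffects: Array<() => void> = [];
  renderCount = 0;

  // Same ref object is handed back on every render, as React does.
  useRef<T>(initial: T): { current: T } {
    if (this.refCursor === this.refs.length) this.refs.push({ current: initial });
    return this.refs[this.refCursor++] as { current: T };
  }

  // Effects are queued during render and flushed only after it returns.
  useEffect(effect: () => void): void {
    this.pendingEffects.push(effect);
  }

  // One render: call the component, then run its effects.
  render<T>(component: (r: FakeRenderer) => T): T {
    this.refCursor = 0;
    this.pendingEffects = [];
    this.renderCount++;
    const output = component(this);
    for (const effect of this.pendingEffects) effect();
    return output;
  }
}

// Placeholder for the bulk-action body the table's menu would call.
function buildSetAlertTags(): SetAlertTags {
  return (alertIds, tags) => `tagged ${alertIds.length} alert(s) with ${tags.join(',')}`;
}

// Buggy shape from the PR: `ref.current` is read and returned during render,
// but only assigned inside the effect, which runs after render. First render
// hands the table `null`; a second render is needed to get the function.
function useSetAlertTagsBuggy(r: FakeRenderer): SetAlertTags | null {
  const ref = r.useRef<SetAlertTags | null>(null);
  r.useEffect(() => {
    ref.current = buildSetAlertTags();
  });
  return ref.current;
}

// Fixed shape from the PR: return the function directly, so every render,
// including the first, hands the table a callable.
function useSetAlertTagsFixed(_r: FakeRenderer): SetAlertTags {
  return buildSetAlertTags();
}

// Drive a parent that renders once (the "efficient" table) and one that
// re-renders, and report what each hands to the bulk-action menu.
function demo() {
  const once = new FakeRenderer();
  const buggyFirst = once.render(useSetAlertTagsBuggy);   // null
  const buggySecond = once.render(useSetAlertTagsBuggy);  // function
  const fixedFirst = new FakeRenderer().render(useSetAlertTagsFixed);
  return {
    buggyFirstIsNull: buggyFirst === null,
    buggySecondWorks: typeof buggySecond === 'function',
    fixedFirstWorks: typeof fixedFirst === 'function',
    fixedResult: fixedFirst(['a1', 'a2'], ['Duplicate']),
  };
}

console.log(demo());
```

The point the simulation makes is why the defect hid in the Alerts page: a table that re-renders several times eventually reads a populated ref, while a parent that renders exactly once only ever sees `null`.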
@PhilippeOberti PhilippeOberti force-pushed the backport/8.19/pr-214889 branch from e9cb7fc to 64977d3 Compare June 4, 2025 16:28
@PhilippeOberti PhilippeOberti changed the title [8.19] [AI4DSOC] Backport of all AI4DSOC alert summary related PRs (#214889) [8.19] [AI4DSOC] Backport of AI4DSOC alert summary related PRs (#214889) Jun 4, 2025
@elastic elastic deleted a comment from elasticmachine Jun 4, 2025
@stephmilovic stephmilovic left a comment

LGTM! Thanks for tackling this complex task, we appreciate you!!

@PhilippeOberti PhilippeOberti merged commit 87d17ac into elastic:8.19 Jun 4, 2025
9 checks passed
@PhilippeOberti PhilippeOberti deleted the backport/8.19/pr-214889 branch June 4, 2025 20:08
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Jun 5, 2025
was introduced in elastic#222074
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Jun 5, 2025
was introduced in elastic#222074