Support installing alert rules as kibana assets in packages #226085
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 tasks
Contributor
Author
|
/ci |
MichelLosier
force-pushed
the
support-alert-kbn-assets
branch
from
965b7e0 to
f9bc0dd
Compare
…ort non-request contexts
… to support non-request contexts" This reverts commit ab73d22.
This reverts commit e9f260c.
…policy service and tasks" This reverts commit e30bfae.
This reverts commit 053dd9c.
This reverts commit 8a44dfa.
This reverts commit bb2057e.
This reverts commit 0780831.
…tags" This reverts commit 0372350.
This reverts commit e46caf1.
This reverts commit 76e018c.
…t to package install" This reverts commit 3a0802d.
This reverts commit 1e826cf.
Contributor
Author
|
Left a note on the new approach on the original ticket: #221633 (comment) |
Contributor
Author
|
EPM FTRs seem to be failing on |
| enableAgentMigrations: false, | ||
| enablePackageRollback: false, | ||
| enableAutoInstallContentPackages: false, | ||
| enableAlertRuleTemplateSupport: false, |
Contributor
There was a problem hiding this comment.
We could rename the feature flag to something that can be used for the overall feature, e.g. enableAgentStatusAlerting
Contributor
Author
There was a problem hiding this comment.
Yeah it seemed to me this could be functionality we could turn on separately for folks before the overall feature is complete, but on second thought I guess I wouldn't expect too much of gap between this functionality being ready and the agent status feature for it to be worthwhile to check multiple flags to support it. I see in your PR here you are using enableAgentStatusAlerting. I'll go ahead and update this to use that.
MichelLosier
added
release_note:skip
tomsonpl
approved these changes
Jul 31, 2025
Contributor
tomsonpl
left a comment
tomsonpl
left a comment
There was a problem hiding this comment.
Defend workflows LGTM 👍
joeypoon
approved these changes
Jul 31, 2025
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Page load bundle
History
|
kpollich
approved these changes
Aug 1, 2025
szaffarano
pushed a commit
to szaffarano/kibana
that referenced
this pull request
Aug 5, 2025
…elastic#226085) ## Summary Resolves in part: elastic#221633 Related to: elastic/package-spec#918 * Adds fleet support for installing alert rule assets from packages behind a feature flag * Alert rule assets should be * updated on subsequent installs * removed when the package is uninstalled * Note tag management for alert rules are done directly on the alert SO. * This is likely to be followed up to switching to an alert rule template saved object instead
delanni
pushed a commit
to delanni/kibana
that referenced
this pull request
Aug 5, 2025
…elastic#226085) ## Summary Resolves in part: elastic#221633 Related to: elastic/package-spec#918 * Adds fleet support for installing alert rule assets from packages behind a feature flag * Alert rule assets should be * updated on subsequent installs * removed when the package is uninstalled * Note tag management for alert rules are done directly on the alert SO. * This is likely to be followed up to switching to an alert rule template saved object instead
NicholasPeretti
pushed a commit
to NicholasPeretti/kibana
that referenced
this pull request
Aug 18, 2025
…elastic#226085) ## Summary Resolves in part: elastic#221633 Related to: elastic/package-spec#918 * Adds fleet support for installing alert rule assets from packages behind a feature flag * Alert rule assets should be * updated on subsequent installs * removed when the package is uninstalled * Note tag management for alert rules are done directly on the alert SO. * This is likely to be followed up to switching to an alert rule template saved object instead
10 tasks
MichelLosier
added a commit
that referenced
this pull request
Sep 9, 2025
#233533) Resolves: elastic/ingest-dev#5901 Relates: #233214 Largely re-works the changes from this PR: #226085 * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for `alerting_rule_template` Requires the feature flag `'enableAgentStatusAlerting'` added to the `xpack.fleet.enableExperimental` array ## Release Notes * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for alerting_rule_template --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
hop-dev
added a commit
to hop-dev/kibana
that referenced
this pull request
Sep 10, 2025
commit d4f175284b4d6ff782a824603ab749a87ed651c2
Author: Yan Savitski <yan.savitski@elastic.co>
Date: Wed Sep 10 12:00:22 2025 +0200
[Onboarding ingest] Sample data ingest dashboard (#234077)
## Summary
Create Dashboard visualization for sample_data_ingestion
- Add new data-view configuration
- Add dashboard configuration
- Add SavedObjectsManager class to manage saved objects
- Update response for `status` and `install` queries
- Add new `Dashboard` option in `View Data` menu
- Hide `Dashboard` option in `View Data` menu if user removed it, but
keep sample index
- Add fallback functionality to remove dashboard if during install any
error appeared
- Update/Add tests
<img width="767" height="723" alt="image"
src="https://github.com/user-attachments/assets/979f51d1-fa66-4c7b-813f-27d0bb1c84b0"
/>
<img width="1604" height="1312" alt="image"
src="https://github.com/user-attachments/assets/f92a7089-eff9-42a7-8b2e-4c219ffb241c"
/>
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] ~Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] ~If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~
- [ ] ~This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.~
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Keep tracking if mapping in archives changed the dashboards also might
broke. Add this case to a QA plan
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit ec7c013de8a4046c672b1fce6612043278aa2a46
Author: Chris <50221462+chrisbmar@users.noreply.github.com>
Date: Wed Sep 10 10:53:31 2025 +0100
[Agent Builder] Conversation - scroll behaviour improvements (#234367)
commit 7f9a54a86a51b01515b1dc3a19cbf3893a112e8e
Author: Sergi Massaneda <sergi.massaneda@elastic.co>
Date: Wed Sep 10 11:24:12 2025 +0200
[Automatic Migrations][Dashboards] Add server side migration task telemetry (#234471)
# Summary
Adds server-side telemetry for **Dashboard Migration** and clarifies
**Rules Migration** event names. Centralizes SIEM migration event
constants/types.
>[!NOTE]
>Telemetry-only. No user-visible changes.
## Changes
* Add `type: 'dashboards' | 'rules'` to generic migration lifecycle
events.
* Rename rule translation events to domain-specific names.
* Add new dashboard translation events.
* Move SIEM migration events to `event_based/events/siem_migrations`
along with `event_meta.ts` and `types.ts` content.
* Remove `event_meta.ts` and `types.ts` as they are no longer needed.
* Updated `DashboardMigrationTelemetryClient` and
`RuleMigrationTelemetryClient` accordingly.
### Event changes
* **Dashboards:**
`SIEM_MIGRATIONS_DASHBOARD_TRANSLATION_{SUCCESS|FAILURE}`
* **Rules (renamed):** `RuleTranslation{Success|Failure}`,
`RuleTranslationIntegrationsMatch`, `RuleTranslationPrebuiltRulesMatch`
* **Lifecycle (both):**
`SIEM_MIGRATIONS_MIGRATION_{SUCCESS|FAILURE|ABORTED}` with `type`
commit 3dc96c7c0643866f8f7b466f7599272c5f26903d
Author: Miriam <31922082+MiriamAparicio@users.noreply.github.com>
Date: Wed Sep 10 10:14:47 2025 +0100
[ObsUX][Hosts] Fix schema selector for hosts detected by APM (#234483)
Closes https://github.com/elastic/observability-dev/issues/4826
## Summary
- Change copy to No schema available
- Schema selector should select Elastic System Integration when there
are only hosts detected by APM
<img width="1086" height="859" alt="image"
src="https://github.com/user-attachments/assets/ea32611e-f776-475f-ac39-efcfb9c52e3e"
/>
commit cbc1f1cbcf2fa79d5d372cb51a05acb0c47dfbcc
Author: Joe Reuter <johannes.reuter@elastic.co>
Date: Wed Sep 10 10:59:37 2025 +0200
🌊 Streams: Improve retention page card layout (#234415)
Before
<img width="858" height="446" alt="Screenshot 2025-09-09 at 12 38 42"
src="https://github.com/user-attachments/assets/db0208e1-ee31-4f7e-bd9e-fc15f412bef8"
/>
After
<img width="858" height="220" alt="Screenshot 2025-09-09 at 12 37 58"
src="https://github.com/user-attachments/assets/2c812806-4d6b-426d-9e4e-ea52955f0a55"
/>
commit b7da05f940f9afbeb19918e63a56e4fe336a35c6
Author: Vadim Kibana <82822460+vadimkibana@users.noreply.github.com>
Date: Wed Sep 10 10:58:51 2025 +0200
[ES|QL] Composer API (query composition, FORK, conflicting params) (#234032)
## Summary
Closes https://github.com/elastic/kibana/issues/220608
This PR is the final in the series of Composer API introduction. This PR
adds:
- Conditional command support
- Query AST building without source command
- Composition for `FORK` command
- Composition of queries
- Improved duplicate parameter name conflict resolution
- The `.dpar()` helper method, for explicit double param insertion
### Conditional command support
Now supports conditional command insertion using the `esql.nop` (no
operation) helper. You can manually insert a no-op command `WHERE TRUE`
or use the `esql.nop` helper:
```ts
// Build query with conditional command hole
const query = esql`FROM index
| ${includeFilters ? esql.cmd`WHERE foo > 42` : esql.nop}
| LIMIT 10`;
// same as:
const query = esql`FROM index
| ${includeFilters ? esql.cmd`WHERE foo > 42` : esql.cmd`WHERE TRUE`}
| LIMIT 10`;
```
In either case the `WHERE TRUE` command is automatically removed.
### Query AST building without source command
The Synth API and Composer API now support query construction, which do
not start with a source command. For example:
```ts
synth.qry `WHERE 123 | LIMIT 123`;
```
See next, this is useful for query composition.
### Composition for `FORK` command
The Composer API now support composition for the `FORK` command. You can
construct a fork sub-query using the `esql` or `esql.qry` (`synth.qry`)
helpers and compose it into the main query:
```ts
const where = esql `WHERE 123 | LIMIT 123`;
const query = esql `FROM a | FORM ( ${ where } ) ( WHERE 456 )`;
```
It also merges the parameter sets of the composed queries, if parameters
used.
### Improved duplicate parameter name conflict resolution
The composer now better merges conflicting parameter names. If parameter
names conflict, but the values are the same it allows the re-use of the
same name. However, if a sub-query, sub-command or some expression
introduces a parameter with an existing name but different value, it
automatically renames (by appending `_<num>`) the incoming parameter
name.
### The `.dpar()` helper method, for explicit double param insertion
A `esql.dpar()` helper was introduced for explicit double `??` parameter
construction, for example:
```ts
const query = esql `FROM index | WHERE ${ esql.dpar('field') } > 42`;
// Result: FROM index | WHERE ??p0 > 42
```
### Checklist
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or
commit 032219aa2df2f55ebb7a95c868ec951b400ad460
Author: Nicolas Chaulet <nicolas.chaulet@elastic.co>
Date: Wed Sep 10 10:33:22 2025 +0200
[Fleet] Persist input id (#234136)
commit eeee2e841f32c51ada30a33553c622167a3c51cc
Author: Kirill Chernakov <yakiryous@gmail.com>
Date: Wed Sep 10 12:14:46 2025 +0400
feat: view step by step timeline workflow detail page (#233820)
Closes https://github.com/elastic/security-team/issues/13589
## Demo
https://github.com/user-attachments/assets/6b9b4a98-ab33-4b2c-babf-53a9fabde221
## Summary
This pull request introduces a new unified type for workflow execution
graph nodes and adds functionality for extracting nested step structures
from workflow graphs. It also improves API consistency by using
`stepExecutionId` instead of `stepId` and enhances filtering for
workflow executions. The changes are grouped into improvements to
execution graph typing and tree extraction, API consistency, and
workflow execution querying.
**Execution graph typing and nested step extraction:**
* Introduced the new `UnionExecutionGraphNode` type, a discriminated
union covering all possible node types in a workflow execution graph,
along with its schema definition in `nodes/union.ts`. This type is now
used throughout the graph-building and traversal code, improving type
safety and extensibility.
[[1]](diffhunk://#diff-5976ea8aaaf104365856026c74fdd207004eae3e7a953d476d8f3346624a1aefR1-R54)
[[2]](diffhunk://#diff-c9ff643e4fbc8eee450c1c08aaa783886aa03a28bcdfd5091e922f9a27cc1266R45)
[[3]](diffhunk://#diff-420319c8a97fe2d1758c0d2c614cd0882e22bd9bb29e4c97bd70caea3725cf6fR55-R56)
[[4]](diffhunk://#diff-c3ddbdafa867a543f22035b7975fb55e4ca36fb1542ae5533f55826a3746f0a7R70)
* Added the `getNestedStepsFromGraph` utility and its test, which
traverses a workflow execution graph and returns a hierarchical tree of
steps, preserving control flow constructs like foreach and if/else. This
enables easier rendering and analysis of nested workflow steps.
[[1]](diffhunk://#diff-0d5620889e361f6178634f6fa7d350429e2b88cd426d5417d02b574368b835bcR1-R272)
[[2]](diffhunk://#diff-1dea0f28c681e8abdd9d1b8bd3f6b3f53293f2abd9325249338ca8bb91a5f842R1-R87)
[[3]](diffhunk://#diff-74e5f85eb111e260409cd520e5fb02214e5eb4f2f6597fc225acb3abc6b3e9a3R14)
**API consistency and usage of step execution IDs:**
* Refactored APIs and hooks to use `stepExecutionId` instead of `stepId`
for fetching step execution logs and details, ensuring consistent
identification and retrieval of step executions. Updated query keys,
HTTP requests, and function signatures accordingly.
[[1]](diffhunk://#diff-193a4d614c03fbf65e89b4c482d90d1e84c6abc72d9ad8d9b47ba2d7b9d6e503L34-R34)
[[2]](diffhunk://#diff-193a4d614c03fbf65e89b4c482d90d1e84c6abc72d9ad8d9b47ba2d7b9d6e503L44-R44)
[[3]](diffhunk://#diff-193a4d614c03fbf65e89b4c482d90d1e84c6abc72d9ad8d9b47ba2d7b9d6e503L54-R68)
[[4]](diffhunk://#diff-1a1515d1023b287743e3dba262d3fbd8e198cc70258b6d0a5c83c9dbaec97d85L14-R25)
[[5]](diffhunk://#diff-5eec7d82334d74dad7ad3cf731c6ce1fc22d8fb302fb79d9981e17dbbc415aa3L19-R30)
**Workflow execution filtering and typing:**
* Enhanced the `useWorkflowExecutions` hook to support filtering
executions by status and execution type, using the new `ExecutionType`
enum and improved query key construction for better cache management and
query specificity.
[[1]](diffhunk://#diff-12181aeacb3576de07800d3c8030a49ada38c0fb489657f66acd65da77a3d9a6L11-R43)
[[2]](diffhunk://#diff-c3ddbdafa867a543f22035b7975fb55e4ca36fb1542ae5533f55826a3746f0a7R41)
[[3]](diffhunk://#diff-c01d54b54de63c40706d20e4a57229a1f3856ab054ef0424342df84de02c48f8R28-R32)
* Updated the `WorkflowExecutionDto` interface to include the full
`workflowDefinition`, providing richer execution context for consumers.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
---------
Co-authored-by: Ihor Panasiuk <igorskynet13@gmail.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit 4ade3c2c405a24a7dca45f3c609decbca34aa03c
Author: Vladimir Filonov <vladimir.filonov@elastic.co>
Date: Wed Sep 10 11:13:26 2025 +0400
Add `WorkflowsTriggersList` component and integrate it into workflows list table (#234417)
## Summary
- Implemented `WorkflowsTriggersList` to display workflow triggers with
a collapsible UI.
- Integrated the new component into the workflows list table.
https://github.com/user-attachments/assets/53757c60-2b28-4455-bdd8-14e238516bc0
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
commit 85455e72fc711c9bab1637f5ae9bdd1ad598ce73
Author: Carlos Crespo <crespocarlos@users.noreply.github.com>
Date: Wed Sep 10 09:01:10 2025 +0200
[Metrics][Discover] Configurable `topPanelHeight` via context profile (#232237)
closes: [#232049](https://github.com/elastic/kibana/issues/232049)
## Summary
Adds the possibility to configure the chart section height via context
provider.
>[!NOTE]
> ~To achieve this, I had to create a new variable to Discover App
State.~
### With tabs
### Without tabs
## How to test
- Set the following config to `kibana.dev.yml`
```yml
discover.experimental.enabledProfiles:
- observability-metrics-data-source-profile
metricsExperience.enabled: true
```
- Navigate to Discover and Switch to ESQL mode
- Run `FROM metrics-*` search
- Ensure that local storage variables `discover:histogramHeight ` and `metricsExperience:histogramHeight` are empty
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Davis McPhee <davis.mcphee@elastic.co>
commit 26a9d14d0b1fe1ac3f4065e8f793ebb123a5cced
Author: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed Sep 10 08:41:48 2025 +0200
[api-docs] 2025-09-10 Daily api_docs build (#234517)
Generated by
https://buildkite.com/elastic/kibana-api-docs-daily/builds/1191
commit 1d540a7216fbd5ad2ab305572e56dffce8adc619
Author: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
Date: Wed Sep 10 08:07:51 2025 +0200
[kbn-eslint-plugin-eslint] add scout_no_describe_configure rule (#234390)
## Summary
Adding new rule to prevent playwright runner configuration overrides in
spec files. It is important to keep runner functionality unified across
all the Scout tests and having custom logic may lead to unexpected CI
behavior or wrong test results ingestion.
We already have unified functionality in place:
- retrying failure is handled on CI script level
- parallel test execution is limited to test spec level (we don't allow
concurrent run of tests within the same file)
- explicit timeouts for test execution is not recommended, but can be
accepted for individual cases
Adding smth like:
```
spaceTest.describe('Discover app - errors', { tag: tags.ESS_ONLY }, () => {
spaceTest.describe.configure({
retries: 2,
timeout: 120000,
});
```
will be blocked by pre-commit hook:
```
*[scout/scout_no_describe_configure][~/github/kibana]$ gc "add configure"
ERROR
/Users/dmle/github/kibana/x-pack/platform/plugins/private/discover_enhanced/test/scout/ui/parallel_tests/error_handling.spec.ts
12:3 error Using describe.configure is not allowed in Scout tests @kbn/eslint/scout_no_describe_configure
```
commit b628562b9cccb56827a8863aafce3c601b4454d6
Author: Christiane (Tina) Heiligers <christiane.heiligers@elastic.co>
Date: Tue Sep 9 16:32:01 2025 -0700
[package-docs] code deprecations domain level README (#234250)
This PR adds a README for the `deprecations` domain in core/packages.
The doc is intended for orientating core-contributors to core's packages
conventions and consumers who intend to integrate with deprecations.
Core yet has to decide on a code documentation strategy when it comes to
packages' READMEs. I took the pragmatic approach to add the README at a
domain level to serve both contributors and consumers.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
commit a6e04cb5fd21e2ed7639745f18abbcfe9f3a33a2
Author: Elena Stoeva <59341489+ElenaStoeva@users.noreply.github.com>
Date: Wed Sep 10 01:22:07 2025 +0300
[Streams] Integrate data quality page in Streams (#230442)
Closes https://github.com/elastic/kibana/issues/230258
## Summary
This PR integrates the Data quality page into Streams.
<img width="1162" height="577" alt="Screenshot 2025-09-03 at 10 42 19"
src="https://github.com/user-attachments/assets/aaacceea-cee6-484b-846d-e859dc99fdf1"
/>
**How to test:**
1. Start Es and Kibana and load some data with `node
scripts/synthtrace.js failed_logs --live
--kibana=http://elastic:changeme@localhost:5601
--target=http://elastic:changeme@localhost:9200 --liveBucketSize=1000`
2. Navigate to Console and enable Streams with `POST
kbn:/api/streams/_enable`
3. Navigate to Streams and click on one of the streams. Verify that the
Quality tab is displayed and functions correctly.
4. Verify that the state of the Quality view is correctly saved in the
URL and that loading a URL with a specific state displays the state in
the view. For example, navigating to
`app/streams/logs-synth.2-default/management/dataQuality?pageState=(dataStream:logs-synth.2-default,qualityIssues:(table:(page:0,rowsPerPage:25,sort:(direction:asc,field:lastOccurrence))),qualityIssuesChart:degraded,showCurrentQualityIssues:!f,timeRange:(from:now-1h,refresh:(pause:!f,value:60000),to:now),v:2)`
should load the Quality tab for the `logs-synth.2-default` stream with a
time range of the last 1 hour, 25 rows per page in the issues table and
the table sorted by Last Occurence column.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit 7163d35784bdb8d1bbfb0c88d70b80a70dfa0feb
Author: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Date: Tue Sep 9 21:19:34 2025 +0200
[Security Solution] Format the Customized rule alert telemetry RFC (#234448)
**Partially addresses:**
https://github.com/elastic/security-team/issues/12507 (internal)
**Follow-up to:** https://github.com/elastic/kibana/pull/230856
## Summary
This is a nitpicky PR that slightly improves the formatting of the RFC
introduced in https://github.com/elastic/kibana/pull/230856.
The main goal was to check if @sdesalas has all the needed access to GH.
---------
Co-authored-by: Steven de Salas <steven.desalas@elastic.co>
commit 09b4d599fa3c3b1cd8b0ec9236492c560b0aa0ed
Author: Jedr Blaszyk <jedrazb@gmail.com>
Date: Tue Sep 9 21:01:05 2025 +0200
[Agent Builder]: Index Search Tool UI (#234272)
## Summary
Add support for Index Search Tool UI.
Changes:
- Add custom configuration component for index patter (UI + internal
endpoint to fetch candidates)
- Keep tool type in URL query param
- Select tool type is in sync with URL query param (felt that's better
fit than path param but are free to revisit)
- We can navigate to create particular tool type (and have type
preselected)
- Copy tool works (also preselects type correctly)
- Add support for test quick action from context menu (also use URL
query param to open this on load)
## Preview
https://github.com/user-attachments/assets/3e6c6260-afe0-4af7-88df-d2c92576313b
commit eed21dbca87029b245c44f5d8d4d64c9f491c877
Author: Paulo Silva <paulo.henrique@elastic.co>
Date: Tue Sep 9 10:41:28 2025 -0700
[Asset Inventory] Refactors grouping components into package (#234382)
## Summary
This closes https://github.com/elastic/security-team/issues/12242
This PR Moves and refactors grouping components from the Asset Inventory
plugin to the cloud security posture package to be further reused by the
Cloud Security plugin, promoting reusability and reducing redundancy.
## Snapshots
<img width="1166" height="394" alt="image"
src="https://github.com/user-attachments/assets/bf6477a6-bfa6-461e-b154-ea4f167ddbd2"
/>
<img width="1145" height="680" alt="image"
src="https://github.com/user-attachments/assets/59e7424e-1531-4404-97ff-7cafb93fa110"
/>
commit 45203ed92164b62705fab143ea47e26e2bc0e27a
Author: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
Date: Tue Sep 9 19:37:35 2025 +0200
[ES|QL] Supports remote cluster lookup mode indices in the editor (#232907)
## Summary
Closes https://github.com/elastic/kibana/issues/232872
Adds support for remote cluster lookup mode indices
<img width="724" height="88" alt="image"
src="https://github.com/user-attachments/assets/2cb922b9-f76a-414e-8c88-31251855fb3a"
/>
commit 19df1a8986d056f9da1c476fc8ad6caf073bed86
Author: Alejandro Fernández Haro <alejandro.haro@elastic.co>
Date: Tue Sep 9 18:59:51 2025 +0200
[Otel metrics] Add documentation (#234231)
## Summary
Resolves https://github.com/elastic/kibana/issues/230002
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
---------
Co-authored-by: Chris Earle <pickypg@users.noreply.github.com>
commit f33e6a447942b329cca52b122232459ee22540ff
Author: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
Date: Tue Sep 9 18:55:22 2025 +0200
[ES|QL][Discover] Removes the default limit 10 added on the query (#234349)
## Summary
This PR removes the limit 10 from Discover ES|QL default query.
We think that ES is more performant to do this change atm. The maximum
default in ES is 10K (thanx Matthias who discovered this) so we must be
safe without pagination
### Checklist
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
commit 7319260cece632687e5f1dd5e56a1d858c5e4bf5
Author: Michel Losier <michel.losier@elastic.co>
Date: Tue Sep 9 08:53:41 2025 -0700
Add support for installing alerting_rule_template assets from packages (#233533)
Resolves: https://github.com/elastic/ingest-dev/issues/5901
Relates: https://github.com/elastic/kibana/pull/233214
Largely re-works the changes from this PR:
https://github.com/elastic/kibana/pull/226085
* Adds support for installing alerting_rule_template assets from
packages
* Adds tagging support for `alerting_rule_template`
Requires the feature flag `'enableAgentStatusAlerting'` added to the
`xpack.fleet.enableExperimental` array
## Release Notes
* Adds support for installing alerting_rule_template assets from
packages
* Adds tagging support for alerting_rule_template
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit 73b96d780f33ca8eccdbcdb81f2a6aded3f954db
Author: Robert Stelmach <60304951+rStelmach@users.noreply.github.com>
Date: Tue Sep 9 17:28:41 2025 +0200
[Streams 🌊] Remember mapped fields across simulations (#233799)
Closes: #217608
## Summary 📚
This PR implements persistent field mappings for stream enrichment
processors
**Key Features:**
- **Persistent Storage**: Automatically stores field mappings in memory,
persisting them across simulation runs
- **Restoration**: Uses exact name matching to restore field mappings
when fields reappear after pattern fixes
## How to Test 🔬
### Basic Persistence Test:
1. Add Grok: `%{WORD:service} %{WORD:level}: %{GREEDYDATA:message}`
2. Map fields → Break pattern with anything → Fix pattern
3. ✅ **Expected**: Fields restore with original mappings
### Disect Persistence Test:
1. Add Dissect: `%{date} %{source} %{ref_code} %{message}`
2. Map fields → Break pattern with anything → Fix pattern
3. ✅ **Expected**: Fields restore with original mappings
## Demo 🎥
https://github.com/user-attachments/assets/37dc5084-9298-4876-b69b-3cf2af7198a7
## Note
This approach preserves field mappings by name across pattern changes,
solving the core use case. It doesn't handle edge cases like field
reordering, but the upcoming schema editor confirmation modal will act
as a gatekeeper, allowing users to review and correct mappings before
saving changes.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit 4a1f396c9ac644fec587fa01693d3eef6aeeb647
Author: Philippe Oberti <philippe.oberti@elastic.co>
Date: Tue Sep 9 17:15:44 2025 +0200
[Security Solution][EASE] fix alert details flyout not showing the integration icon (#234394)
## Summary
This PR fixes an issue that was introduced by [this previous
PR](https://github.com/elastic/kibana/pull/231436) which changed the
logic to render the integration icon in the table. The integration icon
stopped being rendered in the alert detail flyout, because the flyout
did not have the same dataView and therefore the same runTime mappings.
### Approach
I considered a few solutions
- the first one was to modify the existing
[useEventDetails](https://github.com/elastic/kibana/tree/main/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/hooks/use_event_details.ts)
hook that we use to retrieve the alert related objects used in the
flyout. But this was a bit of a risky approach, as the hook is used in
many other places. Also, we would have had to have even more if/else
conditions in the code and this is not desired...
- the second one was to pass the runTime mappings to the flyout (I
thought about passing the `dataView` directly but we should not do that
as it's not serializable and shouldn't be placed in the url
- the third and final option was suggested by @michaelolo24 and consists
of creating the same `dataView` in the flyout
### Implementation details
I decided to create a hook to take care of this `dataView` creation.
That way, we can share the hook between all the places where we were
previously creating the dataView:
- case details page alerts tab
- attack discovery page alerts tab
- alerts summary page
- and now flyout
This also allows us to better prevent any renders of the components
while the `spaceId` is `undefined`, or while the `dataView` is being
created.
Finally, recommended by @michaelolo24, we're passing an constant `id` to
the dataView creation.
- This allows easy reusability on the flyout (which is on a different
level of the DOM and does not have access to the dataView created on the
page) as we can just fetch the `dataViewService` and retrieve the
`dataView`.
- Also as we're relying on the caching mechanism, the dataView is not
longer recreated every time we change page. It's a welcome performance
improvement.
-----------------
The flyout was not showing the integration icon:
<img width="1380" height="886" alt="Screenshot 2025-09-09 at 10 54
28 AM"
src="https://github.com/user-attachments/assets/73e62f50-ff4f-4d70-82aa-d37ff700f706"
/>
And it is now fixed (tested from all pages) and after a refresh:
https://github.com/user-attachments/assets/443ec958-8452-4cb3-beec-647026e562d0
## How to test
**_You might need to clear localStorage as the table columns are saved
in there and this PR changes the Integration column to the new runTime
field._**
This needs to be ran in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`
You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
[
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
]
```
Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`
Then:
- generate data: `yarn test:generate:serverless-dev`
- create multiple catch all rules, each with a name of a AI for SOC
integration (`google_secops`, `microsoft_sentinel`,, `sentinel_one` and
`crowdstrike`) and make sure to add the related integration (with the
same names) => to do that you'll need to temporary comment the
`serverless.security.dev.yaml` config changes as the rules page is not
accessible in AI for SOC.
- change [this
line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73)
to `installedPackages: availablePackages` to force having some packages
installed
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
https://github.com/elastic/kibana/issues/234354
commit a1b9b94351bb4cd07c84da8ef2ea5273e42267b7
Author: Peter Pisljar <peter.pisljar@elastic.co>
Date: Tue Sep 9 17:07:54 2025 +0200
[Lens as Code] transformation utilities (#234262)
commit cbb0d83af9fcfc9d6acb937199b3c915a8d1b892
Author: Ania Kowalska <63072419+akowalska622@users.noreply.github.com>
Date: Tue Sep 9 17:03:02 2025 +0200
[Discover] [Unified Tabs] Add default value for max items count (#234440)
Closes #234436
This pull request introduces a default limit for the number of tabs that
can be displayed in the `TabbedContent` component, improving consistency
and preventing excessive tabs from being shown. The main change is the
addition of a new constant for the maximum number of items, which is now
used as the default value in the component.
Lack of prop on a consumer side mentioned in issue was already resolved
in a meantime with [#227159 [Discover] Save and load Discover session
tabs](https://github.com/elastic/kibana/pull/227159), so this PR is
limited only to a guard on a provider side.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
### Identify risks
Does this PR introduce any risks? For example, consider risks like hard
to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified
risk. Invite stakeholders and evaluate how to proceed before merging.
- [ ] [See some risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
commit 2545c4fc76a013fd45983991a720ff587bb0dbc9
Author: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
Date: Tue Sep 9 15:58:32 2025 +0200
[scout] add `--testFiles` flag run individual test files / dirs (#234192)
## Summary
Extending Scout CLI with capability to run individual spec files / test
directories.
How to test:
- explicit test files:
```
node scripts/scout run-tests --serverless=es \
--testFiles=\
x-pack/platform/plugins/private/discover_enhanced/test/scout/ui/parallel_tests/value_suggestions_non_time_based.spec.ts,\
x-pack/platform/plugins/private/discover_enhanced/test/scout/ui/parallel_tests/value_suggestions.spec.ts
```
- tests sub-directory:
```
node scripts/scout run-tests --serverless=es \
--testFiles=\
x-pack/solutions/observability/plugins/apm/test/scout/ui/parallel_tests/service_inventory
```
Note:
- either `--config` or `--testFiles` flag is required, but no both at
the same time
- Playwright config is defined based on tests root dir (`/tests` or
`parallel_tests`), so script validates that all test files are form the
same root dir.
commit 01b3ab21ba432bb16d0ca3d80afa40d07dbadded
Author: Sid <siddharthmantri1@gmail.com>
Date: Tue Sep 9 15:54:22 2025 +0200
fix(api keys): Query API Keys correctly returns valid API key name if not present (#234083)
Closes #234194
## Summary
Reintroduces fallback for API Keys with null names which was causing the
API Keys page to break
### Release notes
Fixes a potential bug on the API Keys Management page when trying to
load API keys with null names.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
commit 5573d9356bda17a73c2c94e1af06301f98e3db3f
Author: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>
Date: Tue Sep 9 14:31:42 2025 +0100
Replaced globby with native glob (#233481)
## Summary
Replaced `globby` with native glob.
### Checklist
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
__Related: https://github.com/elastic/kibana/issues/233193__
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
commit c9ea5f898cd1cb40db11cdc41c01d111ae25eca1
Author: Carlos Crespo <crespocarlos@users.noreply.github.com>
Date: Tue Sep 9 15:24:58 2025 +0200
[Metrics][Discover] Add copy to dashboard action (#234330)
closes [#234200](https://github.com/elastic/kibana/issues/234200)
## Summary
Adds an action to copy a visualization in the metrics explorer grid to a
dashboard
**Copy to dashboard**
**Copy a visualization with dimensions to a dashboard**
**Copy a visualization to an existing dashboard**
## How to test
- Clone https://github.com/simianhacker/simian-forge/tree/main
- Run ` ./forge --dataset hosts --count 25 --interval 30s`
- Set the following config to `kibana.dev.yml`
```yml
discover.experimental.enabledProfiles:
- observability-metrics-data-source-profile
metricsExperience.enabled: true
```
- Navigate to Discover and Switch to ESQL mode
- Hover the mouse over a visualization, and click on the triple dots icon to copy a visualization to a dashboard
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit 2c7d2a36aa13ee546d5e4ef655f5bee79d9c93e1
Author: Pierre Gayvallet <pierre.gayvallet@elastic.co>
Date: Tue Sep 9 15:22:00 2025 +0200
[onechat] add doc sampling to search context (#234123)
## Summary
- add utilities to do data sampling for a given index, by retrieving
sample documents, extracting the top values for all fields containing in
the documents, and then generating lists of top values
- use those utilities for the `nl_search` prompt, to include more
context and hints for the query generation
- also cleanup and regroup the utilities in
`@kbn/onechat-genai-utils/tools`
### Doc sampling in prompt
<details>
<summary>Example of resource representation with data sampling</summary>
```xml
<target_resource name="hr-questions" type="index">
<fields>
<field path="_run_ml_inference" type="boolean">
<sample_values>
<value>true</value>
</sample_values>
</field>
<field path="category" type="keyword">
<sample_values>
<value>sharepoint</value>
<value>teams</value>
<value>github</value>
</sample_values>
</field>
<field path="content" type="semantic_text">
<sample_values>
<value>Executive Summary:
This sales strategy document outlines the key objectives, focus areas, and action...</value>
<value>Performance Management Policy
Purpose and Scope
The purpose of this Performance Management Policy is...</value>
<value>This career leveling matrix provides a framework for understanding the various roles and responsibil...</value>
</sample_values>
</field>
<field path="created_on" type="date">
<sample_values>
<value>2018-01-12</value>
<value>2018-04-15</value>
<value>2023-04-15</value>
</sample_values>
</field>
<field path="name" type="text">
<sample_values>
<value>Fy2024 Company Sales Strategy</value>
<value>Performance Management Policy</value>
<value>Swe Career Matrix</value>
</sample_values>
</field>
<field path="restricted" type="boolean">
<sample_values>
<value>true</value>
</sample_values>
</field>
<field path="rolePermissions" type="text">
<sample_values>
<value>manager</value>
<value>demo</value>
</sample_values>
</field>
<field path="summary" type="text">
<sample_values>
<value>This sales strategy document outlines objectives, focus areas, and action plans for our tech company...</value>
<value>This Performance Management Policy outlines a consistent and transparent process for evaluating, rec...</value>
<value>This career leveling matrix provides a framework for understanding the various roles and responsibi...</value>
</sample_values>
</field>
<field path="updated_at" type="date">
<sample_values>
<value>2023-04-15</value>
<value>2020-03-01</value>
<value>2018-04-16</value>
</sample_values>
</field>
<field path="url" type="text">
<sample_values>
<value>./sharepoint/FY2024 Company Sales Strategy.txt</value>
<value>https://enterprisesearch.sharepoint.com/:t:/s/MSBuilddemo/ERsxt9p1uehJqeJu4JlxkakBavbKwcldrYv_hpv3xH...</value> <value>https://enterprisesearch.sharepoint.com/:t:/s/MSBuilddemo/EVYuEyRhHh5Aqc3a39sqbGcBkqKIHRWtJBjjUjNs6s...</value>
</sample_values>
</field>
</fields>
</target_resource>
```
</details>
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit bb58cb22e4ef33101eebcc1dfc5f09c5d5604693
Author: Milton Hultgren <milton.hultgren@elastic.co>
Date: Tue Sep 9 15:20:59 2025 +0200
🌊 Make Streams global search case insensitive (#234416)
commit 144bc3743e5a6eed2d4e5de2e899b7b80061eee8
Author: Joe Reuter <johannes.reuter@elastic.co>
Date: Tue Sep 9 15:15:57 2025 +0200
🌊 Streams: Per-level breadcrumbs (#234409)
Fixes https://github.com/elastic/streams-program/issues/358
<img width="968" height="369" alt="Screenshot 2025-09-09 at 11 59 31"
src="https://github.com/user-attachments/assets/231bbca8-3a64-44de-ab5a-4a22a3f56272"
/>
Only applies to wired streams:
<img width="1304" height="452" alt="Screenshot 2025-09-09 at 11 59 40"
src="https://github.com/user-attachments/assets/3dfbbba1-b433-47f6-b082-1f3675a42cad"
/>
commit 204398cd7ea6c4099cd26d7f1768cc1f6d86880c
Author: Tomasz Kajtoch <tomasz.kajtoch@elastic.co>
Date: Tue Sep 9 15:08:22 2025 +0200
Revert conditional switching between EUI releases logic (#233087)
This reverts commit ac3fc27a5397456630f974f84bee64f597500b55.
Resolves https://github.com/elastic/kibana/issues/221593
Resolves https://github.com/elastic/eui-private/issues/398
## Summary
This PR reverts the logic of conditional switching between
`@elastic/eui` (the original package) and `@elastic/eui-amsterdam` (an
Amsterdam-only build of EUI). Since Kibana 8.19 is already out and the
EUI team no longer releases Amsterdam-specific versions of EUI, this
functionality can be removed.
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
commit 8b384ffc5ed7fe11802ce3649f7b6a3a5b09b0b1
Author: Konrad Szwarc <konrad.szwarc@elastic.co>
Date: Tue Sep 9 15:04:08 2025 +0200
[EDR Workflows][Insights] Add infrastructure support for policy_response_failure workflow insights (#233703)
Implements server-side plumbing and client hooks to support
`policy_response_failure` insight type alongside existing
incompatible_antivirus.
Updates schema validation, adds feature flag gating
(`defendInsightsPolicyResponseFailure`), and enhances `useTriggerScan`
hook for multi-type parallel processing.
Minimal changes required due to type-agnostic architecture: only
generation uses insight types, while all polling and fetching operations
are endpoint ID-based and work generically with any insight structure.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit c67b28343ba2495c63a5f0d2a196af4ec8020e4a
Author: Nathan Reese <reese.nathan@elastic.co>
Date: Tue Sep 9 06:57:15 2025 -0600
[dashboards as code] expose transformEnhancements functions from embeddable public and server setup contracts (#234225)
PR adds `transformEnhancementsIn` and `transformEnhancementsOut`
functions to embeddable public and server setup contracts. Plugins can
use these functions in their transforms to extract and inject references
into enhancements state.
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit e2fb58bd00f2d3a8b6aaa6b81c23e1dea4b701ee
Author: Dzmitry Lemechko <dzmitry.lemechko@elastic.co>
Date: Tue Sep 9 14:35:15 2025 +0200
[ci] enable scout tests in kibana pipelines (#234031)
## Summary
This PR enables Scout Tests execution in kibana BK pipelines by default:
any scout test failure will block merge action.
Pipelines currently updated:
- [x] `pull_request`
- [x] `on_merge.yml`
- [x] `chrome_forward_testing.yml`
- [x] `es_snapshots/verify.yml`
- [x] `fleet/package_registry.yml`
- [x] `pointer_compression.yml`
Cleanup:
* Removed the conditional logic and inclusion of the Scout test pipeline
(`scout_tests.yml`) from the pull request pipeline script
(`pipeline.ts`)
* Deleted the dedicated "Scout Test Run Builder" step from
`on_merge_unsupported_ftrs.yml`, as its functionality is now covered by
the regular runs.
commit 19a2ee0b3e615106511e04a6c133a0153615c109
Author: Joe Reuter <johannes.reuter@elastic.co>
Date: Tue Sep 9 14:28:04 2025 +0200
🌊 Streams: Disallow [ and ] for field names (#234264)
Currently, accessing fields by their array index does not work in all
cases. However, we might want to add this functionality later on. This
PR adds validation to reject field names with `[` and `]` so this won't
become a breaking change.
This PR adds the validation to the API level, which is the most
important place. I looked into adding it to the UI as well for immediate
validation but decided against because it would require a pretty big
refactoring. I can create a separate issue for this. The behavior right
now is that it's not possible to save the stream:
<img width="379" height="226" alt="Screenshot 2025-09-08 at 09 52 20"
src="https://github.com/user-attachments/assets/8f9c926f-bba2-40ab-9489-f0f8fa40a43d"
/>
I think it's OK for now because this is probably a very rare occurrence
in practice - cc @LucaWintergerst
commit c206506df0d818298e63513196e3c75c676bed96
Author: mohamedhamed-ahmed <mohamed.ahmed@elastic.co>
Date: Tue Sep 9 14:22:55 2025 +0200
[Streams] Change tab names and sync with url (#234273)
closes https://github.com/elastic/kibana/issues/233321
## 📋 Summary
This PR updates the Streams UI tab names to align URL paths with their
display names as outlined in [issue
#233321](https://github.com/elastic/kibana/issues/233321).
## 🔄 Tab Name Changes
| Previous URL | Display Name | New URL |
|--------------|--------------|---------|
| `lifecycle` | Retention | `retention` |
| `route` | Partitioning | `partitioning` |
| `enrich` | Processing | `processing` |
| `schemaEditor` | Schema | `schema`|
## Backwards Compatibility
- **Redirects**: Added redirect mappings in
[`tabRedirects`](https://github.com/elastic/kibana/pull/234273/files#diff-54f977f18cfc0f4f9ab90f615f52f522d281a3d4e388a5027cb52df59737a2f6R33)
for all changed tab names
commit c248a6052d7db5071b2269231572715633821846
Author: Tal <talboren2@gmail.com>
Date: Tue Sep 9 15:15:36 2025 +0300
[One Workflow] 13763 ensure step names are unique (#234266)
Introduce validation for uniqueness of step names in workflows.
https://github.com/user-attachments/assets/4b015050-d512-4bec-ba78-9a7ce4185afa
https://github.com/user-attachments/assets/d5ad3d52-db1d-40de-9425-6339e7947597
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
commit 6a29262eb393497ecaac15fdf4525e30e17db338
Author: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>
Date: Tue Sep 9 14:15:17 2025 +0200
[Automatic migrations][UI] Migrations navigation item (#13759) (#233760)
## Summary
Part of: https://github.com/elastic/security-team/issues/13759
With this PR, I added a new dashboards migrations navigation item which
lands on a empty migrations page. Next PRs will add the table showing
translated dashboards.
As part of this PR, the automated **rules migrations** nav item is moved
outside of the **Rule** nav item and put together with the **dashboards
migrations** into a separate nav item - **"Migrations"**.
### Classical navigation
https://github.com/user-attachments/assets/4f13762c-7f4c-4cce-be8e-0fed0eca24ce
### UPDATE
After discussing this [in
slack](https://elastic.slack.com/archives/C07MUMVUZ5E/p1756818283096289)
with the team, we decided to proceed with changes in the Classic
navigation only. The new navigation will contain a separate item which
will incorporate both rules and dashboards migrations pages.
commit fb951a1c0dcb77c8b2292cffc7b56e459f28949d
Author: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Tue Sep 9 13:13:24 2025 +0100
[Security Solution][Detection Engine] fixes flaky EQL suppression "does not suppress alerts outside of duration" (#233900)
## Summary
- addresses https://github.com/elastic/kibana/issues/232064
- existing test was using small rule interval + loolback period causing
some of the events falling out of interval due to longer rule updates
through patch APIs. Converted to preview API
commit 980469abd01528b8c3ad6959fe35f240d95e3584
Author: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Date: Tue Sep 9 13:03:12 2025 +0100
[Security Solution][Detection Engine] removes FTR "deletes the underlying migration task" test (#233995)
## Summary
- addresses https://github.com/elastic/kibana/issues/179593
- removes FTR "deletes the underlying migration task" test
- test was skipped from the moment it was introduced, 5 yers ago -
https://github.com/elastic/kibana/pull/85690/files#diff-d3ab7ab5d42b0e7dfe7a3162188693eb420f0a819444aa36380148f2a450a6dbR166-R185,
so was never functional
- While looked at code of [finalize migration
util](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/migrations/finalize_migration.ts),
I did not see any indications, it actually deletes underlying migration
task
- since this API is deprecated anyway, the most reasonable approach
seems just to remove that test
commit 288ae1b6cbea41a7589b1f8d833265116541f108
Author: James Gowdy <jgowdy@elastic.co>
Date: Tue Sep 9 12:04:46 2025 +0100
[ML] File upload: include existing doc count when checking for ingested doc count (#234333)
When checking to see of all ingested docs are now searchable, it should
take into account existing docs as we could be uploading to an existing
index.
commit 99c57c28c93c1d9310058ebb1aff4af130371eb0
Author: Pablo Machado <pablo.nevesmachado@elastic.co>
Date: Tue Sep 9 13:04:02 2025 +0200
[SecuritySolution] Create a Security Risk Scoring AI Assistant tool (#233647)
## Summary
* Introduces a new AI Assistant tool that retrieves entity risk score
data.
* Enhances the alert contribution and anonymises it.
* Adds a button to the risk score contribution flyout tab that opens the
assistant with a preconfigured context and suggested query.
* Add an experimental flag: `riskScoreAssistantToolEnabled`
<img width="600" alt="Screenshot 2025-09-03 at 14 23 00"
src="https://github.com/user-attachments/assets/d8f93d4b-a058-403b-9d74-ee78a7abdd0e"
/>
<img width="600" alt="Screenshot 2025-09-03 at 14 41 24"
src="https://github.com/user-attachments/assets/24bcad0d-65b4-4e29-94c7-320678519380"
/>
<img width="600" alt="Screenshot 2025-09-03 at 14 22 31"
src="https://github.com/user-attachments/assets/f747ca1d-2c9a-4400-91ab-1d020b3e89d6"
/>
### How to test it?
**Basic scenario**
* Kibana installed with alerts data and AI connectors (Please reach out
if you need to configure a connector)
* Experimental flag enabled `riskScoreAssistantToolEnabled`
* Enable risk engine
* Open an entity flyout and expand the risk contributions tab
* Click "Explain with AI Assistant"
* It should open the flyout with a pre-configure prompt and context
* Send the prompt, and the Assistant should answer your question
**Asset that fields are properly anonymised**
* Kibana installed with alerts data and AI connectors (Please reach out
if you need to configure a connector)
* Experimental flag enabled `riskScoreAssistantToolEnabled`
* Enable risk engine
* Run Docker for Desktop
* Run phoenix `node scripts/phoenix.js`
* Open an entity flyout and expand the risk contributions tab
* Click "Explain with AI Assistant"
* It should open the flyout with a pre-configure prompt and context
* Send the prompt, and the Assistant should answer your question
* Open Phoenix web and assert that we don't send the entity data
(user.name, host.name) to the LLM
* You can also disable `user.name` and `host.name` fields anonymisation.
Please test different scenarios
**Disable scenario**
* Kibana installed with alerts data and AI connectors (Please reach out
if you need to configure a connector)
* Enable risk engine
* When the feature is disabled:
* Option 1: Disable the AI assistant in the advanced settings
* Option 2: Test with basic license
* Option 3: Experimental flag is disabled
`riskScoreAssistantToolEnabled`
* It should not display the button
*** To generate realistic risky alerts, you can use the Attack discovery
datascript: `node
x-pack/solutions/security/plugins/security_solution/scripts/load_attack_discovery_data.js`
*** Phoenix local config
```
# OTelemetry
# `node scripts/phoenix` from kibana root
telemetry.enabled: true
telemetry.tracing.enabled: true
telemetry.tracing.exporters.phoenix.base_url: "http://0.0.0.0:6006"
telemetry.tracing.exporters.phoenix.public_url: "http://0.0.0.0:6006"
```
### Checklist
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
eleonoramicozzi
pushed a commit
to eleonoramicozzi/kibana
that referenced
this pull request
Sep 10, 2025
elastic#233533) Resolves: elastic/ingest-dev#5901 Relates: elastic#233214 Largely re-works the changes from this PR: elastic#226085 * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for `alerting_rule_template` Requires the feature flag `'enableAgentStatusAlerting'` added to the `xpack.fleet.enableExperimental` array ## Release Notes * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for alerting_rule_template --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
KodeRad
pushed a commit
to KodeRad/kibana
that referenced
this pull request
Sep 15, 2025
elastic#233533) Resolves: elastic/ingest-dev#5901 Relates: elastic#233214 Largely re-works the changes from this PR: elastic#226085 * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for `alerting_rule_template` Requires the feature flag `'enableAgentStatusAlerting'` added to the `xpack.fleet.enableExperimental` array ## Release Notes * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for alerting_rule_template --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Sep 24, 2025
elastic#233533) Resolves: elastic/ingest-dev#5901 Relates: elastic#233214 Largely re-works the changes from this PR: elastic#226085 * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for `alerting_rule_template` Requires the feature flag `'enableAgentStatusAlerting'` added to the `xpack.fleet.enableExperimental` array ## Release Notes * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for alerting_rule_template --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
niros1
pushed a commit
that referenced
this pull request
Sep 30, 2025
#233533) Resolves: elastic/ingest-dev#5901 Relates: #233214 Largely re-works the changes from this PR: #226085 * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for `alerting_rule_template` Requires the feature flag `'enableAgentStatusAlerting'` added to the `xpack.fleet.enableExperimental` array ## Release Notes * Adds support for installing alerting_rule_template assets from packages * Adds tagging support for alerting_rule_template --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Resolves in part: #221633
Related to: elastic/package-spec#918
To manually test:
good_contenttest packagetest/packages/good_contentin another terminalELASTIC_PACKAGE_KIBANA_HOSTto point to your locally running kibana instance eg:export ELASTIC_PACKAGE_KIBANA_HOST="http://0.0.0.0:5601/kibana"elastic-package build --skip-validationthenelastic-package install --zip ../../../build/packages/good_content-1.0.0.zip --skip-validationChecklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesbackport:*labels.Identify risks
Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.
Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.