# [AI4DSOC] [Attack discovery] In AI4DSOC projects, don't prompt the user to update the `kibana.alert.workflow_status` of alerts #227326

Merged: andrew-goldstein merged 2 commits into elastic:main on Jul 11, 2025
Contributor: Pinging @elastic/security-solution (Team: SecuritySolution)
Force-pushed b8765dd to 65f7165
Review thread on `...curity/plugins/security_solution/public/attack_discovery/pages/results/take_action/index.tsx` (outdated, resolved)
stephmilovic (Contributor) approved these changes on Jul 11, 2025:

LGTM! Desk tested and all works as expected. Left one comment re: the check for aiForSoc. LGTM!
This PR updates Attack discovery for AI4DSOC projects, such that it does NOT prompt the user with a modal to [optionally update the kibana.alert.workflow_status of alerts associated with Attack discoveries](elastic#225029), as illustrated by the animated gif below:

_Above: AI4DSOC: The modal is NOT displayed, and the associated alerts are NOT updated_

The animated gif above illustrates that in AI4DSOC projects:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is NOT displayed
- Only the workflow status of the Attack discovery is updated

### All other serverless projects

All other (non-AI4DSOC) serverless projects display the modal, and optionally update the workflow status of the alerts, as illustrated by the animated gif below:

_Above: All other serverless projects: The modal is displayed, and the associated alerts are updated_

The animated gif above illustrates that for all other serverless projects:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is displayed
- The workflow status of the Attack discovery is (optionally) updated

### Elastic Cloud and self managed

Elastic Cloud and self managed deployments display the modal, and optionally update the workflow status of the alerts, as illustrated by the animated gif below:

_Above: Self managed: The modal is displayed, and the associated alerts are updated_

The animated gif above illustrates that for Elastic Cloud and self managed:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is displayed
- The workflow status of the Attack discovery is (optionally) updated

### Feature flags

Enable the required and recommended `assistantAttackDiscoverySchedulingEnabled` feature flags in `config/kibana.dev.yml`:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```

### AI4DSOC

- To test with an AI4DSOC project, add the following setting to `config/serverless.security.dev.yaml`:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

### Desk testing

1) Navigate to Security > Attack discovery
2) Click `Generate` to generate attack discoveries
3) Click the `Take action` dropdown on an Attack discovery
4) Click `Mark as acknowledged`

**Expected result**

The modal is displayed, and alerts are (optionally) updated, according to the deployment type in the table below:

| Deployment                     | Modal displayed | Alerts (optionally) updated |
|--------------------------------|-----------------|-----------------------------|
| AI4DSOC                        | ❌              | ❌                          |
| All other serverless projects  | ✅              | ✅                          |
| Elastic Cloud and self managed | ✅              | ✅                          |

5) Select (at least) 2 discoveries via their checkboxes
6) Click the `Selected 2 Attack discoveries` popover menu
7) Click `Mark as closed` from the popover menu

**Expected result**

Once again, the modal is displayed, and alerts are (optionally) updated, according to the deployment type in the table below:

| Deployment                     | Modal displayed | Alerts (optionally) updated |
|--------------------------------|-----------------|-----------------------------|
| AI4DSOC                        | ❌              | ❌                          |
| All other serverless projects  | ✅              | ✅                          |
| Elastic Cloud and self managed | ✅              | ✅                          |
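The decision behind the expected-result table, as an added TypeScript illustration that is not Kibana's own code: `isAiForSoc` derives the deployment type from the `productTypes` setting shown in the config snippet, and `buildUpdatePlan` shows that an AI4DSOC project updates only the Attack discovery's status, even when a caller claims the user confirmed the alert update. Only `xpack.securitySolutionServerless.productTypes` and `product_line: 'ai_soc'` come from the PR; every type, function and sample value below is an assumption made for this example.

```typescript
// Added illustration, not Kibana's own code. The `productTypes` shape and the
// `product_line: 'ai_soc'` value come from the PR's serverless config snippet;
// all type and function names here are assumptions for this example.

interface ProductType {
  product_line: string;
  product_tier: string;
}

/** What the Take action menu knows about the deployment. `productTypes` exists
 *  only for serverless projects; Elastic Cloud and self-managed deployments
 *  have no such setting, so it is undefined there (assumed shape). */
interface Deployment {
  productTypes?: ProductType[];
}

/** Values of kibana.alert.workflow_status that the menu can set. */
type WorkflowStatus = 'open' | 'acknowledged' | 'closed';

interface AttackDiscovery {
  id: string;
  alertIds: string[]; // alerts associated with this discovery
}

interface UpdatePlan {
  status: WorkflowStatus;
  attackDiscoveryIds: string[]; // always updated, on every deployment type
  promptForAlerts: boolean; // whether the "update associated alerts?" modal is shown
  alertIds: string[]; // empty for AI4DSOC, or when the user declines in the modal
}

/** AI4DSOC is identified by an 'ai_soc' product line in the serverless config. */
export function isAiForSoc(deployment: Deployment): boolean {
  return (deployment.productTypes ?? []).some((p) => p.product_line === 'ai_soc');
}

/** The "Modal displayed" column of the PR's expected-result table. */
export function shouldPromptToUpdateAlerts(deployment: Deployment): boolean {
  return !isAiForSoc(deployment);
}

/**
 * Builds the updates for "Mark as acknowledged" / "Mark as closed".
 * `userConfirmedAlertUpdate` is the answer given in the modal. It is ignored
 * when no modal is shown, so an AI4DSOC project never touches alert status
 * even if a caller passes `true`.
 */
export function buildUpdatePlan(
  deployment: Deployment,
  selected: AttackDiscovery[],
  status: WorkflowStatus,
  userConfirmedAlertUpdate: boolean
): UpdatePlan {
  const promptForAlerts = shouldPromptToUpdateAlerts(deployment);
  const alertIds: string[] = [];
  if (promptForAlerts && userConfirmedAlertUpdate) {
    // Two discoveries may share an alert; update each alert only once.
    for (const discovery of selected) {
      for (const alertId of discovery.alertIds) {
        if (alertIds.indexOf(alertId) === -1) {
          alertIds.push(alertId);
        }
      }
    }
  }
  return {
    status,
    attackDiscoveryIds: selected.map((d) => d.id),
    promptForAlerts,
    alertIds,
  };
}

// Constructed sample deployments. AI4DSOC mirrors the PR's
// serverless.security.dev.yaml snippet; the other two are assumed shapes.
export const AI4DSOC: Deployment = {
  productTypes: [{ product_line: 'ai_soc', product_tier: 'search_ai_lake' }],
};
export const OTHER_SERVERLESS: Deployment = {
  productTypes: [{ product_line: 'example_line', product_tier: 'example_tier' }],
};
export const SELF_MANAGED: Deployment = {};

// Constructed sample selection: two discoveries that share alert-b.
export const SELECTED: AttackDiscovery[] = [
  { id: 'ad-1', alertIds: ['alert-a', 'alert-b'] },
  { id: 'ad-2', alertIds: ['alert-b', 'alert-c'] },
];
```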
Force-pushed 65f7165 to e6df9cc
Contributor: 💚 Build Succeeded
Contributor: Starting backport for target branches: 8.19, 9.1 https://github.com/elastic/kibana/actions/runs/16228952304
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request on Jul 11, 2025:
…er to update the `kibana.alert.workflow_status` of alerts (elastic#227326)

(cherry picked from commit a4aa6a0)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request on Jul 11, 2025:
…er to update the `kibana.alert.workflow_status` of alerts (elastic#227326)

(cherry picked from commit a4aa6a0)
Contributor: 💚 All backports created successfully

Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
kibanamachine added a commit that referenced this pull request on Jul 11, 2025:
…the user to update the `kibana.alert.workflow_status` of alerts (#227326) (#227721)

# Backport

This will backport the following commits from `main` to `9.1`:

- [[AI4DSOC] [Attack discovery] In AI4DSOC projects, don't prompt the user to update the `kibana.alert.workflow_status` of alerts (#227326)](#227326)

<!--- Backport version: 9.6.6 -->

### Questions?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Andrew Macri <andrew.macri@elastic.co>
kibanamachine added a commit that referenced this pull request on Jul 14, 2025:
… the user to update the `kibana.alert.workflow_status` of alerts (#227326) (#227720)

# Backport

This will backport the following commits from `main` to `8.19`:

- [[AI4DSOC] [Attack discovery] In AI4DSOC projects, don't prompt the user to update the `kibana.alert.workflow_status` of alerts (#227326)](#227326)

<!--- Backport version: 9.6.6 -->

### Questions?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
displayed, and alerts are (optionally) updated for the deployment, for the deployment-type in the table below:\n\n| Deployment | Modal displayed | Alerts (optionally) updated |\n|-------------------------------|-----------------|-----------------------------|\n| AI4DSOC | ❌ | ❌ |\n| All other serverless projects | ✅ | ✅ |\n| Elastic Cloud and self manged | ✅ | ✅ |\n\n5) Select (at least) 2 discoveries via their checkboxes\n\n6) Click the `Selected 2 Attack discoveries` popover menu\n\n7) Click `Mark as closed` from the popover menu\n\n**Expected result**\n\nOnce again, the modal is displayed, and alerts are (optionally) updated for the deployment, for the deployment-type in the table below:\n\n| Deployment | Modal displayed | Alerts (optionally) updated |\n|-------------------------------|-----------------|-----------------------------|\n| AI4DSOC | ❌ | ❌ |\n| All other serverless projects | ✅ | ✅ |\n| Elastic Cloud and self manged | ✅ | ✅ |","sha":"a4aa6a04c3db7d793e334fd1b38273cfca141c09"}}]}] BACKPORT--> Co-authored-by: Andrew Macri <andrew.macri@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kertal pushed a commit to kertal/kibana that referenced this pull request on Jul 25, 2025
…er to update the `kibana.alert.workflow_status` of alerts (elastic#227326)
## [AI4DSOC] [Attack discovery] In AI4DSOC projects, don't prompt the user to update the `kibana.alert.workflow_status` of alerts

This PR updates Attack discovery for AI4DSOC projects, such that it does NOT prompt the user with a modal to [optionally update the kibana.alert.workflow_status of alerts associated with Attack discoveries](#225029), as illustrated by the animated gif below:

_Above: AI4DSOC: The modal is NOT displayed, and the associated alerts are NOT updated_

The animated gif above illustrates that in AI4DSOC projects:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is NOT displayed
- Only the workflow status of the Attack discovery is updated

### All other serverless projects

All other (non-AI4DSOC) serverless projects display the modal, and optionally update the workflow status of the alerts, as illustrated by the animated gif below:

_Above: All other serverless projects: The modal is displayed, and the associated alerts are updated_

The animated gif above illustrates that for all other serverless projects:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is displayed
- The workflow status of the Attack discovery is (optionally) updated

### Elastic Cloud and self managed

Elastic Cloud and self managed deployments display the modal, and optionally update the workflow status of the alerts, as illustrated by the animated gif below:

_Above: Self managed: The modal is displayed, and the associated alerts are updated_

The animated gif above illustrates that for Elastic Cloud and self managed:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is displayed
- The workflow status of the Attack discovery is (optionally) updated

### Feature flags

Enable the required and recommended `assistantAttackDiscoverySchedulingEnabled` feature flag in `config/kibana.dev.yml`:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```

### AI4DSOC

- To test with an AI4DSOC project, add the following setting to `config/serverless.security.dev.yaml`:

```yaml
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

### Desk testing

1) Navigate to Security > Attack discovery

2) Click `Generate` to generate attack discoveries

3) Click the `Take action` dropdown on an Attack discovery

4) Click `Mark as acknowledged`

**Expected result**

The modal is displayed, and alerts are (optionally) updated for the deployment, for the deployment-type in the table below:

| Deployment | Modal displayed | Alerts (optionally) updated |
|--------------------------------|-----------------|-----------------------------|
| AI4DSOC | ❌ | ❌ |
| All other serverless projects | ✅ | ✅ |
| Elastic Cloud and self managed | ✅ | ✅ |

5) Select (at least) 2 discoveries via their checkboxes

6) Click the `Selected 2 Attack discoveries` popover menu

7) Click `Mark as closed` from the popover menu

**Expected result**

Once again, the modal is displayed, and alerts are (optionally) updated for the deployment, for the deployment-type in the table below:

| Deployment | Modal displayed | Alerts (optionally) updated |
|--------------------------------|-----------------|-----------------------------|
| AI4DSOC | ❌ | ❌ |
| All other serverless projects | ✅ | ✅ |
| Elastic Cloud and self managed | ✅ | ✅ |
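The decision table from the desk-testing steps, as an added TypeScript example that is not code from this PR or from Kibana: a hypothetical `planWorkflowStatusUpdate` applies the AI4DSOC gate (the `ai_soc` product line from the `productTypes` setting) to both the single-discovery and bulk take-action flows. Only the config keys and product line values come from the PR text; every other name is an assumption.

```typescript
// Added example, not code from the Kibana PR. All names (planWorkflowStatusUpdate, DeploymentContext,
// ...) are hypothetical; only the config keys and product line values come from the PR description.

type WorkflowStatus = 'open' | 'acknowledged' | 'closed';

// One entry of `xpack.securitySolutionServerless.productTypes` (serverless projects only).
interface ProductType {
  product_line: string;
  product_tier: string;
}

interface DeploymentContext {
  isServerless: boolean;        // false for Elastic Cloud and self managed
  productTypes: ProductType[];  // empty for non-serverless deployments
}

interface TakeActionInput {
  deployment: DeploymentContext;
  status: WorkflowStatus;
  discoveryIds: string[];             // one or more selected Attack discoveries
  alertIds: string[];                 // alerts associated with those discoveries
  userConfirmedAlertUpdate: boolean;  // the user's choice in the modal, when it is shown
}

interface UpdatePlan {
  promptUser: boolean;  // whether the modal is displayed
  discoveryUpdates: Array<{ id: string; status: WorkflowStatus }>;
  alertUpdates: Array<{ id: string; 'kibana.alert.workflow_status': WorkflowStatus }>;
}

// AI4DSOC projects are serverless projects configured with the `ai_soc` product line.
function isAiForSoc(deployment: DeploymentContext): boolean {
  return deployment.isServerless && deployment.productTypes.some((p) => p.product_line === 'ai_soc');
}

function planWorkflowStatusUpdate(input: TakeActionInput): UpdatePlan {
  const { deployment, status, discoveryIds, alertIds, userConfirmedAlertUpdate } = input;
  // The Attack discovery itself is always updated, whatever the deployment type.
  const discoveryUpdates = discoveryIds.map((id) => ({ id, status }));
  if (isAiForSoc(deployment)) {
    // AI4DSOC: no modal, and the associated alerts are never touched.
    return { promptUser: false, discoveryUpdates, alertUpdates: [] };
  }
  // Everywhere else the modal is shown and alerts change only if the user opted in.
  const alertUpdates = userConfirmedAlertUpdate
    ? alertIds.map((id) => ({ id, 'kibana.alert.workflow_status': status }))
    : [];
  return { promptUser: true, discoveryUpdates, alertUpdates };
}
```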