[8.19] [AI4DSOC] [Attack discovery] In AI4DSOC projects, don't prompt the user to update the kibana.alert.workflow_status of alerts (#227326)#227720
Merged
kibanamachine merged 2 commits into elastic:8.19 on Jul 14, 2025
…er to update the `kibana.alert.workflow_status` of alerts (elastic#227326)

## [AI4DSOC] [Attack discovery] In AI4DSOC projects, don't prompt the user to update the `kibana.alert.workflow_status` of alerts

This PR updates Attack discovery for AI4DSOC projects, such that it does NOT prompt the user with a modal to [optionally update the kibana.alert.workflow_status of alerts associated with Attack discoveries](elastic#225029), as illustrated by the animated gif below:

_Above: AI4DSOC: The modal is NOT displayed, and the associated alerts are NOT updated_

The animated gif above illustrates that in AI4DSOC projects:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is NOT displayed
- Only the workflow status of the Attack discovery is updated

### All other serverless projects

All other (non-AI4DSOC) serverless projects display the modal, and optionally update the workflow status of the alerts, as illustrated by the animated gif below:

_Above: All other serverless projects: The modal is displayed, and the associated alerts are updated_

The animated gif above illustrates that for all other serverless projects:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is displayed
- The workflow status of the Attack discovery is (optionally) updated

### Elastic Cloud and self managed

Elastic Cloud and self managed deployments display the modal, and optionally update the workflow status of the alerts, as illustrated by the animated gif below:

_Above: Self managed: The modal is displayed, and the associated alerts are updated_

The animated gif above illustrates that for Elastic Cloud and self managed:

- The modal prompting the user to update the `kibana.alert.workflow_status` of alerts is displayed
- The workflow status of the Attack discovery is (optionally) updated

### Feature flags

Enable the required and recommended `assistantAttackDiscoverySchedulingEnabled` feature flags in `config/kibana.dev.yml`:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```

### AI4DSOC

- To test with an AI4DSOC project, add the following setting to `config/serverless.security.dev.yaml`:

```yaml
xpack.securitySolutionServerless.productTypes: [
  { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
]
```

### Desk testing

1) Navigate to Security > Attack discovery
2) Click `Generate` to generate attack discoveries
3) Click the `Take action` dropdown on an Attack discovery
4) Click `Mark as acknowledged`

**Expected result**

The modal is displayed, and alerts are (optionally) updated for the deployment, for the deployment-type in the table below:

| Deployment                    | Modal displayed | Alerts (optionally) updated |
|-------------------------------|-----------------|-----------------------------|
| AI4DSOC                       | ❌              | ❌                          |
| All other serverless projects | ✅              | ✅                          |
| Elastic Cloud and self managed | ✅              | ✅                          |

5) Select (at least) 2 discoveries via their checkboxes
6) Click the `Selected 2 Attack discoveries` popover menu
7) Click `Mark as closed` from the popover menu

**Expected result**

Once again, the modal is displayed, and alerts are (optionally) updated for the deployment, for the deployment-type in the table below:

| Deployment                    | Modal displayed | Alerts (optionally) updated |
|-------------------------------|-----------------|-----------------------------|
| AI4DSOC                       | ❌              | ❌                          |
| All other serverless projects | ✅              | ✅                          |
| Elastic Cloud and self managed | ✅              | ✅                          |

(cherry picked from commit a4aa6a0)
@elasticmachine merge upstream
💚 Build Succeeded
Backport
This will backport the following commits from main to 8.19:

- [AI4DSOC] [Attack discovery] In AI4DSOC projects, don't prompt the user to update the kibana.alert.workflow_status of alerts (#227326)

Questions? Please refer to the Backport tool documentation