[Security Solution] Change alerts page data view and add help text #231374

Merged
christineweng merged 4 commits into elastic:main from christineweng:fix-alerts-page-dataview
Aug 15, 2025

@christineweng christineweng commented Aug 11, 2025

Summary

Security changes

Security users have been able to add run time fields to the security default data view. While implementing the managed data view feature #223451, the conflict arose where we want the default data view to be Kibana managed, but we do not want to take away users' ability to add run time fields.

As a result, it was decided to exclude the security default data view as managed, and the data view in the alerts page is changed to security default. With these changes, users can see run time fields created before they upgrade to 9.2, and they will be able to continue adding run time fields.

Discover / Data view picker changes

Even though we can't have the default data view as managed, we want to bring awareness of the security advanced setting to users. Currently, indices in advanced settings always override user changes in the editor flyout. To minimize confusion, this PR added an optional prop getDataViewHelpText in the data view picker component. This will allow a help text to be shown when a user is editing the security default data view.

Checklist

@christineweng christineweng changed the title [Security Solutionchange alerts page data view and add help text [Security Solution] Change alerts page data view and add help text Aug 11, 2025
@christineweng christineweng self-assigned this Aug 11, 2025
@christineweng christineweng force-pushed the fix-alerts-page-dataview branch from c8f3e25 to 82162ad Compare August 11, 2025 22:29
@christineweng christineweng added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Team:Threat Hunting:Investigations Security Solution Threat Hunting Investigations Team v9.2.0 labels Aug 12, 2025
@christineweng christineweng marked this pull request as ready for review August 12, 2025 21:32
@christineweng christineweng requested review from a team as code owners August 12, 2025 21:32
@elasticmachine

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

if (dataViewId === defaultDataViewId) {
return i18n.translate('xpack.securitySolution.dataViewManager.indexHelpText', {
defaultMessage:
'Security default indices are managed in advanced settings. To change the indices permanently, edit the indices in advanced settings.',

Contributor

Suggested change
'Security default indices are managed in advanced settings. To change the indices permanently, edit the indices in advanced settings.',
'Security default indices are managed in Advanced Settings. To change the indices permanently, edit the indices in Advanced Settings.',

isRollup: boolean;
matchedIndices: MatchedItem[];
rollupIndicesCapabilities: RollupIndicesCapsResponse;
indexHelpText?: string;
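
Review bot: `indexHelpText?: string;` is added to this type without a doc comment, and the build metrics on this PR show "Public APIs missing comments" going up by one for both dataViewEditor and unifiedSearch. Add a one-line comment stating when the text is shown, as the other hunk that adds this prop already does.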

Contributor

Or indexPatternHelpText everywhere as it can be more than one index.

Contributor Author

I changed it to titleHelpText, as it sits closer to getTitleConfig and TitleField. Let me know what you think :)

/**
* Message to show when editing a managed data view
*/
indexHelpText?: string;
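
Review bot: the doc comment on `indexHelpText` says the message is shown "when editing a managed data view", but the PR description states that the security default data view is excluded from being managed and is the one this help text targets. Reword the comment so it does not tie the prop to managed data views, for example "Help text to show when editing a data view".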

Contributor

For this component it might be more generic to rather have it as a callback getDataViewPatternHelpTextWhenEditing(<dataView as a param>) so a help label can be derived based on active data view.

Contributor

++ to changing parameter to a callback to allow data view context to influence help text. Maybe a shorter name though - something like getDataViewHelpText.

Contributor Author

thank you both, updated

@jughosta jughosta left a comment

Data Discovery changes LGTM, thanks!

@nreese nreese left a comment

kibana-presentation changes LGTM
code review only

if (dv.id === defaultDataViewId) {
return i18n.translate('xpack.securitySolution.dataViewManager.getDataViewHelpText', {
defaultMessage:
'Security default indices are managed in Advanced Settings. To change the indices permanently, edit the indices in Advanced Settings.',

@natasha-moore-elastic natasha-moore-elastic Aug 14, 2025

How does this sound:
"Changes made here won’t be saved permanently. To update the default Security indices, edit securitySolution:defaultIndex in Advanced Settings."

@christineweng christineweng force-pushed the fix-alerts-page-dataview branch from a2baee2 to 4154203 Compare August 14, 2025 19:02
@PhilippeOberti PhilippeOberti left a comment

Thanks for making this change, code LGTM and desk tested, looks good :)

@christineweng christineweng force-pushed the fix-alerts-page-dataview branch from 4154203 to f77f3f9 Compare August 15, 2025 19:19
@christineweng christineweng enabled auto-merge (squash) August 15, 2025 19:20
@christineweng christineweng merged commit 2a9ff04 into elastic:main Aug 15, 2025
12 checks passed
@elasticmachine

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

| id | before | after | diff |
| --- | --- | --- | --- |
| dataViewEditor | 26 | 27 | +1 |
| unifiedSearch | 117 | 118 | +1 |
| total | | | +2 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| dataViewEditor | 42.2KB | 42.4KB | +183.0B |
| securitySolution | 10.4MB | 10.4MB | +380.0B |
| unifiedSearch | 345.6KB | 345.7KB | +90.0B |
| total | | | +653.0B |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
| --- | --- | --- | --- |
| dataViewEditor | 7.0KB | 7.0KB | +88.0B |

Unknown metric groups

API count

| id | before | after | diff |
| --- | --- | --- | --- |
| dataViewEditor | 36 | 38 | +2 |
| unifiedSearch | 155 | 157 | +2 |
| total | | | +4 |

cc @christineweng

NicholasPeretti pushed a commit to NicholasPeretti/kibana that referenced this pull request Aug 18, 2025
…lastic#231374)

## Summary

**Security changes**

Security users have been able to add run time fields to the security
default data view. While implementing the managed data view feature
elastic#223451, the conflict arose where
we want the default data view to be Kibana managed, but we do not want
to take away users' ability to add run time fields.

As a result, it was decided to exclude security default data view as
`managed`, and the data view in alerts page is changed to security
default. With these changes, users can see run time fields created
before they upgrade to `9.2`, and they will be able to continue adding
run time fields.

<img width="488" height="306" alt="image"
src="https://github.com/user-attachments/assets/9026ef05-3adb-4b23-9abf-b5e12d6d95d9"
/>

**Discover / Data view picker changes**

Even though we can't have the default data view as `managed`, we want to
bring awareness of the security advanced setting to users. Currently,
indices in advanced settings always override user changes in editor
flyout. To minimize confusion, this PR added an optional prop
`getDataViewHelpText` in the data view picker component. This will allow
a help text to be shown when a user is editing the security default data
view.

<img width="987" height="470" alt="image"
src="https://github.com/user-attachments/assets/f2cfb169-c0f6-4e32-8081-f186b010d0ee"
/>

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
qn895 pushed a commit to qn895/kibana that referenced this pull request Aug 26, 2025
…lastic#231374)

PhilippeOberti added a commit that referenced this pull request Oct 10, 2025
…and Security solution alerts data views when needed (#238354)

## Summary

This PR aims at fixing a UI issue related to the data view picker
changes we made recently in Security Solution. After enabling the
`dataViewPickerEnabled` feature flag (see [this
PR](#234101)) we realized that the
`Security solution default` and `Security solution alerts` aren't
displayed properly.
This is only visible within an environment that had those data views
existing before turning on the feature flag.

Instead of showing `Security solution default` we show this
<img width="562" height="366" alt="Screenshot 2025-10-09 at 4 10 40 PM"
src="https://github.com/user-attachments/assets/3b59501e-f1ae-460d-b26c-b46f876ea772"
/>

And instead of showing `Security solution alerts` we show this
<img width="558" height="404" alt="Screenshot 2025-10-09 at 4 10 18 PM"
src="https://github.com/user-attachments/assets/f50a0eb7-a5f2-41e0-8018-28d9ddf92ee6"
/>

Looking at the Data Views screen under Stack Management, we indeed see
that the names are matching what we see in the data view picker
<img width="734" height="655" alt="Screenshot 2025-10-09 at 4 11 46 PM"
src="https://github.com/user-attachments/assets/ebc743e8-91d9-4ac1-8992-85290db59f10"
/>

For the `Security solution default` data view, we added the name in
[this PR](#224333).
For the `Security solution alerts` data view, we created the alert index
and the corresponding data view in [this
PR](#224144).
But we changed both names in [this
PR](#231374) (from `Default
security data view` to `Security solution default` and from `Security
alert data view` to `Security solution alerts` respectively).

This means that if one of these data views was created either without a
name or with an old name, that name would persist and be visible within
the new data view picker.

## The fix

This PR makes a simple fix: if the names of the saved object differ from
what we expect (only for the `default` and `alerts` data views), we
update the saved object.

Here's an example of the data view being updated after a refresh


https://github.com/user-attachments/assets/4ef8c623-3e45-4a57-93bb-0464c3189f67

### Checklist

- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.
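
The name check that the commit message above describes, sketched as an added TypeScript example (not code from Kibana or from the PR): the type names, data view ids and index patterns are hypothetical placeholders, while the old and new display names are the ones quoted in the commit message. It matches by id, so a user-created data view that happens to carry the same display name is left alone.

```typescript
// Added example, not Kibana code. Types, ids and index patterns are
// hypothetical placeholders constructed for illustration.

interface DataViewSavedObject {
  id: string;
  title: string; // index pattern the data view matches
  name?: string; // display name; absent on objects created before names existed
}

interface NameUpdate {
  id: string;
  from: string | undefined; // stale or missing name found on the saved object
  to: string; // name the picker is expected to show
}

// Placeholder ids (constructed).
const DEFAULT_DATA_VIEW_ID = 'example-security-default-id';
const ALERTS_DATA_VIEW_ID = 'example-security-alerts-id';

// Expected display names, as quoted in the commit message.
const EXPECTED_NAMES: ReadonlyArray<{ id: string; name: string }> = [
  { id: DEFAULT_DATA_VIEW_ID, name: 'Security solution default' },
  { id: ALERTS_DATA_VIEW_ID, name: 'Security solution alerts' },
];

// Returns the expected name for a managed id, or undefined for any other data view.
function expectedNameFor(id: string): string | undefined {
  let expected: string | undefined;
  EXPECTED_NAMES.forEach((entry) => {
    if (entry.id === id) {
      expected = entry.name;
    }
  });
  return expected;
}

// Builds the list of renames needed. Only the default and alerts data views
// are considered; a missing name counts as a mismatch.
function planNameUpdates(savedObjects: DataViewSavedObject[]): NameUpdate[] {
  const updates: NameUpdate[] = [];
  savedObjects.forEach((so) => {
    const expected = expectedNameFor(so.id);
    if (expected !== undefined && so.name !== expected) {
      updates.push({ id: so.id, from: so.name, to: expected });
    }
  });
  return updates;
}

// Applies a plan without mutating the input, so the step is safe to repeat
// on every refresh: a second run over the result plans nothing.
function applyNameUpdates(
  savedObjects: DataViewSavedObject[],
  updates: NameUpdate[]
): DataViewSavedObject[] {
  return savedObjects.map((so) => {
    let name = so.name;
    updates.forEach((u) => {
      if (u.id === so.id) {
        name = u.to;
      }
    });
    return name === so.name ? so : { ...so, name };
  });
}

// Constructed sample: one stale name, one missing name, and one user data
// view whose display name collides with an expected name.
const SAMPLE_SAVED_OBJECTS: DataViewSavedObject[] = [
  { id: DEFAULT_DATA_VIEW_ID, title: 'example-logs-*', name: 'Default security data view' },
  { id: ALERTS_DATA_VIEW_ID, title: 'example-alerts-*' },
  { id: 'example-user-data-view', title: 'example-custom-*', name: 'Security solution default' },
];
```
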
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Oct 10, 2025
…and Security solution alerts data views when needed (elastic#238354)

(cherry picked from commit 4f30b77)
kibanamachine added a commit that referenced this pull request Oct 10, 2025
…fault and Security solution alerts data views when needed (#238354) (#238525)

# Backport

This will backport the following commits from `main` to `9.2`:
- [[Security Solution] update the name of the Security solution default
and Security solution alerts data views when needed
(#238354)](#238354)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Philippe Oberti <philippe.oberti@elastic.co>
rylnd pushed a commit to rylnd/kibana that referenced this pull request Oct 17, 2025
…and Security solution alerts data views when needed (elastic#238354)

nickpeihl pushed a commit to nickpeihl/kibana that referenced this pull request Oct 23, 2025
…and Security solution alerts data views when needed (elastic#238354)

NicholasPeretti pushed a commit to NicholasPeretti/kibana that referenced this pull request Oct 27, 2025
…and Security solution alerts data views when needed (elastic#238354)
