[Cases] Enable auto-extract observables in alerts table#235433
Merged
michaelolo24 merged 4 commits intoelastic:mainfrom Oct 1, 2025
Merged
[Cases] Enable auto-extract observables in alerts table#235433michaelolo24 merged 4 commits intoelastic:mainfrom
michaelolo24 merged 4 commits intoelastic:mainfrom
Conversation
christineweng
added
backport:skip
6 tasks
christineweng
force-pushed
the
cases-extract-observables-in-alert-table
branch
from
e50319f to
ced2f44
Compare
christineweng
force-pushed
the
cases-extract-observables-in-alert-table
branch
2 times, most recently
from
2217a04 to
760557f
Compare
10 tasks
christineweng
force-pushed
the
cases-extract-observables-in-alert-table
branch
3 times, most recently
from
6bc1dfb to
0a8b410
Compare
michaelolo24
force-pushed
the
cases-extract-observables-in-alert-table
branch
from
ab6391b to
2f88eea
Compare
Contributor
|
Pinging @elastic/kibana-cases (Team:Cases) |
PhilippeOberti
approved these changes
Sep 30, 2025
Contributor
PhilippeOberti
left a comment
PhilippeOberti
left a comment
There was a problem hiding this comment.
Code review only for the files impacting the @elastic/security-threat-hunting-investigations team.
This code really motivates me to cleanup those ecsData and all objects. We're manipulating these so many times over and over again, we need to find a more performant approach. I know it's a huge effort and will impact so many places within Security Solution...
One day! 😆
janmonschke
approved these changes
Sep 30, 2025
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
|
umbopepato
reviewed
Oct 1, 2025
| ): TimelineItem[] => { | ||
| return Array.from(rowSelection.keys()).map((rowIndex: number) => { | ||
| const alert = alerts[rowIndex]; | ||
| const data = Object.entries(alert).map(([key, value]) => ({ |
Member
There was a problem hiding this comment.
nit: how about adding the fallback values for the well known fields here instead of iterating on the fields array each time?
Suggested change
| const data = Object.entries(alert).map(([key, value]) => ({ | |
| const data = Object.entries({ | |
| [ALERT_CASE_IDS]: [], | |
| [ALERT_WORKFLOW_TAGS]: [], | |
| [ALERT_WORKFLOW_ASSIGNEE_IDS]: [], | |
| ...alert, | |
| }).map(([key, value]) => ({ |
Contributor
There was a problem hiding this comment.
Apologies, missed this comment before I merged. Made a tiny pr to fix here: #237307
umbopepato
approved these changes
Oct 1, 2025
Member
umbopepato
left a comment
umbopepato
left a comment
There was a problem hiding this comment.
RO code changes LGTM! Thanks for changing the alert format locally 🙏 🚀
michaelolo24
force-pushed
the
cases-extract-observables-in-alert-table
branch
from
2f88eea to
a0825e1
Compare
michaelolo24
added a commit
that referenced
this pull request
Oct 6, 2025
## Summary Fix based on feedback [here](#235433 (comment))
jmikell821
added
the
Team: SecuritySolution
Contributor
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
3 tasks
rylnd
pushed a commit
to rylnd/kibana
that referenced
this pull request
Oct 17, 2025
## Summary Dependency: elastic#233027 to be merged first. This PR enables auto-extract toggle in alerts table when user adds alerts to a case. This applies to row actions and bulk actions. To enable the feature in security update the [case configuration](https://github.com/elastic/kibana/blob/50299491246af6cc8055a1ff8a975ce82b114495/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/index.tsx#L143) to `extractObservables: true,` <img width="1490" height="730" alt="image" src="https://github.com/user-attachments/assets/1c31cfee-a086-490b-b2d8-69306eb3ae4c" /> ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
rylnd
pushed a commit
to rylnd/kibana
that referenced
this pull request
Oct 17, 2025
…37307) ## Summary Fix based on feedback [here](elastic#235433 (comment))
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Dependency: #233027 to be merged first.
This PR enables auto-extract toggle in alerts table when user adds alerts to a case. This applies to row actions and bulk actions.
To enable the feature in security update the case configuration to
extractObservables: true,Checklist
release_note:*label is applied per the guidelinesbackport:*labels.