[One Workflow] Add alert state checkbox UI for workflow connector #259770
Merged
talboren merged 8 commits into elastic:main from Apr 14, 2026
Add the UI portion of the alertStates feature — a "Run workflow for" checkbox group (New / Ongoing / Recovered alerts) in the rule action form, between the workflow selector and the action frequency switch.

This is the second part of the intermediate release for elastic#257363:
- Part 1 (merged): backend schema + adapter logic (elastic#257363)
- Part 2 (this PR): UI to set alertStates on rule actions

- Add AlertStates type and alertStates? to public WorkflowsActionParams
- Render EuiCheckboxGroup with New/Ongoing/Recovered options
- Use single editAction call in useEffect for initialization (addresses Copilot review feedback from elastic#256289)
- Use "New alerts" terminology (not "Firing") per review feedback
- Add 6 new tests for checkbox rendering, defaults, and toggling

Closes elastic/security-team#16239

Made-with: Cursor
Pull request overview
Adds UI support in the workflow connector action form for configuring which alert states trigger workflow execution via an alertStates checkbox group.
Changes:
- Introduces `AlertStates` and adds optional `alertStates` to `WorkflowsActionParams`
- Renders an `EuiCheckboxGroup` for New/Ongoing/Recovered alert states and wires it to `editAction`
- Extends tests to cover rendering, defaults, toggling, and initialization behavior for `alertStates`
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/platform/plugins/shared/workflows_management/public/connectors/workflows/workflows_params.tsx | Adds alert state checkbox UI, defaulting/initialization logic, and wiring to action params |
| src/platform/plugins/shared/workflows_management/public/connectors/workflows/workflows_params.test.tsx | Adds/updates tests to validate alertStates defaults, rendering, and updates |
| src/platform/plugins/shared/workflows_management/public/connectors/workflows/types.ts | Extends public action params type with AlertStates / alertStates |
semd reviewed Mar 26, 2026
- Replace AlertStates interface with AlertStateId union + Record type, removing the string index signature (@semd, Copilot)
- Add normalizeAlertStates helper to merge partial states with defaults, handling cases where alertStates exists but is missing keys (Copilot)
- Add hidden legend prop to EuiCheckboxGroup for accessibility (Copilot)
- Remove unnecessary useMemo for idToSelectedMap, use alertStates directly (@semd)
- Type optionId as AlertStateId in handleAlertStateChange (Copilot)

Made-with: Cursor
Security detection rules (siem.*) only generate new alerts and don't have ongoing/recovered states. Hide the "Run workflow for" checkbox group when ruleTypeId starts with 'siem.' since the setting is not applicable.

Per feedback from @semd and @marshall.main

Made-with: Cursor
Replace the inline `siem.` prefix check with the canonical `isSiemRuleType` helper, which also covers attack-discovery rules.

Made-with: Cursor
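One way to write the `normalizeAlertStates` merge named in the commit messages above, as an added example (not the code merged in this PR): it combines a partial or malformed saved `alertStates` value with the defaults given in the PR description. `ALERT_STATE_IDS`, `DEFAULT_ALERT_STATES` and `toggleAlertState` are hypothetical names.

```typescript
// Added illustration; not the PR's implementation.
type AlertStateId = 'new' | 'ongoing' | 'recovered';
type AlertStates = Record<AlertStateId, boolean>; // no string index signature

// Hypothetical constant: the closed set of ids the form may read or write.
const ALERT_STATE_IDS: readonly AlertStateId[] = ['new', 'ongoing', 'recovered'];

// Defaults stated in the PR description: only new alerts run the workflow.
const DEFAULT_ALERT_STATES: AlertStates = { new: true, ongoing: false, recovered: false };

// Merge a possibly partial or malformed saved value with the defaults.
// Only the three known ids are read, so unknown keys never reach the result;
// inherited properties and non-boolean values fall back to the default.
function normalizeAlertStates(input: unknown): AlertStates {
  const source: Record<string, unknown> =
    typeof input === 'object' && input !== null && !Array.isArray(input)
      ? (input as Record<string, unknown>)
      : {};
  const result: AlertStates = { ...DEFAULT_ALERT_STATES };
  for (const id of ALERT_STATE_IDS) {
    const own = Object.prototype.hasOwnProperty.call(source, id);
    const value = own ? source[id] : undefined;
    if (typeof value === 'boolean') {
      result[id] = value;
    }
  }
  return result;
}

// Hypothetical checkbox handler core: normalizes first, then flips one id.
// normalizeAlertStates returns a fresh object, so the input is never mutated.
function toggleAlertState(current: unknown, id: AlertStateId): AlertStates {
  const next = normalizeAlertStates(current);
  next[id] = !next[id];
  return next;
}
```
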
💚 Build Succeeded
Summary
Adds a "Run workflow for" checkbox group (New / Ongoing / Recovered alerts) to the workflow connector rule action form, allowing users to configure which alert states trigger workflow execution.
This is the second part of the intermediate release for alertStates support:
- `alertStates` on rule actions
Changes
- `AlertStates` type and optional `alertStates` to public `WorkflowsActionParams`
- `EuiCheckboxGroup` with New alerts / Ongoing alerts / Recovered alerts options between the workflow selector and the action frequency switch
- `editAction` call in `useEffect` for initializing both `summaryMode` and `alertStates` defaults (addresses Copilot review feedback from [One Workflow] Support triggering workflows for recovered and ongoing alerts #256289)
- `{ new: true, ongoing: false, recovered: false }` — existing rules continue to work without migration
Background
The original PR #256289 included both backend and UI changes but was closed to follow the intermediate release pattern for serverless. The backend changes landed first in #257363, and this PR completes the feature by enabling the UI.
References
Closes elastic/security-team#16239
Made with Cursor