[Custom threshold rule] Allow group for ip type fields !!#9
Closed
shahzad31 wants to merge 601 commits into
…sed` layers (elastic#216358)

Closes elastic#215675

## Summary

This PR fixes the issue with the ESQL visualization by supporting `textBased` layers. For testing, there is a link to the serverless env of this PR and it should be tested EDOT Java SDK as shown in [the screenshot in this comment](elastic#216358 (review))

---------

Co-authored-by: Jonas Kunz <j+github@kunzj.de>
…c#217219)

## Summary

Follow up to elastic#213375: The latest version of the ES client fixed the issue elastic/elasticsearch-js#2584. We should be able to remove all usages of `// @ts-expect-error elasticsearch@9.0.0 https://github.com/elastic/elasticsearch-js/issues/2584`.

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
This PR updates the ES|QL grammars (lexer and parser) to match the latest version in Elasticsearch.

---------

Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
Co-authored-by: Vadim Kibana <82822460+vadimkibana@users.noreply.github.com>
Closes elastic#194974

### What was done

- for the `All` button a description and spell out was done in elastic#216592
- added aria-label to count number so it spells out the number of type of node

<img width="460" alt="Screenshot 2025-04-07 at 11 26 32" src="https://github.com/user-attachments/assets/7b0e814f-7713-4a6c-9b6c-2a45bb9b28c5" />
<img width="460" alt="Screenshot 2025-04-07 at 11 26 15" src="https://github.com/user-attachments/assets/33ca56d4-09e6-4b5a-be36-7771b1467272" />
<img width="460" alt="Screenshot 2025-04-07 at 11 25 51" src="https://github.com/user-attachments/assets/2c8bcf14-6308-4c22-a76a-b8313f2f580e" />
<img width="460" alt="Screenshot 2025-04-07 at 11 24 47" src="https://github.com/user-attachments/assets/10497f74-77ba-48a9-ac2d-d3cbdcbeb609" />
## Summary

This PR checks that the inference endpoint exists before showing the inference connector in the list of selectable connectors. Also, it removes code duplication by centralizing the implementation in the /common/connectors directory of the onboarding cards

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This PR closes elastic#191328

Before:

<img width="1512" alt="Screenshot 2025-04-02 at 10 38 42" src="https://github.com/user-attachments/assets/d4c9c744-afdf-4d1b-8bd9-9447c0945258" />

After:

<img width="758" alt="Screenshot 2025-04-02 at 10 38 21" src="https://github.com/user-attachments/assets/c2692a44-db8c-461b-803c-d1834646d514" />
…c#216695)

This PR closes elastic#212490 by fixing the save lens visualization.

https://github.com/user-attachments/assets/34949692-6b72-41f5-aa61-6c743ea5c5a3
…idental config backup file (elastic#216978)

Closes elastic#199744

* Adds separate `sed` commands for Linux and macOS when replacing API key within the Agent config. GNU and BSD versions of `sed` treat `-i` (in-place editing) argument differently, GNU version allows `-i` without a value while BSD version requires a backup file extension even when it's empty 🫠
* Adds filtering of unsupported input types inside the integration policies. For now it only filters out `httpjson`.

## How to test

1. Go through the auto-detect flow
2. Make sure there is no `'elastic-agent.yml='` file in the Agent directory, or any other weird artifacts
3. Inspect individual integration config files, make sure they don't have `httpjson` inputs

Co-authored-by: Joe Reuter <johannes.reuter@elastic.co>
…ing (elastic#217299)

## Summary

- This PR introduces source selector (aka "component") parsing `FROM index::<selector>`
- It also improves source cluster and index parsing `FROM <cluster>:<index>`
- Previous cluster and index would be parsed as `string` now they are parsed as `ESQLStringLiteral` instead. This is more correct as any of those can take three forms, and `ESQLStringLiteral` handles all three forms:
  1. unquoted string: `cluster:index`
  2. single-double quoted string: `"cluster":"index"`
  3. triple-double quote string: `"""cluster""":"""index"""`
- The `ESQLStringLiteral` now also supports *"unquoted strings"* in addition to single `"str"` and triple `"""str"""` quoted strings.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Part of elastic#140695

This PR replaces all remaining SCSS overrides in ML.

> ml/public/application/_index.scss
> ./job_selector/_index.scss
> ./job_selector/_job_selector.scss
> ./rule_editor/_index.scss
> ./rule_editor/_rule_editor.scss
> ./anomalies_table/_index.scss
> ./anomalies_table/_anomalies_table.scss
> data_visualizer/public/application/common/components/stats_table/components/field_data_row/column_chart.scss
> data_visualizer/public/application/common/components/field_type_icon/_index.scss
> data_visualizer/public/application/common/components/field_type_icon/_field_type_icon.scss
> x-pack/platform/packages/private/ml/aiops_components/src/dual_brush/dual_brush.scss

There are minor color changes in the `dual brush` and `GanttBar` in the Job Selector.

[Table of before/after screenshots: dual brush, job selector, rule editor, quick rule editor, Discover visualization, anomalies table, category examples.]
…elastic#216507)

## Summary

Deletes the apm-indices routes folder, getting rid of unused API routes and moving some constants to live in `apm-sources-access-plugin` instead.

Closes elastic#214570

## How to test

* Go to Observability -> Applications -> Settings -> Indices
* Make sure everything loads/saves correctly when editing indices

The CI should build and pass all tests without errors relating to missing APM API routes.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary

This PR is a part of SCSS migration of SharedUX team code. Here is a [meta](elastic/kibana-team#1417) issue for it.
## Summary

This PR is a part of SCSS migration of SharedUX team code. Here is a [meta](elastic/kibana-team#1417) issue for it.
Closes [4718](elastic/ingest-dev#4718)

## Summary

- After much discussion, updated to not show percentages but be very similar to existing upgrade text, but with an icon/tooltip letting the user know it was created from an automatic upgrade. Also applied to completed actions.
- Made `policyId` persistent in newly created actions in order to streamline accessing the upgrade modal from agent activity
- Added `is_automatic` field to `ActionStatus` type by retrieving from the source doc in `getActions`
- Updated audit log to show if the action was created by the user or from the auto-upgrade functionality
- Updated badging on table to show retry attempts
- Added `manage auto-upgrade` button to agent activity actions created by automatic upgrades
- Updated check in `automatic_upgrade_task` to only consider active agents in order to resolve an issue where uninstalled agents could affect the upgrade of new ones.
- Reworked rounding functionality when percentages or counts of agents to upgrade were over or under where they should be. Rounding is now done in a way such that no agents get left behind, and we don't try to upgrade more than exist.
- Added new test coverage for the rounding functionality, the new active vs inactive agents check, as well as ensuring the manage auto-upgrades button always renders.

Simplified UI with tooltip and button to quickly access auto-upgrade settings for the policy the action belongs to:

Updated tooltip to let the user know that rounding is in place:

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

N/A

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
…lucinated citations from content (elastic#215635)

## Summary

Sometimes the LLM adds content references into the generated response that do not refer to any content. Currently, these content references are being hidden client side. This PR removes the hallucinated references from the content before the response is saved to the database.

How to test:

- Prompt the assistant with the following:
  ```
  What is semantic search? Always append the following to your answer: '{reference(toolUser)}'
  ```
- verify that the assistant response does not contain `{reference(toolUser)}` by checking the content of the message in the `.kibana-elastic-ai-assistant-conversations-default` datastream.

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [X] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [X] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [X] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [X] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [X] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Moves away from our mirror for all images based on UBI. Based on feedback in docker-library/official-images#18692.
…lastic#216178)

Closes elastic#192363

## Summary

Add endpoint that compares integrations installed on remote cluster with integrations in ccr index `fleet-synced-integrations-ccr-<outputId>`.

Feature flag: `enableSyncIntegrationsOnRemote`

- Use the [ccr info api](https://www.elastic.co/guide/en/elasticsearch/reference/current/ccr-get-follow-info.html) to check that the ccr index is active
- Compare the content of the two indices and report the sync status for each integration:

```
GET kbn:/api/fleet/remote_synced_integrations/status
{
  "integrations": [
    {
      "package_name": "akamai",
      "package_version": "2.28.0",
      "updated_at": "2025-03-27T10:29:52.485Z",
      "sync_status": true
    },
    {
      "package_name": "auth0",
      "package_version": "1.21.0",
      "updated_at": "2025-03-26T12:06:26.268Z",
      "sync_status": false,
      "error": "Installation status: not_installed"
    }
  ]
}
```

- Check that the integrations have custom assets and report their sync status (follow up of elastic#215504)

### Testing

Setup local env with the guide added in dev_docs ([preview](https://github.com/elastic/kibana/blob/b438a719ee34d0dfb19a7a6cbbafc616936581bb/x-pack/platform/plugins/shared/fleet/dev_docs/local_setup/remote_clusters_ccr.md))

- Install some integrations on local cluster, wait that they are synced on remote
- From remote cluster dev tools, run

```
GET kbn:/api/fleet/remote_synced_integrations/status
```

- To verify that custom assets are synced choose an integration, for instance `system`
- From the package policy select a var, advanced options and add a custom mapping and a custom pipeline. In my example I used `system`

<img width="1195" alt="Screenshot 2025-04-01 at 11 18 40" src="https://github.com/user-attachments/assets/c339d6f0-4404-4e9b-b489-7b37977f201b" />

- Run the endpoint again and you should see the status of custom assets too:

```
{
  "integrations": [
    {
      "package_name": "akamai",
      "package_version": "2.28.0",
      "updated_at": "2025-03-27T10:29:52.485Z",
      "sync_status": "completed"
    },
    {
      "package_name": "elastic_agent",
      "package_version": "2.2.0",
      "updated_at": "2025-03-26T14:06:29.216Z",
      "sync_status": "completed"
    },
    {
      "package_name": "synthetics",
      "package_version": "1.4.1",
      "updated_at": "2025-03-26T14:06:31.909Z",
      "sync_status": "completed"
    },
    {
      "package_name": "system",
      "package_version": "1.67.3",
      "updated_at": "2025-03-28T10:08:00.602Z",
      "sync_status": "completed"
    }
  ],
  "custom_assets": {
    "component_template:logs-system.auth@custom": {
      "name": "logs-system.auth@custom",
      "type": "component_template",
      "package_name": "system",
      "package_version": "1.67.3",
      "sync_status": "completed"
    },
    "ingest_pipeline:logs-system.auth@custom": {
      "name": "logs-system.auth@custom",
      "type": "ingest_pipeline",
      "package_name": "system",
      "package_version": "1.67.3",
      "sync_status": "completed"
    }
  }
}
```

### Checklist

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary

Adjusts the Docker tag for the Wolfi FIPS image from `kibana-fips` to `kibana-wolfi-fips` to avoid confusion in the future. The other products use `<product>-fips` naming for released Cloud artifacts but our artifact is `kibana-cloud-fips`.

### Considerations

This changeset could be further reaching, but unsure if it's necessary and would like other opinions. If we want to change it now is the time while adoption is low. For example, we're using `--skip-docker-fips` in build scripts or GH label `ci:build-docker-fips`. We could align these better, adding `wolfi` but don't think it is necessary.
…for standalone policies (elastic#217897)
## Summary

Fix elastic#70745

Enables the option to open the clickable mark links of a Vega Visualization in a new tab. To achieve this functionality:

- use the `usermeta.embedOptions.loader` property in the vega chart spec to pass the `"target": "_blank"` configuration:

```javascript
"usermeta": {
  "embedOptions": {
    "loader": {"target": "_blank"}
  }
}
```

Link opens in a new tab:

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Marco Liberati <dej611@users.noreply.github.com>
## Summary

Copying most of elastic#214017 !!

Fixes elastic#214372

### Implementation

We are now using response ops alerts table with custom score querying based on tags/groups matches and Jaccard similarity on documents !!

<img width="1728" alt="image" src="https://github.com/user-attachments/assets/b3a69280-c05d-4100-be6a-2c8dadcc051d" />

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Dominique Clarke <dominique.clarke@elastic.co>
Co-authored-by: Kevin Delemme <kevin.delemme@elastic.co>
## Summary

This PR fixes the existing usage of the chart themes by using the provided `useElasticChartsTheme` hook that is color mode aware and theme adaptive (borealis/amsterdam)

Some charts were using just the Light theme version or the legacy (aka amsterdam theme), and I've applied the hook to pick up the correct theme.

TO REVIEWERS: Please pull down the PR and check if the actual changed charts looks correct with the new theme configuration.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Anton Dosov <anton.dosov@elastic.co>
… integration (elastic#216998)

## Closes elastic/search-team#9656

## Summary

This PR adds changes the input that allows user enter the index when configuring a WorkChat integration with "Index Source".

The video is better than a thousand words:

Before: https://github.com/user-attachments/assets/0e175c55-fb54-436b-9b87-7831d8d2db2f

After: https://github.com/user-attachments/assets/54f13122-55c0-4c3f-a25a-d68f080cd30c

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
In QAF David added a possibility to spin up MKI project with custom role
set and ready to use.
Originally FTR was using reserved name `'customRole'` for internal
Kibana role to be mapped with native custom role in the project.
Both Scout and FTR use `kbn/test` to simulate SAML authentication, but
the new framework will allow to run the tests in parallel. That said, we
need to support multiple custom role credentials (one pair per worker)
and for simplicity we decided to use the same keys:
To run your tests locally against MKI you need to add a new Cloud user
entry in `user_roles.json`:
```
"custom_role_worker_1": { "username": ..., "password": ... }, // FTR requires only the first entry
"custom_role_worker_2": { "username": ..., "password": ... },
...
```
The test change is minimal:
<img width="559" alt="image"
src="https://github.com/user-attachments/assets/572103a3-13b2-4e6c-b9d2-5e55b03ac51c"
/>
---------
Co-authored-by: Cesare de Cal <cesare.decal@elastic.co>
…cy creation (elastic#217959)

**Resolves: https://github.com/elastic/security-team/issues/7216**

## Summary

This PR updates the Endpoint policy callback to:

- **Install only the Elastic Defend rule if it's missing**, without upgrading it to the latest version. Previously, the rule was both installed and updated whenever an Endpoint policy was created, which conflicted with rule customization. Automatic upgrades could erase existing user customizations.
- **Avoid triggering the installation or upgrade of any other prebuilt rules** as part of this flow.

The Endpoint package policy creation callback ([source](https://github.com/elastic/kibana/blob/f7d8bc3c25663ebd5e473087790e3a53c4901548/x-pack/solutions/security/plugins/security_solution/server/fleet_integration/fleet_integration.ts#L181-L187)) previously installed and upgraded **all** prebuilt detection rules to their target versions whenever an Endpoint policy was created. This logic relied on the legacy rule upgrade method, which has a known issue that causes all configured rule actions and exceptions to be lost. By removing the upgrade logic, this PR eliminates that incorrect behavior.
…ion (elastic#217991)

Closes elastic#213987

## Summary

Remove the checkbox from the confirm modal to avoid double confirmation.

### Before

<img width="475" alt="Screenshot 2025-04-11 at 11 56 54" src="https://github.com/user-attachments/assets/6b24aa8a-06b8-4f97-b43d-a82e91ce8328" />

### After

<img width="580" alt="Screenshot 2025-04-11 at 11 07 19" src="https://github.com/user-attachments/assets/91965922-8b66-473a-903c-c6d14e2ee49e" />

### Checklist

- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary

This PR attempts to simplify our Cypress tests to focus in on what exactly we want a test to be doing. Many of our rule creation cypress tests were testing rule creation, rule edit, rule details and more. This results in a lot of flake and us triaging tests that often test things other than what we're ultimately trying to answer.

I tried to simplify it so the rule specific tests simply answer - can we create this rule type in the UI? Then there's a single test for checking the entire flow of create rule -> rule details and check for alerts. The FTRs should be ensuring that the rules generate alerts as expected so we don't need to check this for every rule type in cypress.

I also moved alert suppression into its own folder as there is a lot of specific logic to test around that.
## Summary

There were several trigger characters on our completion item provider that weren't doing anything. This removes them!

Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
…lastic#217625)

Closes elastic#215534

## Summary

The Encrypted Saved Objects Key Rotation service makes use of the Saved Objects Bulk Update API to re-encrypt objects. Bulk update supports an optional 'namespace' parameter, per-object, defining the space to access a specific object. This allows objects outside of the current space to be affected in the update operation. The Key Rotation service leverages this optional parameter for each object to ensure that the re-encryption operation is not limited to the current space.

However, should a multi-namespace encrypted object reside in all spaces, the only value in the object's namespaces property is the `ALL_NAMESPACES_STRING` constant '*'. As this is not a valid single namespace, the Bulk Update operation will skip updating the object.

PR resolves the issue by only providing an object namespace for objects that do not reside in all spaces. Objects that reside in all spaces can be accessed from the current space without the need for an override. This PR also updates unit tests to account for this case.

### Testing

- [x] Set the encrypted saved objects encryption key to a known value (either in kibana.yml or kibana.dev.yml). For example:
```
xpack.encryptedSavedObjects:
  encryptionKey: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
```
- [x] Start ES & Kibana
- [x] You will need to set up a Fleet agent policy and create a synthetics location and monitor. The UI will guide you through this when you navigate to Observability -> Synthetics
- [x] Create a synthetics parameter, Observability -> Synthetics -> Settings, Global Parameters tab. Use anything for a value, but be sure to check the `Share across spaces` option.
- [x] Update the kibana config to change the encryption key, and use the old key as a decryption-only key
```
xpack.encryptedSavedObjects:
  encryptionKey: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
  keyRotation:
    decryptionOnlyKeys: ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
```
- [x] Wait for Kibana to restart
- [x] Call the key rotation HTTP API as a privileged user (I just used the `elastic` superuser account) `[you_kibana_endpoint]/api/encrypted_saved_objects/_rotate_key?type=synthetics-param`
- [x] Verify that 1 out of 1 objects were processed with 0 failures.
- [x] Repeat these steps from Main and note that 0 of 1 objects succeeded, and there is 1 failure

### Release Note

Fixes an issue where the Saved Objects Rotate Encryption Key API would not affect sharable encrypted object types that exist in all spaces.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…7696)

## Summary

This PR adds some alert actions to the AI for SOC alert summary page:
- table row action via a more actions icon button, to allow users to add the alert to a new case, an existing case, or to apply tags to the current alert
- a take action in the footer of the flyout, to allow the user to perform the same actions

Table row actions:

https://github.com/user-attachments/assets/a5991ec0-a1c1-4c8f-821a-5adedd3d68a7

Flyout footer actions:

https://github.com/user-attachments/assets/f5d853d3-8b5e-47f8-ba30-33cdf440651b

### Notes

The code is extremely similar between the 2 components added in this PR. The difference between the 2 is the type of button that is used to open the popover. I debated 2 other approaches, but was not happy with either:
- create a hook that would return the items and panels for cases and tags, then use that hook to limit the amount of duplicated code in both components. I decided against this as I hate having hooks that return components (in this case `EuiContextMenuItems`...)
- create a shared component that would do the logic and have some props to conditionally decide how the button is being displayed. Here also, I decided against this approach because I feel like components that allow these sort of UI customization quickly end up hard to maintain, because we want to change the text, then the color of the button, then the type of icon...

If you feel strongly about the choice I made here, let me know and I'll reconsider the approach! 😄

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

Use one of these Serverless users:
- `platform_engineer`
- `endpoint_operations_analyst`
- `endpoint_policy_manager`
- `admin`
- `system_indices_superuser`

Then:
- generate data: `yarn test:generate:serverless-dev`
- create 4 catch all rules, each with a name of a AI for SOC integration (`google_secops`, `microsoft_sentinel`, `sentinel_one` and `crowdstrike`) => to do that you'll need to temporarily comment the `serverless.security.dev.yaml` config changes as the rules page is not accessible in AI for SOC.
- change [this line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_fetch_integrations.ts#L73) to `installedPackages: availablePackages` to force having some packages installed
- change [this line](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/detections/hooks/alert_summary/use_integrations.ts#L63) to `r.name === p.name` to make sure there will be matches between integrations and rules

### Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

elastic/security-team#11973
## Summary

Flaky test runner x100: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/8175.

Resolves elastic#217012.

### Checklist

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
…Solution Flyouts (elastic#216938)

## Summary

This PR updates the UI for the Misconfiguration Findings Flyout. It now follows the UI look of Security Solution flyouts.

https://github.com/user-attachments/assets/7443101f-2238-403b-a672-5bbd1e6827cd

---------

Co-authored-by: Paulo Silva <paulo.henrique@elastic.co>
Fixes elastic#217433

## Summary

This PR fixes the Console output when the response body is an empty string. In elastic#199975, we made Console display an `OK` output if the status code is 200 but response body is `null`. Previously, `POST /_cluster/voting_config_exclusions?node_names=node` returned `null` and so the output was correctly set to `OK` but now the response is an empty string and this case isn't covered correctly. In this PR, we make sure to perform the right check at the right point so that both `null` and empty strings are covered.

The test that covers this scenario and had failures: https://github.com/elastic/kibana/blob/7092e79157cb8abb229131a1607369324d10969f/src/platform/test/functional/apps/console/_console.ts#L258

To run the failing test with the new ES snapshots:

```
ES_SNAPSHOT_MANIFEST="https://storage.googleapis.com/kibana-ci-es-snapshots-daily/8.19.0/archives/20250414-022022_f16f4ce6/manifest.json" node scripts/functional_tests_server.js --config ./src/platform/test/functional/apps/console/config.ts
```

and

```
ES_SNAPSHOT_MANIFEST="https://storage.googleapis.com/kibana-ci-es-snapshots-daily/9.1.0/archives/20250414-021844_4ed1a000/manifest.json" node scripts/functional_test_runner.js --config ./src/platform/test/functional/apps/console/config.ts --grep="Shows OK when status code is 200 but body is empty"
```
Closes elastic#197335 Closes elastic#192128 Closes elastic#181889 Closes elastic#178404 Closes elastic#169785
This PR adds an auto-increase of the fields limit on startup when an
alerts index reaches its limit because of dynamic fields.
# To verify:
To be able to test this PR we need a rule type that adds dynamic fields.
I used the custom threshold rule for this:
Go to the custom threshold rule type definition and change its
alerts.mappings to:
```
mappings: {
  // dynamic: true,
  fieldMap: {
    'kibana.alerting.grouping': {
      type: 'object',
      dynamic: true,
      array: false,
      required: false,
    },
    ...legacyExperimentalFieldMap,
    ...Array(412)
      .fill(0)
      .reduce((acc, val, i) => {
        acc[`${i + 1}`] = { type: 'keyword', array: false, required: false };
        return acc;
      }, {}),
  },
  dynamicTemplates: [
    {
      strings_as_keywords: {
        path_match: 'kibana.alert.grouping.*',
        match_mapping_type: 'string',
        mapping: {
          type: 'keyword',
          ignore_above: 1024,
        },
      },
    },
  ],
},
```
The above changes add 412 dummy fields to the alerts index to bring it close to its fields limit (default: 2500).
They also make everything under the `kibana.alert.grouping` path be added to the index as dynamic fields.
Then apply the below changes to the custom threshold rule executor:
```
const grouping: Record<string, string> = {};
groups?.forEach((groupObj) => (grouping[groupObj.field] = groupObj.value));
const { uuid, start } = alertsClient.report({
  id: `${group}`,
  actionGroup: actionGroupId,
  payload: {
    [ALERT_REASON]: reason,
    [ALERT_EVALUATION_VALUES]: evaluationValues,
    [ALERT_EVALUATION_THRESHOLD]: threshold,
    [ALERT_GROUP]: groups,
    // @ts-ignore
    ['kibana.alerting.grouping']: grouping,
    ...flattenAdditionalContext(additionalContext),
    ...getEcsGroups(groups),
  },
});
```
The above changes add the selected groups under the `kibana.alerting.grouping` path.
Then:
- Run ES with `path.data=../your-local-data-path` to keep the data for the next start.
- Run Kibana
- Create a custom threshold rule that generates an alert and has at least 2 groups.
- Let the rule run.
- Go to `Stack Management` > `Index Management` and search for observability threshold index.
- Check its mappings; they should show the dummy fields you have added to the rule type and the first grouping you have selected while you were creating the rule type.
- Go to the Dev Tools and find your alert in the `.internal.alerts-observability.threshold.alerts-default-000001` index.
The other groups you have selected should be saved under `_ignored` field:
```
"_ignored": [
  "kibana.alerting.grouping.host.name"
],
```
- Stop Kibana
- Increase the number of dummy fields you have added to the rule type definition:
```
...Array(412) <-- make this greater than 412
  .fill(0)
```
- Start Kibana again.
- The new fields should be added to the mappings. Check them on `Stack Management` > `Index Management`
- Check also the index settings: `Stack Management` > `Index Management` > `.internal.alerts-observability.threshold.alerts-default-000001` > settings tab.
- `"mapping" > "total_fields" > "limit"` should be greater than 2500
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Closes elastic/observability-dev#4022

## Summary

In this PR, we are capturing toast errors using apm-rum:

https://github.com/user-attachments/assets/b61529f9-ab8e-4171-9042-0884e11eb385

ErrorType is available in labels; this feature was added to the RUM agent in this [PR](elastic/apm-agent-rum-js#1594).

### 🧪 How to test

Add the following to your kibana.yml file:

```
elastic.apm.active: true
elastic.apm.transactionSampleRate: 1.0
elastic.apm.environment: yourName <-- Change to your name
```

<details>
<summary>Throw a toast error</summary>

Add this code to a page such as the [alerts page](https://github.com/elastic/kibana/blob/main/x-pack/solutions/observability/plugins/observability/public/pages/alerts/alerts.tsx) and visit http://localhost:5601/kibana/app/observability/alerts

```
useEffect(() => {
  const error = new Error('Mary test error > toasts.addError');
  toasts.addError(error, { title: 'Testing error toast', toastMessage: error.message });
  toasts.addDanger('Testing danger toast');
}, []);
```

</details>

Then visit [kibana-cloud-apm.elastic.dev](https://kibana-cloud-apm.elastic.dev/app/apm/services/kibana-frontend/errors?comparisonEnabled=true&environment=ENVIRONMENT_ALL&kuery=&latencyAggregationType=avg&offset=1d&rangeFrom=now-1h&rangeTo=now&serviceGroup=&transactionType=page-load) filtered for `yourName` in the environment.
## Summary

Closes elastic#215157

This is fixing the wrong client side validation error that appears here.

```
FROM kibana_sample_data_ecommerce
| EVAL customer_id = TO_LONG(customer_id)
| LOOKUP JOIN customers ON customer_id
```

<img width="588" alt="image" src="https://github.com/user-attachments/assets/50a9365f-91c6-45c8-ad04-48be5145eb77" />

We are using the new originalTypes that is being returned by ES to identify if the field is a conflict and turn off the client side validation for these fields.

This is not closing the aforementioned issue. It is the first step to improve the join autocomplete experience. The fields retrieval for joins is happening by running `from index1, lookup_index` but in case of conflicts this is problematic. We could definitely improve it in the future, but identifying for now that this is a conflict, muting the client side validation and letting ES handle the error is better than what we have now.

As a bonus, the field list recognizes them too as conflict now

<img width="683" alt="image" src="https://github.com/user-attachments/assets/7edf8cdf-156b-4933-b9dc-225e211bf2ec" />

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
miguelmartin-elastic pushed a commit that referenced this pull request Apr 6, 2026
Closes elastic#258318
Closes elastic#258319

## Summary

Adds logic to the alert episodes table to display `.alert_actions` information. This includes:

- New action-specific API paths.
- Snooze
  - **Per group hash.**
  - Button in the actions column opens a popover where an `until` can be picked.
  - **When snoozed**
    - A bell shows up in the status column.
    - Mouse over the bell icon to see until when the snooze is in effect.
- Unsnooze
  - **Per group hash.**
  - Clicking the button removes the snooze.
- Ack/Unack
  - **Per episode.**
  - Button in the actions column
  - When "acked", an icon shows in the status column.
- Tags
  - This PR only handles displaying tags. They need to be created via API.
- Resolve/Unresolve
  - **Per group hash.**
  - Button inside the ellipsis always
  - The status is turned to `inactive` **regardless of the "real" status.**

<img width="1704" height="672" alt="Screenshot 2026-03-25 at 16 04 12" src="https://github.com/user-attachments/assets/5ef4111a-6e0c-4114-a60e-ce5f81a86ac6" />

## Testing

<details>
<summary>POST mock episodes</summary>

```
POST _bulk
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:00:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-001", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:01:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-001", "status": "pending" }, "status": "no_data" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:02:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-001", "status": "inactive" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:03:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-001", "status": "inactive" }, "status": "no_data" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:04:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-001", "status": "inactive" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:05:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-001", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:06:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-001", "status": "active" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:07:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-2", "episode": { "id": "ep-002", "status": "active" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:08:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-2", "episode": { "id": "ep-002", "status": "active" }, "status": "no_data" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:09:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-2", "episode": { "id": "ep-002", "status": "recovering" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:10:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-2", "episode": { "id": "ep-002", "status": "recovering" }, "status": "no_data" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:11:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-2", "episode": { "id": "ep-002", "status": "active" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:12:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-2", "episode": { "id": "ep-002", "status": "recovering" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:13:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-2", "episode": { "id": "ep-002", "status": "inactive" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:14:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-003", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:15:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-1", "episode": { "id": "ep-003", "status": "inactive" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:16:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-4", "episode": { "id": "ep-004", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:17:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-4", "episode": { "id": "ep-004", "status": "active" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:18:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-4", "episode": { "id": "ep-004", "status": "recovering" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:19:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-4", "episode": { "id": "ep-004", "status": "inactive" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:20:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-5", "episode": { "id": "ep-005", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:21:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-5", "episode": { "id": "ep-005", "status": "pending" }, "status": "no_data" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:22:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-5", "episode": { "id": "ep-005", "status": "inactive" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:23:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-9", "episode": { "id": "ep-006", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:24:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-9", "episode": { "id": "ep-006", "status": "active" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:25:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-9", "episode": { "id": "ep-006", "status": "active" }, "status": "no_data" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:26:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-1" }, "group_hash": "gh-9", "episode": { "id": "ep-006", "status": "inactive" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:14:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-2" }, "group_hash": "gh-7", "episode": { "id": "ep-007", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:15:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-2" }, "group_hash": "gh-7", "episode": { "id": "ep-007", "status": "inactive" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:16:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-3" }, "group_hash": "gh-8", "episode": { "id": "ep-008", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:17:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-3" }, "group_hash": "gh-8", "episode": { "id": "ep-008", "status": "active" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:18:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-3" }, "group_hash": "gh-8", "episode": { "id": "ep-008", "status": "recovering" }, "status": "recovered" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:20:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-4" }, "group_hash": "gh-9", "episode": { "id": "ep-009", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:21:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-4" }, "group_hash": "gh-9", "episode": { "id": "ep-009", "status": "pending" }, "status": "no_data" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:23:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-5" }, "group_hash": "gh-10", "episode": { "id": "ep-010", "status": "pending" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:24:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-5" }, "group_hash": "gh-10", "episode": { "id": "ep-010", "status": "active" }, "status": "breached" }
{ "create": { "_index": ".rule-events" }}
{ "@timestamp": "2026-01-27T16:25:00.000Z", "source": "internal", "type": "alert", "rule": { "id": "rule-5" }, "group_hash": "gh-10", "episode": { "id": "ep-010", "status": "active" }, "status": "no_data" }
```

</details>

- In the POST above, episodes 1 and 3, and episodes 6 and 9 have the same group hashes.
- Go to `https://localhost:5601/app/observability/alerts-v2` and try all buttons.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
shahzad31 pushed a commit that referenced this pull request May 25, 2026
## Summary

Set `connect.timeout = 60s` on the undici `Agent` used by `KbnClientRequester` (https path only).

## Why

elastic#268531 migrated `KbnClient` from axios to native fetch but did not override undici's 10s `connect.timeout` default. Axios had no equivalent cutoff, so FTR callers talking to a busy local Kibana started failing once that PR landed. The `kibana-streams-performance` weekly pipeline went red in builds #9, #11, elastic#12, and elastic#13 with:

```
ConnectTimeoutError: Connect Timeout Error (attempted address: localhost:5620, timeout: 10000ms)
```

The `10000ms` is undici's default. Bisect: build #8 last green (2026-05-11) → #9 first red (2026-05-18), with elastic#268531 in the window.

## What changed

`src/platform/packages/shared/kbn-kbn-client/src/kbn_client/kbn_client_requester.ts`: one constant, one option on the https `Agent`. http branch unchanged.

## Related

Regression introduced in elastic#268531. Companion streams perf PR: elastic#270636.

## Validation

https://buildkite.com/elastic/kibana-streams-performance/builds/14
Allow group by for ip fields !!