
[8.14] [Security Solution] - Security solution ES|QL configurable via advanced setting (#181616) #182430

Closed


kibanamachine
Contributor

Backport

This will backport the following commits from main to 8.14:

Questions?

Please refer to the Backport tool documentation

…ed setting (elastic#181616)

## Summary

This PR links the ESQL functionality in security solution to the
`discover:enableESQL` advanced setting. The advanced setting will only
be present in ESS, but not serverless.

The way this should work to maintain parity with the rest of Kibana such
as discover and stack rules:

- By default ES|QL will be enabled across all Kibana
- When the ES|QL advanced setting is disabled:
  - Timeline
    - ES|QL tab should not be accessible on any newly created timelines
    - Existing Timelines with an ES|QL query should still have the tab accessible
  - Rules
    - New ES|QL rule should not be available to be created in the *Rule Creation* workflow
    - Existing ES|QL rules should still run and be able to be edited

**Timeline Demo Video:**

https://github.com/elastic/kibana/assets/17211684/d5429be9-de37-43e2-882d-687b3371beb4

**Rules Demo Video:**

https://github.com/elastic/kibana/assets/17211684/7df2fd11-bd2b-4e50-ad97-b6e1d0f7867a

---------

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 963391e)
@michaelolo24
Contributor

@elasticmachine merge upstream

@michaelolo24
Contributor

@elasticmachine merge upstream

@michaelolo24
Contributor

@elasticmachine merge upstream

auto-merge was automatically disabled May 2, 2024 20:05

Pull request was closed

@kibana-ci
Collaborator

kibana-ci commented May 2, 2024

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Serverless Detection Engine - Exceptions - Security Solution Cypress Tests #2 / Add exception using data views from rule details "before each" hook for "Creates an exception item and close all matching alerts" "before each" hook for "Creates an exception item and close all matching alerts"
  • [job] [logs] Serverless Detection Engine - Exceptions - Security Solution Cypress Tests #2 / Add multiple conditions and validate the generated exceptions Use multipe AND conditions and validate it generates one exception Use multipe AND conditions and validate it generates one exception
  • [job] [logs] Serverless Detection Engine - Exceptions - Security Solution Cypress Tests #2 / Add multiple conditions and validate the generated exceptions Use multipe OR conditions and validate it generates multiple exceptions Use multipe OR conditions and validate it generates multiple exceptions
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #8 / Agent Policy Settings - Complete Agent Tamper Protection is available with no upselling component present "before all" hook for "should display upselling section for protections" "before all" hook for "should display upselling section for protections"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #9 / Agent Policy Settings - Essentials Agent Tamper Protection is unavailable with upselling component present "before all" hook for "should display upselling section for protections" "before all" hook for "should display upselling section for protections"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #6 / Agent policy settings API operations on Complete Agent tamper protections "before all" hook for "allow enabling the feature" "before all" hook for "allow enabling the feature"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #7 / Agent policy settings API operations on Essentials Agent tamper protections "before all" hook for "throw error when trying to update agent policy settings" "before all" hook for "throw error when trying to update agent policy settings"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #2 / App Features for Security Complete PLI Endpoint Operations Analyst "before all" hook for "should allow access to Endpoint list page" "before all" hook for "should allow access to Endpoint list page"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #3 / App Features for Security Complete PLI with Endpoint Complete Addon Endpoint Operations Analyst "before all" hook for "should allow access to Endpoint list page" "before all" hook for "should allow access to Endpoint list page"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #4 / App Features for Security Essential PLI Endpoint Operations Analyst "before all" hook for "should allow access to Endpoint list page" "before all" hook for "should allow access to Endpoint list page"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #5 / App Features for Security Essentials PLI with Endpoint Essentials Addon Endpoint Operations Analyst "before all" hook for "should allow access to Endpoint list page" "before all" hook for "should allow access to Endpoint list page"
  • [job] [logs] Defend Workflows Cypress Tests #3 / Artifact tabs in Policy Details page Trusted applications tab "before all" hook for "[NONE] User cannot see the tab for Trusted applications" "before all" hook for "[NONE] User cannot see the tab for Trusted applications"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #2 / Artifact tabs in Policy Details page Trusted applications tab Given there are no Trusted applications entries "before all" hook for "[ALL] User can add Trusted applications artifact" "before all" hook for "[ALL] User can add Trusted applications artifact"
  • [job] [logs] Defend Workflows Cypress Tests #4 / Artifacts pages When on the Trusted applications entries list "before all" hook for "no access - should show no privileges callout" "before all" hook for "no access - should show no privileges callout"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #3 / Artifacts pages When on the Trusted applications entries list "before all" hook for "no access - should show no privileges callout" "before all" hook for "no access - should show no privileges callout"
  • [job] [logs] Defend Workflows Cypress Tests #5 / Automated Response Actions From alerts "before all" hook for "should have generated endpoint and rule" "before all" hook for "should have generated endpoint and rule"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #4 / Automated Response Actions From alerts "before all" hook for "should have generated endpoint and rule" "before all" hook for "should have generated endpoint and rule"
  • [job] [logs] FTR Configs #48 / Cloud Security Posture Findings Page - Alerts Rule details The rule page contains the expected matching data
  • [job] [logs] Defend Workflows Cypress Tests #14 / Document signing: "before all" hook for "should fail if data tampered" "before all" hook for "should fail if data tampered"
  • [job] [logs] FTR Configs #52 / endpoint Endpoint Exceptions "before all" hook for "should add event.module=endpoint to entry if only wildcard operator is present"
  • [job] [logs] FTR Configs #90 / endpoint Endpoint Exceptions "before all" hook for "should add event.module=endpoint to entry if only wildcard operator is present"
  • [job] [logs] Defend Workflows Cypress Tests #1 / Endpoint generated alerts "before all" hook for "should create a Detection Engine alert from an endpoint alert" "before all" hook for "should create a Detection Engine alert from an endpoint alert"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #1 / Endpoint generated alerts "before all" hook for "should create a Detection Engine alert from an endpoint alert" "before all" hook for "should create a Detection Engine alert from an endpoint alert"
  • [job] [logs] Defend Workflows Cypress Tests #10 / Endpoints page "before all" hook for "Loads the endpoints page" "before all" hook for "Loads the endpoints page"
  • [job] [logs] Defend Workflows Cypress Tests #6 / Form User with no access can not create an endpoint response action "before all" hook for "no endpoint response action option during rule creation" "before all" hook for "no endpoint response action option during rule creation"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #5 / Form User with no access can not create an endpoint response action "before all" hook for "no endpoint response action option during rule creation" "before all" hook for "no endpoint response action option during rule creation"
  • [job] [logs] Defend Workflows Cypress Tests #16 / Isolate command from Manage "before all" hook for "should allow filtering endpoint by Isolated status" "before all" hook for "should allow filtering endpoint by Isolated status"
  • [job] [logs] Defend Workflows Cypress Tests #8 / No License User cannot use endpoint action in form "before all" hook for "response actions are disabled" "before all" hook for "response actions are disabled"
  • [job] [logs] Defend Workflows Cypress Tests #11 / Policy Details Protection updates Renders and saves protection updates "before all" hook for "should render the protection updates tab content" "before all" hook for "should render the protection updates tab content"
  • [job] [logs] Defend Workflows Cypress Tests #12 / Policy List Renders policy list with outdated policies "before all" hook for "should render the policy list" "before all" hook for "should render the policy list"
  • [job] [logs] Defend Workflows Cypress Tests #7 / Response actions history page "before all" hook for "enable filtering by type" "before all" hook for "enable filtering by type"
  • [job] [logs] Defend Workflows Cypress Tests #18 / Response actions history page "before all" hook for "retains expanded action details on page reload" "before all" hook for "retains expanded action details on page reload"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #8 / Response actions history page "before all" hook for "retains expanded action details on page reload" "before all" hook for "retains expanded action details on page reload"
  • [job] [logs] Defend Workflows Cypress Tests #4 / Response console execute command "before all" hook for "should execute a command from response console" "before all" hook for "should execute a command from response console"
  • [job] [logs] Defend Workflows Cypress Tests #5 / Response console get-file command "before all" hook for "should get file from response console" "before all" hook for "should get file from response console"
  • [job] [logs] Defend Workflows Cypress Tests #6 / Response console isolate command "before all" hook for "should isolate host from response console" "before all" hook for "should isolate host from response console"
  • [job] [logs] Defend Workflows Cypress Tests #7 / Response console kill-process command "before all" hook for "should kill process from response console" "before all" hook for "should kill process from response console"
  • [job] [logs] Defend Workflows Cypress Tests #8 / Response console processes command "before all" hook for "should return processes from response console" "before all" hook for "should return processes from response console"
  • [job] [logs] Defend Workflows Cypress Tests #9 / Response console release command "before all" hook for "should release host from response console" "before all" hook for "should release host from response console"
  • [job] [logs] Defend Workflows Cypress Tests #10 / Response console suspend-process command "before all" hook for "should suspend process from response console" "before all" hook for "should suspend process from response console"
  • [job] [logs] Defend Workflows Cypress Tests #19 / Response console Execute operations: "before all" hook for ""execute --command" - should execute a command" "before all" hook for ""execute --command" - should execute a command"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #11 / Response console Execute operations: "before all" hook for ""execute --command" - should execute a command" "before all" hook for ""execute --command" - should execute a command"
  • [job] [logs] Defend Workflows Cypress Tests #20 / Response console File operations: "before all" hook for ""get-file --path" - should retrieve a file" "before all" hook for ""get-file --path" - should retrieve a file"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #12 / Response console File operations: "before all" hook for ""get-file --path" - should retrieve a file" "before all" hook for ""get-file --path" - should retrieve a file"
  • [job] [logs] Defend Workflows Cypress Tests #15 / Response console From endpoint list "before all" hook for "should open responder" "before all" hook for "should open responder"
  • [job] [logs] Defend Workflows Cypress Tests #1 / Response console Host Isolation: "before all" hook for "should isolate a host from response console" "before all" hook for "should isolate a host from response console"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #13 / Response console Host Isolation: "before all" hook for "should isolate a host from response console" "before all" hook for "should isolate a host from response console"
  • [job] [logs] Defend Workflows Cypress Tests #3 / Response console Host Isolation: "before all" hook for "should release an isolated host via response console" "before all" hook for "should release an isolated host via response console"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #1 / Response console Host Isolation: "before all" hook for "should release an isolated host via response console" "before all" hook for "should release an isolated host via response console"
  • [job] [logs] Defend Workflows Cypress Tests #2 / Response console Processes operations: "before all" hook for ""processes" - should obtain a list of processes" "before all" hook for ""processes" - should obtain a list of processes"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #14 / Response console Processes operations: "before all" hook for ""processes" - should obtain a list of processes" "before all" hook for ""processes" - should obtain a list of processes"
  • [job] [logs] Defend Workflows Cypress Tests #13 / Response console: From Alerts "before all" hook for "should open responder from alert details flyout" "before all" hook for "should open responder from alert details flyout"
  • [job] [logs] Defend Workflows Cypress Tests #9 / Results see results when has RBAC "before all" hook for "see endpoint action" "before all" hook for "see endpoint action"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #6 / Results see results when has RBAC "before all" hook for "see endpoint action" "before all" hook for "see endpoint action"
  • [job] [logs] FTR Configs #59 / Screenshots - serverless security UI response ops docs security cases list view case settings screenshot
  • [job] [logs] FTR Configs #4 / serverless security UI navigation breadcrumbs reflect navigation state
  • [job] [logs] Defend Workflows Cypress Tests #17 / Unenroll agent from fleet changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before all" hook for "should unenroll from fleet without issues" "before all" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #16 / Unenroll agent from fleet changing when agent tamper protection is enabled but then is switched to a policy with it disabled "before all" hook for "should unenroll from fleet without issues" "before all" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #15 / Unenroll agent from fleet when agent tamper protection is disabled but then is switched to a policy with it enabled "before all" hook for "should unenroll from fleet without issues" "before all" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #13 / Unenroll agent from fleet when agent tamper protection is enabled "before all" hook for "should unenroll from fleet without issues" "before all" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #11 / Unenroll agent from fleet with agent tamper protection is disabled "before all" hook for "should unenroll from fleet without issues" "before all" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #18 / Uninstall agent from host changing agent policy when agent tamper protection is disabled but then is switched to a policy with it enabled "before all" hook for "should uninstall from host without issues" "before all" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #20 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before all" hook for "should uninstall from host without issues" "before all" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #19 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it disabled "before all" hook for "should uninstall from host without issues" "before all" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #12 / Uninstall agent from host when agent tamper protection is disabled "before all" hook for "should uninstall from host without issues" "before all" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #14 / Uninstall agent from host when agent tamper protection is enabled "before all" hook for "should uninstall from host with the uninstall token" "before all" hook for "should uninstall from host with the uninstall token"
  • [job] [logs] Defend Workflows Cypress Tests #17 / When accessing Endpoint Response Console from Cases "before all" hook for "should display responder option in take action menu" "before all" hook for "should display responder option in take action menu"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #7 / When accessing Endpoint Response Console from Cases "before all" hook for "should display responder option in take action menu" "before all" hook for "should display responder option in take action menu"
  • [job] [logs] Defend Workflows Cypress Tests #2 / When defining a kibana role for Endpoint security access "before all" hook for "should display RBAC entries with expected controls" "before all" hook for "should display RBAC entries with expected controls"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #11 / When displaying the Policy Details in Endpoint Essentials PLI "before all" hook for "should display upselling section for protection updates" "before all" hook for "should display upselling section for protection updates"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #10 / When displaying the Policy Details in Endpoint Essentials PLI "before all" hook for "should display upselling section for protection updates" "before all" hook for "should display upselling section for protection updates"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #10 / When displaying the Policy Details in Security Essentials PLI "before all" hook for "should display upselling section for protections" "before all" hook for "should display upselling section for protections"
  • [job] [logs] Defend Workflows Cypress Tests on Serverless #9 / When on the Endpoint List in Security Essentials PLI and Isolated hosts exist "before all" hook for "should display release options in host row actions" "before all" hook for "should display release options in host row actions"
  • [job] [logs] FTR Configs #42 / X-Pack Accessibility Tests - Group 3 Security Solution Accessibility Detections Create Rule Flow Custom Query Rule Define Step default view meets a11y requirements

Metrics [docs]

Module Count

Fewer modules lead to a faster build time.

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 5455 | 5454 | -1 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app.

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 13.6MB | 13.6MB | +2.6KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb.

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 82.2KB | 82.2KB | -15.0B |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @michaelolo24

3 participants