Merge branch 'main' into flash1293/unskip-flaky-test

.github/CODEOWNERS

@@ -965,6 +965,7 @@ x-pack/solutions/search/plugins/search_playground @elastic/search-kibana
 x-pack/solutions/search/plugins/search_solution/search_navigation @elastic/search-kibana
 x-pack/solutions/search/plugins/search_synonyms @elastic/search-kibana
 x-pack/solutions/search/plugins/serverless_search @elastic/search-kibana
+x-pack/solutions/security/packages/connectors @elastic/security-threat-hunting-explore
 x-pack/solutions/security/packages/data_table @elastic/security-threat-hunting-investigations
 x-pack/solutions/security/packages/data-stream-adapter @elastic/security-threat-hunting
 x-pack/solutions/security/packages/distribution_bar @elastic/kibana-cloud-security-posture

examples/guided_onboarding_example/public/components/main.tsx

@@ -37,7 +37,6 @@ interface MainProps {
 }
 
 const exampleGuideIds: GuideId[] = [
-  'appSearch',
   'websiteSearch',
   'databaseSearch',
   'siem',

oas_docs/output/kibana.serverless.yaml

@@ -9721,6 +9721,8 @@ paths:
             schema:
               type: object
               properties:
+                enrichPolicyExecutionInterval:
+                  $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
                 entityTypes:
                   items:
                     $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
@@ -9840,6 +9842,8 @@ paths:
             schema:
               type: object
               properties:
+                enrichPolicyExecutionInterval:
+                  $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
                 fieldHistoryLength:
                   default: 10
                   description: The number of historical values to keep for each field.
@@ -50543,6 +50547,11 @@ components:
       required:
         - dsl
         - response
+    Security_Entity_Analytics_API_Interval:
+      description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour.
+      example: 1h
+      pattern: ^[1-9]\d*[smh]$
+      type: string
     Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse:
       type: object
       properties:

oas_docs/output/kibana.yaml

@@ -11892,6 +11892,8 @@ paths:
             schema:
               type: object
               properties:
+                enrichPolicyExecutionInterval:
+                  $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
                 entityTypes:
                   items:
                     $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
@@ -12007,6 +12009,8 @@ paths:
             schema:
               type: object
               properties:
+                enrichPolicyExecutionInterval:
+                  $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
                 fieldHistoryLength:
                   default: 10
                   description: The number of historical values to keep for each field.
@@ -57418,6 +57422,11 @@ components:
       required:
         - dsl
         - response
+    Security_Entity_Analytics_API_Interval:
+      description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour.
+      example: 1h
+      pattern: ^[1-9]\d*[smh]$
+      type: string
     Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse:
       type: object
       properties:

package.json

@@ -822,6 +822,7 @@
     "@kbn/security-plugin-types-public": "link:x-pack/platform/packages/shared/security/plugin_types_public",
     "@kbn/security-plugin-types-server": "link:x-pack/platform/packages/shared/security/plugin_types_server",
     "@kbn/security-role-management-model": "link:x-pack/platform/packages/private/security/role_management_model",
+    "@kbn/security-solution-connectors": "link:x-pack/solutions/security/packages/connectors",
     "@kbn/security-solution-distribution-bar": "link:x-pack/solutions/security/packages/distribution_bar",
     "@kbn/security-solution-ess": "link:x-pack/solutions/security/plugins/security_solution_ess",
     "@kbn/security-solution-features": "link:x-pack/solutions/security/packages/features",

src/platform/packages/shared/kbn-cases-components/src/status/config.ts

@@ -12,12 +12,12 @@ import { CaseStatuses } from './types';
 
 export const getStatusConfiguration = () => ({
   [CaseStatuses.open]: {
-    color: 'primary',
+    color: 'success',
     label: i18n.OPEN,
     icon: 'folderOpen' as const,
   },
   [CaseStatuses['in-progress']]: {
-    color: 'warning',
+    color: 'primary',
     label: i18n.IN_PROGRESS,
     icon: 'folderExclamation' as const,
   },

src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts

@@ -575,6 +575,9 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
         ? `${SERVERLESS_DOCS}observability-synthetics-get-started-project.html`
         : `${OBSERVABILITY_DOCS}synthetic-run-tests.html#synthetic-monitor-choose-project`,
       syntheticsMigrateFromIntegration: `${OBSERVABILITY_DOCS}synthetics-migrate-from-integration.html`,
+      slo: isServerless
+        ? `${SERVERLESS_DOCS}observability-slos.html`
+        : `${OBSERVABILITY_DOCS}slo.html`,
       sloBurnRateRule: isServerless
         ? `${SERVERLESS_DOCS}observability-create-slo-burn-rate-alert-rule.html`
         : `${OBSERVABILITY_DOCS}slo-burn-rate-alert.html`,

src/platform/packages/shared/kbn-doc-links/src/types.ts

@@ -390,6 +390,7 @@ export interface DocLinks {
     syntheticsCommandReference: string;
     syntheticsProjectMonitors: string;
     syntheticsMigrateFromIntegration: string;
+    slo: string;
     sloBurnRateRule: string;
     aiAssistant: string;
   }>;

src/platform/packages/shared/kbn-esql-ast/src/ast/helpers.ts

@@ -8,6 +8,7 @@
  */
 
 import type {
+  BinaryExpressionRenameOperator,
   BinaryExpressionWhereOperator,
   ESQLAstNode,
   ESQLBinaryExpression,
@@ -47,6 +48,11 @@ export const isWhereExpression = (
 ): node is ESQLBinaryExpression<BinaryExpressionWhereOperator> =>
   isBinaryExpression(node) && node.name === 'where';
 
+export const isAsExpression = (
+  node: unknown
+): node is ESQLBinaryExpression<BinaryExpressionRenameOperator> =>
+  isBinaryExpression(node) && node.name === 'as';
+
 export const isFieldExpression = (
   node: unknown
 ): node is ESQLBinaryExpression<BinaryExpressionWhereOperator> =>

src/platform/packages/shared/kbn-esql-ast/src/mutate/README.md

@@ -65,6 +65,10 @@ console.log(src); // FROM index METADATA _lang, _id
     - `.byIndex()` — Find a `STATS` command by index.
     - `.summarize()` — Summarize all `STATS` commands.
     - `.summarizeCommand()` — Summarize a specific `STATS` command.
+  - `.join`
+    - `.list()` — List all `JOIN` commands.
+    - `.byIndex()` — Find a `JOIN` command by index.
+    - `.summarize()` — Summarize all `JOIN` commands.
 
 
 ## Examples

src/platform/packages/shared/kbn-esql-ast/src/mutate/commands/index.ts

@@ -12,5 +12,6 @@ import * as limit from './limit';
 import * as sort from './sort';
 import * as stats from './stats';
 import * as where from './where';
+import * as join from './join';
 
-export { from, limit, sort, stats, where };
+export { from, limit, sort, stats, where, join };

src/platform/packages/shared/kbn-esql-ast/src/mutate/commands/join/index.test.ts

@@ -0,0 +1,166 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import * as commands from '..';
+import { EsqlQuery } from '../../../query';
+
+describe('commands.where', () => {
+  describe('.list()', () => {
+    it('lists all "JOIN" commands', () => {
+      const src =
+        'FROM index | LIMIT 1 | JOIN join_index1 ON join_field1 | WHERE b == 2 | JOIN join_index2 ON join_field2 | LIMIT 1';
+      const query = EsqlQuery.fromSrc(src);
+
+      const nodes = [...commands.join.list(query.ast)];
+
+      expect(nodes).toMatchObject([
+        {
+          type: 'command',
+          name: 'join',
+          args: [
+            {
+              type: 'identifier',
+              name: 'join_index1',
+            },
+            {},
+          ],
+        },
+        {
+          type: 'command',
+          name: 'join',
+          args: [
+            {
+              type: 'identifier',
+              name: 'join_index2',
+            },
+            {},
+          ],
+        },
+      ]);
+    });
+  });
+
+  describe('.byIndex()', () => {
+    it('retrieves the specific "WHERE" command by index', () => {
+      const src =
+        'FROM index | LIMIT 1 | JOIN join_index1 ON join_field1 | WHERE b == 2 | JOIN join_index2 ON join_field2 | LIMIT 1';
+      const query = EsqlQuery.fromSrc(src);
+
+      const node1 = commands.join.byIndex(query.ast, 1);
+      const node2 = commands.join.byIndex(query.ast, 0);
+
+      expect(node1).toMatchObject({
+        type: 'command',
+        name: 'join',
+        args: [
+          {
+            type: 'identifier',
+            name: 'join_index2',
+          },
+          {},
+        ],
+      });
+      expect(node2).toMatchObject({
+        type: 'command',
+        name: 'join',
+        args: [
+          {
+            type: 'identifier',
+            name: 'join_index1',
+          },
+          {},
+        ],
+      });
+    });
+  });
+
+  describe('.summarize', () => {
+    it('returns target index fields', () => {
+      const src =
+        'FROM index | LIMIT 1 | JOIN join_index1 ON join_field1 | WHERE b == 2 | JOIN join_index2 ON join_field2 | LIMIT 1';
+      const query = EsqlQuery.fromSrc(src);
+      const summary = commands.join.summarize(query.ast);
+
+      expect(summary).toMatchObject([
+        {
+          target: {
+            index: {
+              type: 'identifier',
+              name: 'join_index1',
+            },
+          },
+        },
+        {
+          target: {
+            index: {
+              type: 'identifier',
+              name: 'join_index2',
+            },
+          },
+        },
+      ]);
+    });
+
+    it('returns target aliases', () => {
+      const src =
+        'FROM index | LIMIT 1 | JOIN join_index1 AS a ON join_field1 | WHERE b == 2 | JOIN join_index2 AS b ON join_field2 | LIMIT 1';
+      const query = EsqlQuery.fromSrc(src);
+      const summary = commands.join.summarize(query.ast);
+
+      expect(summary).toMatchObject([
+        {
+          target: {
+            alias: {
+              type: 'identifier',
+              name: 'a',
+            },
+          },
+        },
+        {
+          target: {
+            alias: {
+              type: 'identifier',
+              name: 'b',
+            },
+          },
+        },
+      ]);
+    });
+
+    it('captures join conditions', () => {
+      const src =
+        'FROM index | LIMIT 1 | JOIN join_index1 AS a ON join_field1 | WHERE b == 2 | JOIN join_index2 AS b ON join_field2, join_field3 | LIMIT 1';
+      const query = EsqlQuery.fromSrc(src);
+      const summary = commands.join.summarize(query.ast);
+
+      expect(summary).toMatchObject([
+        {
+          conditions: [
+            {
+              type: 'column',
+              name: 'join_field1',
+            },
+          ],
+        },
+        {
+          conditions: [
+            {
+              type: 'column',
+              name: 'join_field2',
+            },
+            {
+              type: 'column',
+              name: 'join_field3',
+            },
+          ],
+        },
+      ]);
+    });
+  });
+});