[AI4DSOC] [Attack discovery] Enable the Attack discovery alerts and Attack discovery scheduling feature flags by default #228327
Merged
andrew-goldstein merged 9 commits into elastic:main, Jul 18, 2025
Conversation
Contributor
Pinging @elastic/security-solution (Team: SecuritySolution)
4eaf3a5 to bf3873d
Contributor (Author)
Files by Code Owner: elastic/kibana-presentation, elastic/response-ops
21a4377 to 41861c6
nreese approved these changes, Jul 17, 2025
Contributor nreese left a comment:
kibana-presentation changes to functional test expects - LGTM
code review only
…and _Attack discovery scheduling_ feature flags by default

This PR programmatically enables (by default) the [Attack discovery alerts](elastic#218906) and [Attack discovery scheduling](elastic#217917) feature flags.

Together, these features enable:

- Persistence of Attack discoveries as alerts
- Scheduling Attack discoveries, with support for actions, and cases integration
- Open | Acknowledged | Closed workflow statuses for Attack discoveries
- A new UI for searching and sharing previously created Attack discoveries

This PR enables the feature flags by default, as illustrated by the following screenshot:

_Above: Attack discovery alerts and scheduling are enabled by default_

When the feature flags are manually _disabled_, the Attack discovery page looks like the following screenshot:

_Above: The feature flags are manually disabled in the screenshot above_

### Desk testing

1) **Remove** any old feature flag entries that may be present in `config/kibana.dev.yml`, like the following example:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: false
  securitySolution.assistantAttackDiscoverySchedulingEnabled: false
```

2) Start a local development instance of Kibana

3) Navigate to Security > Attack discovery

**Expected result**

- The call to action buttons at the top of the page include the `Run` and `Schedule` buttons, as illustrated by the following animated gif:
- The layout of the page is similar to the following screenshot:

4) Disable the feature flags by adding the following entries to `config/kibana.dev.yml`:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: false
  securitySolution.assistantAttackDiscoverySchedulingEnabled: false
```

5) Once again, navigate to Security > Attack discovery

**Expected results**

- The call to action button at the top of the page is `Generate`
- The `Schedule` call to action button does NOT appear
- The layout of the page is similar to the following screenshot:
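Desk-testing step 1 matters after an upgrade: an override left behind in `kibana.dev.yml` (or `kibana.yml`) from the opt-in era silently turns the now-default-on features back off. The following is an added example, not Kibana's code and not part of the PR: a small audit that reads the `feature_flags.overrides` block of a config, merges it with the defaults this PR establishes, and reports flags forced off, overrides that merely restate the default, and overrides for flags it does not know. Assumptions not taken from the page: the defaults table contains only the two flags named in the PR's YAML with `true` as their post-PR default; Kibana accepts the setting both as a nested mapping and as a fully dotted key; `somePlugin.hypotheticalFlag` is a made-up name; the config text is constructed for the example.

```typescript
// Added example (not Kibana code): audit `feature_flags.overrides` against the
// defaults this PR establishes. Assumption: only the two flags below are tracked,
// and `true` is their default after this change.
type FlagValue = boolean | string;

interface FlagReport {
  name: string;
  default: boolean;
  effective: FlagValue;
  source: 'default' | 'override';
}

interface Audit {
  flags: FlagReport[];
  disabledByOverride: string[]; // default-on flags forced off by config
  redundantOverrides: string[]; // overrides equal to the default; safe to delete
  unknownOverrides: string[]; // overrides naming flags not in the defaults table
}

const DEFAULT_FLAGS: Record<string, boolean> = {
  'securitySolution.attackDiscoveryAlertsEnabled': true,
  'securitySolution.assistantAttackDiscoverySchedulingEnabled': true,
};

const OVERRIDES_KEY = 'feature_flags.overrides';

// One YAML scalar as written on the line; only true/false become booleans.
function parseScalar(raw: string): FlagValue {
  const v = raw.trim().replace(/^["']|["']$/g, '');
  return v === 'true' ? true : v === 'false' ? false : v;
}

// Reads only the subset of YAML these configs use for overrides: a
// `feature_flags.overrides:` mapping with indented children, or dotted keys
// such as `feature_flags.overrides.<flag>: <value>`. Not a general YAML parser.
function parseOverrides(yamlText: string): Record<string, FlagValue> {
  const overrides: Record<string, FlagValue> = {};
  let inBlock = false;
  let blockIndent = 0;

  for (const rawLine of yamlText.split(/\r?\n/)) {
    const line = rawLine.replace(/\s+#.*$/, '').replace(/\s+$/, ''); // drop trailing comments
    if (line.trim() === '' || line.trim().startsWith('#')) continue;
    const indent = line.length - line.replace(/^\s+/, '').length;
    const sep = line.indexOf(':');
    if (sep < 0) continue;
    const key = line.slice(0, sep).trim();
    const value = line.slice(sep + 1);

    if (inBlock && indent <= blockIndent) inBlock = false; // the mapping ended
    if (inBlock) {
      overrides[key] = parseScalar(value);
    } else if (key === OVERRIDES_KEY && value.trim() === '') {
      inBlock = true;
      blockIndent = indent;
    } else if (key.startsWith(OVERRIDES_KEY + '.')) {
      overrides[key.slice(OVERRIDES_KEY.length + 1)] = parseScalar(value);
    }
  }
  return overrides;
}

function auditFlags(yamlText: string, defaults: Record<string, boolean> = DEFAULT_FLAGS): Audit {
  const overrides = parseOverrides(yamlText);
  const flags: FlagReport[] = Object.keys(defaults).map((name) => {
    const def = defaults[name];
    const overridden = Object.prototype.hasOwnProperty.call(overrides, name);
    const source: 'default' | 'override' = overridden ? 'override' : 'default';
    return { name, default: def, effective: overridden ? overrides[name] : def, source };
  });
  return {
    flags,
    disabledByOverride: flags
      .filter((f) => f.source === 'override' && f.default === true && f.effective === false)
      .map((f) => f.name),
    redundantOverrides: flags.filter((f) => f.source === 'override' && f.effective === f.default).map((f) => f.name),
    unknownOverrides: Object.keys(overrides).filter((k) => !(k in defaults)),
  };
}

// Constructed sample: a kibana.dev.yml still carrying the pre-PR overrides that
// desk-testing step 1 says to remove, plus a hypothetical unrelated flag.
const SAMPLE_STALE_CONFIG = `
server.port: 5601
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: false   # stale opt-in era entry
  securitySolution.assistantAttackDiscoverySchedulingEnabled: false
  somePlugin.hypotheticalFlag: true
elasticsearch.hosts: ["http://localhost:9200"]
`;

// Constructed sample: dotted spelling that only restates the new default.
const SAMPLE_DOTTED_CONFIG = `
feature_flags.overrides.securitySolution.attackDiscoveryAlertsEnabled: true
`;

function formatAudit(a: Audit): string {
  return a.flags.map((f) => `${f.name}=${String(f.effective)} (${f.source})`).join('\n');
}

console.log(formatAudit(auditFlags(SAMPLE_STALE_CONFIG)));
console.log('forced off:', auditFlags(SAMPLE_STALE_CONFIG).disabledByOverride.join(', '));
```

Run it against a real config by replacing the constructed string with the file contents; anything listed under `disabledByOverride` is exactly the state the PR's "manually disabled" screenshot describes, while `redundantOverrides` entries can be deleted without changing behaviour.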
…flags service with the correct attributes
…rule types list up to date
…uld return the correct telemetry values for map saved objects
…hould list all registered rule types
…with priority definitions
…es should check changes on all registered task types
…y.ts to fix FTR Configs elastic#116 / Maps endpoints apis maps_telemetry should return the correct telemetry values for map saved objects
13e169f to 9740a39
Contributor
💛 Build succeeded, but was flaky
Failed CI Steps / Metrics [docs] / History
pmuellr approved these changes, Jul 18, 2025
Contributor pmuellr left a comment:
ResponseOps changes LGTM
Contributor
Starting backport for target branches: 8.19, 9.1
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request, Jul 18, 2025
(commit message repeats the PR description; cherry picked from commit 90ed7a1)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request, Jul 18, 2025
(commit message repeats the PR description; cherry picked from commit 90ed7a1)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
kibanamachine added a commit that referenced this pull request, Jul 18, 2025

… and Attack discovery scheduling feature flags by default (#228327) (#228678)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[AI4DSOC] [Attack discovery] Enable the Attack discovery alerts and Attack discovery scheduling feature flags by default (#228327)](#228327)

Backport version: 9.6.6

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Backport metadata (from the tool's machine-readable comment): source commit 90ed7a1f6d6330222d681773f722d4dea2f485e8 by Andrew Macri, committed 2025-07-18T20:51:39Z; source PR labels release_note:skip, Team: SecuritySolution, Team:Security Generative AI, backport:version, v9.1.0, v8.19.0, v9.2.0; suggested target branches 9.1 and 8.19. The embedded commit message repeats the PR description.

Co-authored-by: Andrew Macri <andrew.macri@elastic.co>
delanni pushed a commit that referenced this pull request, Jul 21, 2025

…s and Attack discovery scheduling feature flags by default (#228327) (#228677)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[AI4DSOC] [Attack discovery] Enable the Attack discovery alerts and Attack discovery scheduling feature flags by default (#228327)](#228327)

Backport version: 9.6.6

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Backport metadata (from the tool's machine-readable comment): source commit 90ed7a1f6d6330222d681773f722d4dea2f485e8 by Andrew Macri, committed 2025-07-18T20:51:39Z; source PR labels release_note:skip, Team: SecuritySolution, Team:Security Generative AI, backport:version, v9.1.0, v8.19.0, v9.2.0; suggested target branches 9.1 and 8.19. The embedded commit message repeats the PR description.

Co-authored-by: Andrew Macri <andrew.macri@elastic.co>
Bluefinger pushed a commit to Bluefinger/kibana that referenced this pull request, Jul 22, 2025
(commit message repeats the PR description)
kertal pushed a commit to kertal/kibana that referenced this pull request, Jul 25, 2025
(commit message repeats the PR description)
crespocarlos pushed a commit to crespocarlos/kibana that referenced this pull request, Jul 25, 2025
(commit message repeats the PR description)