
[8.19] [AI4DSOC] [Attack discovery] Enable the Attack discovery alerts and Attack discovery scheduling feature flags by default (#228327)#228677

Merged
delanni merged 1 commit into elastic:8.19 from kibanamachine:backport/8.19/pr-228327
Jul 21, 2025

Conversation

@kibanamachine
Contributor

…ttack discovery scheduling feature flags by default (elastic#228327)

## [AI4DSOC] [Attack discovery] Enable the _Attack discovery alerts_ and _Attack discovery scheduling_ feature flags by default

This PR programmatically enables (by default) the [Attack discovery alerts](elastic#218906) and [Attack discovery scheduling](elastic#217917) feature flags.

Together, these features enable:

- Persistence of Attack discoveries as alerts
- Scheduling Attack discoveries, with support for actions, and cases integration
- Open | Acknowledged | Closed workflow statuses for Attack discoveries
- A new UI for searching and sharing previously created Attack discoveries

This PR enables the feature flags by default, as illustrated by the following screenshot:

![attack_discovery_after](https://github.com/user-attachments/assets/b3ace302-d641-4fde-9848-a00603d7c46c)

_Above: Attack discovery alerts and scheduling are enabled by default_

When the feature flags are manually _disabled_, the Attack discovery page looks like the following screenshot:

![feature_flag_off](https://github.com/user-attachments/assets/bdc9e4c1-26be-4b01-83d0-2f0cef59c863)

_Above: The feature flags are manually disabled in the screenshot above_

### Desk testing

1) **Remove** any old feature flag entries that may be present in `config/kibana.dev.yml`, like the following example:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: false
  securitySolution.assistantAttackDiscoverySchedulingEnabled: false
```

2) Start a local development instance of Kibana

3) Navigate to Security > Attack discovery

**Expected result**

- The call to action buttons at the top of the page include the `Run` and `Schedule` buttons, as illustrated by the following animated gif:

![03_cta_tooltips](https://github.com/user-attachments/assets/f43b39dc-a184-43db-a812-16e97798186f)

- The layout of the page is similar to the following screenshot:

![attack_discovery_after](https://github.com/user-attachments/assets/b3ace302-d641-4fde-9848-a00603d7c46c)

4) Disable the feature flags by adding the following entries to `config/kibana.dev.yml`:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: false
  securitySolution.assistantAttackDiscoverySchedulingEnabled: false
```

5) Once again, navigate to Security > Attack discovery

**Expected results**

- The call to action button at the top of the page is `Generate`
- The `Schedule` call to action button does NOT appear
- The layout of the page is similar to the following screenshot:

![feature_flag_off](https://github.com/user-attachments/assets/bdc9e4c1-26be-4b01-83d0-2f0cef59c863)

(cherry picked from commit 90ed7a1)
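Step 1 of the desk test asks you to remove stale overrides before confirming the new defaults. As an added example (not code from the PR or from Kibana), this Python checker reports the effective state of the two flags for a given `config/kibana.dev.yml` text; it assumes Kibana treats the dotted layout shown in the PR and the equivalent nested layout of `feature_flags.overrides` the same way, and it parses only the `key: value` subset of YAML those entries use.

```python
from typing import Dict, List

# Flags named in elastic#228327; both default to True once the PR is applied.
ATTACK_DISCOVERY_FLAGS = {
    "securitySolution.attackDiscoveryAlertsEnabled": True,
    "securitySolution.assistantAttackDiscoverySchedulingEnabled": True,
}
OVERRIDE_PREFIX = "feature_flags.overrides."

# Constructed sample, mirroring the overrides the desk test says to remove.
SAMPLE_STALE_CONFIG = (
    "feature_flags.overrides:\n"
    "  securitySolution.attackDiscoveryAlertsEnabled: false\n"
    "  securitySolution.assistantAttackDiscoverySchedulingEnabled: false\n"
)


def flatten_yaml_subset(text: str) -> Dict[str, str]:
    """Flatten indented `key: value` mappings into dotted keys.
    Handles both `feature_flags.overrides:` and `feature_flags:` / `overrides:`
    layouts (assumed equivalent); lists and quoted scalars are out of scope."""
    flat: Dict[str, str] = {}
    stack: List[tuple] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave closed mappings
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip()
        else:
            stack.append((indent, key.strip()))  # opens a nested mapping
    return flat


def effective_flags(config_text: str) -> Dict[str, bool]:
    """Effective value per flag: the override if present, else the new default."""
    flat = flatten_yaml_subset(config_text)
    result = {}
    for flag, default in ATTACK_DISCOVERY_FLAGS.items():
        raw = flat.get(OVERRIDE_PREFIX + flag)
        result[flag] = default if raw is None else raw.lower() == "true"
    return result


def stale_overrides(config_text: str) -> List[str]:
    """Flags still forced off, i.e. entries desk-test step 1 says to remove."""
    return sorted(f for f, on in effective_flags(config_text).items() if not on)
```

Run `stale_overrides(open("config/kibana.dev.yml").read())` before step 2; an empty list means the page should show the `Run` and `Schedule` buttons.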
@kibanamachine kibanamachine added the `backport` label (This PR is a backport of another PR) Jul 18, 2025
@kibanamachine kibanamachine enabled auto-merge (squash) July 18, 2025 20:58
@andrew-goldstein
Contributor

/ci

1 similar comment
@andrew-goldstein
Contributor

/ci

@andrew-goldstein
Contributor

@elasticmachine merge upstream

@elasticmachine
Contributor

There are no new commits on the base branch.

@andrew-goldstein
Contributor

/ci

@andrew-goldstein
Contributor

@elasticmachine merge upstream

@elasticmachine
Contributor

There are no new commits on the base branch.

@andrew-goldstein
Contributor

/ci

@delanni delanni disabled auto-merge July 21, 2025 13:39
@delanni delanni merged commit 80063e0 into elastic:8.19 Jul 21, 2025
9 of 11 checks passed
@andrew-goldstein
Contributor

This backport was admin merged, per the details in https://elastic.slack.com/archives/C5UDAFZQU/p1753103271596779

@elasticmachine
Contributor

elasticmachine commented Jul 21, 2025

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Jest Integration Tests #1 / Task priority checks detects tasks with priority definitions
  • [job] [logs] Jest Integration Tests #1 / Task priority checks detects tasks with priority definitions

The CI Stats report is too large to be displayed here, check out the CI build annotation for this information.

cc @andrew-goldstein
