[Security Solution][Attacks/Alerts][Setup and miscellaneous] Advanced setting to control feature visibility (#250157) #250830

Merged
e40pud merged 3 commits into elastic:main from e40pud:security/attack-alerts-alignment/250157-advanced-setting
Jan 30, 2026
@e40pud e40pud commented Jan 28, 2026

Summary

Closes #250157

Added a new Advanced Setting Enable alerts and attacks alignment (securitySolution:enableAlertsAndAttacksAlignment) to control the visibility of the new Attacks page and the alignment of Alerts page under the Detections navigation item.

Architecture and Feature Flags

This PR introduces a layered approach to feature visibility:

  1. Experimental Feature Flag (enableAlertsAndAttacksAlignment):

    • Defined in experimental_features.ts and configured via xpack.securitySolution.enableExperimental in kibana.yml.
    • Purpose: Controls the registration and visibility of the new Advanced Setting itself. If this flag is disabled, the Advanced Setting is not registered and cannot be seen or toggled by users.
  2. Advanced Setting (Enable alerts and attacks alignment):

    • Registered only when the experimental feature flag is enabled.
    • Purpose: Controls the actual feature visibility in the UI.
      • Enabled: The navigation structure changes to show a "Detections" item containing both "Alerts" and "Attacks" sub-items.
      • Disabled: The navigation shows the standard "Alerts" item only.

This replaces the previous implementation that relied on the attacksAlertsAlignment feature flag (via the featureFlags service) and the ATTACKS_ALERTS_ALIGNMENT_ENABLED constant, which have been removed.

Test plan

  1. Enable the enableAlertsAndAttacksAlignment experimental feature flag in kibana.dev.yml or kibana.yml:
    xpack.securitySolution.enableExperimental: ['enableAlertsAndAttacksAlignment']
  2. Navigate to Stack Management > Advanced Settings > Space Settings > Security Solution.
  3. Find the setting Enable alerts and attacks alignment.
  4. Enable the setting and save.
  5. Verify that the Detections navigation item now contains Attacks and Alerts sub-items.
  6. Disable the setting and save.
  7. Verify that the navigation shows the Alerts item directly, and the Attacks page is not visible (reverting to the standard navigation structure).

PR developed with Cursor + Gemini 3 Pro
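
The two gating layers described in the PR description above, modeled as an added TypeScript example that is not code from this PR or from Kibana. Every function and type name is hypothetical; the `false` default and the handling of a stored value for an unregistered setting are assumptions.

```typescript
// Added illustration: a simplified model of the two gating layers described in
// the PR. All types and function names here are hypothetical, not Kibana APIs.

const EXPERIMENTAL_FLAG = 'enableAlertsAndAttacksAlignment';
const SETTING_KEY = 'securitySolution:enableAlertsAndAttacksAlignment';

type SettingsRegistry = Map<string, { name: string; defaultValue: boolean }>;

// Layer 1: take the enableExperimental list from kibana.yml and register the
// Advanced Setting only when the experimental flag is present.
function registerSettings(enableExperimental: string[]): SettingsRegistry {
  const registry: SettingsRegistry = new Map();
  if (enableExperimental.includes(EXPERIMENTAL_FLAG)) {
    registry.set(SETTING_KEY, {
      name: 'Enable alerts and attacks alignment',
      defaultValue: false, // assumption: off until a user enables it
    });
  }
  return registry;
}

// Layer 2: resolve the effective value. Assumption: a stored value for a
// setting that is not registered is ignored, so the feature stays hidden.
function isAlignmentEnabled(registry: SettingsRegistry, stored: Record<string, unknown>): boolean {
  const definition = registry.get(SETTING_KEY);
  if (!definition) return false;
  const value = stored[SETTING_KEY];
  return typeof value === 'boolean' ? value : definition.defaultValue;
}

// Navigation as described in the PR: "Detections" with Alerts and Attacks
// sub-items when enabled, otherwise the standard "Alerts" item only.
type NavItem = { title: string; children?: string[] };

function buildNavigation(enabled: boolean): NavItem[] {
  return enabled
    ? [{ title: 'Detections', children: ['Alerts', 'Attacks'] }]
    : [{ title: 'Alerts' }];
}

// Both layers combined: config list + stored space settings -> navigation.
function navigationFor(enableExperimental: string[], stored: Record<string, unknown>): NavItem[] {
  return buildNavigation(isAlignmentEnabled(registerSettings(enableExperimental), stored));
}
```

The case worth checking in a real deployment is the third one in this model: a space that still has the setting stored as enabled after the experimental flag is removed from `kibana.yml`.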

@e40pud e40pud self-assigned this Jan 28, 2026
@e40pud e40pud added the release_note:skip Skip the PR/issue when compiling release notes label Jan 28, 2026
@e40pud e40pud requested a review from a team as a code owner January 28, 2026 22:21
@e40pud e40pud added the backport:skip This PR does not require backporting label Jan 28, 2026
@e40pud e40pud requested review from a team as code owners January 28, 2026 22:21
@e40pud e40pud added Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Threat Hunting Investigations Team labels Jan 28, 2026
@elasticmachine

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@elasticmachine

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 10.8MB | 10.8MB | -87.0B |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 171.8KB | 171.9KB | +18.0B |
| securitySolutionEss | 35.7KB | 35.7KB | -5.0B |
| securitySolutionServerless | 47.4KB | 47.4KB | -5.0B |
| total | | | +8.0B |

History

cc @e40pud

@e40pud e40pud merged commit 5f7fec5 into elastic:main Jan 30, 2026
16 checks passed
mbondyra added a commit to mbondyra/kibana that referenced this pull request Jan 30, 2026
…iew_cps

* commit '5f7fec57cb01883038810bd735a0666683b49904': (116 commits)
  [Security Solution][Attacks/Alerts][Setup and miscellaneous] Advanced setting to control feature visibility (elastic#250157) (elastic#250830)
  Fix synthtrace `fetch` usage (elastic#250950)
  [APM] Add Nodes and Edges components and selection logic (elastic#250937)
  [Docs] Update alerting-settings.md and add serverless value for one parameter (elastic#250842)
  [Agent Builder] filestore: initial implementation (elastic#250043)
  [CPS] Support CPS in Vega ESQL (elastic#250693)
  Adjustments to cascade document esql helpers (elastic#250560)
  [Security Solutions] Trial Companion - adds ai chat and elastic agent detectors (elastic#250908)
  [Obs Presentation] Code Scanning Alert Fixes (elastic#250858)
  [performance] add return and refresh render scenarios to dashboard journeys (elastic#250939)
  skip failing test suite (elastic#245458)
  Add Cloud Forwarder onboarding tile to O11y Solution (elastic#250325)
  [Traces] Remove APM unified trace waterall embeddable registration (elastic#250808)
  [Discover] [Metrics] Fix: metrics grid titles do not update on order change (elastic#250963)
  [a11y] Fix Eui modal title annoucment (elastic#250459)
  [Cloud Security] [Fleet] Add cloud connector access scope for input or package level credential definitions (elastic#250280)
  [WorkplaceAI] SharePoint Online stack connector (elastic#248737)
  [Response Ops][Task Manager] Update functions do not handle API key invalidation (elastic#249109)
  [Osquery] Remove @kbn/timelines-plugin dependency from osquery plugin (elastic#250055)
  [One Discover][Logs UX] Update OpenTelemetry Semantic Conventions (elastic#250346)
  ...
hannahbrooks pushed a commit to hannahbrooks/kibana that referenced this pull request Jan 30, 2026
… setting to control feature visibility (elastic#250157) (elastic#250830)

## Summary

Closes elastic#250157

Added a new Advanced Setting `Enable alerts and attacks alignment`
(`securitySolution:enableAlertsAndAttacksAlignment`) to control the
visibility of the new Attacks page and the alignment of Alerts page
under the Detections navigation item.

### Architecture and Feature Flags

This PR introduces a layered approach to feature visibility:

1.  **Experimental Feature Flag (`enableAlertsAndAttacksAlignment`)**:
    - Defined in `experimental_features.ts` and configured via
      `xpack.securitySolution.enableExperimental` in `kibana.yml`.
    - **Purpose**: Controls the _registration_ and visibility of the new
      Advanced Setting itself. If this flag is disabled, the Advanced Setting
      is not registered and cannot be seen or toggled by users.

2.  **Advanced Setting (`Enable alerts and attacks alignment`)**:
    - Registered only when the experimental feature flag is enabled.
    - **Purpose**: Controls the _actual feature visibility_ in the UI.
      - **Enabled**: The navigation structure changes to show a "Detections"
        item containing both "Alerts" and "Attacks" sub-items.
      - **Disabled**: The navigation shows the standard "Alerts" item only.

This replaces the previous implementation that relied on the
`attacksAlertsAlignment` feature flag (via the `featureFlags` service)
and the `ATTACKS_ALERTS_ALIGNMENT_ENABLED` constant, which have been
removed.

## Test plan

1. Enable the `enableAlertsAndAttacksAlignment` experimental feature
   flag in `kibana.dev.yml` or `kibana.yml`:
    ```yaml
    xpack.securitySolution.enableExperimental: ['enableAlertsAndAttacksAlignment']
    ```
2. Navigate to **Stack Management > Advanced Settings > Space Settings >
   Security Solution**.
3. Find the setting **Enable alerts and attacks alignment**.
4. Enable the setting and save.
5. Verify that the **Detections** navigation item now contains
   **Attacks** and **Alerts** sub-items.
6. Disable the setting and save.
7. Verify that the navigation shows the **Alerts** item directly, and
   the **Attacks** page is not visible (reverting to the standard
   navigation structure).

---

_PR developed with Cursor + Gemini 3 Pro_

Labels

backport:skip This PR does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Threat Hunting Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team v9.4.0
