andrew-goldstein
Contributor

[Attack discovery] Enable the Attack discovery and Attack discovery schedules public API feature flag by default


This PR enables the feature flag for the [Attack discovery and Attack discovery schedules public APIs](elastic#236736) by default.

- The `securitySolution.attackDiscoveryPublicApiEnabled` feature flag now defaults to `true`; it may be overridden in `config/kibana.yml`:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryPublicApiEnabled: true
```

In addition to the above:

- The `compressed={true}` style is applied to the `EuiSuperDatePicker` in the `Attack discovery settings` and `Create new schedule` flyout
- The `GET` `/api/attack_discovery/generations` route now includes a default for the size parameter

### Desk testing

1) _Remove_ any references to the `securitySolution.attackDiscoveryPublicApiEnabled` flag in the `feature_flags.overrides` section of your local `config/kibana.dev.yml` or `config/kibana.yml`.

**Expected result**

- The feature flag is **NOT** present in `config/kibana.dev.yml` or `config/kibana.yml`

2) Navigate to Security > Attack discovery

3) Open the browser's dev tools, and click the Network tab

4) Filter the network tab by `_generate`

5) In the header of the Attack discovery page, click the `Run` button

**Expected result**

- A `POST` request is made to the public API route: `/api/attack_discovery/_generate`

6) In the header of the Attack discovery page, click the `Settings` button

**Expected results**

- The `Attack discovery settings` flyout appears
- The `Custom query` KQL bar and date picker appear to have the same height, as illustrated by the following screenshot:

![date_picker_after](https://github.com/user-attachments/assets/cd42cc51-b36f-43c2-ac93-cd680969bb12)

7) Click `Cancel` to close the `Attack discovery settings` flyout

8) In the header of the Attack discovery page, click the `Schedule` button

9) Click the `Create new schedule` button

**Expected results**

- The `Create new schedule` flyout appears
- The `Custom query` KQL bar and date picker appear to have the same height

10) Navigate to the Dev Tools > Console page

11) Execute the following query:

```sh
GET kbn:/api/attack_discovery/generations
```

**Expected result**

- The API returns previous generation results
- The API does NOT return an error

12) Disable the `securitySolution.attackDiscoveryPublicApiEnabled` feature flag in your local `config/kibana.dev.yml` or `config/kibana.yml`, like the following example:

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryPublicApiEnabled: false
```

13) **After Kibana server finishes restarting**, do a full page refresh of your browser

14) Navigate to Security > Attack discovery

15) Once again, in the header of the Attack discovery page, click the `Run` button

**Expected result**

- In the browser's dev tools, the network tab is still filtered by `_generate`
- A `POST` request is NOT made to the public API route: `/api/attack_discovery/_generate`

16) In the browser's dev tools, filter the network tab by `/internal/elastic_assistant/attack_discovery`

**Expected result**

- A `POST` request was made to `/internal/elastic_assistant/attack_discovery`

17) Once again, navigate to the Dev Tools > Console page

18) Execute the following query:

```sh
GET kbn:/api/attack_discovery/generations
```

**Expected result**

- The API returns an error indicating the public API is disabled

```json
{
  "message": "Attack discovery public API is disabled",
  "status_code": 403
}
```
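The desk-testing steps above check the gating of `GET /api/attack_discovery/generations` by hand in the Console. The following is an added example (not part of this PR or of Kibana) that performs the same check from the command line, so the flag state of several instances can be verified without a browser. It assumes basic-auth credentials, that an enabled API answers `200`, and that a disabled one answers with the `403` body shown in step 18.

```python
"""Classify the state of the Attack discovery public API on a Kibana instance.

Added example, not Kibana code. Assumptions: basic auth, HTTP 200 when the
public API is enabled, and the 403 body quoted in the PR when it is disabled.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

GENERATIONS_ROUTE = "/api/attack_discovery/generations"
DISABLED_MESSAGE = "Attack discovery public API is disabled"


def interpret(status: int, body: bytes) -> str:
    """Map an HTTP status and JSON body to 'enabled', 'disabled' or 'unexpected'."""
    try:
        payload = json.loads(body or b"{}")
    except ValueError:
        return "unexpected"  # non-JSON reply (proxy page, HTML error, ...)
    if not isinstance(payload, dict):
        payload = {}
    if status == 200:
        return "enabled"
    # Only the documented gate message counts as "disabled"; any other 403
    # (e.g. a privilege problem) is reported separately so it is not hidden.
    if status == 403 and payload.get("message") == DISABLED_MESSAGE:
        return "disabled"
    return "unexpected"


def check(base_url: str, user: str, password: str, timeout: float = 10.0) -> str:
    """GET the generations route with basic auth and return interpret()'s label."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + GENERATIONS_ROUTE,
        headers={"Authorization": f"Basic {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive here, body intact
        return interpret(err.code, err.read())


if __name__ == "__main__":
    # usage: python check_attack_discovery_api.py https://kibana.example:5601 user pass
    print(check(*sys.argv[1:4]))
```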
@andrew-goldstein andrew-goldstein self-assigned this Oct 14, 2025
@andrew-goldstein andrew-goldstein added the release_note:skip Skip the PR/issue when compiling release notes label Oct 14, 2025
@andrew-goldstein andrew-goldstein requested a review from a team as a code owner October 14, 2025 23:02
@andrew-goldstein andrew-goldstein added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Security Generative AI Security Generative AI backport:version Backport to applied version labels v9.2.0 v9.3.0 labels Oct 14, 2025
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

```tsx
>
<EuiSuperDatePicker
commonlyUsedRanges={commonlyUsedRanges}
compressed={true}
```
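Review bot: `compressed={true}` on the `<EuiSuperDatePicker` line can be written as the bare boolean prop `compressed`, the idiomatic JSX shorthand for a prop that is always true.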
Contributor Author


before:

date_picker_before

after:

date_picker_after

@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot requested a review from a team as a code owner October 14, 2025 23:28
@elasticmachine
Contributor

💚 Build Succeeded

Metrics

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 11.1MB | 11.1MB | +14.0B |

cc @andrew-goldstein
