[Cases] Auto-extract cases observables in add to case workflow #233027
Conversation
| } as const; | ||
| export const OBSERVABLE_TYPE_HOSTNAME = { | ||
| label: 'Host name', |
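Review bot: only the `label` of `OBSERVABLE_TYPE_HOSTNAME` changes in this hunk ('Hostname' to 'Host name'); as long as the type's key stays the same, observables already persisted with this type are unaffected, so the rename is safe, but any snapshot or i18n test that asserts on the old label will need updating in the same change.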
Updated label from Hostname to Host name. This should be fine, right? @lgestc
| alerts: { sync: casesConfiguration?.syncAlerts ?? false }, | ||
| observables: { | ||
| enabled: true, | ||
| autoExtract: false, |
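Review bot: `alerts.sync` is derived from `casesConfiguration?.syncAlerts ?? false`, but `observables.autoExtract` is hard-coded to `false` instead of following the same pattern (for example `casesConfiguration?.extractObservables ?? false`). If the literal is a deliberate kill switch until bulk actions work, add a one-line comment saying so and pointing at the follow-up PR, so nobody "fixes" it to read the configuration before bulk actions are ready.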
Use this flag to enable/disable auto extract observables in alerts table. Currently add to case from row action is working as expected, but bulk action isn't working yet and will be tackled in a separate PR.
Cloud deployment initiated, see credentials at: https://buildkite.com/elastic/kibana-deploy-cloud-from-pr/builds/416
| export const convertCaseToCamelCase = (theCase: Case): CaseUI => { | ||
| const { comments, ...restCase } = theCase; | ||
| const settings = restCase.settings; |
I understand why you would do this here, but I would actually create its own dedicated function for it rather than making the mutation a side effect of a separate function.
Technically, we shouldn't need this anymore with the backfill, but this is a safeguard?
Yeah, it was added pre-backfill. Removed and confirmed it's not breaking anything.
| history: History; | ||
| } | ||
| const features = { observables: { enabled: true, autoExtract: false } } as const; |
Suggestion. Create a case config file or similar in security that exports
`const observablesFeatureConfig = { observables: { enabled: true, autoExtract: false } } as const` and use it everywhere in security where you have to pass that config currently.
It looks like it's only 2 places. Here and `cases/pages/index.tsx`.
| featureId: CASES_FEATURE_ID, | ||
| owner: [APP_ID], | ||
| syncAlerts: true, | ||
| extractObservables: true, |
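Review bot: `extractObservables: true` turns auto-extraction on for cases created from the security alerts table, while the earlier alerts-table hunk hard-codes `autoExtract: false`; two switches for one feature in the same area will drift apart. Since the PR description says the feature ships disabled by default, keep this value `false` until the bulk-action follow-up lands, or derive both switches from a single shared config constant.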
Should this be set to false until the other alerts table PR is resolved?
…236028)

## Summary

This is part 1 of introducing auto-extract observables in cases. This PR adds mapping and default value of false to a new setting called `extractObservables`. Part 2 that introduces the actual feature is in elastic#233027

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...
| ); | ||
| }); | ||
| it('shows an info toast when the api call is successful and the maximum number of observables is reached', async () => { |
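Review bot: the test name covers the info toast when the maximum is reached, but the assertions should also pin down what was persisted in that situation: that exactly the capped number of observables was attached and the rest were dropped, rather than the whole request failing or a partial write slipping through unnoticed.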
👌🏾
| }, | ||
| }); | ||
| const res = flattenCaseSavedObject({ |
Future enhancement: we can return the observables that weren't added, so users can decide if they're important or not.
| observablesMap.set(key, { | ||
| ...observable, | ||
| id: v4(), | ||
| createdAt: new Date().toISOString(), |
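Review bot: `...observable` is spread before `id` and `createdAt`, so the generated values correctly win over anything carried in the extracted object; do compute `new Date().toISOString()` once outside the loop so every observable extracted from the same alert carries the same timestamp instead of a slightly different one per entry.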
Nit: can just run this once and use the same value for both.
michaelolo24 left a comment
Awesome work with this @christineweng 👏🏾 👏🏾 . Only had a few minor nits left, but nothing blocking.
💛 Build succeeded, but was flaky
## Summary

Dependency: #233027 to be merged first. This PR enables auto-extract toggle in alerts table when user adds alerts to a case. This applies to row actions and bulk actions.

To enable the feature in security update the [case configuration](https://github.com/elastic/kibana/blob/b37878b28188ba72f42f2d0fd1271024dc3a6fd9/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/index.tsx#L143) to `extractObservables: true,`

<img width="1490" height="730" alt="image" src="https://github.com/user-attachments/assets/1c31cfee-a086-490b-b2d8-69306eb3ae4c" />

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

---------

Co-authored-by: kibanamachine <[email protected]>
…ic#233027)

## Summary

This is part 2 of the auto-extract observables work. Dependency: elastic#236028 to be merged first.

This PR adds functionality to auto-extract case observables when attaching alerts to a case via alert flyout. This is enabled in security solution cases only. The toggle should not appear in Observability and Stack cases.

With platinum+ license, users in security can now:

- See a toggle to auto-extract observables when attaching alert to a case
- Configure the toggle in case templates
- Access the toggle in case view
- Access the default observables type to ecs mapping via the gear icon

This feature is disabled by default, to enable it, revert this commit efc88aa

Fixes elastic#234513

https://github.com/user-attachments/assets/d74eb7bc-feb7-4208-8f4c-a99495563609

#### Not in scope in this PR

- Adding toggle in alerts table (bulk actions and row actions)
- Observable actions in activity (X observables were extracted)
- Currently the case setting activity include both sync alert and auto-extract observables, they can be split into their own user actions
- When user toggle it on in case view, perform a look back and extract all the net new observables

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

---------

Co-authored-by: Michael Olorunnisola <[email protected]>
Co-authored-by: lgestc <[email protected]>
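The extraction step this PR describes (an observable type to ECS field mapping, de-duplication against what the case already holds, and a maximum number of observables after which the rest are dropped with an info toast), written out as an added example that is not Kibana's code. The `OBSERVABLE_TYPE_TO_ECS_FIELDS` mapping, the `extractObservables` function, its `ExtractionResult` shape and the sample alert are all assumptions, and it goes one step beyond the page by also returning the observables it had to skip, which a reviewer above suggested as a future enhancement.

```typescript
// Added example (not Kibana's code): auto-extract case observables from an alert
// document via an observable-type -> ECS field mapping, de-duplicate against
// observables already on the case, and enforce a maximum count.
// The mapping, function names and sample alert are assumptions.

type Alert = Record<string, unknown>;

// Assumed mapping: each observable type lists the ECS fields it is read from.
export const OBSERVABLE_TYPE_TO_ECS_FIELDS: Record<string, string[]> = {
  hostname: ['host.name'],
  ipv4: ['source.ip', 'destination.ip', 'host.ip'],
  'file.hash.sha256': ['file.hash.sha256'],
};

export interface ExtractedObservable {
  typeKey: string;
  value: string;
}

export interface ExtractionResult {
  added: ExtractedObservable[];   // attached to the case
  skipped: ExtractedObservable[]; // unique, but beyond the maximum
}

// Resolve a dotted ECS path against a flattened ("host.name") or nested ({host:{name}}) document.
function getField(alert: Alert, path: string): unknown {
  if (path in alert) return alert[path];
  return path.split('.').reduce<unknown>((cur, part) => {
    if (cur && typeof cur === 'object' && part in cur) {
      return (cur as Record<string, unknown>)[part];
    }
    return undefined;
  }, alert);
}

// Normalise a field value (scalar or array) into trimmed, non-empty strings.
function asStrings(v: unknown): string[] {
  if (v === undefined || v === null) return [];
  const arr: unknown[] = Array.isArray(v) ? v : [v];
  return arr.map((x) => String(x).trim()).filter((s) => s.length > 0);
}

// Extract observables, de-dupe on (type, value) and stop adding once the case is full.
export function extractObservables(
  alert: Alert,
  existing: ExtractedObservable[],
  maxObservables: number,
  mapping: Record<string, string[]> = OBSERVABLE_TYPE_TO_ECS_FIELDS,
): ExtractionResult {
  const keyOf = (o: ExtractedObservable) => `${o.typeKey}\u0000${o.value}`;
  const seen = new Set(existing.map(keyOf)); // what the case already holds
  const added: ExtractedObservable[] = [];
  const skipped: ExtractedObservable[] = [];
  let room = Math.max(0, maxObservables - existing.length);

  for (const [typeKey, fields] of Object.entries(mapping)) {
    for (const field of fields) {
      for (const value of asStrings(getField(alert, field))) {
        const candidate = { typeKey, value };
        const key = keyOf(candidate);
        if (seen.has(key)) continue; // already on the case or already extracted from this alert
        seen.add(key);
        if (room > 0) {
          added.push(candidate);
          room--;
        } else {
          skipped.push(candidate); // reported back instead of silently lost
        }
      }
    }
  }
  return { added, skipped };
}

// Constructed sample alert mixing flattened and nested ECS fields, with a
// duplicate IP across three fields and trailing whitespace on the host name.
export const SAMPLE_ALERT: Alert = {
  'host.name': 'WS-FIN-07 ',
  source: { ip: '10.20.30.40' },
  'destination.ip': ['203.0.113.9', '10.20.30.40'],
  'host.ip': ['10.20.30.40'],
  file: { hash: { sha256: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' } },
};

// Stand-alone run: the case already holds one IP and allows at most 3 observables.
export function demo(): ExtractionResult {
  const existing: ExtractedObservable[] = [{ typeKey: 'ipv4', value: '203.0.113.9' }];
  return extractObservables(SAMPLE_ALERT, existing, 3);
}
```

With the constructed alert, `demo()` adds the host name and the single de-duplicated IP, then reports the SHA-256 hash as skipped because the case is at its maximum; the caller can surface that list in the toast the test above refers to rather than dropping it silently.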