[Cases] Enable auto-extract observables in alerts table #235433
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
christineweng added backport:skip 6 tasks
christineweng force-pushed the cases-extract-observables-in-alert-table branch from e50319f to ced2f44 Compare christineweng force-pushed the cases-extract-observables-in-alert-table branch 2 times, most recently from 2217a04 to 760557f Compare 10 tasks
christineweng force-pushed the cases-extract-observables-in-alert-table branch 3 times, most recently from 6bc1dfb to 0a8b410 Compare 
michaelolo24 force-pushed the cases-extract-observables-in-alert-table branch from ab6391b to 2f88eea Compare 
Contributor
| Pinging @elastic/kibana-cases (Team:Cases) |
PhilippeOberti approved these changes Sep 30, 2025
Contributor
PhilippeOberti left a comment
PhilippeOberti left a comment There was a problem hiding this comment.
Code review only for the files impacting the @elastic/security-threat-hunting-investigations team.
This code really motivates me to cleanup those ecsData and all objects. We're manipulating these so many times over and over again, we need to find a more performant approach. I know it's a huge effort and will impact so many places within Security Solution...
One day! 😆
janmonschke approved these changes Sep 30, 2025
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
|
umbopepato reviewed Oct 1, 2025
| ): TimelineItem[] => { | ||
| return Array.from(rowSelection.keys()).map((rowIndex: number) => { | ||
| const alert = alerts[rowIndex]; | ||
| const data = Object.entries(alert).map(([key, value]) => ({ |
Member
There was a problem hiding this comment.
nit: how about adding the fallback values for the well known fields here instead of iterating on the fields array each time?
Suggested change
| const data = Object.entries(alert).map(([key, value]) => ({ | |
| const data = Object.entries({ | |
| [ALERT_CASE_IDS]: [], | |
| [ALERT_WORKFLOW_TAGS]: [], | |
| [ALERT_WORKFLOW_ASSIGNEE_IDS]: [], | |
| ...alert, | |
| }).map(([key, value]) => ({ |
Contributor
There was a problem hiding this comment.
Apologies, missed this comment before I merged. Made a tiny pr to fix here: #237307
umbopepato approved these changes Oct 1, 2025
Member
umbopepato left a comment
umbopepato left a comment There was a problem hiding this comment.
RO code changes LGTM! Thanks for changing the alert format locally 🙏 🚀
michaelolo24 force-pushed the cases-extract-observables-in-alert-table branch from 2f88eea to a0825e1 Compare 
michaelolo24 added a commit that referenced this pull request Oct 6, 2025
## Summary Fix based on feedback [here](#235433 (comment))
jmikell821 added the Team: SecuritySolution Contributor
| Pinging @elastic/security-solution (Team: SecuritySolution) |
3 tasks
rylnd pushed a commit to rylnd/kibana that referenced this pull request Oct 17, 2025
## Summary Dependency: elastic#233027 to be merged first. This PR enables auto-extract toggle in alerts table when user adds alerts to a case. This applies to row actions and bulk actions. To enable the feature in security update the [case configuration](https://github.com/elastic/kibana/blob/50299491246af6cc8055a1ff8a975ce82b114495/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/index.tsx#L143) to `extractObservables: true,` <img width="1490" height="730" alt="image" src="https://github.com/user-attachments/assets/1c31cfee-a086-490b-b2d8-69306eb3ae4c" /> ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
rylnd pushed a commit to rylnd/kibana that referenced this pull request Oct 17, 2025
…37307) ## Summary Fix based on feedback [here](elastic#235433 (comment))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Summary
Dependency: #233027 to be merged first.
This PR enables auto-extract toggle in alerts table when user adds alerts to a case. This applies to row actions and bulk actions.
To enable the feature in security update the case configuration to
extractObservables: true,Checklist
release_note:*label is applied per the guidelinesbackport:*labels.