Dynamic ecs

[ymao1]

Summary

Summarize your PR. If it involves visual changes include a screenshot or gif.

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Flaky Test Runner was used on any tests changed
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk	Probability	Severity	Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space.	Low	High	Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks.	High	Low	Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

• This was checked for breaking API changes and was labeled appropriately
• This will appear in the Release Notes and follow the guidelines

[elasticmachine]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: d7f1596

Failed CI Steps

• Jest Tests #8
• FTR Configs #17
• FTR Configs #17
• FTR Configs #32
• FTR Configs #32
• FTR Configs #41
• FTR Configs #41
• FTR Configs #56
• FTR Configs #56
• FTR Configs #57
• FTR Configs #57
• FTR Configs #78
• FTR Configs #78
• FTR Configs #100
• FTR Configs #100
• FTR Configs #101
• FTR Configs #101
• Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #2
• Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #2
• Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #6
• Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #6
• Serverless Detection Engine - Security Solution Cypress Tests #2
• Detection Engine - Security Solution Cypress Tests #1
• Detection Engine - Security Solution Cypress Tests #2
• Investigations - Security Solution Cypress Tests #4
• Serverless Investigations - Security Solution Cypress Tests #5

Test Failures

• [job] [logs] Investigations - Security Solution Cypress Tests #4 / Alert details expandable flyout right panel table tab should display and filter the table should display and filter the table
• [job] [logs] Serverless Investigations - Security Solution Cypress Tests #5 / Alert details expandable flyout right panel table tab should display and filter the table should display and filter the table
• [job] [logs] FTR Configs #101 / Alerting alerts_as_data install alerts as data resources should install common alerts as data resources on startup
• [job] [logs] FTR Configs #101 / Alerting alerts_as_data install alerts as data resources should install common alerts as data resources on startup
• [job] [logs] FTR Configs #32 / ESQL execution logic API @ess @serverless ES|QL rule type ECS fields validation non-ecs creates alert if non ECS field has multifields
• [job] [logs] FTR Configs #41 / ESQL execution logic API @ess @serverless ES|QL rule type ECS fields validation non-ecs creates alert if non ECS field has multifields
• [job] [logs] FTR Configs #41 / ESQL execution logic API @ess @serverless ES|QL rule type ECS fields validation non-ecs creates alert if non ECS field has multifields
• [job] [logs] FTR Configs #32 / ESQL execution logic API @ess @serverless ES|QL rule type ECS fields validation non-ecs creates alert if non ECS field has multifields
• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #2 / indicator match Detection rules, Indicator Match Generating signals Investigate alert in timeline Investigate alert in timeline
• [job] [logs] Serverless Detection Engine - Security Solution Cypress Tests #2 / indicator match Detection rules, Indicator Match Generating signals Investigate alert in timeline Investigate alert in timeline
• [job] [logs] Detection Engine - Security Solution Cypress Tests #1 / indicator match Detection rules, Indicator Match Generating signals Investigate alert in timeline Investigate alert in timeline
• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #2 / indicator match Detection rules, Indicator Match Generating signals Investigate alert in timeline Investigate alert in timeline
• [job] [logs] FTR Configs #78 / Maps endpoints apis maps_telemetry should return the correct telemetry values for map saved objects
• [job] [logs] FTR Configs #78 / Maps endpoints apis maps_telemetry should return the correct telemetry values for map saved objects
• [job] [logs] FTR Configs #17 / Query rule execution logic API @ess @serverless @serverlessQA Query type rules with suppression enabled unsuppressed alerts should create unsuppressed alerts for single host.name field when all the documents have missing values
• [job] [logs] FTR Configs #17 / Query rule execution logic API @ess @serverless @serverlessQA Query type rules with suppression enabled unsuppressed alerts should create unsuppressed alerts for single host.name field when all the documents have missing values
• [job] [logs] FTR Configs #56 / Rule execution logic API @ess @serverless @serverlessQA Non ECS fields in alert document source should strip invalid boolean values and left valid ones
• [job] [logs] FTR Configs #100 / Rule execution logic API @ess @serverless @serverlessQA Non ECS fields in alert document source should strip invalid boolean values and left valid ones
• [job] [logs] FTR Configs #100 / Rule execution logic API @ess @serverless @serverlessQA Non ECS fields in alert document source should strip invalid boolean values and left valid ones
• [job] [logs] FTR Configs #56 / Rule execution logic API @ess @serverless @serverlessQA Non ECS fields in alert document source should strip invalid boolean values and left valid ones
• [job] [logs] FTR Configs #57 / rules security and spaces enabled: basic Alert - Get browser fields by featureId Users: obs_only_all_spaces_all should be able to get browser fields for o11y featureIds
• [job] [logs] FTR Configs #57 / rules security and spaces enabled: basic Alert - Get browser fields by featureId Users: obs_only_all_spaces_all should be able to get browser fields for o11y featureIds
• [job] [logs] Jest Tests #8 / StepSelectHosts should display dropdown with agent policy selected when Existing hosts selected
• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #6 / Threat Match Enrichment Displays persisted enrichments on the Table tab Displays persisted enrichments on the Table tab
• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #6 / Threat Match Enrichment Displays persisted enrichments on the Table tab Displays persisted enrichments on the Table tab
• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #6 / Threat Match Enrichment Displays threat indicator details on the threat intel tab Displays threat indicator details on the threat intel tab
• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #6 / Threat Match Enrichment Displays threat indicator details on the threat intel tab Displays threat indicator details on the threat intel tab
• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #6 / Threat Match Enrichment with additional indicators Displays matched fields from both indicator match rules and investigation time enrichments on Threat Intel tab Displays matched fields from both indicator match rules and investigation time enrichments on Threat Intel tab
• [job] [logs] Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution #6 / Threat Match Enrichment with additional indicators Displays matched fields from both indicator match rules and investigation time enrichments on Threat Intel tab Displays matched fields from both indicator match rules and investigation time enrichments on Threat Intel tab

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
alerting	848	847	-1

Unknown metric groups

API count

id	before	after	diff
alerting	880	879	-1

History

• 💔 Build #254519 failed ecd44f9
• 💔 Build #254281 failed b39879a
• 💔 Build #254249 failed 65a97fc
• 💔 Build #254241 failed ec00d60