Merge branch '8.x' into backport/8.x/pr-204278

.buildkite/pipelines/pull_request/renovate.yml

@@ -0,0 +1,20 @@
+steps:
+  - command: .buildkite/scripts/lifecycle/pre_build.sh
+    label: Pre-Build
+    timeout_in_minutes: 10
+    agents:
+      machineType: n2-standard-2
+
+  - wait
+
+  - command: .buildkite/scripts/steps/renovate.sh
+    label: 'Renovate validation'
+    agents:
+      machineType: n2-highcpu-8
+      preemptible: true
+    key: renovate_validation
+    timeout_in_minutes: 60
+    retry:
+      automatic:
+        - exit_status: '-1'
+          limit: 3

.buildkite/scripts/pipelines/pull_request/pipeline.ts

@@ -39,6 +39,14 @@ const getPipeline = (filename: string, removeSteps = true) => {
       return;
     }
 
+    const onlyRunQuickChecks = await areChangesSkippable([/^renovate\.json$/], REQUIRED_PATHS);
+    if (onlyRunQuickChecks) {
+      pipeline.push(getPipeline('.buildkite/pipelines/pull_request/renovate.yml', false));
+      pipeline.push(getPipeline('.buildkite/pipelines/pull_request/post_build.yml'));
+      console.log('Isolated changes to renovate.json. Skipping main PR pipeline.');
+      return;
+    }
+
     pipeline.push(getAgentImageConfig({ returnYaml: true }));
     pipeline.push(getPipeline('.buildkite/pipelines/pull_request/base.yml', false));
 
@@ -364,7 +372,7 @@ const getPipeline = (filename: string, removeSteps = true) => {
     if (
       (await doAnyChangesMatch([
         /^x-pack\/packages\/kbn-cloud-security-posture/,
-        /^x-pack\/plugins\/cloud_security_posture/,
+        /^x-pack\/solutions\/security\/plugins\/cloud_security_posture/,
         /^x-pack\/solutions\/security\/plugins\/security_solution/,
         /^x-pack\/test\/security_solution_cypress/,
       ])) ||

.buildkite/scripts/steps/renovate.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+echo '--- Renovate: validation'
+.buildkite/scripts/steps/checks/renovate.sh

.eslintrc.js

@@ -764,7 +764,6 @@ module.exports = {
         ],
       },
     },
-
     /**
      * Jest specific rules
      */
@@ -1966,7 +1965,7 @@ module.exports = {
      * Cloud Security Team overrides
      */
     {
-      files: ['x-pack/plugins/cloud_security_posture/**/*.{js,mjs,ts,tsx}'],
+      files: ['x-pack/solutions/security/plugins/cloud_security_posture/**/*.{js,mjs,ts,tsx}'],
       plugins: ['testing-library'],
       rules: {
         'testing-library/await-async-utils': 'error',

.github/CODEOWNERS

@@ -51,7 +51,7 @@ packages/kbn-apm-types @elastic/obs-ux-infra_services-team
 packages/kbn-apm-utils @elastic/obs-ux-infra_services-team
 test/plugin_functional/plugins/app_link_test @elastic/kibana-core
 x-pack/test/usage_collection/plugins/application_usage_test @elastic/kibana-core
-x-pack/plugins/asset_inventory @elastic/kibana-cloud-security-posture
+x-pack/solutions/security/plugins/asset_inventory @elastic/kibana-cloud-security-posture
 x-pack/test/security_api_integration/plugins/audit_log @elastic/kibana-security
 src/platform/packages/shared/kbn-avc-banner @elastic/security-defend-workflows
 packages/kbn-axe-config @elastic/kibana-qa
@@ -85,16 +85,16 @@ packages/kbn-cli-dev-mode @elastic/kibana-operations
 packages/cloud @elastic/kibana-core
 x-pack/plugins/cloud_integrations/cloud_chat @elastic/kibana-core
 x-pack/platform/plugins/private/cloud_integrations/cloud_data_migration @elastic/kibana-management
-x-pack/plugins/cloud_defend @elastic/kibana-cloud-security-posture
+x-pack/solutions/security/plugins/cloud_defend @elastic/kibana-cloud-security-posture
 x-pack/plugins/cloud_integrations/cloud_experiments @elastic/kibana-core
 x-pack/plugins/cloud_integrations/cloud_full_story @elastic/kibana-core
 x-pack/test/cloud_integration/plugins/saml_provider @elastic/kibana-core
 x-pack/plugins/cloud_integrations/cloud_links @elastic/kibana-core
 x-pack/plugins/cloud @elastic/kibana-core
-x-pack/packages/kbn-cloud-security-posture/public @elastic/kibana-cloud-security-posture
-x-pack/packages/kbn-cloud-security-posture/common @elastic/kibana-cloud-security-posture
-x-pack/packages/kbn-cloud-security-posture/graph @elastic/kibana-cloud-security-posture
-x-pack/plugins/cloud_security_posture @elastic/kibana-cloud-security-posture
+x-pack/solutions/security/packages/kbn-cloud-security-posture/public @elastic/kibana-cloud-security-posture
+x-pack/platform/packages/shared/kbn-cloud-security-posture/common @elastic/kibana-cloud-security-posture
+x-pack/solutions/security/packages/kbn-cloud-security-posture/graph @elastic/kibana-cloud-security-posture
+x-pack/solutions/security/plugins/cloud_security_posture @elastic/kibana-cloud-security-posture
 packages/shared-ux/code_editor/impl @elastic/appex-sharedux
 packages/shared-ux/code_editor/mocks @elastic/appex-sharedux
 packages/kbn-code-owners @elastic/appex-qa
@@ -426,6 +426,7 @@ packages/kbn-es-query @elastic/kibana-data-discovery
 packages/kbn-es-types @elastic/kibana-core @elastic/obs-knowledge-team
 src/platform/plugins/shared/es_ui_shared @elastic/kibana-management
 packages/kbn-eslint-config @elastic/kibana-operations
+packages/kbn-eslint-plugin-css @elastic/appex-sharedux
 packages/kbn-eslint-plugin-disable @elastic/kibana-operations
 packages/kbn-eslint-plugin-eslint @elastic/kibana-operations
 packages/kbn-eslint-plugin-i18n @elastic/obs-knowledge-team @elastic/kibana-operations
@@ -566,7 +567,7 @@ src/plugins/kibana_overview @elastic/appex-sharedux
 src/plugins/kibana_react @elastic/appex-sharedux
 src/plugins/kibana_usage_collection @elastic/kibana-core
 src/plugins/kibana_utils @elastic/appex-sharedux
-x-pack/plugins/kubernetes_security @elastic/kibana-cloud-security-posture
+x-pack/solutions/security/plugins/kubernetes_security @elastic/kibana-cloud-security-posture
 x-pack/platform/packages/shared/kbn-langchain @elastic/security-generative-ai
 src/platform/packages/private/kbn-language-documentation @elastic/kibana-esql
 x-pack/examples/lens_config_builder_example @elastic/kibana-visualizations
@@ -777,6 +778,7 @@ src/plugins/saved_objects_tagging_oss @elastic/appex-sharedux
 x-pack/plugins/saved_objects_tagging @elastic/appex-sharedux
 packages/kbn-saved-search-component @elastic/obs-ux-logs-team
 src/plugins/saved_search @elastic/kibana-data-discovery
+packages/kbn-scout @elastic/appex-qa
 examples/screenshot_mode_example @elastic/appex-sharedux
 src/plugins/screenshot_mode @elastic/appex-sharedux
 x-pack/examples/screenshotting_example @elastic/appex-sharedux
@@ -859,7 +861,7 @@ src/platform/packages/shared/serverless/settings/security_project @elastic/secur
 packages/serverless/storybook/config @elastic/appex-sharedux
 packages/serverless/types @elastic/appex-sharedux
 test/plugin_functional/plugins/session_notifications @elastic/kibana-core
-x-pack/plugins/session_view @elastic/kibana-cloud-security-posture
+x-pack/solutions/security/plugins/session_view @elastic/kibana-cloud-security-posture
 packages/kbn-set-map @elastic/kibana-operations
 examples/share_examples @elastic/appex-sharedux
 src/plugins/share @elastic/appex-sharedux
@@ -1010,7 +1012,7 @@ x-pack/test/security_api_integration/plugins/user_profiles_consumer @elastic/kib
 packages/kbn-utility-types @elastic/kibana-core
 packages/kbn-utility-types-jest @elastic/kibana-operations
 packages/kbn-utils @elastic/kibana-operations
-x-pack/solutions/observability/plugins/ux @elastic/obs-ux-infra_services-team
+x-pack/solutions/observability/plugins/ux @elastic/obs-ux-management-team
 examples/v8_profiler_examples @elastic/response-ops
 packages/kbn-validate-next-docs-cli @elastic/kibana-operations
 src/plugins/vis_default_editor @elastic/kibana-visualizations
@@ -1423,7 +1425,7 @@ x-pack/test/**/deployment_agnostic/ @elastic/appex-qa #temporarily to monitor te
 #CC# /x-pack/plugins/global_search_providers/ @elastic/kibana-core
 
 # AppEx AI Infra
-/x-pack/plugins/inference @elastic/appex-ai-infra @elastic/obs-ai-assistant @elastic/security-generative-ai
+/x-pack/platform/plugins/shared/inference @elastic/appex-ai-infra @elastic/obs-ai-assistant @elastic/security-generative-ai
 /x-pack/test/functional_gen_ai/inference @elastic/appex-ai-infra
 
 # AppEx Platform Services Security

.github/codeql/codeql-config.yml

@@ -74,7 +74,7 @@ paths-ignore:
   - scripts
   - test
   - x-pack/plugins/canvas/scripts
-  - x-pack/plugins/cloud_security_posture/common/scripts
+  - x-pack/solutions/security/plugins/cloud_security_posture/common/scripts
   - x-pack/solutions/security/plugins/elastic_assistant/scripts
   - x-pack/plugins/event_log/scripts
   - x-pack/plugins/fleet/scripts

.gitignore

@@ -143,6 +143,8 @@ x-pack/test/security_api_integration/plugins/audit_log/audit.log
 .ftr
 role_users.json
 
+# ignore Scout temp directory
+.scout
 
 .devcontainer/.env
 

.i18nrc.json

@@ -119,7 +119,12 @@
     "searchIndexDocuments": "packages/kbn-search-index-documents",
     "searchResponseWarnings": "packages/kbn-search-response-warnings",
     "searchTypes": "packages/kbn-search-types",
-    "securitySolutionPackages": "x-pack/solutions/security/packages",
+    "securitySolutionPackages": [
+      "x-pack/solutions/security/packages"
+    ],
+    "sharedPlatformPackages": [
+      "x-pack/platform/packages/shared/kbn-cloud-security-posture"
+    ],
     "serverlessPackages": "packages/serverless",
     "sse": ["src/platform/packages/shared/kbn-sse-utils"],
     "coloring": "packages/kbn-coloring/src",

docs/developer/plugin-list.asciidoc

@@ -470,7 +470,7 @@ The plugin exposes the static DefaultEditorController class to consume.
 |WARNING: Missing README.
 
 
-|{kib-repo}blob/{branch}/x-pack/plugins/asset_inventory/README.md[assetInventory]
+|{kib-repo}blob/{branch}/x-pack/solutions/security/plugins/asset_inventory/README.md[assetInventory]
 |Centralized asset inventory experience within the Elastic Security solution. A central place for users to view and manage all their assets from different environments.
 
 
@@ -499,7 +499,7 @@ It was removed, but the plugin was left behind to register no longer used config
 |Static migration page where self-managed users can see text/copy about migrating to Elastic Cloud
 
 
-|{kib-repo}blob/{branch}/x-pack/plugins/cloud_defend/README.md[cloudDefend]
+|{kib-repo}blob/{branch}/x-pack/solutions/security/plugins/cloud_defend/README.md[cloudDefend]
 |This plugin currently only exists to provide custom fleet policy UX for a set of new BPF LSM features. The first feature being container "drift prevention".
 
 
@@ -516,7 +516,7 @@ This plugin no-longer exposes any evaluation APIs. Refer to <DocLink id="kibFeat
 |Adds all the links to the Elastic Cloud console.
 
 
-|{kib-repo}blob/{branch}/x-pack/plugins/cloud_security_posture/README.md[cloudSecurityPosture]
+|{kib-repo}blob/{branch}/x-pack/solutions/security/plugins/cloud_security_posture/README.md[cloudSecurityPosture]
 |Cloud Posture automates the identification and remediation of risks across cloud infrastructures
 
 
@@ -673,7 +673,7 @@ the infrastructure monitoring use-case within Kibana.
 |undefined
 
 
-|{kib-repo}blob/{branch}/x-pack/plugins/kubernetes_security/README.md[kubernetesSecurity]
+|{kib-repo}blob/{branch}/x-pack/solutions/security/plugins/kubernetes_security/README.md[kubernetesSecurity]
 |This plugin provides interactive visualizations of your Kubernetes workload and session data.
 
 
@@ -890,7 +890,7 @@ This plugin is only enabled when the application is built for serverless project
 |This plugin contains configuration and code used to create a Serverless Search project. It leverages universal configuration and other APIs in the serverless plugin to configure Kibana.
 
 
-|{kib-repo}blob/{branch}/x-pack/plugins/session_view/README.md[sessionView]
+|{kib-repo}blob/{branch}/x-pack/solutions/security/plugins/session_view/README.md[sessionView]
 |Session View is meant to provide a visualization into what is going on in a particular Linux environment where the agent is running. It looks likes a terminal emulator; however, it is a tool for introspecting process activity and understanding user and service behaviour in your Linux servers and infrastructure. It is a time-ordered series of process executions displayed in a tree over time.
 
 

docs/management/cases/setup-cases.asciidoc

@@ -24,7 +24,7 @@ The *{connectors-feature}* feature privilege is required to create, add,
 delete, and modify case connectors and to send updates to external systems.
 
 By default, `All` for the *Cases* feature includes authority to delete cases
-and comments and edit case settings unless you customize the sub-feature privileges.
+and comments, edit case settings, add case comments and attachments, and re-open cases unless you customize the sub-feature privileges.
 ====
 
 | Give assignee access to cases
@@ -41,7 +41,7 @@ This privilege is also required to add <<cases-action-type,case actions>> to rul
 | Give view-only access to cases
 a| `Read` for the *Cases* feature under *Management*.
 
-NOTE: By default, `Read` for the *Cases* feature does not include authority to delete cases and comments or edit case settings. You can grant this authority by customizing the sub-feature privileges.
+NOTE: You can customize sub-feature privileges for deleting cases and comments, editing case settings, adding case comments and attachments, and re-opening cases.
 
 | Revoke all access to cases | `None` for the *Cases* feature under *Management*.
 

docs/settings/reporting-settings.asciidoc

@@ -68,17 +68,27 @@ are allowed to generate reports.
 
 [NOTE]
 ============================================================================
-The `xpack.reporting.roles` settings are for a deprecated system of access control in Reporting. Turning off
-this feature allows API keys to generate reports, and allows reporting access through {kib} application
-privileges. We recommend that you explicitly turn off reporting's deprecated access control feature by adding
-`xpack.reporting.roles.enabled: false` to kibana.yml. This will enable you to create custom roles that provide
-application privileges for reporting, as described in <<grant-user-access, granting users access to
+In Kibana 8.x, the `xpack.reporting.roles.enabled` setting controls the model of access control features used for Reporting, which defaults to `true`.
+This enables an older access control model separate from {kib} application privileges, and grants any user with the built-in
+`reporting_user` role the ability to create any type of report in Kibana. But as this model is not based on {kib} application privileges, users that do
+not have permission to create reports will still see {report-features} in Kibana, but will actually receive an error if they attempt to request a report. The default
+model also does not allow API keys or authentication tokens to authorize report generation. 
+
+We recommend that you explicitly opt-out of the default access control model by adding `xpack.reporting.roles.enabled: false` to kibana.yml. This will
+enable you to create custom roles that provide application privileges for reporting, as described in <<grant-user-access, granting users access to
 reporting>>.
+
+In version 9.0, the `xpack.reporting.roles.enabled` setting will be ignored. {kib} will only use the access control model based on application
+privileges, and the built-in `reporting_user` role will have the necessary privileges to generate reports everywhere that Reporting is supported in
+{kib} as of version 9.0. We still recommend that you create custom roles with granular application privileges, in order to grant the least amount of
+privilege that users need.
 ============================================================================
 
 [[xpack-reporting-roles-enabled]] `xpack.reporting.roles.enabled`::
-deprecated:[7.14.0,The default for this setting will be `false` in an upcoming version of {kib}.] Sets access
-control to a set of assigned reporting roles, specified by `xpack.reporting.roles.allow`. Defaults to `true`.
+deprecated:[7.14.0,This setting will be ignored in an upcoming version of {kib}.] Sets access
+control to allow users to generate reports when they are assigned the built-in `reporting_user`
+role. This also grants privileges to users that have a role from a set of assigned reporting
+roles, specified by `xpack.reporting.roles.allow`. Defaults to `true`.
 
 `xpack.reporting.roles.allow`::
 deprecated:[7.14.0] In addition to superusers, specifies the roles that can generate reports using the

docs/setup/configuring-reporting.asciidoc

@@ -35,16 +35,20 @@ to enable the {kib} server to have screenshotting capabilities.
 [float]
 [[grant-user-access]]
 === Grant users access to reporting
-When security is enabled, you grant users access to {report-features} with <<kibana-privileges, {kib} application privileges>>, which allow you to create custom roles that control the spaces and applications where users generate reports.
+When security is enabled, the preferred method to grant users access to {report-features} is with <<kibana-privileges, {kib} application privileges>>. This will allow you to create custom roles that control the spaces and applications where users may generate reports.
 
-. Enable application privileges in Reporting. To enable, turn off the default user access control features in `kibana.yml`:
+. We recommend you explicitly opt-out of the default access control model, which will enable application privileges in Reporting. To do this, change a setting that controls the Reporting access control model in `kibana.yml`:
 +
 [source,yaml]
 ------------------------------------
 xpack.reporting.roles.enabled: false
 ------------------------------------
 +
-NOTE: If you use the default settings, you can still create a custom role that grants reporting privileges. The default role is `reporting_user`. This behavior is being deprecated and does not allow application-level access controls for {report-features}, and does not allow API keys or authentication tokens to authorize report generation. Refer to <<reporting-advanced-settings, reporting security settings>> for information and caveats about the deprecated access control features.
+NOTE: In Kibana 8.x versions, the default `xpack.reporting.roles.enabled: true` setting uses an older access control model separate from {kib} application
+privileges. The default model grants users with the built-in `reporting_user` role access to create any type of report in Kibana. Since the default model
+is not based on {kib} application privileges, users that do not have permission to create reports will see {report-features} in Kibana, but will receive an
+error if they attempt to request a report. The default model also does not allow API keys or authentication tokens to authorize report generation. Refer to
+<<reporting-advanced-settings, reporting security settings>> for information and caveats about the `xpack.reporting.roles.enabled` settings.
 
 . Create the reporting role.
 

examples/controls_example/public/app/react_control_example/react_control_example.tsx

@@ -371,10 +371,10 @@ export const ReactControlExample = ({
             </EuiFlexItem>
             <EuiFlexItem grow={false}>
               <EuiButton
-                onClick={async () => {
+                onClick={() => {
                   if (controlGroupApi) {
                     saveNotification$.next();
-                    setControlGroupSerializedState(await controlGroupApi.serializeState());
+                    setControlGroupSerializedState(controlGroupApi.serializeState());
                   }
                 }}
               >

examples/embeddable_examples/public/app/presentation_container_example/page_api.ts

@@ -9,7 +9,6 @@
 
 import { BehaviorSubject, Subject, combineLatest, map, merge } from 'rxjs';
 import { v4 as generateId } from 'uuid';
-import { asyncForEach } from '@kbn/std';
 import { TimeRange } from '@kbn/es-query';
 import {
   PanelPackage,
@@ -146,14 +145,14 @@ export function getPageApi() {
       },
       onSave: async () => {
         const panelsState: LastSavedState['panelsState'] = [];
-        await asyncForEach(panels$.value, async ({ id, type }) => {
+        panels$.value.forEach(({ id, type }) => {
           try {
             const childApi = children$.value[id];
             if (apiHasSerializableState(childApi)) {
               panelsState.push({
                 id,
                 type,
-                panelState: await childApi.serializeState(),
+                panelState: childApi.serializeState(),
               });
             }
           } catch (error) {