[ML] Anomaly Explorer: New severity colors alignment & New UX for filtering anomalies #221081
rbrtj merged 84 commits into elastic:main
Done in ddca03c
💛 Build succeeded, but was flaky
cc @rbrtj
…tering anomalies (elastic#221081)

Closes elastic#217508, elastic#217510, elastic#217521

This pull request introduces significant updates to the ML anomaly detection utilities and components. The changes focus on improving theme-aware severity color handling, refining severity thresholds, and deprecating legacy severity-related utilities.

## New Anomalies filtering UX and Influencers badges:

<img width="1361" alt="image" src="https://github.com/user-attachments/assets/0f7e0aa3-310f-4f59-95aa-f74c576d0f91" />

## New Single Metric Viewer base colors

<img width="929" alt="image" src="https://github.com/user-attachments/assets/9b3e33cf-23b4-4163-b274-f911ef9321e4" />

### Theme-aware severity color handling:

* Added `useSeverityColor` hook and `getThemeResolvedSeverityColor` utility to provide theme-aware severity colors, replacing legacy fixed colors. These utilities ensure better integration with the EUI theme. `x-pack/platform/packages/shared/ml/anomaly_utils/use_severity_color.ts`
* Deprecated legacy severity color constants (`ML_SEVERITY_COLORS`) and methods (`getSeverityColor`) in favor of theme-aware alternatives. `x-pack/platform/packages/shared/ml/anomaly_utils/severity_colors.ts` `x-pack/platform/packages/shared/ml/anomaly_utils/get_severity_color.ts`

### Severity thresholds and ramp:

* Removed the legacy `ML_SEVERITY_COLOR_RAMP` constant and introduced `getMlSeverityColorRampValue` utility to dynamically generate theme-aware severity ramps. `x-pack/platform/packages/shared/ml/anomaly_utils/severity_ramp.ts`

### Type and interface updates:

* Introduced a new `SeverityThreshold` type to represent severity ranges, replacing the previous numeric severity representation in `ExplorerAppState`. `x-pack/platform/plugins/shared/ml/common/types/anomalies.ts` `x-pack/platform/plugins/shared/ml/common/types/locator.ts`

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…ileged User Monitoring Dashboard flyout error fix (#225757)

## Summary

The privileged user monitoring dashboard was recently released as Technical preview as part of 9.1 feature freeze.
The flyout, when accessed from the privileged user table, gave an error as below :

https://github.com/user-attachments/assets/f5882e74-7088-4f4f-86d2-ec0f2988a96c

Following the ML platform changes in PR #221081, the API endpoint `/internal/ml/results/anomalies_table_data` was updated to accept the [threshold] field as an array of [SeverityThreshold] objects instead of a single number. This change was part of a larger refactoring to support more sophisticated anomaly severity filtering with minimum and maximum threshold ranges.

However, the Security Solution's anomalies table data integration was still sending the old format, causing a 400 Bad Request error:
```
[request body.threshold]: expected value of type [array] but got [number]
```

### Root Cause
Backend expectation (new): [threshold: [{ min: number, max?: number }]]
Frontend sending (old): [threshold: number]

The ML backend schema was updated in [results_service_schema.ts]

threshold: schema.number(),

threshold: schema.arrayOf(severityThresholdSchema),

### Fix
1. Updated type definitions [anomalies_table_data.ts]
2. Updated API call [use_anomalies_table_data.ts]

### Testing Steps :

1. Check out the main branch of [security-documents-generator](https://github.com/elastic/security-documents-generator).
3. Run: `yarn start privileged-user-monitoring`
4. After this completes, a CSV file should be generated.
5. Navigate to the Privileged User Monitoring dashboard page.
6. Click "Import file", or if you’ve already imported data before, click "Manage data sources" and then "Import file".
7. Select the CSV file generated in step 3.
8. On the dashboard, scroll down to the table titled "Privileged Users".
9. Click the double-headed arrow next to any user name — this should open a flyout.
10. Ensure that no errors appear when the flyout opens.
11. Alternatively, open your browser’s DevTools Network tab and verify that the API call to `/internal/ml/results/anomalies_table_data` does not return a 400 status code.

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.
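
The contract change described in the commit message above (a numeric `threshold` replaced by an array of `{ min, max? }` ranges, with the old shape rejected as a 400) can be sketched as follows. This is an added example, not code from Kibana or from either PR; the function names, the nested error wording, the `min <= max` rule, the inclusive bounds and the mapping of a legacy number N to `[{ min: N }]` are assumptions.

```typescript
// Added example (not Kibana source). Only the two body shapes and the
// top-level error string come from the PR text; the rest is assumed.
//   old request body: { threshold: number }
//   new request body: { threshold: [{ min: number, max?: number }] }

interface SeverityThreshold {
  min: number;
  max?: number;
}

interface ValidationResult {
  status: 200 | 400;
  value?: SeverityThreshold[];
  message?: string;
}

// Name a value's type in the style of the error quoted in the PR.
function typeName(v: unknown): string {
  if (Array.isArray(v)) return 'array';
  if (v === null) return 'null';
  return typeof v;
}

function isFiniteNumber(v: unknown): v is number {
  return typeof v === 'number' && isFinite(v);
}

// Server-side check of body.threshold against the new contract.
// Nested error wording and the min <= max rule are assumptions of this sketch.
function validateThreshold(input: unknown): ValidationResult {
  const fail = (message: string): ValidationResult => ({ status: 400, message });
  if (!Array.isArray(input)) {
    return fail(
      `[request body.threshold]: expected value of type [array] but got [${typeName(input)}]`
    );
  }
  const value: SeverityThreshold[] = [];
  for (let i = 0; i < input.length; i++) {
    const item: unknown = input[i];
    const path = `[request body.threshold.${i}]`;
    if (typeof item !== 'object' || item === null || Array.isArray(item)) {
      return fail(`${path}: expected value of type [object] but got [${typeName(item)}]`);
    }
    const { min, max } = item as { min?: unknown; max?: unknown };
    if (!isFiniteNumber(min)) {
      return fail(`${path}.min: expected value of type [number] but got [${typeName(min)}]`);
    }
    let upper: number | undefined;
    if (max !== undefined) {
      if (!isFiniteNumber(max)) {
        return fail(`${path}.max: expected value of type [number] but got [${typeName(max)}]`);
      }
      upper = max;
    }
    if (upper !== undefined && upper < min) {
      return fail(`${path}: max must not be less than min`);
    }
    value.push(upper === undefined ? { min } : { min, max: upper });
  }
  return { status: 200, value };
}

// Client-side adapter for callers that still hold the legacy numeric setting.
// Assumption: a legacy number N meant "score at least N", so it maps to [{ min: N }].
function toSeverityThresholds(threshold: number | SeverityThreshold[]): SeverityThreshold[] {
  return typeof threshold === 'number' ? [{ min: threshold }] : threshold;
}

// Assumption: bounds are inclusive and a score matches if any range contains it.
function matchesAnyRange(score: number, ranges: SeverityThreshold[]): boolean {
  return ranges.some((r) => score >= r.min && (r.max === undefined || score <= r.max));
}

// Constructed sample bodies: the legacy caller, the migrated caller, a malformed range.
function runConstructedSamples(): number[] {
  const bodies: unknown[] = [50, toSeverityThresholds(50), [{ min: 75, max: 25 }]];
  return bodies.map((b) => validateThreshold(b).status);
}
```

A contract test that posts the consumer's real request body through a validator like this would catch the mismatch in CI instead of in the dashboard flyout.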
…g]Privileged User Monitoring Dashboard flyout error fix (#225757) (#225955)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Security Solution][Entity Analytics][Privileged User Monitoring]Privileged User Monitoring Dashboard flyout error fix (#225757)](#225757)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Abhishek Bhatia <117628830+abhishekbhatia1710@users.noreply.github.com>
…es (#225845) (#226006)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[ML] Anomaly Swimlane: Fixes incorrectly formatted tooltip values (#225845)](#225845)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Robert Jaszczurek <92210485+rbrtj@users.noreply.github.com>

Closes #217508, #217510, #217521
This pull request introduces significant updates to the ML anomaly detection utilities and components. The changes focus on improving theme-aware severity color handling, refining severity thresholds, and deprecating legacy severity-related utilities.
New Anomalies filtering UX and Influencers badges:
New Single Metric Viewer base colors
Theme-aware severity color handling:
* Added `useSeverityColor` hook and `getThemeResolvedSeverityColor` utility to provide theme-aware severity colors, replacing legacy fixed colors. These utilities ensure better integration with the EUI theme. `x-pack/platform/packages/shared/ml/anomaly_utils/use_severity_color.ts`
* Deprecated legacy severity color constants (`ML_SEVERITY_COLORS`) and methods (`getSeverityColor`) in favor of theme-aware alternatives. `x-pack/platform/packages/shared/ml/anomaly_utils/severity_colors.ts` `x-pack/platform/packages/shared/ml/anomaly_utils/get_severity_color.ts`
Severity thresholds and ramp:
* Removed the legacy `ML_SEVERITY_COLOR_RAMP` constant and introduced `getMlSeverityColorRampValue` utility to dynamically generate theme-aware severity ramps. `x-pack/platform/packages/shared/ml/anomaly_utils/severity_ramp.ts`
Type and interface updates:
* Introduced a new `SeverityThreshold` type to represent severity ranges, replacing the previous numeric severity representation in `ExplorerAppState`. `x-pack/platform/plugins/shared/ml/common/types/anomalies.ts` `x-pack/platform/plugins/shared/ml/common/types/locator.ts`