Merge branch 'main' into 175558-infra-add-collapsible-sections

docs/management/action-types.asciidoc

@@ -47,6 +47,10 @@ a| <<pagerduty-action-type,PagerDuty>>
 
 | Send an event in PagerDuty.
 
+a| <<sentinelone-action-type,SentinelOne>>
+
+| Send a request to SentinelOne.
+
 a| <<server-log-action-type,ServerLog>>
 
 | Add a message to a Kibana log.

docs/management/connectors/action-types/sentinelone.asciidoc

@@ -0,0 +1,39 @@
+[[sentinelone-action-type]]
+== SentinelOne connector
+++++
+<titleabbrev>SentinelOne</titleabbrev>
+++++
+:frontmatter-description: Add a connector that can use the SentinelOne API to send actions.
+:frontmatter-tags-products: [kibana] 
+:frontmatter-tags-content-type: [how-to] 
+:frontmatter-tags-user-goals: [configure]
+
+preview::[]
+
+The SentinelOne connector communicates with SentinelOne Management Console via REST API.
+
+[float]
+[[define-sentinelone-ui]]
+=== Create connectors in {kib}
+
+You can create connectors in *{stack-manage-app} > {connectors-ui}*. For example:
+
+[role="screenshot"]
+image::management/connectors/images/sentinelone-connector.png[SentinelOne connector]
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+[float]
+[[sentinelone-connector-configuration]]
+==== Connector configuration
+
+SentinelOne connectors have the following configuration properties:
+
+API token::  A SentinelOne API token created by the user.
+URL:: The SentinelOne tenant URL. If you are using the <<action-settings,`xpack.actions.allowedHosts`>> setting, make sure the hostname is added to the allowed hosts.
+
+
+[float]
+[[sentinelone-action-parameters]]
+=== Test connectors
+
+At this time, you cannot test the SentinelOne connector.

docs/management/connectors/index.asciidoc

@@ -8,6 +8,7 @@ include::action-types/teams.asciidoc[leveloffset=+1]
 include::action-types/openai.asciidoc[leveloffset=+1]
 include::action-types/opsgenie.asciidoc[leveloffset=+1]
 include::action-types/pagerduty.asciidoc[leveloffset=+1]
+include::action-types/sentinelone.asciidoc[leveloffset=+1]
 include::action-types/server-log.asciidoc[leveloffset=+1]
 include::action-types/servicenow.asciidoc[leveloffset=+1]
 include::action-types/servicenow-sir.asciidoc[leveloffset=+1]

docs/settings/alert-action-settings.asciidoc

@@ -142,6 +142,15 @@ A list of action types that are enabled. It defaults to `["*"]`, enabling all ty
 +
 Disabled action types will not appear as an option when creating new connectors, but existing connectors and actions of that type will remain in {kib} and will not function.
 
+`xpack.actions.microsoftExchangeUrl`::
+The URL for the Microsoft Azure Active Directory endpoint to use for MS Exchange email authentication. Default: `https://login.microsoftonline.com`.
+
+`xpack.actions.microsoftGraphApiUrl`::
+The URL for the Microsoft Graph API endpoint to use for MS Exchange email authentication. Default: `https://graph.microsoft.com/v1.0`.
+
+`xpack.actions.microsoftGraphApiScope`::
+The URL for the Microsoft Graph API scope endpoint to use for MS Exchange email authentication. Default: `https://graph.microsoft.com/.default`.
+
 `xpack.actions.proxyUrl` {ess-icon}::
 Specifies the proxy URL to use, if using a proxy for actions. By default, no proxy is used.
 +

packages/kbn-monaco/src/esql/lib/ast/ast_factory.ts

@@ -120,8 +120,7 @@ export class AstListener implements ESQLParserListener {
     if (metadataContext) {
       const option = createOption(metadataContext.METADATA().text.toLowerCase(), metadataContext);
       commandAst.args.push(option);
-      // skip for the moment as there's no easy way to get meta fields right now
-      // option.args.push(...collectAllColumnIdentifiers(metadataContext));
+      option.args.push(...collectAllColumnIdentifiers(metadataContext));
     }
   }
 

packages/kbn-monaco/src/esql/lib/ast/ast_helpers.ts

@@ -100,7 +100,7 @@ export function createLiteralString(token: Token): ESQLLiteral {
   };
 }
 
-function isMissingText(text: string) {
+export function isMissingText(text: string) {
   return /<missing /.test(text);
 }
 
@@ -180,6 +180,13 @@ export function computeLocationExtends(fn: ESQLFunction) {
     location.min = walkFunctionStructure(fn.args, location, 'min', () => 0);
     // get max location navigating in depth keeping the right/last arg
     location.max = walkFunctionStructure(fn.args, location, 'max', (args) => args.length - 1);
+    // in case of empty array as last arg, bump the max location by 3 chars (empty brackets)
+    if (
+      Array.isArray(fn.args[fn.args.length - 1]) &&
+      !(fn.args[fn.args.length - 1] as ESQLAstItem[]).length
+    ) {
+      location.max += 3;
+    }
   }
   return location;
 }

packages/kbn-monaco/src/esql/lib/ast/ast_walker.ts

@@ -76,6 +76,7 @@ import {
   createPolicy,
   createSettingTuple,
   createLiteralString,
+  isMissingText,
 } from './ast_helpers';
 import { getPosition } from './ast_position_utils';
 import type {
@@ -206,11 +207,16 @@ function visitLogicalAndsOrs(ctx: LogicalBinaryContext) {
 function visitLogicalIns(ctx: LogicalInContext) {
   const fn = createFunction(ctx.NOT() ? 'not_in' : 'in', ctx);
   const [left, ...list] = ctx.valueExpression();
-  const values = [visitValueExpression(left), list.map((ve) => visitValueExpression(ve))];
-  for (const arg of values) {
-    if (arg) {
-      const filteredArgs = Array.isArray(arg) ? arg.filter(nonNullable) : [arg];
-      fn.args.push(filteredArgs);
+  const leftArg = visitValueExpression(left);
+  if (leftArg) {
+    fn.args.push(...(Array.isArray(leftArg) ? leftArg : [leftArg]));
+    const values = list.map((ve) => visitValueExpression(ve));
+    const listArgs = values
+      .filter(nonNullable)
+      .flatMap((arg) => (Array.isArray(arg) ? arg.filter(nonNullable) : arg));
+    // distinguish between missing brackets (missing text error) and an empty list
+    if (!isMissingText(ctx.text)) {
+      fn.args.push(listArgs);
     }
   }
   // update the location of the assign based on arguments
@@ -244,6 +250,9 @@ function getComparisonName(ctx: ComparisonOperatorContext) {
 }
 
 function visitValueExpression(ctx: ValueExpressionContext) {
+  if (isMissingText(ctx.text)) {
+    return [];
+  }
   if (ctx instanceof ValueExpressionDefaultContext) {
     return visitOperatorExpression(ctx.operatorExpression());
   }
@@ -538,16 +547,18 @@ export function visitDissect(ctx: DissectCommandContext) {
   const pattern = ctx.string().tryGetToken(esql_parser.STRING, 0);
   return [
     visitPrimaryExpression(ctx.primaryExpression()),
-    createLiteral('string', pattern),
-    ...visitDissectOptions(ctx.commandOptions()),
+    ...(pattern && !isMissingText(pattern.text)
+      ? [createLiteral('string', pattern), ...visitDissectOptions(ctx.commandOptions())]
+      : []),
   ].filter(nonNullable);
 }
 
 export function visitGrok(ctx: GrokCommandContext) {
   const pattern = ctx.string().tryGetToken(esql_parser.STRING, 0);
-  return [visitPrimaryExpression(ctx.primaryExpression()), createLiteral('string', pattern)].filter(
-    nonNullable
-  );
+  return [
+    visitPrimaryExpression(ctx.primaryExpression()),
+    ...(pattern && !isMissingText(pattern.text) ? [createLiteral('string', pattern)] : []),
+  ].filter(nonNullable);
 }
 
 function visitDissectOptions(ctx: CommandOptionsContext | undefined) {