[Security Solution] Fields for Indicator alerts are not displayed under highlighted fields section of alert flyout #125473

Closed
ghost opened this issue Feb 14, 2022 · 18 comments
Assignee: MadameSheema
Labels: bug, QA:Validated, Team: SecuritySolution, Team:Threat Hunting:Investigations, Team:Threat Hunting, v8.1.0

Comments

ghost commented Feb 14, 2022

Describe the bug
Fields for Indicator alerts are not displayed under highlighted fields section of alert flyout

Build Details:

Version: 8.1.0 BC2
Commit:ee89ebfddeda3baaf6cd87c0299247c5248cb952
Build:50222 

Browser Details:
N/A

Preconditions

  1. Indicator alerts should be triggered

Steps to Reproduce

  1. Click on the Indicator alert's flyout
  2. Observe that no information is displayed under the highlighted fields section

Actual Result
Fields for Indicator alerts are not displayed under the highlighted fields section of the alert flyout

Expected Result

  • For the Indicator rule
    The indicator index pattern and indicator index query fields should be displayed under the highlighted fields section


What's Working

  • N/A

What's Not Working

  • N/A

Screenshot: [attached image]

@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 14, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost added the v8.1.0 label Feb 14, 2022
@ghost ghost assigned MadameSheema Feb 14, 2022
@MadameSheema (Member)

Thanks @deepikakeshav-qasource!! :)

Can you please attach the JSON of the alert and the JSON of the rule? Moreover, which version of Filebeat were you using to generate the alert?

ghost (Author) commented Feb 14, 2022

Sorry for the confusion @MadameSheema,

Please find the attached JSON of the rule and alert.

Rule
Indicator rule.zip (attachment)

Alert JSON
indicator_rule_alert_json.txt (attachment)

We are using Filebeat 8.1.0.

Thanks!!

@MadameSheema MadameSheema added the Team:Threat Hunting:Investigations Security Solution Investigations Team label Feb 14, 2022
ghost (Author) commented Feb 15, 2022

Hi @MadameSheema,

We have observed that fields are displayed for the indicator alert, but with the wrong fields under the highlighted section, after upgrading the build to 8.1.0.

Build Details:

Version: 8.1.0-BC2
Commit: ee89ebfddeda3baaf6cd87c0299247c5248cb952
Build: 50222

Screenshot: [attached image]

Rule
upgrade indicator.zip (attachment)

Alert JSON
upgrade_indicator.txt (attachment)

Thanks!

@janmonschke (Contributor)

This just merged and should be part of the next BC

@MindyRS MindyRS added the Team:Threat Hunting Security Solution Threat Hunting Team label Feb 23, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

ghost (Author) commented Feb 24, 2022

Hi @MadameSheema,

We have validated this issue on 8.1.0 BC4 and observed that the issue is still occurring. 🔴

Please find below the testing details:

Build Details:

Version: 8.1.0
Commit: 015578b81c26a5843747ba53b2fd92d40f0453cb
Build: 50428

Screenshot: [attached image]

Thanks !!

@MadameSheema (Member)

@janmonschke can you please take a look at this? Thanks!

@janmonschke (Contributor)

@deepikakeshav-qasource Could you provide the JSON of the alert please? And could you confirm that this issue only occurs after an upgrade to 8.x?

ghost (Author) commented Feb 28, 2022

Hi @janmonschke,

> @deepikakeshav-qasource Could you provide the JSON of the alert please? And could you confirm that this issue only occurs after an upgrade to 8.x?

@janmonschke This is occurring only for new alerts.

Fields are displayed for indicator alerts after the upgrade to 8.x: #125473 (comment)

Please find below the alert JSON for the Indicator alerts.

indicator alerts.txt (attachment)

Screenshot: [attached image]

Please let us know if anything else is required from our end!!

Thanks!!

@MadameSheema (Member)

@deepikakeshav-qasource can you please check if this is still happening on the latest 8.1.0BC? Thanks :)

ghost (Author) commented Mar 2, 2022

Hi @MadameSheema,

We have validated this issue on 8.1.0 BC5 On-Prem and observed that the issue is still occurring. 🔴

Please find below the testing details:

Build Details:

Version: 8.1.0 BC5
Commit: 23423b0db7d5ffae1d0578e8d9e2c1afab90cdcf
Build: 50459

Screenshot: [attached image]

Thanks !!

@janmonschke (Contributor)

Hey @deepikakeshav-qasource, could you share the alert's JSON here?

Has this alert been migrated to 8.x?

ghost (Author) commented Mar 2, 2022

Hi @janmonschke,

Please find below the alert JSON:

indicator alerts json.txt (attachment)

> Has this alert been migrated to 8.x?

No, this is the fresh build 8.1.0 BC5.

Screenshot: [attached image]

Please let us know if anything else is required from our end!!

Thanks!!

@MadameSheema (Member)

@deepikakeshav-qasource can you please validate this on 8.1.0BC6? Thanks!

ghost (Author) commented Mar 4, 2022

Hi @MadameSheema,

We have validated this issue on 8.1.0 BC6 On-Prem and observed that the issue is fixed. 🟢

Please find below the testing details:

Build Details:

Version: 8.1.0 BC6
Commit: 4aaeda23aea9c3bf29698878c70a0107ea3c1659
Build: 50485

Screenshot: [attached image]

Query: The field names kibana.alert.rule.parameters.threat_index and kibana.alert.rule.parameters.threat_query are displayed for the Indicator rule. Could you please confirm whether these field names are expected?

Moreover, we will validate the upgrade scenario once the cloud build is available.

Also, we have seen that the fields under highlighted fields for the Indicator rule are not correctly formatted. We have opened an issue for the same here.

Thanks !!

@janmonschke (Contributor)

@deepikakeshav-qasource yes, those are the correct names. Thanks for testing this again!
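The two field names confirmed above are what the flyout highlights for an indicator-match alert. When the highlighted-fields section comes up empty, the first thing a tester or analyst wants to know is whether the alert document itself carries those parameters (a rule or migration problem) or whether the document has them and only the UI fails to render them. The following script is an added example, not code from the Kibana repository or from anyone in this thread. It assumes the alert is the JSON document from the `.alerts-security.alerts-*` index, either as nested objects (as in `_source`) or as dotted keys (as the `fields` API returns them), that the rule type is carried in `kibana.alert.rule.type` and that an indicator-match rule reports the value `threat_match`; the sample alerts are constructed for the example.

```python
"""Check whether an indicator-match alert carries the parameters the
Security Solution flyout highlights (added example; assumptions noted)."""
import json
from typing import Any

# Field names confirmed in the issue thread for indicator-match alerts.
INDICATOR_HIGHLIGHTED_FIELDS = (
    "kibana.alert.rule.parameters.threat_index",
    "kibana.alert.rule.parameters.threat_query",
)

# Assumption: the rule type field and the value an indicator-match rule uses.
RULE_TYPE_FIELD = "kibana.alert.rule.type"
INDICATOR_RULE_TYPE = "threat_match"


def get_dotted(doc: Any, path: str) -> Any:
    """Resolve a dotted path against a document that may be nested
    ({"kibana": {"alert": ...}}), flattened ({"kibana.alert.rule.type": ...})
    or a mix of both. Returns None when the path does not resolve."""
    if not isinstance(doc, dict):
        return None
    if path in doc:
        return doc[path]
    parts = path.split(".")
    # Try every split point: a key may cover one or several path segments.
    for i in range(len(parts) - 1, 0, -1):
        head, tail = ".".join(parts[:i]), ".".join(parts[i:])
        if head in doc:
            value = get_dotted(doc[head], tail)
            if value is not None:
                return value
    return None


def check_indicator_alert(alert: dict) -> dict:
    """Report which highlighted fields an indicator alert has and lacks.

    Non-indicator rules are reported as such and not checked further, so the
    caller can tell "wrong rule type" apart from "parameters missing"."""
    rule_type = get_dotted(alert, RULE_TYPE_FIELD)
    report = {
        "rule_type": rule_type,
        "is_indicator_rule": rule_type == INDICATOR_RULE_TYPE,
        "present": {},
        "missing": [],
    }
    if not report["is_indicator_rule"]:
        return report
    for field in INDICATOR_HIGHLIGHTED_FIELDS:
        value = get_dotted(alert, field)
        # Empty strings/lists count as missing: the flyout has nothing to show.
        if value is None or value == "" or value == []:
            report["missing"].append(field)
        else:
            report["present"][field] = value
    return report


# Constructed sample: nested _source layout, both parameters present.
SAMPLE_NESTED = {
    "kibana": {"alert": {"rule": {
        "type": "threat_match",
        "parameters": {"threat_index": ["filebeat-*"], "threat_query": "*:*"},
    }}}
}

# Constructed sample: dotted (fields API) layout, threat_query absent.
SAMPLE_FLAT_MISSING_QUERY = {
    "kibana.alert.rule.type": ["threat_match"][0],
    "kibana.alert.rule.parameters.threat_index": ["filebeat-*"],
}

if __name__ == "__main__":
    for name, doc in (("nested", SAMPLE_NESTED), ("flat", SAMPLE_FLAT_MISSING_QUERY)):
        print(name, json.dumps(check_indicator_alert(doc), indent=2))
```

Pointing the script at a real exported alert (e.g. the `indicator alerts json.txt` attachment) separates the two failure modes this thread went through: an alert whose report lists both fields as present but whose flyout still shows nothing is a UI bug, whereas an alert with entries under `missing` needs the rule or the alert migration looked at first.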

ghost (Author) commented Mar 4, 2022

Hi @MadameSheema,

We have validated this issue on 8.1.0 BC6 with the upgrade scenario and observed that the issue is fixed. 🟢

Please find below the testing details:

Build Details:

Version: 8.1.0 BC6
Commit: 4aaeda23aea9c3bf29698878c70a0107ea3c1659
Build: 50485

Screenshot: [attached image]

Thanks!!

@ghost ghost added the QA:Validated Issue has been validated by QA label Mar 4, 2022