
[Detections][Security Solution] Values are not populated on exceptions dialog #104371

Closed
MadameSheema opened this issue Jul 6, 2021 · 16 comments
Assignees: FrankHassanabad
Labels: bug (Fixes for quality problems that affect the customer experience), impact:critical (This issue should be addressed immediately due to a critical level of impact on the product), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), v7.14.0

Comments

@MadameSheema (Member)

Describe the bug:

  • Values are not populated on exceptions dialog

Kibana/Elasticsearch Stack version:
7.14.0 - BC1

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

  • Detections
  • Exceptions

Steps to reproduce:

  1. Create a rule
  2. Generate alerts for that rule
  3. Open the add exception dialog

Current behavior:

  • The value list is not populated

(Screenshot: 2021-07-06 at 07:33:39)

Expected behavior:

  • The value list should be populated
@MadameSheema MadameSheema added bug Fixes for quality problems that affect the customer experience triage_needed Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Jul 6, 2021
@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@MadameSheema (Member, Author)

@peluja1012 @spong can you please help to prioritise this bug? For me it is critical/high.

@deepikakeshav-qasource @mandeepkaur-qasource please take this into consideration during your testing.

Thanks :)

@ghost ghost mentioned this issue Jul 6, 2021
@spong (Member) commented Jul 6, 2021

++ @MadameSheema, this is critical/high and will need to be addressed for 7.14.

@spong spong added impact:critical This issue should be addressed immediately due to a critical level of impact on the product. and removed triage_needed labels Jul 6, 2021
@MadameSheema (Member, Author)

Thanks @spong!

@MikePaquette this issue was listed in your ticket: elastic/security-team#1412 and has been raised to Critical. Thanks :)

@spong (Member) commented Jul 7, 2021

In reviewing #104559 (review), a stack trace was identified coming from the auto-complete service, seemingly related to #100174, so we will want to cross-check the changes there against this issue as well.

@FrankHassanabad FrankHassanabad self-assigned this Jul 8, 2021
@MikePaquette

Here's a bit more information:
There seems to be a difference in behavior, based on the rule type.

I just tried three cases:

  1. custom rule - exception field autocomplete OK - value autocomplete NG
  2. prebuilt rule - exception field autocomplete OK - value autocomplete OK
  3. endpoint rule - exception field autocomplete NG

cc: @FrankHassanabad

@MadameSheema (Member, Author)

@deepikakeshav-qasource can you please try to reproduce the issue on BC2? Thanks! :)

@ghost commented Jul 9, 2021

Hi @MadameSheema ,

We have validated this ticket on the 7.14.0 BC2 build and observed that the issue is not occurring. Values are populated on the rule exception for both custom rules and Elastic rules.

Build Details:

VERSION: 7.14.0 BC2
BUILD: 42401
COMMIT: 9826a943dc2e47f26ec6de94816e7d297b752994
ARTIFACT: https://staging.elastic.co/7.14.0-e99135ef/summary-7.14.0.html

Screenshot:
Custom Rule
https://user-images.githubusercontent.com/61860752/125057942-61de3b80-e0c7-11eb-8af5-2e650ff49a9e.mp4

Elastic Rule:

Malware_exception.mp4

Please let us know if anything else is required from our end

Thanks!!

@FrankHassanabad (Contributor)

I have also validated this for BC2, but to leave a note here, this issue was due to problems with autocomplete and a newer algorithm called terms_enum being used. So all of autocomplete across the application was malfunctioning.

As of BC2, you can still see autocomplete malfunctioning in one use case: if you use logs-* it will give errors in the network panel, since logs-* adds this extra string, logs-*,*-elasticlcoud-logs-*
(Screenshot: 2021-07-07 at 5:23:39 PM)

However, they fixed that here and it should be ready by BC3:
elastic/elasticsearch#75155

And Kibana has a ticket opened to bubble up the error rather than a 500 internal server error so we can get more information from here:
#104974

That is a work in progress but hopefully makes it by the next BC.

@FrankHassanabad (Contributor)

Another open issue for terms_enum, which auto-complete has changed its algorithm to, FYI:
elastic/elasticsearch#75190

@ghost commented Jul 12, 2021

Hi @FrankHassanabad ,

We have validated this on the 7.14.0 BC2 build and we are able to reproduce this issue. An error is displayed in the dev tools Network panel.

Build Details:

VERSION: 7.14.0 BC2
BUILD: 42401
COMMIT: 9826a943dc2e47f26ec6de94816e7d297b752994
ARTIFACT: https://staging.elastic.co/7.14.0-e99135ef/summary-7.14.0.html

Screenshot: (image)

Thanks!!

cc: @MadameSheema

@FrankHassanabad (Contributor)

Thanks, let's wait for BC3 and see if it's fixed there. I expect this part to still be broken in BC2 but fixed in BC3 🤞, as the issue is further down the stack from the Security Solution team and within Elasticsearch.

@MadameSheema (Member, Author)

@deepikakeshav-qasource can you please validate this issue on BC3? Thanks

@ghost commented Jul 16, 2021

Hi @MadameSheema,

We have validated this ticket on the 7.14.0 BC3 build and observed that the issue is fixed. Please find our observations below:

Build Details:

VERSION: 7.14.0 BC3
BUILD: 42545
COMMIT: c314921a9893e0b46d9a3958f5520e3d6b1ce7d5
ARTIFACT: https://staging.elastic.co/7.14.0-682a8012/summary-7.14.0.html

Observation 1: No error is displayed in the dev tools Network panel when entering a query in the search under the Hosts tab.

Screen Recording:

host_network_error.mp4

Observation 2: Values are populated on Rule exception.

Screenshot: (exception)

Please let us know if we are missing anything or if anything else is required from our end.

Thanks!!

@ghost commented Aug 19, 2021
ghost commented Aug 19, 2021

Bug Conversion:

01 Test-Case updated
