
[Security Solution] Preview results limit not respected for Last hour #129025

Closed
MadameSheema opened this issue Mar 31, 2022 · 3 comments
Labels: bug, Feature:Detection Rule Preview, fixed, impact:high, Team:Detection Alerts, Team:Detections and Resp, Team: SecuritySolution, v8.2.0

Comments

@MadameSheema
Member

Describe the bug:

  • When previewing the results during the creation of a rule, in the histogram legend it can be read Note: This preview excludes effects of rule exceptions and timestamp overrides, and is limited to 100 results.

Kibana/Elasticsearch Stack version:

Initial precondition:

  • I had ingested auditbeat and packetbeat data, both with more than 100 events ingested.

Steps to reproduce:

  1. Navigate to Rules
  2. Click on Create new rule
  3. On index patterns just leave packetbeat-*
  4. Enter a valid custom query i.e. *:*
  5. Click on Preview results

Current behavior:

Screenshot 2022-03-31 at 11 37 22

Expected behavior:

  • Just 100 hits are displayed

Additional information:

  • Same when the auditbeat index pattern is added: the number of hits returned increases:

Screenshot 2022-03-31 at 11 39 22

  • When you have just auditbeat as index pattern, the number of hits returned is also above 100

Screenshot 2022-03-31 at 11 42 42

  • This is just happening for Last hour; Last day and Last month limit the number of hits to 100.
Preview results response
{
  "previewId": "383e1f37-8ecd-4d2d-842d-ea7a7f7ba0d7",
  "logs": [
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:10:53.751Z", "duration": 14},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:15:53.751Z", "duration": 9},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:20:53.751Z", "duration": 9},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:25:53.751Z", "duration": 10},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:30:53.751Z", "duration": 8},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:35:53.751Z", "duration": 9},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:40:53.751Z", "duration": 9},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:45:53.751Z", "duration": 8},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:50:53.751Z", "duration": 8},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:55:53.751Z", "duration": 8},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:00:53.751Z", "duration": 9},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:05:53.751Z", "duration": 9},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:10:53.751Z", "duration": 10},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:15:53.751Z", "duration": 10},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:20:53.751Z", "duration": 263},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:25:53.751Z", "duration": 252},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:30:53.751Z", "duration": 311},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:35:53.751Z", "duration": 206},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:40:53.751Z", "duration": 227},
    {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:45:53.751Z", "duration": 161}
  ],
  "isAborted": false
}
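The preview response above records one log entry per rule invocation the preview ran. The following is an added example (not Kibana's own code) that parses a response of that shape and summarises how many invocations ran, at what interval, over what span, whether any reported errors or warnings, and which invocations were unusually slow, so the preview run can be sanity-checked from the JSON alone. The sample response, the placeholder previewId and the `slow_factor` heuristic are constructed for this example.

```python
# Added example, not Kibana's own code: summarise a detection-rule preview
# response of the shape quoted in the issue.
import json
from datetime import datetime

# Constructed sample in the issue's response format (a subset of the twenty
# invocations shown above; previewId is a placeholder, not a real id).
SAMPLE_RESPONSE = json.dumps({
    "previewId": "00000000-0000-0000-0000-000000000000",
    "logs": [
        {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:10:53.751Z", "duration": 14},
        {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:15:53.751Z", "duration": 9},
        {"errors": [], "warnings": [], "startedAt": "2022-03-31T08:20:53.751Z", "duration": 9},
        {"errors": [], "warnings": [], "startedAt": "2022-03-31T09:20:53.751Z", "duration": 263},
    ],
    "isAborted": False,
})


def _started_at(entry):
    # Timestamps in the response are ISO 8601 with millisecond precision and a Z suffix.
    return datetime.strptime(entry["startedAt"], "%Y-%m-%dT%H:%M:%S.%fZ")


def summarize_preview(raw_json, slow_factor=5.0):
    """Summarise a preview response: invocation count, scheduling interval in
    minutes, total span in minutes, invocations that reported problems, and
    invocations slower than slow_factor times the median duration (the jump
    from ~9 ms to ~250 ms visible in the issue's log)."""
    resp = json.loads(raw_json)
    logs = sorted(resp["logs"], key=_started_at)
    starts = [_started_at(e) for e in logs]
    durations = sorted(e["duration"] for e in logs)
    median = durations[len(durations) // 2] if durations else 0
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "invocations": len(logs),
        "interval_minutes": min(gaps).total_seconds() / 60 if gaps else None,
        "span_minutes": (starts[-1] - starts[0]).total_seconds() / 60 if starts else 0.0,
        "problems": [(e["startedAt"], e["errors"], e["warnings"])
                     for e in logs if e["errors"] or e["warnings"]],
        "slow": [e["startedAt"] for e in logs if e["duration"] > slow_factor * median],
        "aborted": resp["isAborted"],
    }


if __name__ == "__main__":
    print(json.dumps(summarize_preview(SAMPLE_RESPONSE), indent=2))
```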
@MadameSheema added labels bug, triage_needed, Team:Detections and Resp, Team: SecuritySolution, Team:Detection Alerts on Mar 31, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@peluja1012 added labels impact:high, Feature:Detection Rule Preview on Apr 1, 2022

ghost commented Apr 14, 2022

Hi Team,

We have validated the above issue on 8.2.0 BC3 and it's working fine. 🟢

Build Details:
Version : 8.2.0 BC3
Build : 51885
Commit : 2ea6dc82752506d6f7aa34bda747f99c6fbfd152

Screenshots:


Thanks !

@ghost ghost closed this as completed Apr 14, 2022