[Security Solution]Cases information not available under preview result alert flyout #129288

Closed
ghost opened this issue Apr 4, 2022 · 14 comments
Labels
bug Fixes for quality problems that affect the customer experience fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detection Alerts Security Detection Alerts Area Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team v8.3.0

Comments

@ghost

ghost commented Apr 4, 2022

Describe the bug
Cases information not available under preview result alert flyout

Build Details

Version:8.2.0-BC1
Commit : d18a093a2cf03991b93ea3de6a1054d580d3e82f
Build:51685

Steps

  • Log in to Kibana
  • Create a rule and generate some alerts
  • Attach a new case to an alert and remember the alert entry (in our case we noted the process.pid)
  • Edit the rule and click on Preview
  • Click on Alert details for the above alert entry, which is attached to the case
  • Observed that the updated case information is not shown in the flyout of the preview rule

Expected Result

As per our observation, the expected result should be either of the following:

  • Stop showing the case count under the flyout
  • Show the correct count, as per the alert table flyout under the Alerts page

Screen-Cast

Rules.-.Kibana.Mozilla.Firefox.2022-04-04.13-12-50.mp4
@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Apr 4, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Apr 4, 2022
@manishgupta-qasource

Reviewed & assigned to @MadameSheema

@MadameSheema MadameSheema added Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team labels Apr 4, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@janmonschke (Contributor)

After syncing with @MadameSheema we found out that this is a genuine issue. Luckily it is not an issue with the data model but rather a UX issue. The alert is not attached to a case because it's not an alert that comes from the same index as the previously attached alert. The alert from the table comes from the preview index and therefore has a different ID. So on paper the issue appears to be expected behaviour.

However, I think this is a genuine issue because it is a confusing UX to display the case count when opening the flyout from the preview table. IMO, not displaying the case count would be the better UX. Wdyt @michaelolo24 ?

@michaelolo24 (Contributor)

I agree that it is a genuine issue, but I'm not sure what the potential fix is here. If the alert in the preview index has a different id, then it won't appear in the flyout no matter what we do, unless there's a way to do a lookup in the back end from the preview table and return the id of the matching alert from the alerts index. The alternative is to not show the cases section in the flyout, but we should talk to @paulewing and @monina-n about that.

@michaelolo24 (Contributor)

Also, @marshallmain wanted to link this issue with #129286 as a general question of how the preview table should behave relative to the full-fledged alert table.

@MadameSheema MadameSheema added Team:Detections and Resp Security Detection Response Team Team:Detection Alerts Security Detection Alerts Area Team labels Apr 6, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@janmonschke janmonschke removed their assignment Apr 6, 2022
@marshallmain (Contributor)

@michaelolo24 Generally the preview table should behave as a "read only" version of the full alerts table. The table supports paging, sorting, choosing columns, and viewing alert details, but does not support any stateful actions on alerts. Users can't add exceptions, add preview alerts to cases, or open/close preview alerts.

@marshallmain (Contributor)

I think we should remove the cases info from the preview flyout. cc @dplumlee
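The two points made above (an alert attachment on a case is keyed by the alert's document id and index, so a preview alert, which lives in a separate preview index under a different id, can never match; and the preview flyout should therefore not render a cases section at all) can be illustrated with a small model. This is an added example, not Kibana's own code: the index names, the attachment shape, and the document ids are assumptions constructed for the illustration.

```typescript
// Added illustration of the id/index mismatch discussed in this thread.
// Not Kibana code; all names and sample values below are assumptions.

interface AlertRef {
  index: string;   // index the alert document was read from
  alertId: string; // the alert document's _id
}

// Assumed shape of a case's alert attachment: it references the alert by
// document id *and* index, which is why a lookup from another index fails.
interface CaseAlertAttachment {
  caseId: string;
  alertId: string;
  index: string;
}

// Assumed index names (the real ones are space-scoped and may differ).
const ALERTS_INDEX = ".alerts-security.alerts-default";
const PREVIEW_INDEX = ".preview.alerts-security.alerts-default";

// Constructed sample data: one alert attached to one case.
const caseAttachments: CaseAlertAttachment[] = [
  { caseId: "case-1", alertId: "a1b2c3", index: ALERTS_INDEX },
];

// Constructed sample alerts: the same detection, once written by the real
// rule run and once by a preview run. Same event fields, different
// document id and index.
const realAlert: AlertRef = { index: ALERTS_INDEX, alertId: "a1b2c3" };
const previewAlert: AlertRef = { index: PREVIEW_INDEX, alertId: "d4e5f6" };

// A preview alert is recognised purely by the index it was read from.
function isPreviewAlert(ref: AlertRef): boolean {
  return ref.index.startsWith(".preview.");
}

// Count distinct cases referencing exactly this (alertId, index) pair.
// For a preview alert this is always 0, which is the confusing number
// the flyout displayed.
function countCasesForAlert(ref: AlertRef, attachments: CaseAlertAttachment[]): number {
  const caseIds = attachments
    .filter((a) => a.alertId === ref.alertId && a.index === ref.index)
    .map((a) => a.caseId);
  return new Set(caseIds).size;
}

// Flyout behaviour matching the "read only" preview rule: return undefined
// (render no cases section) for preview alerts, a real count otherwise.
function casesSectionForFlyout(
  ref: AlertRef,
  attachments: CaseAlertAttachment[]
): number | undefined {
  if (isPreviewAlert(ref)) {
    return undefined;
  }
  return countCasesForAlert(ref, attachments);
}

// Usage: the real alert resolves to 1 case, the preview alert to no section.
console.log(casesSectionForFlyout(realAlert, caseAttachments));    // 1
console.log(casesSectionForFlyout(previewAlert, caseAttachments)); // undefined
```

The point of the `undefined` return rather than `0` is that the caller can distinguish "no cases" from "cases are not applicable here" and omit the section entirely, which is the fix the thread settles on.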

@michaelolo24 (Contributor)

@dplumlee I assigned you here because I think you're working on this already as part of the other preview fixes? Lmk if I assumed incorrectly!

@MadameSheema (Member)

@deepikakeshav-qasource @karanbirsingh-qasource can you please help to coordinate the test of this? Thanks!

@ghost

ghost commented Jun 3, 2022

Hi @MadameSheema,

We have validated this issue on 8.3.0 BC2 and observed that the issue is still occurring. 🔴

Please find below the testing details:

  • Cases information not available under preview result alert flyout

Build Details:

Version : 8.3.0 BC2
Build : 53231
Commit : 25476b531ba9f32292bde85508d342aa5e1c29eb

Screencast

cases.mp4

Thanks!!

@MadameSheema (Member)

Thanks @deepikakeshav-qasource!! Looks like it is missing the backport to the 8.3 branch. Please make sure it is properly retested on the next BC!!

@ghost

ghost commented Jun 8, 2022

Hi @MadameSheema

We have validated this issue on 8.3.0 BC3 and observed that the issue is fixed. 🟢

Please find below the testing details:

Build Details:

Version : 8.3.0 BC3
Build : 53272
Commit : 7a0df2bca36ced2a898420cbb193a9dba0782a7a

Screencast

Preview.Results.mp4

Hence, we are closing this issue and marking it as QA Validated!!

cc: @MadameSheema

Thanks!!

@ghost ghost added the QA:Validated Issue has been validated by QA label Jun 8, 2022
@ghost ghost closed this as completed Jun 8, 2022
This issue was closed.