
[Security Solution] Alerts table is empty on Rule Details page #148715

Closed
banderror opened this issue Jan 11, 2023 · 15 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Details Security Solution Detection Rule Details page fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@banderror
Contributor

Summary

Reported by @aarju:

I just found a bug where I created a new detection rule for testing, then I tried to view the alerts but none were showing. Eventually I found that there was an invisible 'global filter' being applied to the rule page preventing the viewing of any alerts. When I tried to view the filters there wasn't anything there. For a bit there I thought the 8.6 detection engine wasn't working at all because I couldn't see any of the alerts since the upgrade.

Screen.Recording.2023-01-11.at.10.17.47.mov
@banderror banderror added bug Fixes for quality problems that affect the customer experience impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team Feature:Rule Details Security Solution Detection Rule Details page 8.7 candidate v8.7.0 v8.6.1 labels Jan 11, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror self-assigned this Jan 11, 2023
@banderror
Contributor Author

Could be related to #141010 (comment)

@banderror
Contributor Author

Could be related to elastic/security-docs#3046 as well, but chances are lower

@nikitaindik
Contributor

After doing an investigation, I think I know what happens here. Once you create a rule, it gets queued for execution, and then you are redirected to the Rule Details page. Execution and writing alerts to the DB takes from a couple of hundred ms to a few seconds depending on rule type/query. If the Rule Details page finishes loading before alerts are generated, the Alerts table will be empty. Then if you switch to another tab, like Execution Events, and then return to the Alerts tab, a new request to read alerts is made, and if rule execution has finished by this moment, you'll see alerts.

@aarju Do you think this might be the issue here?

@banderror
Contributor Author

Hey @MadameSheema, may I please ask someone from the QA team to help with reproducing this bug and figuring out the exact steps? This is not urgent and could be done when/if folks have enough bandwidth.

@nikitaindik described the possible reason for this behavior in the comment above, and this behavior is not a bug. However, I have a suspicion that the bug could still be there caused by a different reason. I was under the impression that alerts sometimes are not shown even for rules that were created a long time ago and have generated some alerts before the user opens the Rule Details page, which means this would not be related to the case described by Nikita.

Please let me know if you can help us with this. I'll move this bug back to the backlog for now.

@MadameSheema
Member

Hey @MadameSheema, may I please ask someone from the QA team to help with reproducing this bug and figuring out the exact steps? This is not urgent and could be done when/if folks have enough bandwidth.

Sure!! :)

@karanbirsingh-qasource @sukhwindersingh-qasource can you please help with the above task? Please do it when you have a free gap, 8.9 test plan preparation and testing should be top priority. Thanks!

@cybersecdiva

Tested in 8.9.0 BC5

Kibana/Elasticsearch version:
VERSION: 8.9.0 BC5

Build Details:

VERSION: 8.9.0 BC5
BUILD: 64715
COMMIT: beb56356c5c037441f89264361302513ff5bd9f8

Preconditions:

Kibana must be running

Describe the bug:

Alerts details is empty on rule details page

Steps to reproduce:

  1. Navigate to Security —> Manage —> Rules -> Create new rule
  2. Wait until the rule executes and view the rule in the Rule Details page
  3. Validate if alerts are generated and display in Alerts table

Expected behavior:
Alerts are generated and displayed in the alerts table on the Rule Details page

Screenshots of behavior:

Screenshot 2023-08-01 at 6 21 43 PM

Screen share recording:

Alerts.table.test.mp4

Conclusion:

Behavior is showing as expected and the alerts table displays alerts and values.
Validation ✅ that bug 🐛 is fixed in 8.9.0 BC5

@cybersecdiva

@MadameSheema and @nikitaindik QA Validated bug 🐛 fixed ✅

@cybersecdiva cybersecdiva added QA:Validated Issue has been validated by QA fixed labels Aug 1, 2023
@MadameSheema
Member

@cybersecdiva which global filter did you have applied? From which version did you perform the upgrade? Thanks! :)

@cybersecdiva

cybersecdiva commented Aug 2, 2023

@MadameSheema I've updated my findings after performing additional checks. The test rule initially was performed on a deployment upgraded from 8.8.2 to the current version 8.9.0, in which the alerts were generated and showed in the alerts table without issues, per the screenshare in the prior comment.

  • The global filter in the deployment that was upgraded and tested in the prior comment from 8.8.2 to 8.9.0, was not applied in the execution tab in the Rules Details Page.

  • The Alerts table with empty values have been observed in both 8.5.3 and 8.6.2, in which a global filter is applied to show values in the Alerts table.

Action Steps:

  • I have re-tested in a deployment created on 8.5.3 that was upgraded to 8.6.2 and then to 8.9.0, and compared for analysis to double check my findings of the behavior.
  • In the deployment that was upgraded from 8.5.3 -> 8.6.2 -> 8.9.0, the issue is still occurring.
  • Please see next comment for Updated findings path for complete details.

@cybersecdiva cybersecdiva reopened this Aug 2, 2023
@cybersecdiva cybersecdiva removed fixed QA:Validated Issue has been validated by QA labels Aug 2, 2023
@cybersecdiva

cybersecdiva commented Aug 2, 2023

Tested in 8.5.3 upgraded to 8.9.0

Kibana/Elasticsearch version:
VERSION: 8.5.3 upgraded to 8.9.0

Build Details:

VERSION: 8.9.0 BC5
BUILD: 64715
COMMIT: beb56356c5c037441f89264361302513ff5bd9f8

Preconditions:

  • Kibana must be running
  • Deployment 8.6 version upgraded to 8.9.0

Describe the bug:

Alerts details is empty on rule details page

Steps to reproduce:

  1. Navigate to Security —> Manage —> Rules -> Create new rule
  2. Wait until the rule executes and view the rule in the Rule Details page
  3. Validate if alerts are generated and display in Alerts table

Expected behavior:
Alerts are generated and displayed in alerts table and on Rules details page

Observations:

  • After a rule is newly created, the alerts table is empty on the Rule Details page. Alerts will only show when a global filter is applied in the Executions tab
  • The behavior is observed in 8.5.3 and 8.6.x versions and in deployments upgraded from these versions to 8.9.0
  • When the behavior was tested in a deployment upgraded from 8.8.2 to 8.9.0, the behavior did not occur and the alerts table values displayed without having to apply global filters in the Executions tab

Screenshots of behavior:

8.5.3 Empty Alerts Table Value after rule creation:

Alertsruletableempty_8 5 3_Screenshot 2023-08-02 at 5 18 05 PM

8.5.3 Empty Table Value after global filter applied:

8 5 3rulealertstablebugScreenshot 2023-08-02 at 5 18 32 PM (2)

8.9.0 Upgraded Deployment Empty Table Value after rule creation:

8 9 0upgradefrom8 5 3emptytableScreenshot 2023-08-02 at 7 33 37 PM

8.9.0 Upgraded Deployment Empty Table Value after global filter applied:

8 9 0upgradefrom8 5 3_Screenshot 2023-08-02 at 7 34 21 PM

Screen share recording:

Alertsrulestable.-.Kibana.mp4

Conclusion:

Behavior is still showing in deployments upgraded from prior version releases and the alerts table displays no values.
@MadameSheema FYI Updated observations

@banderror
Contributor Author

Hey @cybersecdiva, thanks for the repro. In your video, when you click Save on the Rule Creation page (0:25), you get navigated to the Rule Details page, and there's a filter applied right away. The filter is by some rule execution uuid. Did you apply this filter earlier on the Details page of another rule? This would explain why the page showed an empty Alerts table - the rule you just created did not execute with this particular execution id:

Screenshot 2023-08-03 at 13 13 14

@cybersecdiva cybersecdiva added the QA:Validated Issue has been validated by QA label Aug 3, 2023
@cybersecdiva

@banderror Thank you for following up. I performed an additional test to adjust the time period to match the rule additional look back time of 30 seconds for testing. I've also performed additional time frames to test.

My conclusion is this could be a delayed timing execution issue and is why initially when I performed the tests in 8.9.0 BC5 behavior performed as expected in comment#1661185466

Even if the time frame is set with a start time for Today to end date time of now, the rule executes and will show up after a brief refresh period and selection of the refresh button.

When the additional look back time of 30 seconds matches the start time, you get the same results in the Rule Details of the Alerts table being empty until selecting the refresh button, then the values show up as shown in the screen recording (0:39-0:43) and screenshot below:

Screen recording of Start Date Time Last 30 seconds for Empty Alerts Table Test:

ruletabletestvarious.time.frames.mp4

Screenshot of Start Date Time Last 30 seconds for Empty Alerts Table Test:
30secondtimefilterScreenshot 2023-08-03 at 12 18 15 PM

My determination is this is not a bug 🐛, as I've observed after several tests that values will show up after a refresh period, even when the additional look back time and start time match.

Another test, the values show up when the start date time is Today without the additional look back time match as indicated in the screen recording and screenshot.

Screenshot of Start Date Time Today for Empty Alerts Table Test:

TestwithTodaystarttimeScreenshot 2023-08-03 at 11 42 24 AM

Screen recording of Start Date Time Today for Empty Alerts Table Test:

Rules.Empty.Table.Test.mp4

Conclusion:

This is not a bug 🐛 , however, it is behavior that needs to be re-checked and tested in 8.10.0 to observe and compare behavior results before closing it out.

@banderror and @MadameSheema FYI, Updated observations QA Validation and leaving open for recheck ✅ and test in the next release.

@cybersecdiva

Tested in 8.10.2

Kibana/Elasticsearch version:
VERSION: 8.10.2

Build Details:

VERSION: 8.10.2
BUILD: 66404
COMMIT: 29555604d9c1721a91c9b948fd3ae1193e944ce4

Preconditions:

Kibana must be running

Describe the bug:

Alerts details is empty on rule details page

Steps to reproduce:

  1. In 8.10+ versions, Navigate to Security —> Detection rules (SIEM) —>Create new rule
  2. Fill in required fields
  3. Click on Create & enable Rule

Expected behavior:
Alerts are generated and displayed in the alerts table on the Rule Details page

Screenshots of Rules Details Page with different Additional look-back times:

Runs every 15 seconds with Additional look-back time of 15s:

Screenshot 2023-09-29 at 4 25 05 PM

Runs every 5 minutes with Additional look-back time of 30s:

Screenshot 2023-09-29 at 4 26 59 PM

Screenshot of Rule after creation and execution:
Screenshot 2023-09-29 at 4 18 36 PM

Screen share recording:

Rules.Details.Page.Empty.Rule.test.mp4

Conclusion:

Behavior is showing as expected and the alerts table displays alerts and values.
QA Validation ✅ that bug 🐛 is fixed in 8.10.2.

cc: @MadameSheema @banderror @yctercero FYI Updated observations marking as fixed and closing.
