Improve tables at small resolutions
Elevator pitch
There are tables all over Kibana that look awful at small resolutions. We should fix this globally.
Is your feature request related to a problem? Please describe.
When looking at usage of EUI tables throughout Kibana and Cloud UI, you can observe the majority of tables in use breaking in the same way.
To be clear, I don't believe this is a bug with EUI. We have features available to handle small resolutions, and these tables are likely not using them.
The list of known tables that have this issue:
- Kibana > Machine learning Notifications
- Kibana > Machine Learning Overview
- Kibana > Security Cases
- Cloud UI > Cloud Home page
- Cloud UI > Cloud Activity
Describe the solution you'd like
The solution could come in two forms here:
- Provide clearer table guidance instructing folks how to deal with tables at small resolutions
- Provide some sort of guardrails in EUI tables that would prevent this automatically.
Some example guidance suggested by Cee:
- Play with `columns.width` - try either switching between `%` based widths or static pixel widths to see what works best for the content in the cell
- Set a minimum width on the table and its wrapper and have the table scroll horizontally if it goes below that width
- Use the `responsiveBreakpoint="s|m|l|xl"` prop to collapse the table down into cards sooner (see docs for responsive/mobile tables here).
Describe alternatives you've considered
No other alternatives considered.
Desired timeline
No desired timeline, it's been an issue for years, so I don't believe there is a ton of urgency, but it would also be great to clean up.
Additional context
@seanthegeek: Can you provide an example log? It's just easier to think about stuff when I can use some visual help.
@phantinuss Here's an example CrowdStrike Falcon log entry in JSON format, with identifying information redacted. The FileFix approach is used to launch ping via cmd as a child process of msedge.exe.
{
"#event_simpleName": "ProcessRollup2",
"#humioAutoShard": 14,
"#repo": "base_sensor",
"#repo.cid": "REDACTED",
"#type": "falcon-raw-data",
"@id": "REDACTED",
"@ingesttimestamp": 1752721485716,
"@source": "PlatformEvents",
"@sourcetype": "xdr/xdr-base-parsers:falcon-raw-data",
"@timestamp": 1752700531757,
"@timestamp.nanos": 0,
"@timezone": "Z",
"Agent IP": "REDACTED",
"AuthenticationId": 70902049,
"AuthenticodeHashData": "63b7011fe73c0f33106972b3da8587db042dee75",
"CallStackModuleNames": "0<-1>\\Device\\HarddiskVolume4\\Windows\\System32\\ntdll.dll+0x163984:0x266000:0x1d4ecf98|\\Device\\HarddiskVolume4\\Windows\\System32\\KernelBase.dll+0xfc66a:0x3cc000:0xe6128e90|1+0xf9da6|\\Device\\HarddiskVolume4\\Windows\\System32\\kernel32.dll+0x3c6d4:0xc9000:0x35202ecf|\\Device\\HarddiskVolume4\\Windows\\System32\\windows.storage.dll+0x16feac:0x856000:0xf7e71a4b|4+0x16ef2e|4+0x264115|4+0xc602e|4+0xc6b5d|4+0xc2a09|4+0xc270d|4+0xc6dbd|4+0x24f1d3|4+0x24eb9a|\\Device\\HarddiskVolume4\\Windows\\System32\\shell32.dll+0x115c37:0x72d000:0xfb79c30d|14+0x1159ce|14+0x139fd2|14+0x2336ba|4+0x2f4dae|4+0x599beb|4+0x350414|4+0x596bbb|\\Device\\HarddiskVolume4\\Windows\\System32\\SHCore.dll+0x4805a:0xef000:0xeef44c00|3+0x2e8d7|0+0x9c5dc",
"CallStackModuleNamesVersion": 8,
"CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c ping example.com",
"ComputerName": "REDACTED",
"ConfigBuild": "1007.3.0019508.15",
"ConfigStateHash": 67393663,
"CreateProcessType": 1,
"EffectiveTransmissionClass": 3,
"Entitlements": 15,
"EventOrigin": 1,
"FileName": "cmd.exe",
"FilePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\",
"ImageFileName": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe",
"ImageSubsystem": 3,
"IntegrityLevel": 8192,
"LocalAddressIP4": "REDACTED",
"LocalIP": "REDACTED",
"MD5HashData": "e86a8609fea011c240950f5369d12714",
"ParentAuthenticationId": 70902049,
"ParentBaseFileName": "msedge.exe",
"ParentProcessId": 1207580822080,
"ProcessCreateFlags": 67634196,
"ProcessEndTime": "",
"ProcessParameterFlags": 24577,
"ProcessStartTime": 1752700531.170,
"ProcessSxsFlags": 64,
"RawProcessId": 17572,
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "83c991bf32bbc3546eb62f45f9b3fd35abbf5bbb7e57ef8ea298822bfd4788ab",
"SessionId": 2,
"ShowWindowFlags": 1,
"SignInfoFlags": 8683538,
"SourceProcessId": 1207580822080,
"SourceThreadId": 69359417953148,
"Tactic": "Execution",
"Tags": "REDACTED",
"TargetProcessId": 1207584520471,
"Technique": "User Execution",
"TokenType": 1,
"UserName": "REDACTED",
"UserSid": "REDACTED",
"WindowFlags": 1025,
"aid": "REDACTED",
"aip": "REDACTED",
"cid": "REDACTED",
"event_platform": "Win",
"id": "REDACTED",
"name": "ProcessRollup2V19",
"timestamp": 1752700531757
}
And here is a log entry for the Adobe Acrobat Google Chrome extension that would generate thousands of false positive alerts without the double quotes anchored at the beginning in the command line regex.
{
"#event_simpleName": "ProcessRollup2",
"#humioAutoShard": 19,
"#repo": "base_sensor",
"#repo.cid": "REDACTED",
"#type": "falcon-raw-data",
"@id": "REDACTED",
"@ingesttimestamp": 1752771139530,
"@source": "PlatformEvents",
"@sourcetype": "xdr/xdr-base-parsers:falcon-raw-data",
"@timestamp": 1752771137989,
"@timestamp.nanos": 0,
"@timezone": "Z",
"Agent IP": "REDACTED",
"AuthenticationId": 2410301,
"AuthenticodeHashData": "d2608be9ff73fa04b0c0afd148be3a12f28579ac",
"CallStackModuleNames": "0<-1>\\Device\\HarddiskVolume4\\Windows\\System32\\ntdll.dll+0x163514:0x265000:0x9194561f|\\Device\\HarddiskVolume4\\Windows\\System32\\KernelBase.dll+0xfcf8a:0x3e8000:0xfc5b8f29|1+0xfa6c6|\\Device\\HarddiskVolume4\\Windows\\System32\\kernel32.dll+0x3c6d4:0xc9000:0xd3aca5a1|\\Device\\HarddiskVolume4\\Program Files\\Google\\Chrome\\Application\\138.0.7204.97\\chrome.dll+0xa91f50:0xf403000:0x6862375f|4+0x76e6394|4+0x76e004d|4+0x76e0ce0|4+0x76e114f|4+0x4dd9292|4+0x3aeba1b|4+0x3aeb7bb|4+0x3222329|4+0x3221a8f|4+0x321fdaf|4+0x321dc86|4+0x8ad18|4+0x728d88|3+0x2e8d7|0+0x3c34c",
"CallStackModuleNamesVersion": 8,
"CommandLine": "C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"\"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Browser\\WCChromeExtn\\WCChromeNativeMessagingHost.exe\" chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/ --parent-window=0\" < \\\\.\\pipe\\chrome.nativeMessaging.in.30ca1ee3f95dc961 > \\\\.\\pipe\\chrome.nativeMessaging.out.30ca1ee3f95dc961",
"ComputerName": "LWJT99DY3",
"ConfigBuild": "1007.3.0019508.15",
"ConfigStateHash": 1670357323,
"CreateProcessType": 1,
"EffectiveTransmissionClass": 3,
"Entitlements": 15,
"EventOrigin": 1,
"FileName": "cmd.exe",
"FilePath": "\\Device\\HarddiskVolume4\\Windows\\System32\\",
"ImageFileName": "\\Device\\HarddiskVolume4\\Windows\\System32\\cmd.exe",
"ImageSubsystem": 3,
"IntegrityLevel": 8192,
"LocalAddressIP4": "REDACTED",
"LocalIP": "REDACTED",
"MD5HashData": "59a3f41dd84517fcf809bd65fff5e721",
"ParentAuthenticationId": 2410301,
"ParentBaseFileName": "chrome.exe",
"ParentProcessId": 6628223996890,
"ProcessCreateFlags": 0,
"ProcessEndTime": "",
"ProcessParameterFlags": 24577,
"ProcessStartTime": 1752771138.058,
"ProcessSxsFlags": 64,
"RawProcessId": 16348,
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "ae4943e5f3f763688e10601f090b4cae3ce19f0b427007884b40d27d7fb9274d",
"SessionId": 1,
"ShowWindowFlags": 0,
"SignInfoFlags": 8683538,
"SourceProcessId": 6628223996890,
"SourceThreadId": 721733025460206,
"Tactic": "Execution",
"Tags": "REDACTED",
"TargetProcessId": 6628243768936,
"Technique": "User Execution",
"TokenType": 1,
"UserName": "REDACTED",
"UserSid": "REDACTED",
"WindowFlags": 1,
"aid": "REDACTED",
"aip": "REDACTED",
"cid": "REDACTED",
"event_platform": "Win",
"id": "REDACTED",
"name": "ProcessRollup2V19",
"timestamp": 1752771137989
}
Actually, that regex matches the Sysmon log from the original PR without #, so I removed #. The # is used when opening a decoy file, but the attack can be used without it:
<Data Name="CommandLine">"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c ping example.com # C:\company\internal-secure\filedrive\HRPolicy.docx</Data>
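The anchoring point discussed in this thread, as an added example that is not part of the original discussion or the PR's rule: it runs an anchored and an unanchored command-line pattern over the three command lines quoted above. Both regexes, the `BROWSER_PARENTS` set, the `msedge.exe` parent on the Sysmon line, and the `explorer.exe` event are assumptions made for illustration.

```python
import re

# Illustrative patterns (assumptions, not the rule from the PR).
# ANCHORED: command line must start with a double-quoted shell image path.
ANCHORED = re.compile(r'^"[^"]*\\(?:cmd|powershell)\.exe"\s', re.IGNORECASE)
# UNANCHORED: shell image path accepted anywhere, quoted or not.
UNANCHORED = re.compile(r'\\(?:cmd|powershell)\.exe\b', re.IGNORECASE)

# Browser parents that appear in the log entries above.
BROWSER_PARENTS = {"msedge.exe", "chrome.exe"}

# Events reduced to the two fields the check reads.
EVENTS = {
    # Command line from the first Falcon entry.
    "filefix_cmd": {
        "ParentBaseFileName": "msedge.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping example.com',
    },
    # Command line from the Adobe Acrobat native messaging entry.
    "adobe_native_host": {
        "ParentBaseFileName": "chrome.exe",
        "CommandLine": r'C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Program Files\Adobe\Acrobat DC'
                       r'\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe" '
                       r'chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/ --parent-window=0" '
                       r'< \\.\pipe\chrome.nativeMessaging.in.30ca1ee3f95dc961 '
                       r'> \\.\pipe\chrome.nativeMessaging.out.30ca1ee3f95dc961',
    },
    # Sysmon command line from the last comment; the parent is assumed.
    "filefix_powershell": {
        "ParentBaseFileName": "msedge.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                       r'-c ping example.com # C:\company\internal-secure\filedrive\HRPolicy.docx',
    },
    # Constructed event: same quoted command line, non-browser parent.
    "explorer_cmd": {
        "ParentBaseFileName": "explorer.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping example.com',
    },
}

def matches(event, pattern):
    """True when a browser spawned the process and the command line fits the pattern."""
    parent = event.get("ParentBaseFileName", "").lower()
    return parent in BROWSER_PARENTS and pattern.search(event.get("CommandLine", "")) is not None

def compare(events=EVENTS):
    """Map each event name to (anchored_hit, unanchored_hit)."""
    return {name: (matches(ev, ANCHORED), matches(ev, UNANCHORED)) for name, ev in events.items()}

if __name__ == "__main__":
    for name, (anchored, unanchored) in compare().items():
        print(f"{name:20} anchored={anchored!s:5} unanchored={unanchored}")
```

Neither pattern depends on the trailing `#`, so the PowerShell line would still match with the decoy path removed.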