[Security Solution] Insight data not visible under timeline investigation of session alert
Describe the bug: Insight data is not visible under timeline investigation of a session alert.
Build Details:
VERSION: 8.5.0-SNAPSHOT
commit: 436b2874794a6ffc05ad3b9ef28c298ff5384ca4
build: 55993
Steps
- Log in to the Kibana deployment
- Go to the session table
- Investigate the session alert inside the timeline
- Go to the alert view side panel
- Observe that the insight data is not viewable, although the insight of the same alert is visible under session view
Screen-Cast:
https://user-images.githubusercontent.com/59917825/188577987-415239e2-1fc8-4ae0-bc89-63eec08aa767.mp4
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
@karanbirsingh-qasource Can you please confirm that the same error occurs if you open the details panel from the alert table rather than the session view component?
Hi @michaelolo24, please find below the observations for the above comment.
The issue is not occurring from the following areas:
- Alert Table
- Investigate Session Alert from Alert Table
- Session Table
https://user-images.githubusercontent.com/59917825/188770467-a960b3c3-2acf-46aa-9b64-11b42b2b92f2.mp4
The issue is occurring when we investigate the session alert under timeline and then check the insight of the alert details panel:
- Investigate Session Alert from session table
https://user-images.githubusercontent.com/59917825/188770481-0f683ac9-ed51-496b-8ad2-70e71b1dc383.mp4
@qcorporation do you know if your team has the capacity to look into this? Not sure if anything changed on your end recently that may have caused this.
It seems that the issue has to do with the insights view and fetching alerts. Possibly there's a misalignment between that query and the query for the alerts within the details panel.
@mitodrummer @zizhouW @opauloh @animehart for visibility
@michaelolo24 I will take a look at this ticket.
Thanks @Omolola-Akinleye !
After investigating this issue, here are the findings:
The insights data is not available because an alert is created after the event it refers to. When clicking the "investigate in timeline" icon button, we are using the original event's started time for the `to` date field in the time range selector. At the event's started time, alert events will not exist yet, hence why we see the failure to load alerts.
To see Insights alert data from a timeline view, we can change the `to` date field in the time range to the next date. See the video, which shows the before and after of changing the time range:
https://user-images.githubusercontent.com/17135495/190521111-10752fed-6129-4a88-a221-4fbb929ed9a5.mov
The issue occurs on the `filter` property (line 113) in the `user_alert_prevalence.ts` hook. If we comment the `filter` property out, then Insights data will be visible. @michaelolo24 I don't believe any Session View changes caused this issue. Is there anyone who can take a further look at the `filter` object's `to` date field in the time range?
@michaelolo24 @qcorporation @mitodrummer for visibility
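To make the mechanism described in the comment above concrete, here is an added example (not code from the Kibana repository or from the commenter) that reproduces the time-range mismatch in memory: an Elasticsearch-style `range` filter on `@timestamp` whose `lte` bound is pinned to the originating event's start time excludes the alert written for that event a few seconds later, while widening the bound or ignoring the range (the workaround mentioned for the analyzer) returns it. The document shape, the timestamps and the function names are constructed for this illustration.

```typescript
// Minimal stand-in for an indexed document (constructed, not Kibana's real types).
interface Doc { id: string; '@timestamp': string; kind: 'event' | 'signal' }

// Standard Elasticsearch range-filter shape on the @timestamp field.
interface RangeFilter { range: { '@timestamp': { gte: string; lte: string } } }

function buildTimeRangeFilter(from: string, to: string): RangeFilter {
  return { range: { '@timestamp': { gte: from, lte: to } } };
}

// Evaluate the range filter in memory, mirroring what the index would return.
// A null filter models "ignore the timerange" as done for the analyzer.
function applyFilter(docs: Doc[], filter: RangeFilter | null): Doc[] {
  if (filter === null) return docs;
  const { gte, lte } = filter.range['@timestamp'];
  const lo = Date.parse(gte);
  const hi = Date.parse(lte);
  return docs.filter((d) => {
    const t = Date.parse(d['@timestamp']);
    return t >= lo && t <= hi;
  });
}

// Constructed sample: the session's originating event, and the detection alert
// (signal) that the rule wrote for it seven seconds later.
const sampleDocs: Doc[] = [
  { id: 'evt-1', '@timestamp': '2022-09-01T10:00:00.000Z', kind: 'event' },
  { id: 'sig-1', '@timestamp': '2022-09-01T10:00:07.000Z', kind: 'signal' },
];
const dayStart = '2022-09-01T00:00:00.000Z';
const eventStart = sampleDocs[0]['@timestamp'];

function onlySignals(docs: Doc[]): Doc[] {
  return docs.filter((d) => d.kind === 'signal');
}

// Bug: "to" bound equals the event's start time, so the later alert is excluded.
function alertsWithToAtEventStart(): Doc[] {
  return onlySignals(applyFilter(sampleDocs, buildTimeRangeFilter(dayStart, eventStart)));
}

// Fix A: widen "to" (e.g. to the next day) so the alert falls inside the range.
function alertsWithWidenedTo(toIso: string): Doc[] {
  return onlySignals(applyFilter(sampleDocs, buildTimeRangeFilter(dayStart, toIso)));
}

// Fix B: drop the range filter entirely for this lookup.
function alertsIgnoringRange(): Doc[] {
  return onlySignals(applyFilter(sampleDocs, null));
}
```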
Thanks for the write-up @Omolola-Akinleye! This is super helpful. We've run into similar issues with the analyzer and had to ignore the time range in scenarios where we don't have data. We may have to do similarly here.
@karanbirsingh-qasource please validate this on BC3. Thanks! :)
Hi @MadameSheema,
we have validated this issue on 8.5.0 BC3 and found the issue to be fixed now ✔️.
Build Details:
VERSION: 8.5.0
BUILD: 56932
COMMIT: 1bb0d052c8d6842b88665c8c489f3a2d4cf4b46a
Screen-Cast:
https://user-images.githubusercontent.com/59917825/194480726-5b5f2e8a-a1ba-4e5b-8d43-cc6e947be5ba.mp4
Hence we are closing this issue and adding the "QA:Validated" tag to it.
Thanks!!