
[Security Solution] Related alerts by process ancestry in infinite loading state

Open MadameSheema opened this issue 2 years ago • 2 comments

Describe the bug:

  • Related alerts by process ancestry are displayed in an infinite loading state for an alert where it should not be displayed at all.

Kibana/Elasticsearch Stack version:

  • kibana is latest main (b95485e28ddbf44553b385d2240094f334a8800e)
  • Data is ingested using auditbeat 8.3.0

Initial status:

Alerts are generated by the following rule:
{"id":"5d27db40-3365-11ed-a2d6-7f641248f243","updated_at":"2022-09-13T13:17:35.818Z","updated_by":"elastic","created_at":"2022-09-13T13:09:58.357Z","created_by":"elastic","name":"test","tags":[],"interval":"5m","enabled":false,"description":"descr","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"http://localhost:5620/app/security"},"author":[],"false_positives":[],"from":"now-360s","rule_id":"f83e749b-a258-48f2-ae2c-acea8d938aa7","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"*:*","filters":[],"throttle":"no_actions","actions":[]}
{"exported_count":1,"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":0,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0}

Steps to reproduce:

  1. Navigate to one of the alerts tables
  2. Open the alert details flyout
  3. Expand the related alerts by process ancestry dropdown

Current behavior:

Screenshot 2022-09-13 at 15 47 49

  • It is displayed as loading, but never finishes the process

Expected behavior:

  • Per the characteristics of the alert, I believe the Related alerts by process ancestry dropdown should not be displayed

Additional information:

  • Alert to reproduce the above issue: https://p.elstc.co/paste/1XyBoH67#+EDS4EohxV-si5eYZo4yAoMR3nEysj++wSa3GMoA+yV
  • Alert generated with the same rule after a second execution that does not present the issue: https://p.elstc.co/paste/JRR5SLpI#KCi4ZHICE+jqs6uLU47WPTxTBCxgJd9SCcMLRg4aO6q

MadameSheema avatar Sep 13 '22 15:09 MadameSheema
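The expected behaviour described in the report (hide the "Related alerts by process ancestry" section when the alert carries no process ancestry data, rather than leaving it in a loading state that never resolves), as an added TypeScript example that is not Kibana's own code; the required field list, the fetch-status shape and the sample documents are assumptions constructed for this example:

```typescript
// Added example (not Kibana's code): decide what the "Related alerts by
// process ancestry" section should render for a given alert document.
// The guard on ancestry identifiers runs before the fetch state is consulted,
// so an alert without that data can never be stuck in 'loading'.

type AlertDoc = Record<string, unknown>;

// ECS identifiers the ancestry query needs (assumption for this example).
const REQUIRED_FIELDS = ['process.entity_id', 'agent.type'] as const;

type AncestryState =
  | { kind: 'hidden'; reason: string }
  | { kind: 'loading' }
  | { kind: 'loaded'; count: number }
  | { kind: 'error'; message: string };

type FetchState = { status: 'idle' | 'pending' | 'done' | 'failed'; count?: number; error?: string };

// Read a dotted ECS path from either a flattened or a nested document.
function getField(doc: AlertDoc, path: string): unknown {
  if (path in doc) return doc[path];
  return path.split('.').reduce<unknown>(
    (cur, key) => (cur && typeof cur === 'object' ? (cur as AlertDoc)[key] : undefined),
    doc
  );
}

// True only when every identifier the ancestry query depends on is a non-empty string.
function hasProcessAncestryData(doc: AlertDoc): boolean {
  return REQUIRED_FIELDS.every((f) => {
    const v = getField(doc, f);
    return typeof v === 'string' && v.length > 0;
  });
}

// Compute the render state for the section from the alert and the fetch status.
function ancestryState(doc: AlertDoc, fetch: FetchState): AncestryState {
  if (!hasProcessAncestryData(doc)) {
    return { kind: 'hidden', reason: 'alert carries no process ancestry identifiers' };
  }
  switch (fetch.status) {
    case 'done': return { kind: 'loaded', count: fetch.count ?? 0 };
    case 'failed': return { kind: 'error', message: fetch.error ?? 'unknown' };
    default: return { kind: 'loading' };
  }
}

// Constructed sample documents: one with process data, one without (the bug case).
const withProcess: AlertDoc = { 'process.entity_id': 'abc-123', 'agent.type': 'auditbeat' };
const withoutProcess: AlertDoc = { 'event.kind': 'signal', 'host.name': 'h1' };
```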

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine avatar Sep 13 '22 15:09 elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine avatar Sep 13 '22 15:09 elasticmachine

This piece of code could be helpful: https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_resolver.tsx

janmonschke avatar Sep 22 '22 14:09 janmonschke

The fix has been deployed and should be part of the next BC

janmonschke avatar Sep 27 '22 14:09 janmonschke

@karanbirsingh-qasource @deepikakeshav-qasource can you please validate this issue on BC2 making sure you use the same alert characteristics? Thanks!

MadameSheema avatar Sep 27 '22 14:09 MadameSheema

Hi @MadameSheema

We have validated this issue on 8.5 and found the issue to be fixed. Now the alert process ancestry drop-down is not showing in alerts with no related process data.

Build Details:

Version: 8.5.0-BC2
Commit: dc769f45a5a6dafb0a8c8f0c0cabcced4df45e11
Build: 56806

Screen-Cast:

https://user-images.githubusercontent.com/59917825/193550838-d1721cfd-cf67-407d-83fb-90d3e21e544e.mp4

Hence we are closing this issue and adding "QA:Validated" tag to it.

Thanks!!!

karanbirsingh-qasource avatar Oct 03 '22 10:10 karanbirsingh-qasource