
[Security Solution] [Query] User risk and Host risk score are not available under Entity Analytics Dashboard even when Entity risk score is enabled but Entity store is disabled

Open muskangulati-qasource opened this issue 1 year ago • 6 comments

Describe the bug

User risk and Host risk score are not available under Entity Analytics Dashboard even when Entity risk score is enabled but Entity store is disabled

Kibana/Elasticsearch Stack version

VERSION: 8.16.0
BUILD: 79269
COMMIT: 574ec2fc5f383da6bff0d506cc6ab76803119dae

Steps

  1. Kibana version 8.16.0 or above should exist without endpoints
  2. Navigate to the Management >> Stack Management
  3. Navigate to the Entity Store under the Alerts and Insights section
  4. Disable the Entity Store
  5. Navigate to the Entity risk score under the Alerts and Insights section
  6. Enable the Entity risk score
  7. Navigate to the Entity Analytics Dashboard under the Dashboards tab of Security
  8. Observe that the tables for host risk score, user risk score and Entities are all missing

Question

Why are we disabling host risk score and user risk score even when Entity Risk Score is enabled? Even when we clear data for the entity, it disables the entity store and then only the Entities table is hidden, but host risk score and user risk score are still enabled.

https://github.com/user-attachments/assets/19519200-673a-4ebb-9a93-eadee6050b71

Screenshots

  • Entity Risk Score is enabled Image

  • Entity Store is disabled Image

  • Risk Score and User score are not visible on the Entity Analytics Dashboard Image

muskangulati-qasource, Oct 17 '24 09:10

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine, Oct 17 '24 09:10

@amolnater-qasource please review!

muskangulati-qasource, Oct 17 '24 09:10

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

elasticmachine, Oct 17 '24 09:10

Reviewed & assigned to @MadameSheema

amolnater-qasource, Oct 17 '24 09:10

This is a higher priority due to the Serverless release upcoming, will assess.

jaredburgettelastic, Oct 17 '24 20:10

Tested and confirmed that this problem does not yet exist in Serverless, because the Entity Store is completely unavailable in Serverless, and the dashboard view correctly shows the Risk Enablement. Still a high priority ticket, but not required for Monday's Serverless release.

jaredburgettelastic, Oct 18 '24 05:10

PR: https://github.com/elastic/kibana/pull/198645

machadoum, Nov 01 '24 10:11

Marked as done, waiting for QA review

jaredburgettelastic, Nov 01 '24 14:11

Hi @jaredburgettelastic,

We have validated this ticket on the latest 8.16.0 BC3 build and found the issue is now Fixed.

Please find below the testing details:

Build details:

VERSION: 8.16.0
BUILD: 79556
COMMIT: f02d1303b5230c357ac7e4c49c8adadd5f66af38

Screen Recording

https://github.com/user-attachments/assets/c5a6bb2a-45f9-403b-bdf8-fd04a834d2fc

Hence, we are closing this issue and marking it as 'QA Validated'.

Thanks!!

muskangulati-qasource, Nov 04 '24 10:11