[Security Solution] Agent status investigation in timeline issue #127010

Closed
ghost opened this issue Mar 7, 2022 · 11 comments
Labels
bug Fixes for quality problems that affect the customer experience fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team v8.2.0

Comments

@ghost

ghost commented Mar 7, 2022

Describe the bug
Agent status investigation in timeline issue

Build Details

Version:8.1.0 BC5
Commit:4aaeda23aea9c3bf29698878c70a0107ea3c1659
Build:50485

Preconditions

  • Kibana 8.1.0-BC6 should exist
  • Alerts from any rule should be present on the build

Steps

  • Login to Kibana
  • Navigate to Alert Page and click on any alert to view the alert details
  • Hover the mouse over the Agent.Status field
  • Click on Add to timeline
  • Observed that a random agent.status value, instead of the actual status, got added to the timeline, due to which the timeline does return result

Screen-Cast

agent-status.mp4

Alert Details:
Alert_Json.zip

@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Mar 7, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Mar 7, 2022
@manishgupta-qasource

Reviewed & assigned to @MadameSheema

@MadameSheema MadameSheema added Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team labels Mar 7, 2022
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@michaelolo24
Contributor

@janmonschke can you take a look at this when you have time when you look at the securityPermissions around opening, acknowledging, and closing a case?

@ghost
Author

ghost commented Mar 28, 2022

More to add: the copy to clipboard behavior for agent.status is also unexpected. Currently it is copying the Agent.Id rather than the healthy text.

image

Actual : agent.status: "486f2091-d884-48f0-bbf0-6603569f1d94"
Expected : agent.status: "Healthy"

@michaelolo24
Contributor

@monina-n Agent status isn't really a field users can take action on. Would it be better for us to hide the actions for this field or make it a card? Thanks!

@janmonschke
Contributor

I just looked into this issue as well and think that @michaelolo24 has a good point here. I think it makes sense to remove the actions from that field. I spun up a 7.17 instance and the field interaction is the same there:

Screenshot 2022-04-12 at 14 40 37

@janmonschke
Contributor

We run into the same issue for isolated hosts: #123193

@monina-n

@janmonschke @michaelolo24 thanks for bringing this to my attention! I agree with your suggestions of removing the hover actions for the agent status. I think that's the best course of action. Right now, I don't think there's enough information to justify making a new card but we can reconsider in the future.

Thanks!

janmonschke added a commit to janmonschke/kibana that referenced this issue Apr 12, 2022
As discussed in elastic#127010, the agent.status should not have hover actions
michaelolo24 pushed a commit that referenced this issue Apr 12, 2022
…130042)

* fix: remove the cell actions for agent status

As discussed in #127010, the agent.status should not have hover actions

* chore: use object-lookup instead of array.includes
kibanamachine pushed a commit that referenced this issue Apr 12, 2022
…130042)

* fix: remove the cell actions for agent status

As discussed in #127010, the agent.status should not have hover actions

* chore: use object-lookup instead of array.includes

(cherry picked from commit 9f37de5)
kibanamachine added a commit that referenced this issue Apr 12, 2022
…130042) (#130056)

* fix: remove the cell actions for agent status

As discussed in #127010, the agent.status should not have hover actions

* chore: use object-lookup instead of array.includes

(cherry picked from commit 9f37de5)

Co-authored-by: Jan Monschke <[email protected]>
@janmonschke
Contributor

This issue has been fixed in #130042 and should be part of the next BC

@ghost
Author

ghost commented Apr 14, 2022

Hi @janmonschke

We have validated this issue on 8.2.0 BC3 and found that the issue is fixed ✔️, as now no hover actions are present for Agent.Status.

Build Details:

Version:8.2.0 BC3
Commit:2ea6dc82752506d6f7aa34bda747f99c6fbfd152
Build:51885

Snapshot/Screen-Cast:

  • Alert Flyout
Alerts.-.Kibana.Mozilla.Firefox.2022-04-14.12-33-32.mp4
  • Host Details Page
Hosts.-.Kibana.Mozilla.Firefox.2022-04-14.12-34-17.mp4
  • Timeline / Alert Flyout : hover is present and also it is working as expected
Alerts.-.Kibana.Mozilla.Firefox.2022-04-14.12-36-43.mp4
  • Case / Alert fly out
Karan.s.Case.-.Cases.-.Security.-.Elastic.Mozilla.Firefox.2022-04-14.12-39-09.mp4

Hence we are closing this issue and adding the "QA:Validated" label to it.

Thanks!!

c.c @MadameSheema

This issue was closed.