[Security Solution][Timeline Templates] KQLSyntaxError when Template Field is not present on Alert document (#129958)
Labels:
- 8.3 candidate
- bug: Fixes for quality problems that affect the customer experience
- Feature:Timeline: Security Solution Timeline feature
- Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
- Team:Threat Hunting:Investigations: Security Solution Investigations Team
- Team:Threat Hunting: Security Solution Threat Hunting Team
Summary

Observed in 8.2: when using the Investigate in Timeline action, if the configured Timeline Template has a Template Field that is not present in the Alert document, the Timeline throws a KQLSyntaxError.

Steps to recreate

- The Investigate in Timeline action shows a KQLSyntaxError, as below.

Note: it may be helpful to use this sample Timeline Template, as it works out of the box with the `node x-pack/plugins/security_solution/scripts/endpoint/resolver_generator.js` data generation scripts.

Sample Template (attachment not included)

Error (attachment not included)

Data Provider disabled as expected (attachment not included)

cc @paulewing @kqualters-elastic @andrew-goldstein
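The failure mode in this report, as an added, constructed illustration that is not Kibana's own code: a minimal template-to-KQL renderer copies each template field's value from the alert document into a KQL clause. When the alert lacks the field, the naive renderer emits a clause with no value (`process.pid : `), which is exactly the kind of text a KQL parser rejects. The guarded variant instead builds one data provider per template field, marks the provider for a missing field as disabled (matching the "Data Provider disabled as expected" behaviour shown in the report), and only enabled providers reach the query. All names here (`TemplateField`, `renderNaive`, `renderGuarded`, the sample alert and template) are hypothetical.

```typescript
// Constructed example, not Kibana's code. A template field names an alert
// field whose value is copied into a KQL clause. Names are hypothetical.

type TemplateField = { field: string };
type AlertDoc = Record<string, unknown>;

type DataProvider = {
  field: string;
  value: string | undefined;
  enabled: boolean; // false when the alert document lacks the field
};

// Constructed sample alert: has host.name, but no process.pid.
const sampleAlert: AlertDoc = {
  host: { name: 'web-01' },
  event: { kind: 'signal' },
};

// Constructed sample template with one field the alert does not carry.
const sampleTemplate: TemplateField[] = [
  { field: 'host.name' },
  { field: 'process.pid' },
];

// Resolve a dotted path such as "host.name" against a nested document;
// returns undefined for any missing segment instead of throwing.
function getField(doc: AlertDoc, path: string): unknown {
  return path.split('.').reduce<unknown>((cur, key) => {
    if (cur !== null && typeof cur === 'object' && key in (cur as object)) {
      return (cur as Record<string, unknown>)[key];
    }
    return undefined;
  }, doc);
}

// Quote a value as a KQL string literal, escaping quotes and backslashes.
function quote(value: unknown): string {
  return `"${String(value).replace(/["\\]/g, (c) => `\\${c}`)}"`;
}

// Naive renderer: every template field becomes a clause whether or not the
// alert has it. A missing field leaves a dangling "field : " clause.
function renderNaive(template: TemplateField[], alert: AlertDoc): string {
  return template
    .map(({ field }) => {
      const value = getField(alert, field);
      return `${field} : ${value === undefined ? '' : quote(value)}`;
    })
    .join(' and ');
}

// Guarded renderer: one data provider per template field; providers whose
// field is absent are disabled and excluded from the generated query.
function renderGuarded(
  template: TemplateField[],
  alert: AlertDoc
): { query: string; providers: DataProvider[] } {
  const providers: DataProvider[] = template.map(({ field }) => {
    const value = getField(alert, field);
    return value === undefined
      ? { field, value: undefined, enabled: false }
      : { field, value: String(value), enabled: true };
  });
  const query = providers
    .filter((p) => p.enabled)
    .map((p) => `${p.field} : ${quote(p.value)}`)
    .join(' and ');
  return { query, providers };
}

console.log('naive:  ', JSON.stringify(renderNaive(sampleTemplate, sampleAlert)));
console.log('guarded:', JSON.stringify(renderGuarded(sampleTemplate, sampleAlert).query));
```

Running it prints the dangling clause from the naive path next to the well-formed query from the guarded path; the guarded result also carries the disabled provider so the UI can still show it as present-but-inactive rather than silently dropping it.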