Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] The agent.status highlighted field should not have an Alert prevalence action #132652

Closed
andrew-goldstein opened this issue May 20, 2022 · 2 comments
Closed

[Security Solution] The agent.status highlighted field should not have an Alert prevalence action #132652

andrew-goldstein opened this issue May 20, 2022 · 2 comments
Labels
bug Fixes for quality problems that affect the customer experience duplicate Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team

Comments

@andrew-goldstein
Copy link
Contributor

[Security Solution] The agent.status highlighted field should not have an Alert prevalence action

The agent.status highlighted field should not have an Alert prevalence action, because it's not possible to filter alerts via agent.status.

Kibana/Elasticsearch Stack version:

main v8.3.0

Steps to reproduce:

  1. Navigate to Security > Alerts

  2. Enter the following KQL in the search bar:

agent.type: "endpoint"

Expected result

  • Only alerts for endpoints are displayed

  1. Click the View details row action on an alert

  2. Hover over the Agent status field in the flyout

Expected result

  • There is no Investigate in Timeline action for the Agent status field

Actual results

  • An Investigate in Timeline action is displayed for the Agent status field, per the screenshot below:

agent_status_alert_prevalence_button

  • Clicking the action opens a timeline with an agent.status: "<uuid>", e.g. agent.status: "f0b84e9e-5ff7-4a83-b8f3-8315d34d039b", which is not expected to match any results, per the screenshot below:

agent_status_uuid
@andrew-goldstein andrew-goldstein added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team labels May 20, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@andrew-goldstein andrew-goldstein mentioned this issue May 20, 2022
Merged
@janmonschke
Copy link
Contributor

Thanks for opening up an issue for this. We definitely don't want that interaction there. I think we can close this one though because QA already opened up an issue for that behaviour: #132095

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Fixes for quality problems that affect the customer experience duplicate Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@janmonschke @andrew-goldstein @elasticmachine @michaelolo24