
[Security Solution] Rule Execution Log can display conflicting status when there is a mis-match between platform and solution statuses #136138

Open
spong opened this issue Jul 11, 2022 · 3 comments
Labels: bug (Fixes for quality problems that affect the customer experience); Feature:Rule Monitoring (Security Solution Detection Rule Monitoring area); impact:medium (Addressing this issue will have a medium level of impact on the quality/strength of our product); Team:Detection Rule Management (Security Detection Rule Management Team); Team:Detections and Resp (Security Detection Response Team); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)

Comments

@spong (Member) commented Jul 11, 2022

Related to: #137935, #139889

Summary

Identified in the review of #131675, if there is a mis-match between platform status and solution status, we display the solution status, which may be in conflict with the filters that the user has selected:

Since we query against event.outcome and kibana.alert.rule.execution.status, but display the solution status on the UI (and only fallback to the platform status if there is no solution status), this is where any sort of mis-match is going to surface.

This is impact:low as solution/platform statuses should only mis-match in a few rare cases, like in this instance, when a circuit breaker error interrupts the overall execution, but only after the solution logic was successful.

I'm thinking the best place to fix this is at the UI layer, and if there's a mismatch between platform/solution status, then just fall back to the platform status and switch to error.message instead of message if it's an error. It would be ideal if we could just get #130966 worked, and swap to querying single execution events via the find API (instead of the current complex agg), but we'll at least have this issue for tracking if that takes a bit.

Additional details:

Full set of documents for affected execution UUID:

@spong spong added bug Fixes for quality problems that affect the customer experience triage_needed impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Monitoring Security Solution Detection Rule Monitoring area Team:Detection Rule Management Security Detection Rule Management Team labels Jul 11, 2022
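As an added example (not code from the Kibana repository or from the issue author) of the conflict described above: the query matches on either event.outcome or kibana.alert.rule.execution.status, but the UI renders the solution status and only falls back to the platform status when there is no solution status. The block below reproduces that on constructed sample documents for three execution UUIDs and also implements the proposed UI-layer fallback (platform status plus error.message when the two disagree). The field names are the ones quoted in the issue; the event.action values "execute" and "status-change", the document shapes and the sample data are assumptions made here.

```typescript
// Added example, not Kibana's own code. Field names follow the issue; the
// event.action values ("execute", "status-change"), document shapes and sample
// documents are assumptions made for this illustration.

type PlatformOutcome = 'success' | 'failure';
type SolutionStatus = 'succeeded' | 'failed' | 'partial failure';

interface EventLogDoc {
  '@timestamp': string;
  event: { action: string; outcome?: PlatformOutcome };
  kibana: { alert: { rule: { execution: { uuid: string; status?: SolutionStatus } } } };
  message?: string;
  error?: { message: string };
}

interface Resolved {
  status: SolutionStatus | 'unknown';
  message: string;
  source: 'solution' | 'platform' | 'none';
  mismatch: boolean;
}

function doc(ts: string, uuid: string, action: string,
  f: { outcome?: PlatformOutcome; status?: SolutionStatus; message?: string; error?: string }): EventLogDoc {
  return {
    '@timestamp': ts,
    event: { action, outcome: f.outcome },
    kibana: { alert: { rule: { execution: { uuid, status: f.status } } } },
    message: f.message,
    error: f.error === undefined ? undefined : { message: f.error },
  };
}

// Constructed sample documents (not real event-log data).
const SAMPLE_DOCS: EventLogDoc[] = [
  // exec-1: rule logic reported success, then the framework's execute event
  // failed (the circuit-breaker case the issue describes).
  doc('2022-07-11T10:00:00.000Z', 'exec-1', 'status-change', { status: 'succeeded', message: 'succeeded' }),
  doc('2022-07-11T10:00:01.000Z', 'exec-1', 'execute',
    { outcome: 'failure', message: 'rule execution failure', error: 'circuit breaker tripped (constructed sample error)' }),
  // exec-2: consistent success on both sides.
  doc('2022-07-11T10:05:00.000Z', 'exec-2', 'status-change', { status: 'succeeded', message: 'succeeded' }),
  doc('2022-07-11T10:05:01.000Z', 'exec-2', 'execute', { outcome: 'success', message: 'rule executed' }),
  // exec-3: no solution status at all, only the platform event.
  doc('2022-07-11T10:10:01.000Z', 'exec-3', 'execute', { outcome: 'success', message: 'rule executed' }),
];

const fromOutcome = (o: PlatformOutcome): SolutionStatus => (o === 'success' ? 'succeeded' : 'failed');
const docsFor = (uuid: string, docs: EventLogDoc[]): EventLogDoc[] =>
  docs.filter((d) => d.kibana.alert.rule.execution.uuid === uuid);
// Platform status: the framework's "execute" event carrying event.outcome.
const platformEvent = (docs: EventLogDoc[]): EventLogDoc | undefined =>
  docs.filter((d) => d.event.action === 'execute' && d.event.outcome !== undefined)[0];
// Solution status: the latest status-change event written by the rule itself.
const solutionEvent = (docs: EventLogDoc[]): EventLogDoc | undefined =>
  docs
    .filter((d) => d.event.action === 'status-change' && d.kibana.alert.rule.execution.status !== undefined)
    .sort((a, b) => a['@timestamp'].localeCompare(b['@timestamp']))
    .pop();

// The filter as the issue describes it: a status matches through either field.
function matchesStatusFilter(uuid: string, docs: EventLogDoc[], wanted: SolutionStatus): boolean {
  return docsFor(uuid, docs).some((d) =>
    (d.event.outcome !== undefined && fromOutcome(d.event.outcome) === wanted) ||
    d.kibana.alert.rule.execution.status === wanted);
}

// Current behaviour: prefer the solution status; use platform only when it is absent.
function currentDisplay(uuid: string, docs: EventLogDoc[]): Resolved {
  const own = docsFor(uuid, docs);
  const sol = solutionEvent(own);
  if (sol) {
    return { status: sol.kibana.alert.rule.execution.status!, message: sol.message ?? '', source: 'solution', mismatch: false };
  }
  const plat = platformEvent(own);
  if (plat) {
    return { status: fromOutcome(plat.event.outcome!), message: plat.message ?? '', source: 'platform', mismatch: false };
  }
  return { status: 'unknown', message: '', source: 'none', mismatch: false };
}

// Proposed UI-layer fix: when the platform reports failure but the solution did
// not, show the platform status and error.message instead of message. Platform
// success beside a solution failure is deliberately not treated as a mismatch
// here, since the thread notes executor failures are not re-thrown to the framework.
function proposedDisplay(uuid: string, docs: EventLogDoc[]): Resolved {
  const own = docsFor(uuid, docs);
  const sol = solutionEvent(own)?.kibana.alert.rule.execution.status;
  const plat = platformEvent(own);
  if (plat && plat.event.outcome === 'failure' && sol !== undefined && sol !== 'failed') {
    return { status: 'failed', message: plat.error?.message ?? plat.message ?? '', source: 'platform', mismatch: true };
  }
  return currentDisplay(uuid, docs);
}
```

With these documents, exec-1 matches a "failed" status filter through event.outcome, yet `currentDisplay` renders it as "succeeded" from the solution status; `proposedDisplay` instead reports "failed" with the platform's error.message, while exec-2 and exec-3 resolve exactly as before.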
@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror (Contributor)

> This is impact:low as solution/platform statuses should only mis-match in a few rare cases, like in this instance, when a circuit breaker error interrupts the overall execution, but only after the solution logic was successful.

I was under the impression that the platform's execution status is always successful since we don't re-throw execution failures as exceptions from executors and so the Framework doesn't know about them. We have #106482 for fixing that. Maybe I'm just not getting something @spong or something has changed since then?

@banderror banderror added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 4, 2022
@banderror banderror changed the title [Security Solution][Detections] Rule Execution Log can display conflicting status when there is a mis-match between platform and solution statuses [Security Solution] Rule Execution Log can display conflicting status when there is a mis-match between platform and solution statuses Nov 24, 2022
Development

No branches or pull requests

3 participants