[Security Solution] Empty execution results is showing when rule is created with non existing index #139889

Open
ghost opened this issue Sep 1, 2022 · 6 comments
Labels
  • bug: Fixes for quality problems that affect the customer experience
  • Feature:Rule Monitoring: Security Solution Detection Rule Monitoring area
  • impact:medium: Addressing this issue will have a medium level of impact on the quality/strength of our product.
  • Team:Detection Rule Management: Security Detection Rule Management Team
  • Team:Detections and Resp: Security Detection Response Team
  • Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@ghost

ghost commented Sep 1, 2022

Related to: #136138, #137935

Describe the bug:
Empty execution results are showing under execution results when a rule is created with a non-existing index and warnings are coming.

Build Details:

VERSION: 8.5.0 snapshot
BUILD: 55925
COMMIT: dc43193d73c5869335a239c7012528bb1fffd509

Pre-conditions:

  1. Elasticsearch should be up and running
  2. Kibana should be up and running

Steps to Reproduce:

  1. Navigate to Security-->Manage-->Rules.
  2. Click on create rule.
  3. Select custom query rule.
  4. Enter any index pattern which is not created.
  5. Enter all the other fields and create the rule.
  6. Check the Execution results.

Expected Result
Empty values should not be present under execution results.

Actual Result
Empty values are present under execution results.

Screenshots:

[Screenshot: Annotation 2022-09-01 123637]

[Screenshot: Annotation 2022-09-01 123705]

@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team v8.5.0 labels Sep 1, 2022
@ghost ghost self-assigned this Sep 1, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost changed the title [Security Solution] Empty execution results is showing under execution results when rule is created with non existing index [Security Solution] Empty execution results is showing when rule is created with non existing index Sep 1, 2022
@ghost ghost assigned banderror and unassigned ghost Sep 1, 2022
@banderror banderror added Team:Detections and Resp Security Detection Response Team Feature:Rule Monitoring Security Solution Detection Rule Monitoring area and removed triage_needed v8.5.0 labels Sep 6, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror removed their assignment Sep 6, 2022
@banderror
Contributor

Could be caused by the same reasons as this one: #136138

@banderror
Contributor

@karanverma-qasource If you have any other details to share about your setup and steps, that could help. I wasn't able to reproduce it using the Steps to Reproduce from the description. It showed only warnings as expected:

[Screenshot 2022-09-06 at 15 44 56]

@ghost
Author

ghost commented Sep 8, 2022

Hi @banderror,

I have used a small runtime like 10 seconds with a non-existing index, and the Empty string entry came; can you please check this with a small runtime. Please let us know if we are missing something.

[Screenshot]

[Screenshot]

Thanks!

@banderror
Contributor

@karanverma-qasource Thank you, that is helpful. With the same rule parameters as yours and running this on a local laptop I see this:

[Screenshot 2022-09-08 at 13 20 12]

  • It always shows the Warning status. I don't see any empty statuses in the table.
  • The (Empty string) timestamp appears from time to time. Sometimes when I refresh the table it appears and sometimes it gets hidden (or maybe replaced by a non-empty timestamp value).

I think this could be enough information for now. Thank you @karanverma-qasource!
