[EDR] [BUG] The user is able to add OS Query in the rule actions even when OS Query integration is not added. #166040
Comments
muskangulati-qasource
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
muskangulati-qasource
added
Team:Defend Workflows
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
muskangulati-qasource
added
the
impact:medium
|
@karanbirsingh-qasource please review!! |
ghost
assigned 
|
It's strange that you can still add Osquery, but I think we show an informative message in the beginning. Ideally we don't allow the user to follow through and add it. @muskangulati-qasource - when you see the empty responses tab, does this only happen when we add Osquery without the integration added? Or does it also happen on alerts which do not originate from Agents with Osquery? We can take a closer look in 8.10.1 |
|
Hey, it's been like this since the beginning. However we used to hide the Response's Tab if there are no results before - we do not do that in the new Flyout if I am correct. I think we might add this check. I think that having Osquery action (that is not triggered) is not a problem. What do you think? |
I agree with this. I don't think we need to look too deeply into this as it doesn't pose a problem and we tell the user initially in the rule creation flow that they need to add Osquery integration
Either remove the tab or add a message saying that there are no responses for this Alert. @paulewing - do you have any preference for this case? |
|
As I'm ready to begin working on this issue, do you have any preferences regarding it, @paulewing? 😊 |
|
thanks @szwarckonrad I would say let's go with the solution in your PR to give a message in the tab as opposed to removing. The Response tab is always there, here's what it looks like even if you have no response actions configured: 
Given the above, it makes sense to always have the tab regardless of if we have results or not. cc @paulewing |
#166040 Inform user that there are no responses associated with and alert instead of returning `null`. 
…#166916) elastic#166040 Inform user that there are no responses associated with and alert instead of returning `null`.  (cherry picked from commit c7bb851)
…166916) (#167602) # Backport This will backport the following commits from `main` to `8.10`: - [[Osquery][Defend Workflows] No responses for alert on flyout (#166916)](#166916) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Konrad Szwarc","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-09-29T08:17:30Z","message":"[Osquery][Defend Workflows] No responses for alert on flyout (#166916)\n\nhttps://github.com//issues/166040\r\n\r\nInform user that there are no responses associated with and alert\r\ninstead of returning `null`.\r\n\r\n","sha":"c7bb851ded898f0a64f3ad9d0618c954e20a78de","branchLabelMapping":{"^v8.11.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Defend Workflows","Osquery","v8.11.0","v8.10.3"],"number":166916,"url":"https://github.com/elastic/kibana/pull/166916","mergeCommit":{"message":"[Osquery][Defend Workflows] No responses for alert on flyout (#166916)\n\nhttps://github.com//issues/166040\r\n\r\nInform user that there are no responses associated with and alert\r\ninstead of returning `null`.\r\n\r\n","sha":"c7bb851ded898f0a64f3ad9d0618c954e20a78de"}},"sourceBranch":"main","suggestedTargetBranches":["8.10"],"targetPullRequestStates":[{"branch":"main","label":"v8.11.0","labelRegex":"^v8.11.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/166916","number":166916,"mergeCommit":{"message":"[Osquery][Defend Workflows] No responses for alert on flyout (#166916)\n\nhttps://github.com//issues/166040\r\n\r\nInform user that there are no responses associated with and alert\r\ninstead of returning `null`.\r\n\r\n","sha":"c7bb851ded898f0a64f3ad9d0618c954e20a78de"}},{"branch":"8.10","label":"v8.10.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Konrad Szwarc <[email protected]>
|
Merged and backported to |
szwarckonrad
added
the
QA:Ready for Testing
|
Hi @szwarckonrad, We have validated this issue on the 8.10.3 BC1 and found the issue is not fixed there. Please find below the testing details: Build Details Screenshots
Thanks! |
|
Hi @dasansol92, We have validated the issue on the latest 8.13.0-SNAPSHOT build. Please find below the testing details: Build Details Observation & Screenshot
Hence, we are closing this issue and marking this issue as 'QA Validated'. Thanks! |
muskangulati-qasource
added
QA:Validated
Description:
The user is able to add OS Query in the rule actions even when OS Query integration is not added
Build Details:
Browser Details:
All
Preconditions:
Steps to Reproduce:
Actual Result:
The user is able to add OS Query and the alerts has an empty section for the response section under alert details flyout
Expected Result:
The expected result can be as follow:
Screen Recordings:
EditRule.mp4
Alert.mp4
Logs
N/A
The text was updated successfully, but these errors were encountered: