[Security Solutions] [Alerts] Alert Displays Filtering and Sorting Icons for Non-ECS Fields #166168

Open
WafaaNasr opened this issue Sep 11, 2023 · 7 comments
Labels:
  - bug (Fixes for quality problems that affect the customer experience)
  - impact:medium (Addressing this issue will have a medium level of impact on the quality/strength of our product)
  - Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  - Team:Threat Hunting:Investigations (Security Solution Investigations Team)
  - Team:Threat Hunting (Security Solution Threat Hunting Team)

Comments

@WafaaNasr (Contributor) commented Sep 11, 2023

Kibana version: recent

Describe the bug:
The Alert details flyout displays the icon for filtering and sorting for non-ECS fields. However, clicking these icons leads to a blank page, and the associated API requests fail to provide the expected results.

Steps to reproduce:

  1. If using the Windows integration is not feasible, employ the winlog mappings as an alternative.

  2. Install the prebuilt rule Potential Credential Access via DCSync.

  3. Create an index containing a non-ECS field (here `winlog.event_data.SubjectUserName`) using the following POST request:

      POST winlogbeat-test/_doc
      {
        "@timestamp": "2023-09-11T12:17:29.753Z",
        "event": {
          "action": "Directory Service Access",
          "code": "4662",
          "ingested": "2023-09-11T12:17:29.753Z"
        },
        "winlog": {
          "event_data": {
            "Properties": "DS-Replication-Get-Changes",
            "AccessMask": "0x100",
            "SubjectUserName": "subject username "
          }
        }
      }


Expected behavior:

The Alerts UI should avoid indicating that users have the ability to filter on fields that are absent from the Alerts mapping.
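The check the issue asks for, as an added example that is not code from the Kibana project or this issue: flatten the source document from the reproduction steps and compare each field path against the alerts-index mapping, so only fields that actually exist in the mapping are offered for filtering or sorting. The alerts mapping below is a constructed, trimmed stand-in for what `GET .alerts-security.alerts-default/_mapping` returns (index name, ECS fields and the `kibana.alert.*` field are assumptions for the demo; `winlog.*` is deliberately absent, which is the situation the issue describes).

```python
"""Which fields of a source document are absent from an alerts-index mapping,
i.e. which fields an alerts UI must not advertise as filterable/sortable.

Added example for the issue above, not Kibana code. Both inputs are constructed.
"""

# Constructed: the document indexed in step 3 of the reproduction.
SOURCE_DOC = {
    "@timestamp": "2023-09-11T12:17:29.753Z",
    "event": {
        "action": "Directory Service Access",
        "code": "4662",
        "ingested": "2023-09-11T12:17:29.753Z",
    },
    "winlog": {
        "event_data": {
            "Properties": "DS-Replication-Get-Changes",
            "AccessMask": "0x100",
            "SubjectUserName": "subject username ",
        }
    },
}

# Constructed: a trimmed alerts mapping in the shape Elasticsearch returns
# from GET <index>/_mapping. The index name is an assumption. winlog.* is
# absent on purpose: that is what makes the filter/sort actions fail.
ALERTS_MAPPING = {
    ".alerts-security.alerts-default-000001": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "event": {
                    "properties": {
                        "action": {"type": "keyword"},
                        "code": {"type": "keyword"},
                        "ingested": {"type": "date"},
                    }
                },
                "kibana": {
                    "properties": {
                        "alert": {
                            "properties": {
                                "rule": {"properties": {"name": {"type": "keyword"}}}
                            }
                        }
                    }
                },
            }
        }
    }
}


def flatten_doc(doc, prefix=""):
    """Yield (dotted_path, value) for every leaf value of a JSON document."""
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten_doc(value, path + ".")
        else:
            yield path, value


def mapped_fields(mapping):
    """Return {dotted_path: es_type} for every leaf field in a _mapping response.

    Object fields are recursed through their "properties"; an object declared
    without "properties" is reported as type "object".
    """
    fields = {}

    def walk(props, prefix):
        for name, spec in props.items():
            path = f"{prefix}{name}"
            if "properties" in spec:
                walk(spec["properties"], path + ".")
            else:
                fields[path] = spec.get("type", "object")

    for index_meta in mapping.values():
        walk(index_meta["mappings"].get("properties", {}), "")
    return fields


def unmapped_fields(doc, mapping):
    """Fields present in the document but missing from the alerts mapping.

    A UI should hide (or disable) filter/sort actions for exactly these paths,
    because a query on them cannot be resolved against the alerts index.
    """
    known = mapped_fields(mapping)
    return sorted(path for path, _ in flatten_doc(doc) if path not in known)


if __name__ == "__main__":
    for path in unmapped_fields(SOURCE_DOC, ALERTS_MAPPING):
        print(f"not filterable/sortable on alerts index: {path}")
```

For a real check, replace `ALERTS_MAPPING` with the parsed body of `GET .alerts-security.alerts-*/_mapping`; the walk over `properties` is the same, and fields with `dynamic: false` parents will show up as unmapped because they never get leaf entries.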

@WafaaNasr WafaaNasr added the bug Fixes for quality problems that affect the customer experience label Sep 11, 2023
@botelastic botelastic bot added the needs-team Issues missing a team label label Sep 11, 2023
@WafaaNasr WafaaNasr added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 11, 2023
@elasticmachine (Contributor)
Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor)
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine (Contributor)
Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@michaelolo24 (Contributor)
@WafaaNasr - Thank you for opening this issue! If you don't mind, can you check if this is also happening for the new expandable flyout as well?

@michaelolo24 michaelolo24 added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed triage_needed labels Apr 2, 2024
@michaelolo24 michaelolo24 added this to the 8.14 milestone Apr 2, 2024
@michaelolo24 (Contributor)
Linking this related issue: #170167

@christineweng (Contributor)
@michaelolo24 it appears this is happening in the new flyout as well.

Opening an endpoint event and filtering on a field in the table tab.

@christineweng christineweng removed this from the 8.14 milestone May 6, 2024
@PhilippeOberti (Contributor)
This is still an ongoing issue and part of a broader issue about working with non-ECS compliant fields. We can keep this ticket open but the issue will most likely be resolved in a broader effort...
