[Security Solution] Warnings in rule filters on the Rule Details page: "Field does not exist in current view" #178908
Comments
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
Pinging @elastic/security-solution (Team: SecuritySolution)
Hi @banderror :) How is this issue progressing?
Hi @shayfeld, thanks, I'm raising the priority for this one. Although it's not a commitment, there is a chance that we will have some freed up resources to work on that closer to the end of this year.
Hey @shayfeld and @banderror! I've investigated the bug and figured out what causes the issue.

The issue affects only the filters that have "AND" or "OR" conditions.

In our app both index patterns and data views are represented as "data view" objects. TS type is either

On the Rule Details page we are using an incomplete

When the filters UI component renders it checks if filter is applicable to a data view (index patterns). It does this by verifying that "data view"

Why it works on Rule Editing page, but not on Rule Details page?

Rule Editing page creates complete

Rule Details page creates incomplete

Possible fix

I noticed this issue while working on one of my previous tasks and made a branch with a fix. In short, the fix is creating
Thank you @nikitaindik for documenting your findings here, this will be useful when we get back to finalizing the fix 👍
Hi @banderror, is the bug fixed in 8.16.2?
Hi @shayfeld, we're aiming to fix it in
**Resolves: elastic#178908**

## Summary

This PR fixes a warning displayed for the rule when a certain filter is present. I followed the suggestion from @nikitaindik in the original ticket and pulled his fix and tested that it works, but it also needed some modification borrowed from QueryBar component, namely to update the filters before displaying the FilterItems component.

Note: This PR only covers the Rule Creation / Rules Details page. Two new tickets have been created to cover issues found in other places: elastic#203600 and elastic#203615

# BEFORE
<img width="899" alt="image" src="https://github.com/user-attachments/assets/62b300b4-bc70-481f-8042-dc9d7c4b3ff0">

# AFTER
<img width="901" alt="image" src="https://github.com/user-attachments/assets/6c2915f8-e2e1-477d-bf6c-4ededf1a6907">

### Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed

---------

Co-authored-by: Nikita Indik <[email protected]>

(cherry picked from commit 2e3a748)
…204704)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Remove warning for rule filter (#201776)](#201776)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Jacek Kolezynski <[email protected]>
(cherry picked from commit 2e3a748)

# Conflicts:
#	x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx
#	x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/hooks/use_data_view.ts
…204718)

# Backport

This will backport the following commits from `main` to `8.17`:
- [[Security Solution] Remove warning for rule filter (#201776)](#201776)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…204728)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Security Solution] Remove warning for rule filter (#201776)](#201776)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
Related to: #177081
Kibana version: 8.14.0-SNAPSHOT
Summary
If you create a rule with a filter, such as `host.name: "some-value" AND host.os.family: "windows"`, then:
`host.name: Warning AND host.os.family: Warning`.
Rule Creation:
Rule Details:
Steps to reproduce
- `resolver_generator` script that generates fake endpoint events (events generated by Endpoint Security aka Elastic Defend): `node x-pack/plugins/security_solution/scripts/endpoint/resolver_generator.js --node http://elastic:[email protected]:9200 --kibana http://elastic:[email protected]:5601/kbn --numHosts=5 --numDocs=2`.
- `resolver_generator` script. Otherwise, point the rule to the indices you created on the previous step.
- `*` as the rule's query.
- `host.name: Host-avy6d0956e AND host.os.family: windows` (use any values from your source data).
- `Warning`s are displayed.

Expected behavior: on the Rule Details page there shouldn't be any warnings in rule filters, when we know that source events with the field values used in the filters exist. Field values should be displayed instead of warnings, just like on the Rule Creation and Editing pages.
Hypothesis
Maybe the bug is caused by the fact that on the Rule Details page we use a data view that includes only the `.alerts-security.alerts-<spaceid>` index:

The filter's UI component tries to find the filter's fields and their values in this data view, and doesn't find them because there are no alerts created with these fields yet. You can check in Discover that indeed, there are source events with those fields, but there are no alerts:
Source events:
Alerts:
So the fix would be to use on the Rule Details page a data view that would correspond to the list of index patterns or the data view of the rule, instead of the data view pointing to the alerts index of the current Kibana space.
Places the fix needs to be checked:
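A simplified model of the hypothesis in the issue description, added here as an illustration and not taken from the Kibana code base: the same AND filter is rendered once against a data view built from the rule's source indices and once against an alerts-only data view. The types, function names, the `logs-*` title and the field lists are assumptions constructed for the example.

```typescript
// Simplified model (not Kibana source code). All names below are hypothetical.

type PhraseFilter = { kind: 'phrase'; field: string; value: string };
type CombinedFilter = {
  kind: 'combined';
  relation: 'AND' | 'OR';
  filters: RuleFilter[];
};
type RuleFilter = PhraseFilter | CombinedFilter;

// A "data view" reduced to the two things the check needs:
// which indices it covers and which field names it knows about.
interface DataViewModel {
  title: string;
  fields: string[];
}

function hasField(view: DataViewModel, field: string): boolean {
  return view.fields.indexOf(field) !== -1;
}

// Render a filter the way the UI label reads: the value when the field is
// known to the data view, the literal "Warning" when it is not.
function renderFilterLabel(filter: RuleFilter, view: DataViewModel): string {
  if (filter.kind === 'phrase') {
    const shown = hasField(view, filter.field) ? filter.value : 'Warning';
    return `${filter.field}: ${shown}`;
  }
  const parts: string[] = [];
  for (const child of filter.filters) {
    const label = renderFilterLabel(child, view);
    // Parenthesise nested AND/OR groups so the label stays unambiguous.
    parts.push(child.kind === 'combined' ? `(${label})` : label);
  }
  return parts.join(` ${filter.relation} `);
}

// The check a rule author would want: which filter fields are unknown to
// the data view being used for display (deduplicated, in filter order).
function missingFields(filter: RuleFilter, view: DataViewModel): string[] {
  const missing: string[] = [];
  const visit = (f: RuleFilter): void => {
    if (f.kind === 'phrase') {
      if (!hasField(view, f.field) && missing.indexOf(f.field) === -1) {
        missing.push(f.field);
      }
      return;
    }
    for (const child of f.filters) {
      visit(child);
    }
  };
  visit(filter);
  return missing;
}

// Filter from the reproduction steps on this page.
const ruleFilter: RuleFilter = {
  kind: 'combined',
  relation: 'AND',
  filters: [
    { kind: 'phrase', field: 'host.name', value: 'Host-avy6d0956e' },
    { kind: 'phrase', field: 'host.os.family', value: 'windows' },
  ],
};

// Constructed data view for the rule's source indices (title is a placeholder).
const sourceView: DataViewModel = {
  title: 'logs-*',
  fields: ['@timestamp', 'host.name', 'host.os.family'],
};

// Constructed alerts-only data view, as in the hypothesis: no alerts carrying
// the host.* fields exist yet, so the view does not know them.
const alertsView: DataViewModel = {
  title: '.alerts-security.alerts-<spaceid>',
  fields: ['@timestamp', 'kibana.alert.rule.name'],
};

console.log(`${sourceView.title} -> ${renderFilterLabel(ruleFilter, sourceView)}`);
console.log(`${alertsView.title} -> ${renderFilterLabel(ruleFilter, alertsView)}`);
console.log(`unknown in alerts view: ${missingFields(ruleFilter, alertsView).join(', ')}`);
```
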