[Security Solution] [Question] Same result is displayed in show top host.name for "Raw events" and "Detection Alerts" under the detection alert table.

[ghost]

Description
[Question] Same result is displayed in show top host.name for "Raw events" and "Detection Alerts" under the detection alert table.

Build Details:

Version: 7.12.0-BC4
Platform: Production
Commit:99ac38d70e426f589bb61a034c96e602d759cfab
Build:39242
https://staging.elastic.co/7.12.0-336ff10d/summary-7.12.0.html

Browser Details:
All

Preconditions:

1. 7.12.0 Kibana Environment should exist.
2. Endpoint should be installed.
3. Multiple alerts should be generated

Steps to Reproduce:

1. Navigate to the detection tab of security.
2. Hover on hostname under the host.name column of detection alert table
3. Click on show top host.name icon
4. Select the Raw events from drop-down and observe that same results are displaying for "Raw events" and "Detection Alerts"

Observation:

1. Navigate to the External tab under the host tab.
2. Hover on hostname under the host.name column
3. Click on show top host.name icon
4. Select the Raw events from drop-down and observe that correct results are displaying for "Raw events"
   

Impacted Test case:
N/A

Actual Result:
Same result is displayed in show top host.name for "Raw events" and "Detection Alerts" under the detection alert table.

Expected Result:
Correct result should be displayed in show top host.name for "Raw events" and "Detection Alerts" under the detection alert table.

What's working:
N/A

What's not working:
N/A

Screenshot:
Detection Alerts

Raw events

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[ghost]

@manishgupta-qasource Please review!!

[manishgupta-qasource]

Reviewed & Assigned to @MadameSheema

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[MadameSheema]

@XavierM can you please help to prioritise this? Thanks :)

[XavierM]

yes, we know about it, we should have a PR this week

[MadameSheema]

@deepikakeshav-qasource can you please check if this is fixed already on 7.12.x branch? Thanks :)

[ghost]

Hi @MadameSheema,

We have validated this issue on 7.12.0, 7.12.1 SNAPSHOT and 7.13.0 SNAPSHOT build and Below are the observations:

7.12.0

We observed that issue is still occurring on 7.12.0. Same result is displayed in show top host.name for "Raw events" and "Detection Alerts" under the detection alert table. 🔴

Build Details:

Version:7.12.0
Commit:b7f9a41f486a2910ef22a1274ec734219c35ca3e
Build:39309

Screenshot:

7.12.1 SNAPSHOT

We observed that issue is fixed on 7.12.1 SNAPSHOT. Correct result is displayed in show top host.name for "Raw events" under the detection alert table. 🟢

Build Details:

Version:7.12.1 SNAPSHOT
Commit:e01b1c2af2c9b9d068c2829463b9c8dd42cbf099
Build:39401

Screenshot:

7.13.0 SNAPSHOT

We observed that issue is fixed on 7.13.0 SNAPSHOT. Correct result is displayed in show top host.name for "Raw events" under the detection alert table. 🟢

Build Details:

Version:7.13.0 SNAPSHOT
Commit:6f0d093915d937453c617a63cff5aee00a12a4c6
Build:40112

Screenshot:

Hence, We will revalidate this ticket once 7.12.1 BC build available.

Thanks!!

[ghost]

Hi @MadameSheema,

We have validated this issue on 7.12.1 BC1 and observed that issue is fixed. The correct result is displayed in show top host.name for "Raw events" under the detection alert table.

Build Details:

Version:7.12.1 BC1
Commit:bb662886fc93cd04030e66223bb1ffa8512e0705
Build:39445

Screenshot:

Hence, We are closing this ticket.

Thanks!!

[ghost]

Hi @MadameSheema

We tested this ticket & found that the issue exists on the 7.15.0-BC1 environment under count canvas. Please find below the testing details:

Build Details:

VERSION:7.15.0-BC1
BUILD: 43636
COMMIT: d791226d9385122f33f4a5ca38fa5369012fbec3
ARTIFACT: https://staging.elastic.co/7.15.0-d9929120/summary-7.15.0.html

Steps to Reproduce:

1. Navigate to the Detection tab under Security App.
2. Go to the count tab.
3. Select stack by signal.rule.risk_score , signal.rule.severity , signal.rule.name and signal.rule.type.
4. Observe that for stack by signal.rule.risk_score , signal.rule.severity , signal.rule.name and signal.rule.type it doesn't show Raw events but shows Detection alerts.

Screen-Recording:

Alerts.-.Kibana.-.Google.Chrome.2021-08-24.16-54-05.mp4

Hence, reopening the issue.

Thanks!!

[MadameSheema]

@angorayc can you please take a look at this? Thanks :)

[machadoum]

I noticed that this bug doesn't happen on master because the user can't select the top event graph anymore. It doesn't show up as an option when hovering count table and trend graph items.

[ghost]

Hi @MadameSheema

We tested this ticket on the 7.15.0-BC4 environment & found that the 'Show Top' is removed from the count tab however, the issue still exist under alert table. Please find below the testing details:

Build Details:

VERSION:7.15.0-BC4
BUILD: 43886
COMMIT: 29a6969dc230abf16dc65a41c535cb534ae64fa7
ARTIFACT:https://staging.elastic.co/7.15.0-9e0972b3/summary-7.15.0.html

Screen-Recording:

Alerts.-.Kibana.-.Google.Chrome.2021-09-03.13-55-40.mp4

Screenshot:

Let me know if you need more information on this.
Thanks!!

[MadameSheema]

I checked 7.15 branch (71768bb) and I face the same behaviour.

@machadoum any thoughts on this? Thanks :)

[machadoum]

I see one clear bug here, which is the inconsistent total number of events:

But this issue seems to be related to the fact that it returns zero events when the user selects "Raw events".

it doesn't show Raw events but shows Detection alerts.

The reason for that is that they query different indices. When "Detection alerts" is selected, it queries ".siem-signals-*", but when "raw events" is selected, it queries an index pattern like packetbeat-*, which doesn't include alerts.

Isn't it the expected behavior? How should it work, though?

[MadameSheema]

@XavierM @asnehalb can you please help us with our doubts? Thanks :)

[machadoum]

As discussed with Xavier, displaying zero events for fields like signal.rule.name on Raw events is expected because these fields are not present on any raw event index. I am addressing the inconsistent total count bug here: #111256

[angorayc]

I noticed that this bug doesn't happen on master because the user can't select the top event graph anymore. It doesn't show up as an option when hovering count table and trend graph items.

This was to fix infinite popovers from topN chart, but to me I think it's fine to enable launching topN chart in the Count table, as users are not able to launch another topN chart again again from the existing topN.

[machadoum]

Hey @andrew-goldstein! Since you have more context about this issue, I would like to hear your opinion. Angela's comment does make sense to me, but are we missing something here?

This was to fix infinite popovers from topN chart, but to me I think it's fine to enable launching topN chart in the Count table, as users are not able to launch another topN chart again again from the existing topN.

[MadameSheema]

@deepikakeshav-qasource @samratbhadra-qasource please validate on 7.15BC5 thanks

Note that on the count table it is expected to don't be able to launch the Top x behaviour

[ghost]

Hi @MadameSheema,

We have validated this ticket on 7.15.0 BC5 build and observed that issue is Fixed. Correct information is displayed for Raw events under Alerts table

Build Details:

Version:7.15.0 BC5
Commit:0239ff6864dd9930cfe9bcd9a679272f2b7465c2
Build:43957

Screenshot:

raw_events.mp4

Hence, We are closing this ticket and marking as QA Validated

Thanks!!