[Security Solution] By default, the subject field is empty and the user is able to add the exception list. However, if we click on the field, it starts showing an error that the field can't be empty. And the user is unable to add the exception list #99597

Closed
muskangulati-qasource opened this issue May 10, 2021 · 16 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Exceptions Security Solution Detection Rule Exceptions area fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detections and Resp Security Detection Response Team Team:Security Solution Platform Security Solution Platform Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.6.0

Comments

@muskangulati-qasource

Describe the feature
By default, the subject field is empty and the user is able to add the exception list. However, if we click on the field, it starts showing an error that the field can't be empty, and the user is unable to add the exception list.

Build Details:

Version: 7.13.0-BC4
Commit: 5a6bad454ffe263aafed54cbd3f764253694bf37
Build number: 40749
Artifact: https://staging.elastic.co/7.13.0-5c4bc719/summary-7.13.0.html

Preconditions

  1. Elastic 7.13.0 environment should be deployed.
  2. Alerts should be generated (e.g., Mimikatz.exe)

Steps to Reproduce

  1. Navigate to the Detections tab under Security
  2. Click on the three dots in front of the alert and click on add to the Endpoint exception

Test data
N/A

Impacted Test case(s)
N/A

Actual Result
By default, the subject field is empty and the user is able to add the exception list. However, if we click on the field, it starts showing an error that the field can't be empty, and the user is unable to add the exception list.

Expected Result
If empty values are not allowed, the user should not be able to add the exception list value

What's Working
N/A

What's Not Working
N/A

Screenshot

  • By default:
    EndpointExceptionEmpty

  • If the user clicks on the empty box:
    EndpointException

@muskangulati-qasource muskangulati-qasource added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels May 10, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@muskangulati-qasource
Author

@manishgupta-qasource please review !!

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@MadameSheema MadameSheema added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed triage_needed labels May 12, 2021
@arvindersingh-qasource-zz

Hi @MadameSheema ,

We have validated this ticket on the 7.15.0 SNAPSHOT build and found that the issue is still occurring.

Build Details

Version: 7.15.0 SNAPSHOT
Commit: f448fcd00b319a3be0d1a1ae356956446e4d7ef8
Build: 43322

Please find below observations

1

Thanks.

@peluja1012 peluja1012 added Feature:Rule Exceptions Security Solution Detection Rule Exceptions area Team:Security Solution Platform Security Solution Platform Team labels Mar 18, 2022
@yctercero yctercero added fixed and removed bug Fixes for quality problems that affect the customer experience labels May 10, 2022
@yctercero
Contributor

Looks like it was fixed a while back with this PR - #106685

@MadameSheema ready for QA check to then close out. Thank you!

@yctercero yctercero added the SecuritySolution:QAAssist Part of QA testing process for release label May 10, 2022
@yctercero yctercero self-assigned this May 10, 2022
@ghost

ghost commented Jun 3, 2022

Hi @MadameSheema @yctercero,

  • We have validated the above issue on 8.3.0 BC2 and found that it's still occurring 🔴.

Build info:

Version: 8.3.0 BC2
Build: 53231
Commit: 25476b531ba9f32292bde85508d342aa5e1c29eb

  • By default:

image

  • If the user clicks on the empty box:

image

Thanks!

@yctercero
Contributor

Thanks @prachigupta-qasource - I'll add this back into our 8.4 plan.

@yctercero yctercero added bug Fixes for quality problems that affect the customer experience v8.4.0 and removed fixed v8.3.0 labels Jun 3, 2022
@yctercero yctercero added v8.5.0 and removed v8.4.0 labels Aug 10, 2022
@ghost

ghost commented Aug 30, 2022

Hi @yctercero

We are seeing the QAAssist label on this ticket. Also, Glo has shared one GitHub filter according to which we have to create a test plan, and this ticket is present under that. So please let us know if we need to create a test case for it or if we need to regress only.

Thanks !

@yctercero
Contributor

Hi - looks like the fix I put in was only a partial fix, so it still needs to be addressed and then tested out once the fix is in. So far it's slated for 8.5.

@peluja1012
Contributor

Hi @prachigupta-qasource, This was fixed by #143127. Could you please retest when you get a chance?

@muskangulati-qasource
Author

Hi Team,

We are blocked from testing this issue as we are unable to get alerts from the Windows Endpoint.

So once the issue for installation is fixed, we will retest this issue and post our observations.

Thanks!!

@kevinlog
Contributor

@muskangulati-qasource

Can you try to run the Windows Endpoint on a Windows VM with Test Signing turned OFF? It looks like you will be able to install the Endpoint using that workaround until the signing build issue is resolved.

See @karanbirsingh-qasource comment right here.

I think we can verify this bug using the above workaround. Let me know if you have any questions.

@muskangulati-qasource
Author

Hi Team,

We have this issue on the latest 8.6 BC4 and found the issue is **partially fixed**. 🟤

Please find below the testing details:

Build Details

Version: 8.6.0 BC4
BUILD: 58612
COMMIT: 218162f282314db5b3833c84752dd24395949b3f

Observations

  • The Subject field is empty by default
  • If we click on the subject field, it still generates an error and the user is not able to add the entry
  • If the user changes the value in any other field, the subject field is reset to default and the error message is also gone.

Screen Recording

Exception.mp4

Please let us know if anything else is required from our end.

Thanks!!

@MadameSheema
Member

@dhurley14 @peluja1012 may you please take a look at the above? Thanks!

@MadameSheema
Member

@dhurley14 @peluja1012 any update on the above?

@ghost ghost removed fixed SecuritySolution:QAAssist Part of QA testing process for release labels Dec 26, 2022
@cybersecdiva

Tested in current 8.7.0 deployment:

Preconditions:

  • Endpoint alerts should be generated

Steps to reproduce behavior:

  1. Navigate to Security -> Alerts
  2. Filter Alerts by Rule name and select Malware Detection Alert
  3. Once the Rule event Malware Detection Alert displays, click on the dots and select Add Endpoint Exception

Results:

The subject_name field automatically populates the field value with the host, in this case Microsoft Windows. The field value is not empty and no error message is displayed.

Expected results:

No error message is displayed

Screen video capture:

Bug_.subject_name.field.empty.value.for.add.endpoint.exception.mp4

Observations:

  • The subject_name field is populated by default with the host as the field value
  • There are no error messages that display

Screenshots:

Screenshot 2023-04-13 at 5 12 37 PM

Conclusion:

Validated that this is fixed ✅ in the UI for 8.7.0 and closing this case.

cc: @MadameSheema @yctercero @peluja1012 Update FYI Observations

@cybersecdiva cybersecdiva added fixed QA:Validated Issue has been validated by QA labels Apr 13, 2023
9 participants