
[Security Solution]Suppression configuration displaying on switching from Query to EQL Rule under Define Rule Section #157358

Closed
ghost opened this issue May 11, 2023 · 6 comments
Labels
8.14 candidate bug Fixes for quality problems that affect the customer experience consider-next impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. invalid Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.9.0
Milestone

Comments

@ghost

ghost commented May 11, 2023

Originally found by @MadameSheema

Describe the bug
Suppression configuration displaying on switching from Query to EQL Rule under Define Rule Section

Build Details:

Version: 8.8 BC3
Commit: 85b22d307ab93fca95c1698ede4cb61d85f3d314
Build: 62994

Steps

  1. Navigate to Rule Details page
  2. Click on Create Rule
  3. Fill the Custom query
  4. Fill the Suppression configuration
  5. Change the Rule Type for instance: Event Correlation
  6. Fill the EQL Query
  7. Click on Continue
  8. Observed that on the Define rule step summary information about the rule suppression is displayed which is incorrect.

Additional Note

Suppression is not getting performed for the created EQL rule; just the suppression configuration is showing under the created EQL rule.

#156247 (comment)

Screen-Cast

Create.new.rule.-.Kibana.Mozilla.Firefox.2023-05-11.13-11-51.mp4
@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels May 11, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost added the impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. label May 11, 2023
@ghost ghost assigned MadameSheema May 11, 2023
@MadameSheema
Member

@vitaliidm @peluja1012 may you please take a look at this issue? Thanks!

@vitaliidm
Contributor

I can confirm this behaviour is not a regression related to recent changes in suppressions settings and can be encountered in 8.7 version as well.

@peluja1012, which version do we want to target with this fix? Maybe not BC4, but 8.8.1 or later (8.9.0)? What do you think?

@MadameSheema MadameSheema added Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team labels May 15, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@MadameSheema MadameSheema removed their assignment May 15, 2023
@yctercero
Contributor

I think it's ok for this to be fixed in 8.9. It's a gnarly one but also an edge case.

@yctercero yctercero added this to the D&R 8.14 milestone Mar 21, 2024
@yctercero yctercero modified the milestones: D&R 8.14, 8.14 Mar 26, 2024
@pborgonovi
Contributor

Since the suppression feature has been implemented for all rule types, I'm closing this bug as invalid.
