Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution] [Response Ops] ecsRowData in alerts table improperly formatted #159276

Open
kqualters-elastic opened this issue Jun 8, 2023 · 4 comments
Labels
bug Fixes for quality problems that affect the customer experience Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Threat Hunting:Investigations Security Solution Investigations Team

Comments

@kqualters-elastic
Copy link
Contributor

Kibana version:
8.8+

ecsRowData passed to each row and ultimately to the onClick handler that runs when a user selects "Investigate in Timeline" from an alert row has the kibana.alert.rule.exception_list property formatted very strangely when there is 1 entry in the list, it's an Object who's keys are arrays of 1 string. This makes the code https://github.com/elastic/kibana/blob/051ac85c07bd883550236e6ebca763ef64801507/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/use_investigate_in_timeline.tsx#LL72C48-L72C48 here that was working for most of 8.0 no longer function correctly. I'm not sure if the format of the exception list being passed is correct and this code needs to be updated to account for it, or if there's a bug in the logic in

const alerts = rawResponse.hits.hits.reduce<Alerts>((acc, hit) => {
seems more likely to be the latter, but need to confirm that.

@kqualters-elastic kqualters-elastic added bug Fixes for quality problems that affect the customer experience triage_needed Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Threat Hunting:Investigations Security Solution Investigations Team labels Jun 8, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@michaelolo24 michaelolo24 added the impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. label Jun 12, 2023
@kqualters-elastic kqualters-elastic added impact:critical This issue should be addressed immediately due to a critical level of impact on the product. and removed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. labels Jun 21, 2023
@PhilippeOberti
Copy link
Contributor

@kqualters-elastic can you take a look at this and comment if this has been fixed or still needs to be worked on?
Thanks!

@cnasikas
Copy link
Member

@umbopepato is working on a lot of improvements related to the alerts table. @umbopepato Any idea if this issue will be resolved at some point by your work?

@umbopepato
Copy link
Member

umbopepato commented Nov 20, 2024

I didn't know about this issue but yes, it's the perfect occasion to solve this especially since it's my understanding that both ResOps and Security want to finally remove the deprecated alert formats (oldAlertsData and ecsData) 🙂

In any case, I don't know exactly what's the old format and how it changed (I tried to create a Security rule with exceptions but the generated alerts don't have the kibana.alert.rule.exceptions_list field at all... @kqualters-elastic do you have an example before/after document to share?) but I bet it's the conversion to ecsData that produces objects with a wrong format (perhaps lodash's set creates deep keys even where you don't expect them?).

Considered this, the very poor/missing typing information and other issues I'd say the best solution overall would be to finally deprecate these old formats. We'll follow up on this as soon as I finish moving the alerts table code to its dedicated package!

@PhilippeOberti PhilippeOberti removed the impact:critical This issue should be addressed immediately due to a critical level of impact on the product. label Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Fixes for quality problems that affect the customer experience Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Threat Hunting:Investigations Security Solution Investigations Team
Projects
None yet
Development

No branches or pull requests

6 participants