[Security Solution] All the fields for all indices show when trying to add the a filters in a rule

[jsanz]

Kibana version:
8.12.2

Original install method:
Cloud

Describe the bug:
When editing a security rule, the UI in the filter pill does not honor the index(es) that define the rule.

Steps to reproduce: (Original issue with index patterns, fixed in 8.13)

1. Create a minimal new index
2. Create a threshold security rule for that index
3. Edit the rule and try to add a filter
4. Fields for all indices show up instead of the fields from the rule index

Re-adding the index forces makes the UI to refresh and get just the fields from the defined index.

video with the index pattern bug

vokoscreenNG-2024-03-26_17-52-47.mp4

Steps to reproduce: (Issue with data views, present in 8.15)

1. Create a minimal new index and corresponding data view

   PUT fields_index
   PUT fields_index/_mapping
   {
     "properties": {
       "@timestamp": {
         "type": "date"
       },
       "field-1": {
         "type": "keyword"
       },
       "field-2": {
         "type": "keyword"
       },
       "field-3": {
         "type": "keyword"
       }
     }
   }
   
   POST fields_index/_doc
   {
    "@timestamp": "2024-10-01T09:26:30.425Z",
    "field-1": "test-0"
   }

2. Create a security rule with that data view
3. Edit the rule and try to add a filter
4. Fields for all indices show up instead of the fields from the rule index
5. Switching to indices and back to data view on rule form fixes issue

video with the Data view bug

Screen.Recording.2024-10-03.at.10.57.05.mov

Expected behavior:

Only the index/data view defined in the rule drives the fields showing up in the filter UI.

Screenshots (if relevant):

Errors in browser console (if relevant):
Nothing shows up

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-detection-engine (Team:Detection Engine)

[jsanz]

Seems to be fixed by #178207, but keeping it open for the team to confirm.

[shayfeld]

Hi @jsanz ,

Is there any chance this problem can be resolved with index pattern and not with data view?

[jsanz]

Is there any chance this problem can be resolved with index pattern and not with data view?

@shayfeld, I'm not sure what you mean here. Are you referring to the fix implemented at #178207 or something else?

[shayfeld]

@jsanz ,
Yes , Because of the bug (#178207) in version 8.12, my rules work with index patterns as sources instead of data views. Is the bug in this ticket fixed with index patterns or only with data views as sources?

[nkhristinin]

Hey @shayfeld, can you provide more details/examples about ?

my rules work with index patterns as sources instead of data views

[shayfeld]

Hey @shayfeld, can you provide more details/examples about ?

my rules work with index patterns as sources instead of data views

As you can see in the link of create new rule, using Index patterns: winlogbeat-* as source of the rule. In 178207 they are using Data View as a source.

[shayfeld]

Hi @jsanz @nkhristinin @yctercero ,

In v8.13.4, the bug still exists. I sent a video to the support team.

[yctercero]

Thanks so much @shayfeld ! This is on our radar. We'll update the ticket as soon as we are able to take it up.

[vitaliidm]

@shayfeld , @jsanz

I tried to reproduce the issue in 8.13.4, following the instructions in the ticket, but could not.
But issue is easily can be easily reproduced in 8.12.2 as reported in the issue

Issue reproduced in 8.12.2

Screen.Recording.2024-10-01.at.10.17.19.mov

Issue NOT reproduced in 8.13.4

Screen.Recording.2024-10-01.at.10.19.18.mov

What are the steps to reproduce it in 8.13.4? Is something missing in my approach?
Actions are identical in both videos, but for newer version, not issue found. It works as expected

[shayfeld]

@vitaliidm ,

If you'd like, I can schedule a Zoom meeting for tomorrow to show you the steps I took.
Looking at the video again:

1. Create rule with the dataview .kibana-event-logs* (contain index pattern .kibana-event-logs*)
2. give it make 1 run (maybe it will help)
3. Edit the rule and check if the filter showing other fields. (when I switch between dataview and index pattern, it works without the bug)

[vitaliidm]

@shayfeld

So, I was able to reproduce the issue.

It does, in fact, fixed for indices, as in original ticket's description.
But your case is different, your rule is configured with Data view, not index.
When I reconfigured my rule, to use Data view, I was able to see the issue.

[vitaliidm]

fixed in #194678

[MadameSheema]

@pborgonovi 8.15.3 BC has been built already, please validate the fix and keep the ticket open until is validated in 8.16.0 BC, thanks!

[pborgonovi]

Validated latest 8.15.3 BC and bug fix looks good:

Screen.Recording.2024-10-11.at.11.37.06.AM.mov

Waiting to validate with 8.16 BC

[vitaliidm]

looks like this fix did not make to 8.15.3, despite PR being labeled as 8.15.3 by Kibana bot.
According to https://staging.elastic.co/8.15.3-82db83de/summary-8.15.3.html -
https://github.com/elastic/kibana/commits/3933429968aafb1ba31319fc38649d0f974044bf, 8.15.3 does not contain that fix.
I have relabelled it as 8.15.4. Not sure why it did not reproduce in your video. I as able consistently reproduce it

[pborgonovi]

Thanks for the analysis @vitaliidm I'll make sure to validate 8.15.4 and 8.16 BC

cc @MadameSheema

[pborgonovi]

Issue is fixed in 8.16.

Screen.Recording.2024-10-18.at.9.31.10.AM.mov

Waiting to validate with 8.15.4

[pborgonovi]

Validated with 8.15.4 BC and fix looks good.

Creating new rule:

Screen.Recording.2024-11-05.at.2.38.33.PM.mov

Updating a rule:

Screen.Recording.2024-11-05.at.2.39.49.PM.mov