[Security Solution] 'Unsupported operation exception' error is thrown and Alerts table becomes inoperable upon addition of field '_source' #198220

Open
pborgonovi opened this issue Oct 29, 2024 · 8 comments
Labels
bug Fixes for quality problems that affect the customer experience impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

@pborgonovi

pborgonovi commented Oct 29, 2024

Describe the bug:
When adding field _source to Alerts table, 'Unsupported operation exception' error is thrown and user can no longer interact with it.

Kibana/Elasticsearch Stack version:
8.16

Server OS version:

Browser and Browser OS versions:

Elastic Endpoint version:

Original install method (e.g. download page, yum, from source, etc.):

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Alerts table

Pre-requisites:

  1. Have rules installed
  2. Have alerts generated by the rule

Steps to reproduce:

  1. Launch Alerts page
  2. In Alerts table, select 'Fields'
  3. Add _source field as a column to the table

Current behavior:
'Unsupported operation exception' error is thrown and user can no longer interact with it.

Expected behavior:
User should be able to interact with Alerts table and undo the action

Screenshots (if relevant):

Screen.Recording.2024-10-29.at.3.08.30.PM.mov


Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):

@pborgonovi pborgonovi added bug Fixes for quality problems that affect the customer experience impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team triage_needed labels Oct 29, 2024
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@yctercero

@michaelolo24 would this be threat hunting investigations? We can ask @paulewing if we should disable allowing the user to add _source to the table.

@yctercero yctercero added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Investigations Security Solution Investigations Team labels Nov 8, 2024
@elasticmachine

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@elasticmachine

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@yctercero yctercero removed Team:Detections and Resp Security Detection Response Team Team:Detection Engine Security Solution Detection Engine Area labels Nov 8, 2024
@michaelolo24

@yctercero I believe it's all related to this: #170167

While this error seems to happen immediately on query, the error from the related issue happens when trying to sort on an unmapped field, which isn't allowed. Now we can stop _source from being an available option in the field browser and also prevent sorting on unmapped fields, but I think the easiest first step is to just separate the field browser rendering from the table rendering to allow users to revert their changes. Thoughts?

@PhilippeOberti

We should also investigate adding a button somewhere on the page (or in the error pop-up) to allow the user to remove the local storage keys that will clear what is causing the issue.

@PhilippeOberti PhilippeOberti added this to the 8.17 milestone Nov 12, 2024
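
The mitigations proposed in the two comments above (keeping `_source` out of the table columns, refusing sorts on unmapped fields, and clearing the persisted table state so the user can recover), sketched as an added example that is not Kibana's code. The storage key, the state shape and the field-map shape are assumptions made for illustration.

```javascript
// Added example: key name, state shape and field-map shape are hypothetical.
const TABLE_STATE_KEY = 'example.alertsTable.state'; // not Kibana's real key
const BLOCKED_COLUMNS = new Set(['_source']); // metadata field from the report

// Drop blocked columns and any sort on a field that is unmapped or unsortable.
// fieldMap: { [fieldName]: { mapped: boolean, sortable: boolean } } (assumed).
function sanitizeTableState(state, fieldMap) {
  const removed = [];
  const columns = (state.columns || []).filter((col) => {
    const ok = !BLOCKED_COLUMNS.has(col.id);
    if (!ok) removed.push(`column:${col.id}`);
    return ok;
  });
  const sort = (state.sort || []).filter((s) => {
    const spec = fieldMap[s.field];
    const ok = Boolean(spec && spec.mapped && spec.sortable);
    if (!ok) removed.push(`sort:${s.field}`);
    return ok;
  });
  return { state: { ...state, columns, sort }, removed };
}

// Load persisted state defensively: corrupt or unusable state is cleared and
// replaced by defaults, so a bad column choice cannot lock the table.
function loadTableState(storage, fieldMap, defaults) {
  const raw = storage.getItem(TABLE_STATE_KEY);
  if (raw === null) return { state: defaults, removed: [], reset: false };
  try {
    const parsed = JSON.parse(raw);
    if (parsed === null || typeof parsed !== 'object') throw new Error('bad shape');
    const { state, removed } = sanitizeTableState(parsed, fieldMap);
    if (state.columns.length === 0) throw new Error('no usable columns');
    if (removed.length > 0) storage.setItem(TABLE_STATE_KEY, JSON.stringify(state));
    return { state, removed, reset: false };
  } catch (err) {
    storage.removeItem(TABLE_STATE_KEY);
    return { state: defaults, removed: [], reset: true };
  }
}

// Handler for a "reset table" control: clears only this table's persisted key.
const resetTableState = (storage) => storage.removeItem(TABLE_STATE_KEY);

// In-memory stand-in for window.localStorage so the example runs offline.
function makeMemoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  const getItem = (k) => (m.has(k) ? m.get(k) : null);
  return { getItem, setItem: (k, v) => m.set(k, String(v)), removeItem: (k) => m.delete(k) };
}
```

In a browser, `window.localStorage` can be passed as `storage`; the returned `removed` list is what a UI would show to explain why a column or sort was dropped.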