
[Security Solution] Fields with more than one value may display different Alert prevalence counts in the alert flyout vs a timeline #131967

Closed
andrew-goldstein opened this issue May 10, 2022 · 2 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@andrew-goldstein (Contributor)

Summary

Fields with more than one value may display different Alert prevalence counts in the alert flyout vs a timeline

Background

#131255 adds the Investigate in timeline action to the Alert prevalence column of the Highlighted fields table in the alert flyout, as shown in the screenshot below:

[screenshot: alert_prevalence]

Fields that typically have just one value, like process.name, consistently display the same alert counts in both the Alert prevalence column in the flyout, and in a timeline when the Investigate in timeline action is performed by clicking the hover action next to the count.

Fields that have more than one value sometimes display different counts between the flyout and Timeline.

Example: The process.args in the sample JSON below contains two values:

    "process": {
      "args": [
        "\"C:\\lsass.exe\"",
        "--jyf"
      ],
      "name": "lsass.exe"
    }

In the video below:

  • The process.args field displays 570 in the Alert prevalence column in the flyout
  • Timeline displays a count of 285 alerts when the Investigate in timeline action is invoked
[video: process_args.mov]

Kibana/Elasticsearch Stack version:

8.3.0

Steps to reproduce:

  1. Navigate to the Alerts page in the Security Solution

  2. Add the following query to the search bar to filter for process events where process.args exists:

     event.category: "process" and process.args : *

  3. Keep clicking the View details action on alerts in the table until an alert that has multiple values for the process.args field is displayed in the alerts flyout

  4. For a field with a single value, like process.name, click the Investigate in timeline action next to the count in the Alert prevalence column

     Expected result

       • The Alert prevalence count displayed in the flyout exactly matches the count displayed in Timeline's Query tab

  5. Close timeline

  6. In the alerts flyout, click the Investigate in timeline action next to the process.args column, which contains multiple values

     Expected result

       • Once again, the Alert prevalence count displayed in the flyout exactly matches the count displayed in Timeline's Query tab

     Actual result

       • The counts are different, per the video below:

     [video: process_args.mov]
@andrew-goldstein andrew-goldstein added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team labels May 10, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@michaelolo24 michaelolo24 added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed triage_needed labels May 12, 2022
@michaelolo24 michaelolo24 removed their assignment May 12, 2022
@janmonschke janmonschke self-assigned this May 20, 2022
janmonschke added a commit that referenced this issue Apr 19, 2023
…ls (#154544)

## Summary

Bug ticket #131967 describes an
issue where the alert prevalence count is not correct for fields that
have array values (such as `process.args`).

## Solution

Getting the correct count for those fields involved adding more `term`
conditions to the prevalence query and the timeline filter. This ensures
that only alerts with the *exact* same array values match instead of
partial matches as before.

https://user-images.githubusercontent.com/68591/231395154-b5a1c968-8308-49fb-a218-f3611f8331c3.mov

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] Get approval from the product team

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
nikitaindik pushed a commit to nikitaindik/kibana that referenced this issue Apr 25, 2023
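The term-per-value change described in the commit message above, modelled as an added TypeScript example (this is not Kibana's own code; the sample alert documents, the query-builder and evaluator function names, and the argument values other than the `process.args` pair from the report are constructed for illustration). It also shows a caveat a practitioner should know: ANDing one `term` clause per value still matches an alert whose array is a superset of the values.

```typescript
// Added example, not Kibana's own code: a toy model of the alert prevalence
// query and why it over-counted for array fields such as process.args.
type AlertDoc = { [field: string]: string | string[] };
type TermClause = { term: { [field: string]: string } };
type BoolQuery = { bool: { filter: TermClause[] } };

// Normalise a field to an array so single- and multi-valued fields compare alike.
function valuesOf(doc: AlertDoc, field: string): string[] {
  const v = doc[field];
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Before the fix: a single term clause, so any alert whose array merely
// contains that one value matches (the partial match from the bug report).
function singleTermQuery(field: string, values: string[]): BoolQuery {
  return { bool: { filter: [{ term: { [field]: values[0] } }] } };
}

// After the fix (#154544): one term clause per value, all of which must match.
function allTermsQuery(field: string, values: string[]): BoolQuery {
  return { bool: { filter: values.map((v) => ({ term: { [field]: v } })) } };
}

// Minimal in-memory evaluator for the bool/filter/term subset used above.
// Like Elasticsearch, a term on an array field matches if any element equals it.
function countMatches(query: BoolQuery, docs: AlertDoc[]): number {
  return docs.filter((doc) =>
    query.bool.filter.every((clause) => {
      const field = Object.keys(clause.term)[0];
      return valuesOf(doc, field).indexOf(clause.term[field]) !== -1;
    })
  ).length;
}

// Constructed sample alerts (not real data). The last lsass entry carries a
// superset of the args: a per-value term filter still matches it, so "exact"
// here means "contains every value", not "identical array".
const SAMPLE_ALERTS: AlertDoc[] = [
  { "process.name": "lsass.exe", "process.args": ['"C:\\lsass.exe"', "--jyf"] },
  { "process.name": "lsass.exe", "process.args": ['"C:\\lsass.exe"', "--jyf"] },
  { "process.name": "lsass.exe", "process.args": ['"C:\\lsass.exe"'] },
  { "process.name": "lsass.exe", "process.args": ['"C:\\lsass.exe"', "--other"] },
  { "process.name": "lsass.exe", "process.args": ['"C:\\lsass.exe"', "--jyf", "--extra"] },
  { "process.name": "svchost.exe", "process.args": ["svchost.exe", "-k"] },
];
const ARGS = ['"C:\\lsass.exe"', "--jyf"];
const partialCount = countMatches(singleTermQuery("process.args", ARGS), SAMPLE_ALERTS); // 5
const exactCount = countMatches(allTermsQuery("process.args", ARGS), SAMPLE_ALERTS); // 3
```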