
[Security Solution] Applying custom field filter on Alerts page filters is not showing alerts table. #155488

Open
sukhwindersingh-qasource opened this issue Apr 21, 2023 · 6 comments
Labels
bug Fixes for quality problems that affect the customer experience impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.8.0 v8.9.0

Comments

@sukhwindersingh-qasource

sukhwindersingh-qasource commented Apr 21, 2023

Describe the bug:

  • Applying custom field filter on Alerts page filters is not showing alerts table.

Build Details:

VERSION: 8.8.0 - Snapshot
BUILD: 62260
COMMIT: f150d0149c1a95923e1c9e2858ac8bdc4feec645

Preconditions

  • Alerts should be present on the Kibana instance.
  • Create a custom field, let's say Days, with set values; define the script as - emit(doc['@timestamp'].value.getDayOfWeekEnum().toString())

Steps to Reproduce

  • Navigate to Security.
  • Navigate to Alerts tab.
  • In the Alerts page filter, click on the overflow menu and select Edit Controls.
  • Click on the + icon to add a new filter and select the field value of the created custom field.
  • Save the added filter.
  • Now select the filter from the created custom field.

Actual Result

Applying custom field filter on Alerts page filters is not showing alerts table.

Expected Result

Applying custom field filter on Alerts page filters should be showing alerts table.

Screen-Recording

Alerts.-.Kibana.Mozilla.Firefox.2023-04-21.14-32-18.mp4


@sukhwindersingh-qasource sukhwindersingh-qasource added bug Fixes for quality problems that affect the customer experience triage_needed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Apr 21, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@MadameSheema MadameSheema assigned logeekal and michaelolo24 and unassigned ghost Apr 21, 2023
@MadameSheema MadameSheema added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Investigations Security Solution Investigations Team labels Apr 21, 2023
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@logeekal
Contributor

Update:
It looks to be an issue with how the Alert Table is fetching runtime fields. Adding the same filter to the global query bar also results in an empty table. Looks like an issue with the Alerts Table, since it is not using the runtime mapping in the request.

Below is the runtimeMappings object we are sending to timelineSearchStrategy, which is missing from the Trigger actions alert table request.

{
	"runtimeMappings": {
		"Day": {
			"script": {
				"source": "emit(doc['@timestamp'].value.getDayOfWeekEnum().toString())"
			},
			"type": "keyword"
		}
	}
}
Screen.Recording.2023-04-21.at.17.24.33.mov
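To make the mechanism behind the empty table concrete, here is an added example (not Kibana's code, and not from the comment above) that builds the alerts search body with and without the runtime field declared, and a small pre-flight check that lists filter fields which are neither in the index mapping nor declared at query time. It assumes Elasticsearch's search-request key `runtime_mappings` (the comment above shows Kibana's internal camelCased object), a constructed stand-in index mapping, and a constructed set of page-control filters.

```python
import json

# Constructed sample: the runtime field from the issue, written in the form
# Elasticsearch accepts in a search request (`runtime_mappings`; Kibana's
# internal timelineSearchStrategy object is camelCased as `runtimeMappings`).
RUNTIME_FIELDS = {
    "Day": {
        "type": "keyword",
        "script": {
            "source": "emit(doc['@timestamp'].value.getDayOfWeekEnum().toString())"
        },
    }
}

# Constructed stand-in for the fields the alerts index actually has mapped.
INDEX_FIELDS = {"@timestamp", "kibana.alert.rule.name", "event.kind"}


def build_alerts_search(filters, runtime_fields=None):
    """Build an Elasticsearch search body for an alerts table.

    `filters` maps a field name to the value chosen in the page controls.
    When `runtime_fields` is None the body omits `runtime_mappings`, which is
    the shape of the request the comment above describes as broken.
    """
    body = {
        "size": 50,
        "query": {
            "bool": {
                "filter": [{"term": {field: value}} for field, value in filters.items()]
            }
        },
    }
    if runtime_fields:
        body["runtime_mappings"] = runtime_fields
    return body


def undeclared_filter_fields(body, index_fields):
    """Return filter fields that are neither mapped nor declared at query time.

    A term filter on such a field matches no documents and raises no error, so
    the table silently renders empty; this check surfaces the mismatch before
    the request is sent.
    """
    declared = set(index_fields) | set(body.get("runtime_mappings", {}))
    referenced = []
    for clause in body["query"]["bool"]["filter"]:
        referenced.extend(clause.get("term", {}).keys())
    return sorted(field for field in referenced if field not in declared)


if __name__ == "__main__":
    # Constructed page-control selection: the custom Day field plus a mapped field.
    filters = {"Day": "MONDAY", "event.kind": "signal"}
    broken = build_alerts_search(filters)                 # no runtime_mappings
    fixed = build_alerts_search(filters, RUNTIME_FIELDS)  # runtime_mappings present
    print("undeclared in broken request:", undeclared_filter_fields(broken, INDEX_FIELDS))
    print("undeclared in fixed request: ", undeclared_filter_fields(fixed, INDEX_FIELDS))
    print(json.dumps(fixed, indent=2))
```

The check only inspects `term` clauses, which is all the page-control filters generate here; a request that also carries `match` or `range` clauses would need those clause types walked the same way.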

@logeekal logeekal added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) and removed triage_needed Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team labels Apr 21, 2023
@elasticmachine
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@XavierM
Contributor

XavierM commented May 2, 2023

@dhurley14 and I would have to fix it together because I need to be aware of the runtime fields to do that on the alert table.

XavierM added a commit that referenced this issue May 8, 2023
## Summary

FIX #156263 &
#155488


### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue May 8, 2023
## Summary

FIX elastic#156263 &
elastic#155488

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

(cherry picked from commit 73d6008)
kibanamachine added a commit that referenced this issue May 8, 2023
# Backport

This will backport the following commits from `main` to `8.8`:
- [[RAM] alert table support runtime field (#156899)](#156899)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co>
@cnasikas
Member

cnasikas commented Jul 5, 2024

Hey @sukhwindersingh-qasource! Is this still valid?

7 participants