[Security Solution] Alerts Show All Closed when We Want to See Only Open #159606
Comments
MakoWish
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
MadameSheema
added
Team:Threat Hunting
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
@logeekal can you please take a look at the above when you have the chance? Thanks! |
|
To note, I also opened ticket 01386456 for this. |
|
Sure. We are looking into it. |
… Invalid Selections (#160374) This PR changes how Alert Page Filter Controls Work. ## Before 1. Filter Controls use to ignore invalid Selections. For example, if User has selected `Open` as the filter, but there is actually no alert with Status `Open`, filters would ignore that selection and would proceed to show other alerts ( which are NOT `Open`) . - It seemed it was confusing users. [This bug](#159606) and [messages in community slack](https://elasticstack.slack.com/archives/CNRTGB9A4/p1686937708085629?thread_ts=1686841414.978319&cid=CNRTGB9A4) are the examples. @paulewing also emphasized this. - Below video shows what I mean. https://github.com/elastic/kibana/assets/7485038/01771587-e4e8-4331-9535-4ffa09877c02 ## After 1. With this Change Control Filters no longer ignore invalid selection. So if user has chosen to show only `Open` Alerts. Then that filter will be taken into account even though no alert with `Open` exists and a empty table will be show. - Here is a video to demonstrate it. https://github.com/elastic/kibana/assets/7485038/62b17762-16c0-471f-8480-e9f46e2ca5ef
… Invalid Selections (elastic#160374) This PR changes how Alert Page Filter Controls Work. ## Before 1. Filter Controls use to ignore invalid Selections. For example, if User has selected `Open` as the filter, but there is actually no alert with Status `Open`, filters would ignore that selection and would proceed to show other alerts ( which are NOT `Open`) . - It seemed it was confusing users. [This bug](elastic#159606) and [messages in community slack](https://elasticstack.slack.com/archives/CNRTGB9A4/p1686937708085629?thread_ts=1686841414.978319&cid=CNRTGB9A4) are the examples. @paulewing also emphasized this. - Below video shows what I mean. https://github.com/elastic/kibana/assets/7485038/01771587-e4e8-4331-9535-4ffa09877c02 ## After 1. With this Change Control Filters no longer ignore invalid selection. So if user has chosen to show only `Open` Alerts. Then that filter will be taken into account even though no alert with `Open` exists and a empty table will be show. - Here is a video to demonstrate it. https://github.com/elastic/kibana/assets/7485038/62b17762-16c0-471f-8480-e9f46e2ca5ef (cherry picked from commit 54e613b) # Conflicts: # x-pack/plugins/security_solution/cypress/e2e/investigations/alerts/detection_page_filters.cy.ts
… Invalid Selections (elastic#160374) This PR changes how Alert Page Filter Controls Work. ## Before 1. Filter Controls use to ignore invalid Selections. For example, if User has selected `Open` as the filter, but there is actually no alert with Status `Open`, filters would ignore that selection and would proceed to show other alerts ( which are NOT `Open`) . - It seemed it was confusing users. [This bug](elastic#159606) and [messages in community slack](https://elasticstack.slack.com/archives/CNRTGB9A4/p1686937708085629?thread_ts=1686841414.978319&cid=CNRTGB9A4) are the examples. @paulewing also emphasized this. - Below video shows what I mean. https://github.com/elastic/kibana/assets/7485038/01771587-e4e8-4331-9535-4ffa09877c02 ## After 1. With this Change Control Filters no longer ignore invalid selection. So if user has chosen to show only `Open` Alerts. Then that filter will be taken into account even though no alert with `Open` exists and a empty table will be show. - Here is a video to demonstrate it. https://github.com/elastic/kibana/assets/7485038/62b17762-16c0-471f-8480-e9f46e2ca5ef (cherry picked from commit 54e613b) # Conflicts: # x-pack/plugins/security_solution/cypress/e2e/investigations/alerts/detection_page_filters.cy.ts
…ignore Invalid Selections (#160374) (#161208) # Backport This will backport the following commits from `main` to `8.9`: - [[Security Solution][Fix] Alert Page Filter Controls should not ignore Invalid Selections (#160374)](#160374) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Jatin Kathuria","email":"jatin.kathuria@elastic.co"},"sourceCommit":{"committedDate":"2023-07-04T12:13:54Z","message":"[Security Solution][Fix] Alert Page Filter Controls should not ignore Invalid Selections (#160374)\n\nThis PR changes how Alert Page Filter Controls Work. \r\n\r\n## Before\r\n\r\n1. Filter Controls use to ignore invalid Selections. For example, if\r\nUser has selected `Open` as the filter, but there is actually no alert\r\nwith Status `Open`, filters would ignore that selection and would\r\nproceed to show other alerts ( which are NOT `Open`) .\r\n\r\n- It seemed it was confusing users. [This\r\nbug](#159606) and [messages in\r\ncommunity\r\nslack](https://elasticstack.slack.com/archives/CNRTGB9A4/p1686937708085629?thread_ts=1686841414.978319&cid=CNRTGB9A4)\r\nare the examples. @paulewing also emphasized this.\r\n\r\n - Below video shows what I mean.\r\n \r\n\r\nhttps://github.com/elastic/kibana/assets/7485038/01771587-e4e8-4331-9535-4ffa09877c02\r\n\r\n\r\n\r\n\r\n\r\n\r\n## After\r\n\r\n1. With this Change Control Filters no longer ignore invalid selection.\r\nSo if user has chosen to show only `Open` Alerts. Then that filter will\r\nbe taken into account even though no alert with `Open` exists and a\r\nempty table will be show.\r\n\r\n - Here is a video to demonstrate it.\r\n \r\n\r\nhttps://github.com/elastic/kibana/assets/7485038/62b17762-16c0-471f-8480-e9f46e2ca5ef","sha":"54e613b1d9341497d40a2c671c527de18beec165","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Threat Hunting:Investigations","ci:cloud-deploy","v8.9.0","v8.10.0"],"number":160374,"url":"#160374 Solution][Fix] Alert Page Filter Controls should not ignore Invalid Selections (#160374)\n\nThis PR changes how Alert Page Filter Controls Work. \r\n\r\n## Before\r\n\r\n1. Filter Controls use to ignore invalid Selections. For example, if\r\nUser has selected `Open` as the filter, but there is actually no alert\r\nwith Status `Open`, filters would ignore that selection and would\r\nproceed to show other alerts ( which are NOT `Open`) .\r\n\r\n- It seemed it was confusing users. [This\r\nbug](#159606) and [messages in\r\ncommunity\r\nslack](https://elasticstack.slack.com/archives/CNRTGB9A4/p1686937708085629?thread_ts=1686841414.978319&cid=CNRTGB9A4)\r\nare the examples. @paulewing also emphasized this.\r\n\r\n - Below video shows what I mean.\r\n \r\n\r\nhttps://github.com/elastic/kibana/assets/7485038/01771587-e4e8-4331-9535-4ffa09877c02\r\n\r\n\r\n\r\n\r\n\r\n\r\n## After\r\n\r\n1. With this Change Control Filters no longer ignore invalid selection.\r\nSo if user has chosen to show only `Open` Alerts. Then that filter will\r\nbe taken into account even though no alert with `Open` exists and a\r\nempty table will be show.\r\n\r\n - Here is a video to demonstrate it.\r\n \r\n\r\nhttps://github.com/elastic/kibana/assets/7485038/62b17762-16c0-471f-8480-e9f46e2ca5ef","sha":"54e613b1d9341497d40a2c671c527de18beec165"}},"sourceBranch":"main","suggestedTargetBranches":["8.9"],"targetPullRequestStates":[{"branch":"8.9","label":"v8.9.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"#160374 Solution][Fix] Alert Page Filter Controls should not ignore Invalid Selections (#160374)\n\nThis PR changes how Alert Page Filter Controls Work. \r\n\r\n## Before\r\n\r\n1. Filter Controls use to ignore invalid Selections. For example, if\r\nUser has selected `Open` as the filter, but there is actually no alert\r\nwith Status `Open`, filters would ignore that selection and would\r\nproceed to show other alerts ( which are NOT `Open`) .\r\n\r\n- It seemed it was confusing users. [This\r\nbug](#159606) and [messages in\r\ncommunity\r\nslack](https://elasticstack.slack.com/archives/CNRTGB9A4/p1686937708085629?thread_ts=1686841414.978319&cid=CNRTGB9A4)\r\nare the examples. @paulewing also emphasized this.\r\n\r\n - Below video shows what I mean.\r\n \r\n\r\nhttps://github.com/elastic/kibana/assets/7485038/01771587-e4e8-4331-9535-4ffa09877c02\r\n\r\n\r\n\r\n\r\n\r\n\r\n## After\r\n\r\n1. With this Change Control Filters no longer ignore invalid selection.\r\nSo if user has chosen to show only `Open` Alerts. Then that filter will\r\nbe taken into account even though no alert with `Open` exists and a\r\nempty table will be show.\r\n\r\n - Here is a video to demonstrate it.\r\n \r\n\r\nhttps://github.com/elastic/kibana/assets/7485038/62b17762-16c0-471f-8480-e9f46e2ca5ef","sha":"54e613b1d9341497d40a2c671c527de18beec165"}}]}] BACKPORT-->
|
@MakoWish this should be fixed in @karanbirsingh-qasource when you get a chance, could you verify that the issue has been correctly fixed? |
|
Sure @PhilippeOberti thanks for the update. For now issue is still occuring on 8.9 BC2 However we will recheck the same issue on 8.9 BC3 and share the update here. Alerts.-.Kibana.Mozilla.Firefox.2023-07-06.09-58-06.mp4 |
|
@karanbirsingh-qasource Could you please try it on BC3? It should be fixed. |
|
Hi @logeekal The Issue has been Fixed on 8.9.0 BC3 ✔️ . On Closing all open alert filter retains to open state and we get a banner No result matching search criteria. Build Details: Screen-Cast: Alerts.-.Kibana.Mozilla.Firefox.2023-07-12.16-36-51.mp4Hence we are closing this issue and adding "QA:Validated" tag to it. thanks !! |
|
What is the default filter when navigating to the Alerts page after this change? If there are no open alerts, will it by default show "No results match your search criteria" like it used to? Or if there are no open alerts to show, will it undesirably show all closed alerts? I only ever care about closed alerts if I need to look at something historically. 99.999% of the time, I could care less about closed alerts; that's why they're closed. |
Yes, default filter remains as
This was previous behaviour which has been removed. |
|
There still seems to be an issue here. I have closed all instances of "Privileged Account Brute Force", but they are still showing even when I have the filter set to "Open".
And why are they highlighted a brownish-green color? Only alerts that are closed (and falsely showing here when they should not be) are highlighted like that. Alerts that are still open, and are properly showing, are not highlighted like that.
|
|
Hello @MakoWish ,
Additionally, I tried to reproduce this type of scenario but I could not. Could you please add |
|
The Privileged Account Brute Force rule is not actually a building block rule (as far as I can tell), so that is strange, but unchecking that box did hide those highlighted alerts. It seems the root issue here has still not been resolved, however. I am still not seeing an option to select only "Open" alerts, and it is therefore showing me all alerts again.
|
|
To add... I also noticed last week that the "Toggle column in table" link is no longer working. It does not actually add the column to the table anymore. I have been meaning to open a support ticket for this, but figured I would mention it here as well since you are asking me to add that column.
|
Could you please check again the rule details, it has to be building block ( or may be it was in past ) which created those building block alerts.
This is a different issue and It seems that the previous issue where Now in this case, it seems There are now 2 ways to choose
One good strategy is to keep
We already have ticket for it: #155243 |
It sure looks like a standard EQL query to me. Those alerts that were highlighted in the above screenshot are not building blocks, but the actual alerts. They were not highlighted until I closed them. After I closed them, they remained in view but were highlighted.
I didn't remove the filter, but I selected "Closed" to see if the alerts were showing highlighted there since I did actually close them. They were showing there as closed, but they were not highlighted. I then wanted to revert back to showing only "Open" alerts (none currently, but expecting to see those highlighted closed alerts still), but the option to select "Open" did not exist.
This needs to be changed. Not having a way to go back to showing only "Open" alerts is a problem. The previous design of having "tabs" for "Open", "Acknowledged", or "Closed" worked perfectly fine. I don't know why a decision was made to use the drop-down based only on available values. Every detection MUST have a status of Open, Acknowledged, or Closed, so why can that not be hard-coded into the drop-down?
Sorry, but saying not to check Ackowledged or Closed alerts is not a solution to being able to revert back to seeing only Open alerts. Eric |
This should not happen, would you be able to open a bug with reproduction steps, we will happy to look into it.
I understand what you are saying but I am not suggesting not to check Acknowleged or Closed Alerts. Consider below workflow. Here I was able to include/exclude closed alerts without removing Screen.Recording.2023-08-22.at.16.51.51.movThis is a new feature and we are still working to refine the workflow and currently, we do not have an elegant solution to this problem that event if alerts are not available, we still show the status. Currently, all drop downs are created on the basis of the data available. Edit:
This is because, drop downs are configurable and you can add any field to the drop down. We will see what is the best way to add hard coded values (eg. status and severity ) and it is on the roadmap but we will need to see how. |
|
You should honestly just revert back to the old method. It worked, it was easy, and it had no issues. This is still used on the individual rules, and again works perfectly fine, but it is no longer on the global "Alerts" page. This new method with the dropdown is just not working the way I believe it was intended.
|
|
@MakoWish , Are you on Elastic Community slack? It will be great for you to voice your concerns there as there are other users as well who are using this feature in variety of ways and product members as well who will be happy to take any feedback. Please raise the bug regarding highlighted fields with reproduction steps as well. Thanks. |
|
I am on the Slack channel. Is there an existing thread for this discussion? |
|
after |
Describe the bug: Previously, you could view Open, Acknowledged, or Closed alerts. Now, if there are no Open alerts, you cannot select to only show Open alerts; effectively showing you all closed alerts.
Kibana/Elasticsearch Stack version: 8.8.1
Original install method (e.g. download page, yum, from source, etc.): Yum
Functional Area (e.g. Endpoint management, timelines, resolver, etc.): Detection Rule Alerts
Steps to reproduce:
Current behavior: If there are no open alerts, you are shown all closed alerts.
Expected behavior: You should still have the ability to only show open alerts. If there are no open alerts, you should see 0, or "No results found." Showing closed alerts when you are only interested in seeing open alerts is very confusing.
Screenshots (if relevant):
The text was updated successfully, but these errors were encountered: