
[Security Solution][Timeline] #181122

Open
stevengoossensB opened this issue Apr 18, 2024 · 9 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@stevengoossensB

Summary

Timeline does not include the NOT Exceptions filter depending on where it's launched from, e.g. from the quick button next to the alert.

Steps to reproduce:

  1. Open Kibana -> Security Solution -> Alerts
  2. Click on the timeline button in the alert overview
     (screenshot)
  3. This opens a timeline without the NOT Exceptions filter, showing all excluded events
  4. Click on the view details button and Take action -> Investigate in Timeline
     (screenshot)
     (screenshot)
  5. This opens a timeline with the NOT Exceptions filter, hiding all excluded events

Expected behavior

Both ways to access the timeline have the same behavior, including the NOT Exceptions filter

@stevengoossensB stevengoossensB added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed labels Apr 18, 2024
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@MadameSheema MadameSheema added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Investigations Security Solution Investigations Team labels Apr 18, 2024
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@michaelolo24
Contributor

Thanks for opening this issue @stevengoossensB ! We'll take a look into why this inconsistency is happening, thanks!

@PhilippeOberti
Contributor

@stevengoossensB thanks for opening this ticket! In order to help here we would need some more information. Could you answer the following questions when you get a chance:

  • which version of Kibana are you using?
  • what do you mean by NOT exceptions filter? Could you provide a screenshot of the timeline opened from the alert table and another one from the alert details flyout so we can compare? When trying locally, both look exactly the same for me
  • can you tell us if this behavior is happening for alerts generated by a specific rule, or are you seeing the problem across multiple rules?
    • if it is happening for a specific rule, could you give us details about this rule?

Thanks!

@stevengoossensB
Author

@PhilippeOberti

  • I've noticed the issue in version 8.12 and 8.13, so I assume it has always been present and is present everywhere

  • The not exceptions filter is a filter that gets added automatically. It contains all exceptions that are configured as part of the rule, so you need an alert for a rule with exceptions to possibly see the difference. In the below screenshots you can see the difference.

    • From the flyout: (screenshot)
    • From the alert table: (screenshot)
  • It happens for all rules that have exceptions configured

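The following is an added illustration, not Kibana's code or its exception data model, of what the NOT Exceptions filter described in the comment above does to a Timeline's result set. It assumes a simplified shape for a rule's exception list (entries inside an exception item are ANDed, items are ORed, and the whole list is negated), builds the corresponding Elasticsearch bool query, and evaluates the same logic locally over a few constructed events so the difference between a Timeline opened with and without the filter is visible. All field names, exception entries and events are constructed sample data.

```python
import json
from typing import Any

# Constructed sample: two exception items for one rule (assumed shape, not
# Kibana's own data model). Entries within an item are ANDed; items are ORed.
RULE_EXCEPTIONS: list[list[dict[str, Any]]] = [
    # item 1: a known build host running a known build tool
    [
        {"field": "host.name", "type": "match", "value": "build-server-01"},
        {"field": "process.name", "type": "match", "value": "msbuild.exe"},
    ],
    # item 2: any of the listed backup agents, on any host
    [
        {"field": "process.name", "type": "match_any", "value": ["backup.exe", "scanner.exe"]},
    ],
]

# Constructed sample events of the kind a Timeline would list for the rule.
EVENTS: list[dict[str, Any]] = [
    {"host.name": "build-server-01", "process.name": "msbuild.exe"},         # excepted by item 1
    {"host.name": "build-server-01", "process.name": "powershell.exe"},      # only half of item 1 matches: kept
    {"host.name": "ws-042", "process.name": "backup.exe"},                   # excepted by item 2
    {"host.name": "ws-042", "process.name": "unsigned-updater.exe"},         # kept
]


def entry_clause(entry: dict[str, Any]) -> dict[str, Any]:
    """Translate one exception entry into an Elasticsearch query clause."""
    if entry["type"] == "match":
        return {"match_phrase": {entry["field"]: entry["value"]}}
    if entry["type"] == "match_any":
        return {
            "bool": {
                "should": [{"match_phrase": {entry["field"]: v}} for v in entry["value"]],
                "minimum_should_match": 1,
            }
        }
    raise ValueError(f"unsupported entry type: {entry['type']}")


def not_exceptions_filter(items: list[list[dict[str, Any]]]) -> dict[str, Any]:
    """Bool query excluding every event that matches any exception item.

    must_not: [ (entry AND entry ...) , (entry ...) , ... ]
    """
    return {
        "bool": {
            "must_not": [
                {"bool": {"filter": [entry_clause(e) for e in item]}} for item in items
            ]
        }
    }


def entry_matches(event: dict[str, Any], entry: dict[str, Any]) -> bool:
    """Local equivalent of entry_clause, evaluated against one event document."""
    value = event.get(entry["field"])
    if entry["type"] == "match":
        return value == entry["value"]
    if entry["type"] == "match_any":
        return value in entry["value"]
    raise ValueError(f"unsupported entry type: {entry['type']}")


def is_excepted(event: dict[str, Any], items: list[list[dict[str, Any]]]) -> bool:
    """An event is excepted if ALL entries of ANY item match it."""
    return any(all(entry_matches(event, e) for e in item) for item in items)


def timeline_rows(
    events: list[dict[str, Any]],
    items: list[list[dict[str, Any]]],
    apply_not_exceptions: bool,
) -> list[dict[str, Any]]:
    """Rows a Timeline would show, with or without the NOT Exceptions filter."""
    if not apply_not_exceptions:
        return list(events)
    return [ev for ev in events if not is_excepted(ev, items)]


if __name__ == "__main__":
    print(json.dumps(not_exceptions_filter(RULE_EXCEPTIONS), indent=2))
    print("without filter:", len(timeline_rows(EVENTS, RULE_EXCEPTIONS, False)), "rows")
    print("with filter:   ", len(timeline_rows(EVENTS, RULE_EXCEPTIONS, True)), "rows")
```

With the filter applied only the two non-excepted events remain; without it all four are listed, which is the extra noise an analyst sees when the filter is dropped on one of the two pivot paths. If you want to confirm which path your Kibana version takes, compare the query in the Timeline's query bar (or the request in the browser's network tab) for a `must_not` clause of this shape rather than relying on row counts alone.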
@PhilippeOberti
Contributor

@stevengoossensB thanks for the details. At the moment I'm unable to reproduce the issue locally, on 8.12, 8.13 or the current state of our main branch. I asked a colleague and she was also unable to reproduce this. For us, the NOT Exceptions filter is never added to Timeline, independently of where we open it. I tried for a rule that has a single or multiple exceptions set up.

I'm pinging the rule management team to see if they have an idea. We'll get back to you as soon as we know more!

@stevengoossensB
Author

@PhilippeOberti Thanks, let me know if you need any more detail...

btw, maybe it wasn't clear from the message, but the preferred behavior would be to have all of the exclusions always excluded when pivoting toward the timeline. Without that, too much irrelevant data is shown to analysts.

@PhilippeOberti
Contributor

> @PhilippeOberti Thanks, let me know if you need any more detail...
>
> btw, maybe it wasn't clear from the message, but the preferred behavior would be to have all of the exclusions always excluded when pivoting toward the timeline. Without that, too much irrelevant data is shown to analysts.

Agreed on the preferred behavior!
