[Security Solution] Value list not properly updated when the file already exists #81153

Open
MadameSheema opened this issue Oct 20, 2020 · 1 comment
Labels
Feature:Rule Value Lists Security Solution Detection Rule Value Lists impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. needs design Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@MadameSheema
Member

Info:

  • Found during testing on 7.9 branch
  • Commit: 79a311a

Preconditions:

  • To have a value list already uploaded.

Steps to reproduce:

  1. Go to Security > Detections
  2. Click on Manage detection rules
  3. Click on Upload value lists
  4. Upload a file with the same name as the previous one uploaded and different content

Current behaviour:

  • The toaster displayed informs you that the file was properly uploaded
  • The Upload Date is not updated, which reflects that the file was not uploaded or updated

Expected behaviour:

  • TBD

Commented on 18th Aug by @spong:
Note Upload Date is not updated as it references created_at which will not be updated. So we potentially want to use updated_at instead/in addition. Additionally, these new list items will not be de-duped.

@MadameSheema MadameSheema added Team:Detections and Resp Security Detection Response Team bug Fixes for quality problems that affect the customer experience labels Oct 20, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
@peluja1012 peluja1012 added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Oct 28, 2020
@peluja1012 peluja1012 added the Feature:Rule Value Lists Security Solution Detection Rule Value Lists label Nov 17, 2020
@peluja1012 peluja1012 added the Team:Security Solution Platform Security Solution Platform Team label Mar 18, 2022
@yctercero yctercero added needs design and removed bug Fixes for quality problems that affect the customer experience labels May 10, 2022
@yctercero
Contributor

Updated the ticket tags to remove bug as there isn't a bug in functionality, but an update needed to this modal to improve user experience.

@spong referenced this in the ticket details, but to go into it a bit more in depth for context... Large value lists are composed of the parent list document and the child items (each an individual document). When a list with matching title and type is uploaded, it appends those items to the existing list; NO updates are made to the parent list document. That means that just by viewing the parent list document, you cannot tell that items were added, deleted, etc. Even exposing the updated_at date would not give the user any more context in this scenario.

We need to revisit large value lists to determine what changes might be needed. A few notes:

  • Per the larger Kibana pattern, this modal should probably be moved to a flyout
  • Users should be prompted that a matching list was found and asked if they want items appended (there's no deduplication done) or if they want a new list created
  • Any plans on having a list management view? Right now the only place large value lists can be seen is in this modal.

cc @yiyangliu9286 @peluja1012
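
The append behaviour described in the comment above can be checked from the child items rather than the parent document. The following is an added example, not Kibana's code and not part of the original thread: it audits a value list for duplicate values and for items created after the parent's last recorded change. The document shapes, the `list_id` and `created_at` item fields, the sample values and the `toleranceMs` parameter are assumptions made for illustration.

```javascript
// Constructed sample data: one parent list document and its child items.
// Field names follow those mentioned in this issue (created_at, updated_at);
// the list id, values and timestamps are invented.
const parentList = {
  id: 'blocked_ips.txt',
  type: 'ip',
  created_at: '2020-08-10T09:00:00.000Z',
  updated_at: '2020-08-10T09:00:00.000Z',
};
const items = [
  { list_id: 'blocked_ips.txt', value: '10.0.0.1', created_at: '2020-08-10T09:00:01.000Z' },
  { list_id: 'blocked_ips.txt', value: '10.0.0.2', created_at: '2020-08-10T09:00:01.000Z' },
  // Second upload of a file with the same name: items appended, no de-duplication.
  { list_id: 'blocked_ips.txt', value: '10.0.0.2', created_at: '2020-10-20T14:30:00.000Z' },
  { list_id: 'blocked_ips.txt', value: '10.0.0.3', created_at: '2020-10-20T14:30:00.000Z' },
];

// Summarize what the parent document alone cannot show.
// toleranceMs (assumed) absorbs the gap between parent and item writes
// during the initial upload so that it is not reported as an append.
function auditValueList(list, listItems, toleranceMs = 60000) {
  const own = listItems.filter((item) => item.list_id === list.id);
  const counts = new Map();
  let newest = null;
  for (const item of own) {
    counts.set(item.value, (counts.get(item.value) || 0) + 1);
    if (newest === null || Date.parse(item.created_at) > Date.parse(newest)) {
      newest = item.created_at;
    }
  }
  const duplicates = [...counts].filter(([, n]) => n > 1).map(([v]) => v).sort();
  const parentTime = Date.parse(list.updated_at || list.created_at);
  return {
    totalItems: own.length,
    uniqueValues: counts.size,
    duplicates,
    newestItemCreatedAt: newest,
    // True when items were added after the parent's last recorded change.
    appendedAfterParent:
      newest !== null && Date.parse(newest) - parentTime > toleranceMs,
  };
}

console.log(auditValueList(parentList, items));
```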

@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Security Solution Platform Security Solution Platform Team labels May 14, 2023