[Security Solution] Search button does not filter data under the exception list tab. #88450

Closed
muskangulati-qasource opened this issue Jan 15, 2021 · 8 comments
Labels: bug, impact:high, QA:Validated, Team:Detections and Resp, Team: SecuritySolution, v7.12.0

Comments

@muskangulati-qasource

Describe the bug
Search button does not filter data under the exception list tab.

Build Details:

Version: 7.11.0 BC3
Commit: b9c97fb364139c48ef619140534af4eea195a629
Build number: 37694
Artifact: https://staging.elastic.co/7.11.0-e9e2951f/summary-7.11.0.html

Browser Details
All

Preconditions

  1. Cloud environment on staging should exist.

Steps to Reproduce

  1. Navigate to Kibana URL on Browser.
  2. Click on the "Detections" tab under Security from the left navigation bar.
  3. Click on 'Manage Detection Rules' and load all the pre-built Elastic Rules.
  4. Click on the Exception list and observe default entry 'endpoint_list' added for the 'Endpoint Security' rule.
  5. Click on the Search button and observe that data is not filtered.

Test data
N/A

Impacted Test case(s)
N/A

Actual Result
Search button does not filter data under the exception list tab.

Expected Result
Search button should filter data under the exception list tab.

What's Working
N/A

What's not Working
N/A

Screenshots
Searching

Logs
N/A

muskangulati-qasource added the bug and Team: SecuritySolution labels Jan 15, 2021
@muskangulati-qasource
Author

@manishgupta-qasource Please review!

manishgupta-qasource added the impact:high and v7.11.0 labels Jan 15, 2021
@manishgupta-qasource

Reviewed & Assigned to @MadameSheema

@MadameSheema
Member

@peluja1012 @spong can you please help to prioritise this? Thanks :)

@spong
Member

spong commented Jan 16, 2021

If simple we should fix for 7.11, and if not, hide the search bar until this can be fixed. @yctercero, would you be able to take a look at this next week please?

spong pushed a commit that referenced this issue Jan 20, 2021
… (#88784)

## Summary

Temporarily addresses #88450

A follow-up PR will address the full fix.

### Issue
Exceptions table search not functioning as expected.

### Diagnostic
The exception list SO properties are mapped as keywords, meaning ES does not tokenize them. Need to add a `text` mapping for fields we want to search on in order for search to work as expected. Expectations for exceptions table search being:
- I can search `Endpoint Security` and get results that match `Endpoint` or `Security`
- I can search `"Endpoint Security"` and it will conduct an exact match search

It's too late in the release cycle for mappings updates - a follow-up PR will properly fix search.

### Without Search
<img width="1766" alt="Screen Shot 2021-01-19 at 7 52 01 PM" src="https://user-images.githubusercontent.com/10927944/105112279-aed64300-5a90-11eb-95fc-1922eb2055e9.png">

 
### Checklist

- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
peluja1012 pushed a commit that referenced this issue Jan 20, 2021
… (#88784) (#88795)


Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
peluja1012 pushed a commit that referenced this issue Jan 20, 2021
… (#88784) (#88794)


Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
@yctercero
Contributor

Because the fix included changes to mappings, we simply removed search for 7.11.

However, the fix for this is now included in #88701.

yctercero added a commit that referenced this issue Feb 11, 2021
…y name (#88701)

Addresses #88450

Issue
Search was not working as expected because the exception list property name is mapped as a keyword - this means it does not get tokenized, which is why one-word searches were working, but if the name included multiple words and was partial, it was not filtering properly.
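
The keyword-versus-text behaviour described in the two commit messages above, as an added example that is not Kibana's or Elasticsearch's code: a simplified JavaScript model in which a lowercase word split stands in for the text analyzer, quoted input is treated as a phrase, and unquoted words are ORed. The list names and every function name here are constructed for illustration.

```javascript
// Simplified model (added example): which terms a field exposes to search
// depends on its mapping type. Not Elasticsearch's real analyzer.
const analyze = (s) => s.toLowerCase().split(/[^a-z0-9_]+/).filter(Boolean);

// keyword: the whole value is a single, unmodified term.
// text: the value is broken into one lowercase term per word.
function indexTerms(value, mappingType) {
  return mappingType === 'keyword' ? [value] : analyze(value);
}

// Search-box input: "quoted runs" become phrase clauses, other words stand alone.
function parseQuery(input) {
  const clauses = [];
  const re = /"([^"]+)"|(\S+)/g;
  let m;
  while ((m = re.exec(input)) !== null) {
    clauses.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return clauses;
}

function clauseMatches(clause, value, mappingType) {
  const terms = indexTerms(value, mappingType);
  if (mappingType === 'keyword') {
    return terms[0] === clause; // must equal the entire stored value
  }
  const wanted = analyze(clause);
  if (wanted.length === 0) return false;
  // Tokens must appear consecutively and in order (a single word is a 1-token phrase).
  return terms.some((_, i) => wanted.every((t, j) => terms[i + j] === t));
}

// Clauses are ORed, matching the expectation stated in the commit message.
function search(names, input, mappingType) {
  const clauses = parseQuery(input);
  return names.filter((n) => clauses.some((c) => clauseMatches(c, n, mappingType)));
}

// Constructed sample list names, not taken from the issue.
const SAMPLE_NAMES = ['Endpoint Security Exception List', 'Endpoint', 'Security team overrides', 'Trusted hosts'];

for (const type of ['keyword', 'text']) {
  for (const q of ['Endpoint Security', '"Endpoint Security"']) {
    console.log(type.padEnd(8), q.padEnd(22), JSON.stringify(search(SAMPLE_NAMES, q, type)));
  }
}
```

With the keyword model, only a name that equals a search word in full is returned, which is why a multi-word list name drops out of the results for a partial search.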
yctercero added a commit that referenced this issue Feb 12, 2021
…y name (#88701) (#91255)

@MadameSheema
Member

@muskangulati-qasource can you please validate this issue on 7.12? Thanks :)

@muskangulati-qasource
Author

Hi @MadameSheema,

We tested this ticket on the latest 7.12.0 BC2 and found that the issue is now fixed. We are able to search the exception lists correctly. Please find detailed information below.

Build Details:

Version: 7.12.0 BC2
Commit: 4f65a5a1268fa78f1af9117d12312e1cee433376
Build number: 39000
Artifact: https://staging.elastic.co/7.12.0-37f40745/summary-7.12.0.html

Refer Screenshots:

  • Searched the existing entry:
    Search1

  • Searched a non-existing entry:
    Search2

Hence closing this ticket and marking it as 'Validated'.

Thanks!!

muskangulati-qasource added the QA:Validated label Feb 25, 2021
@ghost

ghost commented Mar 26, 2021

Bug Conversion:

Created 01 Test-Case for this Ticket
https://elastic.testrail.io/index.php?/cases/view/76924

Thanks!!
