
Report false result when using logical operator #3853

Closed
elwali10 opened this issue Feb 21, 2022 · 2 comments · Fixed by #3861
Labels: request/operational (Operational requests), type/bug (Bug issue)

Comments

@elwali10 (Member) opened the issue:

Wazuh: 4.2.4
Elastic: 7.10.2
Rev: 4205-1
Security: ODFE
Browser: Chrome, Firefox

Description

When using a Lucene search query containing a logical operator, the real result is not reflected in the report.

Steps to reproduce

  1. Navigate to any dashboard and apply the filter agent.name:(*w*) OR agent.name:(*D*) as shown below:

     [screenshot: filterdash2]

  2. Generate a report:

     [screenshot: reporvuln]

  3. The result reflects only the Windows agent, although it should include the Debian agent as well.
@Desvelao (Member) commented Mar 8, 2022

Hi @elwali10 ,

I see, in the screenshot you posted, that you have sample data added. The highlighted agents are called Windows and Debian, these could be 2 agents from the sample data.

The table in the report shows information about the top agents with medium vulnerabilities among the real agents that your environment has. This means that the top agent IDs with the most alerts under the mentioned condition are obtained, and then these agent IDs are used to get the agent data from the Wazuh API. If your environment does not have an agent with one of those top IDs, it won't appear in the table of the report.

On the other hand, the agent name in the report table is IE11Win10, neither Debian nor Windows as displayed in the dashboard, and it could appear in the table because the real agent ID is the same as that of the Debian or Windows fake agents (which generated the alerts).
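The following is an added illustration of the three-step pipeline described in the comment above (filter alerts with an OR of wildcard terms, take the top agent IDs by alert count, then join those IDs against the agent inventory). It is not Wazuh code: the alerts, the agent IDs (001, 002, 003) and the inventory dictionary standing in for the Wazuh API are all constructed for the example, and the wildcard matching is a case-sensitive approximation of a Lucene wildcard query on a keyword field.

```python
"""Simulates how a report table can drop an agent that the dashboard shows.

Step 1: apply the OR-ed wildcard filter to the alerts.
Step 2: count matching alerts per agent.id (like a terms aggregation).
Step 3: join the top IDs against the agent inventory; IDs the inventory does
        not know are dropped, and the displayed name comes from the inventory.
Added example with constructed data, not Wazuh's own implementation.
"""
import fnmatch
from collections import Counter

# Constructed alerts. Agents 001 and 002 stand in for sample-data agents.
SAMPLE_ALERTS = [
    {"agent": {"id": "001", "name": "Windows"}},
    {"agent": {"id": "001", "name": "Windows"}},
    {"agent": {"id": "002", "name": "Debian"}},
    {"agent": {"id": "003", "name": "centos"}},
]

# Constructed inventory standing in for the Wazuh API agent list (assumption):
# only 001 and 003 exist as real agents, and 001's real name differs from
# the name carried on the sample alerts.
REAL_AGENTS = {"001": "IE11Win10", "003": "centos"}

# The filter from the issue, already split into OR-ed (field, pattern) clauses.
QUERY = [("agent.name", "*w*"), ("agent.name", "*D*")]


def get_field(doc, path):
    """Resolve a dotted field path such as 'agent.name' against a nested dict."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def matches(alert, clauses):
    """True if any clause matches (logical OR). Wildcards are matched
    case-sensitively, like a Lucene wildcard query on a keyword field."""
    for field, pattern in clauses:
        value = get_field(alert, field)
        if value is not None and fnmatch.fnmatchcase(str(value), pattern):
            return True
    return False


def top_agent_ids(alerts, clauses, size=5):
    """Step 2: agent IDs with the most matching alerts, most frequent first."""
    counts = Counter(get_field(a, "agent.id") for a in alerts if matches(a, clauses))
    return counts.most_common(size)


def report_rows(alerts, clauses, inventory, size=5):
    """Step 3: keep only top IDs that the inventory knows; the name shown is
    the inventory's name, not the one on the alerts."""
    rows = []
    for agent_id, n in top_agent_ids(alerts, clauses, size):
        if agent_id in inventory:
            rows.append({"id": agent_id, "name": inventory[agent_id], "alerts": n})
    return rows


if __name__ == "__main__":
    # Both sample agents match the filter, but only 001 survives the join,
    # and it is shown under its inventory name rather than "Windows".
    print(top_agent_ids(SAMPLE_ALERTS, QUERY))
    print(report_rows(SAMPLE_ALERTS, QUERY, REAL_AGENTS))
```

Running it shows agents 001 and 002 both passing the OR filter, while the joined table contains only 001 under the inventory name IE11Win10. Whether that is what happens in a given environment depends on whether every agent ID present on the alerts also exists in the agent inventory the report queries.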

@elwali10 (Member, Author) commented Mar 9, 2022

Hello @Desvelao,

The same behavior occurs in environments with real data. I am including screenshots for your reference:
[screenshots attached]

Regards,
Wali
