elastic / kibana

[Security Solution] On hover actions are not present for "message" field when it has data under timelines. #120741

Open ghost opened 2 years ago

ghost commented 2 years ago

Describe the bug: On hover actions are not present for "message" field when it has data under timelines.

Build Details:

  - Version: 8.0.0-SNAPSHOT
  - Commit: ad3660f3acbfe6eb809d869b908221edf2846313
  - Build: 48594

Preconditions

  1. Kibana should be running.
  2. Beats should be installed.

Steps to Reproduce

  1. Navigate to Timelines tab and click on create new timeline.
  2. Enter the KQL query and generate the events.

Screen-Records

https://user-images.githubusercontent.com/91867110/145194037-a299c943-cce2-4efd-85e7-fda84e1fc92c.mp4

Remarks

The same issue is occurring on 7.16.0 as well.

https://user-images.githubusercontent.com/91867110/145194770-cba26b6b-70f4-474e-a6ea-6ed62d735c24.mp4

elasticmachine commented 2 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

michaelolo24 commented 2 years ago

@karanbirsingh-qasource I don't think this is a bug as the message field isn't one that was ever actionable I believe? The hover actions only show on draggable fields in the timeline, and that is not draggable either.

ghost commented 2 years ago

Hi @michaelolo24 ,

We would like to confirm the following: if the message field is empty, on-hover actions are available for it, and if it has data, the actions are missing. Please confirm whether this is expected, so we are good to close this bug.

Screen records:

8.0.0 Snapshot build

https://user-images.githubusercontent.com/91867110/145335778-bda2702d-3ffb-477e-a885-688739575fe5.mp4

7.16.0 build

https://user-images.githubusercontent.com/91867110/145335840-e97f5368-ccc1-43ec-8129-0c95fb7cc86a.mp4

Thanks!

MadameSheema commented 2 years ago

@michaelolo24 @monina-n can you please confirm the above? Thanks :)

michaelolo24 commented 2 years ago

@MadameSheema - Communicated with @andrew-goldstein on this issue and he graciously took a look at a 7.14 instance he has and saw that the message field was only actionable when the field was empty with (filter in and filter out). We can wait for confirmation from @monina-n, but based on Andrew's investigation I would say the above is correct.

michaelolo24 commented 2 years ago

We may be able to actually enable this moving forward, as it seems the rationale behind disabling it on the ECS side may no longer exist. Going to make this issue an enhancement to enable it for messages.

monina-n commented 2 years ago

@michaelolo24 that all sounds good with me - thanks for looking into it!

elasticmachine commented 2 years ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)