[Security Solution]comma separated process.arg not wraps properly

[ghost]

Describe the bug comma separated process.arg not wraps properly

Build Details

Version:8.2.0-SNAPSHOT
BUILD 51431
COMMIT a743498436a863e142592cb535b43f44c448851a

Steps

• Login to Kibana
• Generate some alert data , in our case we create a custom rule for process.name: "cmd.exe" and executed mutiple instance of cmd on windows host
• Click on Alert Flyout
• Observed that comma separated process.arg not wraps properly

Screen-Shoot

Additional Details:

• actual content copied in clipboard: process.args: "cmd,/c,rmdir,C:\Users\zeus\AppData\Local\Temp\peazip-tmp.pztmp\neutral22033117,/s,/q"

• filter in of above process.args

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[manishgupta-qasource]

Reviewed & assigned to @MadameSheema

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[michaelolo24]

@karanbirsingh-qasource - I'm not sure if this is a bug as each argument is shown on it's own line? Do you have a screenshot of how it might have worked before?

[ghost]

Hi @michaelolo24 thanks for looking into the issue, Yes each arguments should be shown in its own line , but if see the screen-shoot we can see some arguments which are long in length they moves to the next line . so it becomes difficult for user to known where the arguments actually ends using comma or proper warping will be good for this instance

please look into the below details for clarification:

actual content: process.args:"C:\Users\zeus\AppData\Local\Temp\peazip-tmp.pztmp\neutral22033117"

we can see as this argument is long in length it moved to next line which contradict our functioning that is each argument show on its own line but currently as per current UI it looks like they are 2 different arguments but actuall it is one argument

first argument : C:\Users\zeus\AppData\Local\Temp\peazip- second argument : tmp.pztmp\neutral22033117

[michaelolo24]

Thanks @karanbirsingh-qasource - Maybe we can provide some spacing between each argument to make it a little bit more distinct. That should help, because I think we'd still need to wrap the arguments given the space we have.

[PhilippeOberti]

While I couldn't reproduce the process.arg exactly, I looked at the new Table on the expandable flyout, and we show a value per row, so I believe this was fixed when we moved to the expandable flyout

[MadameSheema]

@PhilippeOberti I've checked the latest version and the problem is still there, so we cannot consider the issue to be fixed.

[PhilippeOberti]

@PhilippeOberti I've checked the latest version and the problem is still there, so we cannot consider the issue to be fixed.

@MadameSheema could you post a screenshot or video? I'm looking at endpoint.dev and things seem to be just fine... Do you see any issues in the video below? https://github.com/user-attachments/assets/b83c54b1-f55f-4f47-a7bc-b83cbce8c70b

[PhilippeOberti]

OK so it seems that the intent here is to better differentiate a long text that would overflow to the next line from a different entry. In the picture below, we have multiple entries and it is difficult to visually see that the last entry is just one long text that wraps onto the next rows and not multiple entries

@ferenrigue I can see a few ways to improve this:

• add some sort of separation symbol at the end of each row
• have some taller spacing between different entries and normal spacing when the text just wraps