[Security Solution][Sourcerer] Delay in Alerts Security Data View initialization after Alerts index is created

spong commented 2 years ago

First identified by @xcrzx over in https://github.com/elastic/kibana/pull/130072#discussion_r862946360, it was noticed that there can be a delay between when Sourcerer initializes the Alert Security Data View and when the actual index is created, resulting in a few errors on the page and some features not working as expected until the Alert Security Data View is fully initialized. This is a by-product of the alerts index not being created until the first alert is detected/written, and Sourcerer not being synced with other network requests on the Rule Details page (and so you can refresh Alerts/Execution Logs without an active Sourcerer, resulting in errors).

To reproduce:

Start clean ES (from kibana root)

yarn es snapshot --license trial -E xpack.security.authc.api_key.enabled=true -E path.data=$DEV_HOME/es-data -E path.repo=${DEV_HOME}/snapshots
Start kibana

yarn kbn bootstrap && yarn start
Navigate to Security Solution and create a Rule
Notice error toasts

Error shown to user when Sourcerer can't initialize

Sourcerer uninitialized in UI

Refresh after alerts index is created Sourcerer is then initialized

Expected behavior:

Suppress error shown when Sourcerer is uninitialized on Alerts/Rules Pages -- this isn't helpful to the user in this instance as they don't need to do anything to fix it, but rather just need to wait for their first alert to be created
- Edit: This error actually is useful as it tells the user to refresh, but in this instance refreshing before an alert is made will not resolve the issue, so may want to just adjust copy here.
Attempt to refresh Sourcerer state if uninitialized when /api/detection_engine/index is updated on the page or before other dependent requests are made. I.e., ensure subsequent calls to get alerts/execution logs/etc also trigger a re-initialization of Sourcerer so they aren't in a bad state.

elasticmachine commented 2 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 2 years ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 1 month ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine commented 1 month ago

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

elastic / kibana