[Security Solution]User selecting alerts by select all option, disables attach to new case and existing case options.

elastic / kibana

Your window into the Elastic Stack

https://www.elastic.co/products/kibana

Other

19.64k stars 8.23k forks source link

[Security Solution]User selecting alerts by select all option, disables attach to new case and existing case options. #153354

Open sukhwindersingh-qasource opened 1 year ago

sukhwindersingh-qasource commented 1 year ago

Describe the Question:

User selecting alerts by select all option, disables attach to new case and existing case options.
Even if the count of alerts are very less like 10, 20 .But if we select 10, 20 alerts manually then we can use these options.
What is the logic behind this and is this behavior is expected.

Build Details:

VERSION: 8.7.0 BC6
BUILD: 61051
COMMIT: 04ef24287f26854ad99a46ae983854c6184717cb

Preconditions

Kibana should be running.
User should have 10 alerts present on alerts tab.

Steps to Reproduce

Navigate to Security.
Navigate to Alerts tab.
Select 10 alerts manually and click on selected 10 alerts tab.
Observe that attach to new case and existing case options are enable.
Now select alerts by select all option.
Observe that attach to new case and existing case options are disable.

Screen-Recording

https://user-images.githubusercontent.com/108654988/226565662-230a3dc3-66c7-4a09-8b3a-c7e298885e60.mp4

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 1 year ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

MadameSheema commented 1 year ago

@michaelolo24 can you please take a look at this when you have a chance? sounds like a bug to me.

XavierM commented 1 year ago

OOps sorry @michaelolo24, I made a mistake here, wrong ticket

michaelolo24 commented 1 year ago

Hey @sukhwindersingh-qasource - Thanks for the question! I'm actually not sure myself. Looking at this PR https://github.com/elastic/kibana/pull/130958 I think that maybe @academo or someone on the @elastic/response-ops-cases team may have input / feedback? The behavior is the same for the alert table in Security as well as the one in Observability.

cnasikas commented 1 year ago

When the user uses the "Select All alerts" button the alerts table posts an ES query to update the alerts and not the alert IDs. Cases do not support ES queries to add alerts to a case. For this reason, the buttons are disabled in query mode here. I understand that it feels weird if you have only a few alerts. Maybe the "Select All" button can switch to alert IDs if it selects only what the user sees (like the bulk actions). @XavierM What do you think?

PhilippeOberti commented 2 weeks ago

@cnasikas I see from the ticket linked above back on May 4th that this was fixed, though when I test it on latest main I still see the same behavior... https://github.com/user-attachments/assets/50715b4c-542b-4e96-9bc8-dd9be2225086