elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solutions] [Alerts] Alert Displays Filtering and Sorting Icons for Non-ECS Fields #166168

Open WafaaNasr opened 1 year ago

WafaaNasr commented 1 year ago

Kibana version: recent

Describe the bug: The Alert details flyout displays the icon for filtering and sorting for non-ECS fields. However, clicking these icons leads to a blank page, and the associated API requests fail to provide the expected results.


Steps to reproduce:

  1. If using the Windows integration is not feasible, employ the winlog mappings as an alternative.
  2. Install the prebuilt rule Potential Credential Access via DCSync.
  3. Create an index containing a non-ecs field using the following POST request:

     ```
     POST winlogbeat-test/_doc
     {
       "@timestamp": "2023-09-11T12:17:29.753Z",
       "event": {
         "action": "Directory Service Access",
         "code": "4662",
         "ingested": "2023-09-11T12:17:29.753Z"
       },
       "winlog": {
         "event_data": {
           "Properties": "DS-Replication-Get-Changes",
           "AccessMask": "0x100",
           "SubjectUserName": "subject username "
         }
       }
     }
     ```

     The `winlog.event_data.*` keys (e.g. `SubjectUserName`) are the non-ECS fields.

Expected behavior:

The Alerts UI should avoid indicating that users have the ability to filter on fields that are absent from the Alerts mapping.
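As an added example (not part of the original issue or of the Kibana code base), the following Python check implements what the expected behaviour above asks for: flatten an event document into dotted field paths and report the ones the alerts index mapping does not declare, which is exactly the set for which filter and sort icons should not be offered. The mapping slice and the document are constructed samples modelled on the reproduction step; field names are assumptions, not taken from a real alerts mapping.

```python
# Constructed sample: a slice of an ECS-style alerts index mapping.
# "winlog.event_data" is declared only as an untyped object, so nothing
# underneath it is a filterable leaf field.
ALERTS_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "event": {
            "properties": {
                "action": {"type": "keyword"},
                "code": {"type": "keyword"},
                "ingested": {"type": "date"},
            }
        },
        "winlog": {"properties": {"event_data": {"type": "object"}}},
    }
}

# Constructed sample: the document from the reproduction step.
SAMPLE_DOC = {
    "@timestamp": "2023-09-11T12:17:29.753Z",
    "event": {"action": "Directory Service Access", "code": "4662",
              "ingested": "2023-09-11T12:17:29.753Z"},
    "winlog": {"event_data": {"Properties": "DS-Replication-Get-Changes",
                              "AccessMask": "0x100",
                              "SubjectUserName": "subject username "}},
}


def flatten(doc, prefix=""):
    """Yield a dotted path for every leaf value in a (nested) document."""
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            yield from flatten(value, path)
        else:
            yield path


def is_mapped(path, mapping):
    """True only if the dotted path resolves to a typed leaf field in the mapping."""
    node = mapping
    for part in path.split("."):
        props = node.get("properties")
        if not props or part not in props:
            return False
        node = props[part]
    return node.get("type") not in (None, "object")


def unmapped_fields(doc, mapping):
    """Sorted leaf paths of doc that the alerts mapping does not declare."""
    return sorted(p for p in flatten(doc) if not is_mapped(p, mapping))
```

Running `unmapped_fields(SAMPLE_DOC, ALERTS_MAPPING)` on the sample returns the three `winlog.event_data.*` paths, the fields for which the flyout currently shows filter and sort icons.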

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 8 months ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine commented 8 months ago

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

michaelolo24 commented 8 months ago

@WafaaNasr - Thank you for opening this issue! If you don't mind, can you check if this is also happening for the new expandable flyout as well?

michaelolo24 commented 8 months ago

Linking this related issue: https://github.com/elastic/kibana/issues/170167

christineweng commented 7 months ago

@michaelolo24 it appears this is happening in the new flyout as well.

Opening an endpoint event and filtering on a field in the table tab:

PhilippeOberti commented 1 week ago

This is still an ongoing issue and part of a broader issue about working with non-ECS compliant fields. We can keep this ticket open but the issue will most likely be resolved in a broader effort...