[Security Solution]ES|QL query tab resetting to discover tab.

[sukhwindersingh-qasource]

Describe the bug: ES|QL tab query reseting to discover.

Kibana/Elasticsearch Stack version Version:8.11.0-SNAPSHOT commit:b8dc9b47eabdacfd73dde39196f2311eb83d0240 build:67811

Browser and Browser OS Version: Firefox for windows OS Version: 118.0.1

Elastic Endpoint Version: 8.11.0

Original install method: None

Functional Area: ES|QL

Initial Setup:

• Alerts should be present

Steps to reproduce

• Go to Timeline Page and create one timeline
• Move to ES|QL tab of timeline
• Enter the ES|QL query :- " from .alerts-security.alerts-default| limit 100"
• Select quick date select as 1 year.
• Save the timeline
• Now open the timeline and attach it to the Existing case or New case
• Go to Timeline Page.
• Open the saved timeline.
• Observe ES|QL tab query resetting to discover tab

Additional Observation

• Issue is occuring on chrome browser as well
• Same behavior can be seen when we save the timeline then duplicate it, and open the saved timeline again.

Current behavior

• ES|QL query tab resetting to discover tab.

Expected behavior:

• ES|QL query tab should not reset to discover tab.

Screen-Shot:

Create a timeline

https://github.com/elastic/kibana/assets/108654988/cc793fef-972a-4999-8838-4ff9a89e8ea2

Opened the saved timeline to check it is working correctly

https://github.com/elastic/kibana/assets/108654988/d4657eb2-31ad-40b7-8b3f-159c8c6a71fb

Opening the timeline After Attaching it to case

https://github.com/elastic/kibana/assets/108654988/5c352e47-7d94-4a22-8274-77306ec0d919

Errors in browser console:

• None

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[sukhwindersingh-qasource]

@manishgupta-qasource kindly review this

[manishgupta-qasource]

Reviewed & assigned to @MadameSheema

[michaelolo24]

@sukhwindersingh-qasource - Is this happening after an upgrade with older data or is everything on a fresh instance of 8.11? @jamesspi has seen this behavior as well, but following the steps you outlined, I've been unable to reproduce it

[sukhwindersingh-qasource]

Hi @michaelolo24 It happened on the fresh 8.11.0 - Snapshot Insatance, we have tried this today on the latest snapshot

VERSION: 8.11.0
BUILD: 67841
COMMIT: 636a8339cfad92998a5a5adb7be81e3546525ebf

We are also not able to reproduce this on the latest snapshot. But we tried this again on the snapshot build we used yesterday and we are able to reproduce this, Sometimes it get reproduce with these exact steps sometimes not. We are not sure whats causing this behavior we can share the build with you if it is required.

Please find below the testing details

Build Details: VERSION: 8.11.0 BUILD: 67811 COMMIT: b8dc9b47eabdacfd73dde39196f2311eb83d0240

Screen Recording:

https://github.com/elastic/kibana/assets/108654988/fa72c159-d3d0-43c5-816d-344eb2f23cd0

Please do let us know if anything else is required from our end. Thanks !

[MadameSheema]

@sukhwindersingh-qasource may you please share the credentials of the scenario where you can reproduce the issue? Thanks! :)

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[logeekal]

this has been fixed with PR #168716 . Please test it in the next BC

[karanbirsingh-qasource]

thanks @logeekal for the update.

we will regress this issue once this issue get fixed as currently we are facing issue saving timeline getting discovery error.

[karanbirsingh-qasource]

rechecked the issue on creating new 8.11.0 instance and now able to save the timeline but mentioned issue of query tab reset is still persistent.

Build Details:

Version: 8.11.0 BC2
Commit: 636a8339cfad92998a5a5adb7be81e3546525ebf
Build: 67841

Current Result:

https://github.com/elastic/kibana/assets/59917825/aacd70e3-dbe9-475e-856e-1a1ca5aacd24

Expected Result:

[logeekal]

Thanks @karanbirsingh-qasource , I forgot that BC3 is not yet build and will be available tomorrow. Since this issue was fixed after BC2 as mentioned here, could you please test it in BC3?

[cybersecdiva]

Tested in 8.11.0 BC9

Build Details:

VERSION: 8.11.0 BC9
BUILD: 68160
COMMIT: f2ea0c43ec0d854259d63d926b97e5c556b5f6b2

Preconditions:

• Kibana must be running

Describe the bug: ES|QL tab query reseting to discover

Steps to reproduce:

1. Navigate to Security -> Timelines-> Create a Timeline
2. Click on Create a Timeline
3. Select ES|QL Tab
4. Expand the ES|QL Query Window
5. Delete the default ES|QL query and enter your query
6. Select a time period, in this case I selected Last 90 days
7. Click on ▶️ to execute the query
8. Select a rule and click on the calendar icon next to the date time selector
9. In my example ES|QL test scenario, I created two ES|QL queries with the following condition:

• A query I generated to detect and identify threat indicator malware signature file types:

from logs-ti_abusech.malware-default [metadata _id, _index, _version] | where threat.indicator.file.type == "elf" or threat.indicator.file.type == "dll"| sort threat.indicator.type, @timestamp desc

• The initial query executed to test when this bug was reported: from .alerts-security.alerts-default| limit 100

10. After query is executed, observe page results
11. Save the Timeline
12. Go back to Timelines
13. Open the Saved Timeline
14. Attach the Saved Timeline to an existing case or create a new case
15. Click on the Timeline in the case or navigate back to Timelines and click on the saved timeline
16. In the Saved Timeline, Select ES|QL Tab and observer results

Current behavior: ES|QL query tab is not resetting to Discover tab and remaining on the timelines page ES|QL query tab

Expected behavior: ES|QL query tab is not resetting to Discover tab and remaining on the timelines page ES|QL query tab

Observations:

• ES|QL Query was performed using two queries:

Query 1 (provided when bug was first reported): from .alerts-security.alerts-default| limit 100

Query 2 (a custom query I created for threat intel and malware investigations purposes): from logs-ti_abusech.malware-default [metadata _id, _index, _version] | where threat.indicator.file.type == "elf" or threat.indicator.file.type == "dll"| sort threat.indicator.type, @timestamp desc

After execution of both queries and attaching to existing and new cases, the results displayed were that the ES|QL query tab did not reset to Discover tab and remained in the ES|QL Query tab in Timelines

Screenshots of behavior:

Query 1 using query reported in bug (results show after attaching an existing case):

Query 2 generated to query threat indicator files from abuse.ch (results show after attaching a newly created case):

Screen share recording:

https://github.com/elastic/kibana/assets/35679937/c15beba5-40dc-427b-ab96-ed2ce8b798d3

Conclusion:

• Behavior is performing as expected.
• Validating that this bug is fixed ✅ with QA Validation and closing

@MadameSheema @logeekal @michaelolo24 QA Validation Fixed ✅ per testing in 8.11.0