[Security Solution]Highlighted field information not available after deleting rule

[karanbirsingh-qasource]

Describe the bug: Highlighted field information not available after deleting rule

Kibana/Elasticsearch Stack version Version: 8.11.0 BC3 Commit: 714189fa2b0f0a4d9f3865a8fce08261211570c8 Build: 67923

Browser and Browser OS Version: Firefox for windows OS Version: 118.0.1

Elastic Endpoint Version: 8.11

Original install method: None

Functional Area: Alert Flyout

Initial Setup:

• Create Rule and generate alert
• Open Alert details fly out and check the highlighted field details Delete the rule

Steps to reproduce

• Go to Alert page
• Click on view details of alert ( deleted rule )
• Observed that Highlighted field details are not showing

Additional Observation

• Issue is not occuring on 8.10.3

https://github.com/elastic/kibana/assets/59917825/ce8fd7ae-f052-4469-89df-82a2e03ee78a

Current behavior

• Highlighted field information not available after deleting rule

Expected behavior:

• Highlighted field information should be available even after deleting rule

Screen-Shot:

https://github.com/elastic/kibana/assets/59917825/f023d7dd-fc85-46ac-b95e-d1f66ba0c665

details of field( that are not showing under highlighted fields )are unavailable under the table tag

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[MadameSheema]

@karanbirsingh-qasource may you please quickly check if the same behaviour is present on 8.10.x release? Also can you let us know if the rule that generated the alert had any custom hightlighted fields? Thanks!! :)

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[karanbirsingh-qasource]

@MadameSheema glo issue is not occuring on 8.10.3 and screen cast is present in Additional Observation section of bug

[MadameSheema]

Thanks @karanbirsingh-qasource!! :)

[karanbirsingh-qasource]

and no there was no additional custom highlighted field added in rule just default set of field which show at own

[michaelolo24]

@karanbirsingh-qasource, do the highlighted fields appear in the old flyout if you toggle the advanced setting to the old flyout?

[karanbirsingh-qasource]

@michaelolo24 on changing the fly out to old style the highlighted field get present.

[michaelolo24]

Great, thanks so much @karanbirsingh-qasource !

[michaelolo24]

@karanbirsingh-qasource one last question...in the new flyout does the loading state that you see eventually timeout?

Looks like the issue is here: https://github.com/elastic/kibana/blob/11b1bc77a6260d5f59b977607eae4a1f4ab63a0a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/highlighted_fields.tsx#L98-L103

@yctercero I'm not sure if there's a timeout for this, but from @karanbirsingh-qasource 's test, I'm not sure what happens from a fallback persepctive if a rule only ever generated one alert before being deleted?

[karanbirsingh-qasource]

@michaelolo24 the highlighted field do shows for some seconds and after it timeout and does not load ever.

I am sharing the instance credentials with you over gmail in case you need to check other things

[yctercero]

@michaelolo24 Hey! Is the useRuleWithFallback call not resolving? If a rule generated 1+ alerts before being deleted, it should resolve as expected.

[christineweng]

@michaelolo24 @yctercero I believe it is coming from:

https://github.com/elastic/kibana/blob/11b1bc77a6260d5f59b977607eae4a1f4ab63a0a/x-pack/plugins/security_solution/public/flyout/document_details/right/components/highlighted_fields.tsx#L123-L127

Here we show an empty table in case of an error. When a rule is deleted, I'm seeing errors in console despite some items are being returned. Should we ignore the error even though there are errors?

Error: Not Found
    at Fetch.fetchResponse (fetch.ts:151:1)
    at async interceptResponse (intercept.ts:44:1)
    at async fetch.ts:48:1

The error checking is part of a state clean up during 8.11. I will open a PR to revert back to ignoring error so that we are not disrupting any user workflows.

[christineweng]

@karanbirsingh-qasource the fix is merged and back ported, this should be fixed in BC4

[MadameSheema]

great!! Thanks @christineweng :)

[michaelolo24]

@karanbirsingh-qasource - can we verify this fix? Thank you!

[karanbirsingh-qasource]

Hi @michaelolo24

we have validated this issue on 8.11 Release and found the issue to be fixed ✔️ . Highlighted field information is present on the alert after deleting the rule.

Build Details:

Version: 8.11.0
Commit: f2ea0c43ec0d854259d63d926b97e5c556b5f6b2
Build: 68160

Screen-Cast:

https://github.com/elastic/kibana/assets/59917825/f99a9936-af3c-44b9-92cf-160b16a1cc90

Hence we are closing this issue and adding "QA:Validated" tag to it.

thanks !!