[Defend Workflows] Analyzer for sentinelone alerts is showing "No Process Events Found"

[sukhwindersingh-qasource]

Describe the bug: Analyzer for sentinelone alerts is showing "No Process Events Found"

Build Details:

VERSION: 8.13.0 snapshot
BUILD: 71393
COMMIT: 4f3bc35472dfeb88c02466790bd3c96dcc98f4de

Preconditions

• Kibana should be running.
• Feature flag for analyzer should be enabled.
  • xpack.securitySolution.enableExperimental:
    • sentinelOneDataInAnalyzerEnabled
• Sentinelone Alert should be present

Steps to Reproduce

• Navigate to Alerts tab
• Click on analyzer Icon of the sentinelone alert
• Observe Analyzer for sentinelone alerts is showing "No Process Events Found"

Actual result

• Analyzer for sentinelone alerts is showing "No Process Events Found"

Expected Result

• Analyzer for sentinelone alerts is should be showing analyzer graph

Screen-Cast

https://github.com/elastic/kibana/assets/108654988/82c5d17a-baa3-45e0-bc29-10868a022a05

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[sukhwindersingh-qasource]

@manishgupta-qasource Kindly review this Thanks!

[dasansol92]

@tomsonpl could you take a look at this? Thanks!

[tomsonpl]

Hey @sukhwindersingh-qasource thanks for raising this 👍 Do you have access to S1 instance, where you could compare how the graph looks for for the same event?

[manishgupta-qasource]

Reviewed and assigned to @dasansol92

[tomsonpl]

We talked with @sukhwindersingh-qasource on slack, and thanks to his observations we are able to understand this issue better 👏

So the issue here is: We have two integrations for Sentinel One (one in beta cloud funnel) that fetch different logs. First SentinelOne fetches malware alerts (along with some other types) - as in this case. Second Sentinel One Cloud Funnel fetches processes (along with some other types too) - missing in this case. So even though we have a S1 alert and we open the analyzer, we do not have the related process event fetched, therefore the Analyzer renders the 'No processes' promt. Which is a correct behavior.

What we should do is probably state it more clearly that the user needs Cloud Funnel integration to be able to render Analyzer graphs. @caitlinbetz @dasansol92 FYI

[ferullo]

Is it possible for us to update the text that displays in the No Process Events Found display when an S1 alert was clicked on to alert the user that they need to enable Cloud Funnel?

[sukhwindersingh-qasource]

Hi @dasansol92 ,

We have validated this ticket on the latest 8.13.0 BC 7 build with the Sentinel One Cloud Funnel integration and we are able to test the Analyzer for Sentinelone ✔️

Please find below the testing details

Build Details:

VERSION: 8.13.0 BC7 Build : 72069 Commit : 2e3a5cd43e835baa1d596b1aa54735992259ecb9

Screenshot:

https://github.com/elastic/kibana/assets/108654988/71602edc-293a-4d26-919e-b135921ba557

Hence, we are closing this issue and marking it as QA Validated.

Thanks!!

[muskangulati-qasource]

Bug Conversion

• Test-Case not required as this particular checkpoint is already covered in the following test cases:
  • https://elastic.testrail.io/index.php?/cases/view/271459
  • https://elastic.testrail.io/index.php?/cases/view/271460
  • https://elastic.testrail.io/index.php?/cases/view/271461
  • https://elastic.testrail.io/index.php?/cases/view/271462

Thanks!