[Defend workflows]After License upgrade from Platinum to Enterprise, User is not able to access the Respond from take action on alert details flyout for the old alerts

[sukhwindersingh-qasource]

Describe the bug: After License upgrade from Platinum to Enterprise, User is not able to access the Respond from take action on alert details flyout for the old alerts

Build Details:

VERSION: 8.12.2
BUILD: 70281
COMMIT: f5bd489c5ff9c676c4f861c42da6ea99ae350832

Preconditions

• Kibana should be running.
• Downgrade the kibana to Platinum License from the Dev Tools
• Now Generate some Malware alerts.
• Upgrade the kibana to Enterprise License.

Steps to Reproduce

• Navigate to Alerts tab
• Click on Alerts details flyout icon
• Click on Take Action button
• Observe the Respond button is disabled and showing the warning message

Whats working

• It is working correctly for the Alerts we trigger after the License upgrade.

Actual result

• After License upgrade from Platinum to Enterprise, User is not able to access the Respond from take action on alert details flyout for the old alerts

Expected Result

• User should be able to access the analyzer for all the alerts present.

Screen-Cast Alert which was triggered on the platinum license

https://github.com/elastic/kibana/assets/108654988/f4fd0d37-2279-42c6-8f32-858adb3f1532

Alert triggered after the license upgraded to enterprise

https://github.com/elastic/kibana/assets/108654988/27c753d3-51ba-4d08-88ce-8d4dcec1d336

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[muskangulati-qasource]

Reviewed and assigned to @dasansol92

[dasansol92]

Thanks @sukhwindersingh-qasource for checking this. Is this happening in older stack versions or is it only happening in 8.12.2? Thanks! cc: @paul-tavares @ashokaditya

[sukhwindersingh-qasource]

Hi @dasansol92 ,

We have Tried to this on the 8.12.0 build and found the issue is not occurring on the same.

Please find below the testing details

Build Details:

VERSION: 8.12.0 BUILD: 70088 COMMIT: e9092c0a17923f4ed984456b8a5db619b0a794b3

Screencast

https://github.com/elastic/kibana/assets/108654988/da740bb7-a567-435a-be83-36fe70b4ed16

Thanks!!

[tomsonpl]

@sukhwindersingh-qasource hey, thanks for raising this 👍 I am not able to reproduce this locally, could you share your cloud instance that has the bug, so I could play with it a bit? Thank you! 🙇

[paul-tavares]

@sukhwindersingh-qasource - A few things we need to debug this issue:

• As @tomsonpl pointed it out: please sends us the env. details so we can login and look around
• Is the Respond option available when you look at the host under the Endpoint LIst? if so, can you validate that the UUID of the agent.id matches on both the host displayed in the endpoint list and the value from the alert that you were viewing in the alerts list
• How were you able to get your env. down to a Platinum license? I was not able to do it from the "Dev console" in kibana as it kept giving me an error indicating I was not a provider (I also don't seem to have a valid Platinum test license 😞 )

FYI: The fact that the Respond option is showing up on the Alert "Take Action" menu but disabled with the message that indicates "install endpoint" means that we were not able to find the Host agent.id when we queried with it against the /api/endpoint/metadata/{agent.id_value_here} - which means the host is not running endpoint

[sukhwindersingh-qasource]

Hi @paul-tavares, @tomsonpl,

Below are the steps we followed to downgrade to a platinum license:

1. Navigate to the Licensing page using this link: Internal License - X-Pack and Endgame.

2. Download the JSON file of the required license.

3. For release builds, we use the following JSON:

4. For Snapshot builds we use this -

5. Then add the JSON text of the required License below this PUT _license?acknowledge=true and click on run button.

Note: It's advisable to first downgrade the license to basic and then upgrade it to the desired license. For a basic license, use the following Dev Tool command: POST /_license/start_basic?acknowledge=true

After investigating the issue, we discovered that the endpoint was not running, which caused this behavior.

Please let us know if anything else is required from our end. We are closing this ticket as it is working as expected.

Thank you!

[tomsonpl]

Thank you @sukhwindersingh-qasource, i added the licenses page to my favorites ❤️ I am glad that in the end it works as excepted :)