elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution][Detection Engine] custom highlighted fields not displaying in preview flyout #178082

Open vitaliidm opened 6 months ago

vitaliidm commented 6 months ago

Describe the bug:

Custom highlighted fields not displaying in preview flyout

Kibana/Elasticsearch Stack version:

At least 8.14, but earlier versions are likely affected too

Steps to reproduce:

  1. Add a custom highlighted field for a detection rule
  2. Run rule preview
  3. Observe that the custom highlighted field is not displayed in Highlighted fields of the Investigation section
  4. The same custom highlighted field is displayed when opening the alert preview of an actually generated alert.

Screenshots (if relevant):

Preview flyout

Screenshot 2024-03-06 at 11 15 25

Actual alert flyout

Screenshot 2024-03-06 at 11 16 14

Any additional context (logs, chat logs, magical formulas, etc.):

This happens because the highlighted fields component fetches the rule and takes the highlighted fields property from it. The ruleId used to fetch the rule is not the id of the rule. So the fetched rule is always undefined, and thus custom highlighted fields are always empty. Even if the id is correct in this context, custom highlighted fields not saved in the rule won't be displayed correctly if fetched from the backend. Probably, in this case, rule information should be taken from the form itself or from the rule saved in the alert.

elasticmachine commented 6 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 6 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 6 months ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

vitaliidm commented 6 months ago

cc: @yctercero

yctercero commented 6 months ago

I think we can wrap this into https://github.com/elastic/kibana/issues/171057 - great catch!