elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] [Query] User risk and Host risk score are not available under Entity Analytics Dashboard even when Entity risk score is enabled but Entity store is disabled #196644

Open muskangulati-qasource opened 2 days ago

muskangulati-qasource commented 2 days ago

Describe the bug

User risk and Host risk score are not available under Entity Analytics Dashboard even when Entity risk score is enabled but Entity store is disabled.

Kibana/Elasticsearch Stack version

VERSION: 8.16.0
BUILD: 79269
COMMIT: 574ec2fc5f383da6bff0d506cc6ab76803119dae

Steps

  1. Kibana version 8.16.0 or above should exist without endpoints
  2. Navigate to the Management >> Stack Management
  3. Navigate to the Entity Store under Alerts and Insights section
  4. Disable the Entity Store
  5. Navigate to the Entity risk score under Alerts and Insights section
  6. Enable the Entity risk score
  7. Navigate to the Entity Analytics Dashboard under the Dashboards tab of security
  8. Observe the tables for host risk score, user risk score and Entities are all missing

Question

Why are we disabling host risk score and user risk score even when Entity Risk Score is enabled? Even when we clear data for entity, it disables entity store; then only the Entities table is hidden, but host risk score and user risk score are still enabled.

Screenshots

https://github.com/user-attachments/assets/19519200-673a-4ebb-9a93-eadee6050b71

elasticmachine commented 2 days ago

Pinging @elastic/security-solution (Team: SecuritySolution)

muskangulati-qasource commented 2 days ago

@amolnater-qasource please review!

elasticmachine commented 2 days ago

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

amolnater-qasource commented 2 days ago

Reviewed & assigned to @MadameSheema

jaredburgettelastic commented 2 days ago

This is a higher priority due to the upcoming Serverless release; will assess.

jaredburgettelastic commented 1 day ago

Tested and confirmed that this problem does not yet exist in Serverless, because the Entity Store is completely unavailable in Serverless, and the dashboard view correctly shows the Risk Enablement. Still a high priority ticket, but not required for Monday's Serverless release.