elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] [Bug] Sorting does not work for entities table for the Column: Name #196845

Closed muskangulati-qasource closed 1 week ago

muskangulati-qasource commented 3 weeks ago

Describe the bug: Sorting does not work for entities table for the Column: Name

Kibana/Elasticsearch Stack version

VERSION: 8.16.0
BUILD: 78825
COMMIT: a805375758e4bc931cf13dfdcac89b8d877a15d2

Steps

  1. Kibana version 8.16.0 or above should exist without endpoints
  2. Navigate to Kibana >> Security
  3. Go to Dashboards tab and select the Entity Analytics Dashboard
  4. Enable the entity store
  5. Under the entities table, sort the table with the column Name (of the entity)
  6. Observe, sorting is not working

Expected Result: Sorting should work for entities table for the Column: Name

Screenshot

https://github.com/user-attachments/assets/a1f1af51-6fba-4102-ba59-3aef4ceefe43

elasticmachine commented 3 weeks ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 3 weeks ago

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

muskangulati-qasource commented 3 weeks ago

@amolnater-qasource please review!!

amolnater-qasource commented 3 weeks ago

Reviewed & assigned to @MadameSheema

machadoum commented 3 weeks ago

PR: https://github.com/elastic/kibana/pull/197225

muskangulati-qasource commented 1 week ago

Hi @jaredburgettelastic,

We have validated this ticket on the latest 8.16.0 BC3 build and found the issue is Partially Fixed.

Please find below the testing details:

Build details:

VERSION: 8.16.0
BUILD: 79556
COMMIT: f02d1303b5230c357ac7e4c49c8adadd5f66af38

Observation: The host 'ubuntu' does not sort in any manner. However, the rest of the host names do sort correctly.

Screen Recording

https://github.com/user-attachments/assets/ac75bbce-b117-4842-9743-a1aa3481e852

Thanks!!

hop-dev commented 1 week ago

@muskangulati-qasource would you be able to paste the response of the following dev tools request if possible?

GET /.entities.v1.latest*/_search?q=host.name=ubuntu&size=1

machadoum commented 1 week ago

From the video, it looks like these "Ubuntu" users are different. One might have some special character, so we need access to the data to investigate further.

Prints of both "ubuntu" users with different timestamps and risk scores. [image] [image]

muskangulati-qasource commented 1 week ago

Hi @machadoum,

Please find below the details for the hit:

{
  "took": 17,
  "timed_out": false,
  "_shards": {
    "total": 3,
    "successful": 3,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 2,
      "relation": "eq"
    },
    "max_score": 6.293068,
    "hits": [
      {
        "_index": ".entities.v1.latest.security_user_default",
        "_id": "dQ4s2kYYwdq-cCKfWyOVqpIAAAAAAAAA",
        "_score": 6.293068,
        "_source": {
          "@timestamp": "2024-11-04T12:27:34.311Z",
          "event": {
            "ingested": "2024-11-04T12:28:52.046831943Z"
          },
          "user": {
            "name": "ubuntu",
            "risk": {
              "calculated_score": "250.3209228515625",
              "calculated_score_norm": "96.55952453613281",
              "calculated_level": "Critical"
            },
            "id": [
              "0",
              "1000"
            ]
          },
          "entity": {
            "name": "ubuntu",
            "id": "uIIaJurYeUitd5RBJtVtyw==",
            "source": ".ds-logs-endpoint.events.process-default-2024.11.04-000001",
            "type": "user"
          }
        }
      }
    ]
  }
}

Please let us know if anything else is required!

Thanks

machadoum commented 1 week ago

I also need the API response for the other "ubuntu" user. You can get it from the dev console when you sort the page.

muskangulati-qasource commented 1 week ago

Hi @machadoum,

I am getting the same response for both users. Even though the other user is not assigned any criticality, it still shows 'Critical', which is assigned to the first user.

You can access the BC3 environment we are using for testing to have a closer look at it: https://p.elstc.co/paste/2nLzt3LE#f89457zdtbVZnCg9Kh77pX4LS7hsJW57KwNgcXaUE9o

Please let us know if anything else is required from our end.

Thanks!

machadoum commented 1 week ago

Thank you @muskangulati-qasource!

I confirmed my assumption. The "ubuntu" user on the last page is prepended with whitespace.

And it comes from this event: [image]

So, the page sorting and the entity store are working as expected. Since the entity store doesn't have user disambiguation, it can't "merge" these users into one instance.

I think we can close the issue. Unless someone wants to create a feature request from this use case @jaredburgettelastic @hop-dev.
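
A small check for the situation machadoum describes above, added here as an example and not code from the Kibana project: it takes hits shaped like the `.entities.v1.latest*` `_search` response quoted earlier (constructed sample data), shows why a whitespace-prefixed name lands elsewhere in a lexical sort, and reports entity names that collide once surrounding whitespace, Unicode form and case are normalized. The normalization is an assumption about what a reviewer would want to treat as one entity, not what the entity store itself does.

```python
import unicodedata
from collections import defaultdict

# Constructed sample hits mirroring the _source shape of the entity store response above.
# The second hit carries the leading space that caused the "unsortable" ubuntu user.
SAMPLE_HITS = [
    {"_id": "id-1", "_source": {"entity": {"name": "ubuntu", "type": "user",
        "source": ".ds-logs-endpoint.events.process-default-2024.11.04-000001"}}},
    {"_id": "id-2", "_source": {"entity": {"name": " ubuntu", "type": "user",
        "source": ".ds-logs-endpoint.events.process-default-2024.11.04-000001"}}},
    {"_id": "id-3", "_source": {"entity": {"name": "alice", "type": "user", "source": "constructed"}}},
    {"_id": "id-4", "_source": {"entity": {"name": "Alice", "type": "user", "source": "constructed"}}},
]


def normalize_name(name: str) -> str:
    """Collapse variations the entity store does not merge on its own (assumption):
    surrounding whitespace, Unicode compatibility form and letter case."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


def sorted_entity_names(hits):
    """Plain lexical sort of the raw names. A leading space (0x20) orders before
    every letter, so ' ubuntu' is placed far away from 'ubuntu' in the table."""
    return sorted(h["_source"]["entity"]["name"] for h in hits)


def find_colliding_entities(hits):
    """Group hits by (type, normalized name) and return only the groups in which
    more than one distinct raw spelling appears, with id and source for triage."""
    groups = defaultdict(list)
    for h in hits:
        ent = h["_source"]["entity"]
        key = (ent["type"], normalize_name(ent["name"]))
        groups[key].append({"id": h["_id"], "raw_name": ent["name"], "source": ent.get("source")})
    return {k: v for k, v in groups.items() if len({x["raw_name"] for x in v}) > 1}


if __name__ == "__main__":
    print(sorted_entity_names(SAMPLE_HITS))
    for (etype, name), variants in find_colliding_entities(SAMPLE_HITS).items():
        # repr() makes the otherwise invisible leading whitespace visible.
        print(etype, name, [repr(v["raw_name"]) for v in variants])
```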

muskangulati-qasource commented 1 week ago

Thank you for looking into the issue @machadoum,

Since it is now fixed and working as expected, we are closing this issue and marking it as 'QA Validated'.

Thanks!