elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Some Bulk Action Options Are Disabled After Selecting All Alerts Using “Select All X Alerts” #201677

Open pborgonovi opened 1 day ago

pborgonovi commented 1 day ago

Describe the bug:

When performing bulk actions on the Alerts table, the availability of certain bulk action options is inconsistent based on the method used to select the alerts:

  1. When a few alerts or all alerts are selected manually:
    • All bulk action options are available.
  2. When all alerts are selected using “Select All X Alerts”:
    • Some bulk action options (e.g., “Add to case” or “Assign alert”) are unexpectedly disabled, even though they were available in the previous cases.

Kibana/Elasticsearch Stack version: 8.17

Server OS version:

Browser and Browser OS versions:

Elastic Endpoint version:

Original install method (e.g. download page, yum, from source, etc.):

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Prerequisites:

  1. Rules exist
  2. Alerts have been generated

Steps to reproduce:

  1. Navigate to the Alerts table.
  2. Scenario 1:
    • Manually select a few alerts by checking the individual checkboxes.
    • Click the “Actions” dropdown and observe that all bulk action options are available.
  3. Scenario 2:
    • Use the “Select All X Alerts” option after selecting a single alert.
    • Click the “Actions” dropdown and observe that some options are disabled.

Current behavior:

When using the “Select All X Alerts” option, some bulk action options are disabled, which is inconsistent with other selection scenarios.

Expected behavior:

The bulk action options should remain consistent across all selection methods. Selecting “Select All X Alerts” should enable the same set of options available when manually selecting alerts or using the “Select All” button.

Screenshots (if relevant):

https://github.com/user-attachments/assets/1ebc4917-4860-47ed-8582-4aab64749b43

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):

elasticmachine commented 1 day ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 1 day ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine commented 1 day ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

dplumlee commented 1 day ago

This has been brought up in the past; these limitations were intentionally put in that flyout menu for possible performance and use case reasons. If there are good use case reasons to open up the "when all are selected" flag we have in the code, we should definitely performance test these actions (e.g. add to case, alert tags, etc.) with large sets of alerts. Would be a pretty easy switch though.

yctercero commented 5 hours ago

@pborgonovi changing this to an enhancement as this was by design as @dplumlee noted.

cc @approksiu