elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Nested fields don't load autocomplete values #81299

Open MadameSheema opened 4 years ago

MadameSheema commented 4 years ago

Originally reported by: @dplumlee

Info:

Steps to reproduce:

  1. Load an alert into the detections alert table
  2. Open either Add exception modal
  3. Choose a non-boolean nested field such as file.Ext.code_signature.subject_name as the field name

Current behavior:

(screenshot: Screen Shot 2020-07-28 at 2 00 17 AM)

Expected behavior:

Dev notes:

Commented by @yctercero on 28th Jul: @dplumlee did you try this with the timeline Add Filter and KQL search bar? Trying it there, it seems to be the same issue (as we're using the same service).

Commented by @dplumlee on 28th Jul: @yctercero i looked through the KQL code and saw they were passing nested fields down a slightly different way but the Add Filter seems to be getting the same issue for me, yeah
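As an added illustration (not code from Kibana or from anyone in this thread) of why a value lookup on a field under a `nested` mapping comes back empty: a plain terms aggregation issued from the root document returns no buckets for such a field, and the request has to be wrapped in a `nested` aggregation on the enclosing path. The mapping below is constructed and the `nested` type on file.Ext.code_signature is an assumption mirroring the field named in the issue; the real endpoint mapping and Kibana's suggestion service may differ.

```python
"""Added example: detect the nested ancestor of a dotted field in an
Elasticsearch mapping and build the aggregation a value lookup needs."""
from typing import Optional

# Constructed mini-mapping in the shape returned by GET <index>/_mapping.
# The `nested` type on file.Ext.code_signature is an assumption.
MAPPING = {
    "properties": {
        "file": {
            "properties": {
                "name": {"type": "keyword"},
                "Ext": {
                    "properties": {
                        "code_signature": {
                            "type": "nested",
                            "properties": {
                                "subject_name": {"type": "keyword"},
                                "trusted": {"type": "boolean"},
                            },
                        }
                    }
                },
            }
        }
    }
}


def nested_path(mapping: dict, field: str) -> Optional[str]:
    """Closest enclosing `nested` object path for a dotted field, or None
    when the field is a regular (non-nested) field."""
    node, found, parts = mapping, None, field.split(".")
    for i, part in enumerate(parts):
        node = node.get("properties", {}).get(part)
        if node is None:
            raise KeyError(f"{field!r} not in mapping")
        if node.get("type") == "nested":
            found = ".".join(parts[: i + 1])
    return found


def suggestion_aggs(mapping: dict, field: str, size: int = 10) -> dict:
    """Aggregation body for a value-suggestion call. A bare terms agg on a
    nested field yields zero buckets; wrapping it in `nested` fixes that."""
    terms = {"terms": {"field": field, "size": size}}
    path = nested_path(mapping, field)
    if path is None:
        return {"suggestions": terms}
    return {"suggestions": {"nested": {"path": path},
                            "aggs": {"values": terms}}}
```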

yctercero commented 2 years ago

For whoever grabs this one - needs to be revisited as it was a known issue (core issue) when originally coded up.

yctercero commented 2 years ago

This seems to be related to https://github.com/elastic/kibana/issues/137709 - could QA confirm that the steps outlined in that other issue resolve this as well?

cc @MadameSheema

MadameSheema commented 2 years ago

@samratbhadra-qasource can you please validate if the above issue is still happening after following this?: https://github.com/elastic/kibana/issues/137709#issuecomment-1205783338 Thanks!!! :)

ghost commented 2 years ago

Hi @MadameSheema

We have tested this issue on the latest 8.5.0-Snapshot build and observed that the issue is still occurring. Please find below the testing details:

Build Details:
VERSION: 8.5.0-SNAPSHOT
BUILD: 55993
COMMIT: 436b2874794a6ffc05ad3b9ef28c298ff5384ca4

Screenshot:

(screenshots: Screenshot (930), Screenshot (928), Screenshot (929), Screenshot (932))

Thanks!

MadameSheema commented 2 years ago

Thanks @samratbhadra-qasource!!

@yctercero can you please take a look at the above comment when you have the chance?

yctercero commented 2 years ago

Thanks! I'll put it in for 8.6 - I'm not sure we'll get to it 8.5 but will prioritize if we can.

dhurley14 commented 1 year ago

Related: https://github.com/elastic/kibana/issues/144229

dhurley14 commented 1 year ago

@WafaaNasr Can you take a look at this bug? It looks like the autosuggest is populating but the validation for the "Add Exception" button is preventing us from adding this nested exception. I know you were in the validation code recently so hopefully this is an easy fix.

To test you will need endpoint data which you can generate by using the following script:

cd ~/kibana/x-pack/plugins/security_solution/scripts/endpoint && nvm use && yarn test:generate

Here is a screenshot:

(screenshot: Screen Shot 2022-11-29 at 4 58 50 PM)

cybersecdiva commented 1 year ago

Tested in current 8.7.0 deployment:

Preconditions:

Steps to reproduce behavior:

  1. Trigger an alert for the Endpoint Security rule
    • In this case, I triggered mimikatz
  2. Navigate to Security -> Alerts
  3. Next to the triggered alert, under the Actions column, click on the three dots ⚈⚈⚈ icon
  4. Click on Add Rule exception and enter an exception name
  5. In the Field section, key in file.Ext.code and select from the drop down list menu options 🔽 File.Ext.code_signature.subject_name for the field.
  6. In the Value section, click on the drop down list 🔽

Results:

Autocomplete values for the nested field do not load and the message "There aren't any options available" is displayed when the drop down list is selected

Expected results:

Autocomplete values are returned with drop down list options 🔽

Screen video capture:

https://user-images.githubusercontent.com/35679937/232628013-7bf392c3-4f9a-4bc5-9f9a-60cd220f16a4.mp4

Observations:

Screenshots:

Rule Exception Field File.Ext.code_signature.subject_name that shows Autocomplete values not generating:

(screenshot: Screenshot 2023-04-17 at 6 29 18 PM)

Endpoint Exception Field File.Ext.code_signature.subject_name that shows Autocomplete values not generating: Note: I deleted the automatically populated fields that display and generate when creating an Endpoint Exception and added File.Ext.code_signature.subject_name under the Field section

(screenshot: Screenshot 2023-04-17 at 6 39 07 PM)

Endpoint Exception Field File.Ext.code_signature.subject_name with boolean operator that shows Autocomplete values not generating:

(screenshot: Screenshot 2023-04-17 at 4 39 56 PM)

Conclusion:

Validated that the behavior is still occurring in 8.7.0

cc: @MadameSheema @dhurley14 @WafaaNasr Update FYI Observations

cybersecdiva commented 1 year ago

Tested in 8.9.0:

Build Details:
VERSION: 8.9.0 BC5
BUILD: 64715
COMMIT: beb56356c5c037441f89264361302513ff5bd9f8

Preconditions:

Steps to reproduce behavior:

  1. Trigger an alert for the Endpoint Security rule
    • In this case, I triggered mimikatz
  2. Navigate to Security -> Alerts
  3. Next to the triggered alert, under the Actions column, click on the three dots ⚈⚈⚈ icon
  4. Click on Add Rule exception and enter an exception name
  5. In the Field section, key in file.Ext.code and select from the drop down list menu options 🔽 File.Ext.code_signature.subject_name for the field.
  6. In the Value section, click on the drop down list 🔽

Results:

Autocomplete values for the non-nested field do not load and the message "There aren't any options available" is displayed when the drop down list is selected

Expected results:

Autocomplete values are returned with drop down list options 🔽

Screen video capture:

https://github.com/elastic/kibana/assets/35679937/01cf2590-e84a-49f3-8206-b19c526b1458

Observations:

Screenshots:

Rule Exception Field File.Ext.code_signature.subject_name that shows Autocomplete values not generating for non-nested fields:

(screenshot: Screenshot 2023-08-11 at 12 21 51 PM)

Endpoint Exception Field File.Ext.code_signature.subject_name that shows Autocomplete values not generating for non-nested fields: Note: I deleted the automatically populated fields that display and generate when creating an Endpoint Exception and added File.Ext.code_signature.subject_name under the Field section

(screenshot: Screenshot 2023-08-11 at 12 21 18 PM)

Conclusion:

cc: @MadameSheema @dhurley14 @WafaaNasr Updated FYI Observations