
[Security Solution] Inspect index pattern not aligned with data view index pattern #121377

Closed
ghost opened this issue Dec 16, 2021 · 8 comments
Labels
fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. needs design QA:Validated Issue has been validated by QA Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Explore v8.0.1 v8.1.0

Comments

@ghost

ghost commented Dec 16, 2021

Describe the bug
inspect index pattern not aligned with data view index pattern

Build Details

Version: 8.0.0-SNAPSHOT
commit:474d83d2bbc5dbe28ac4b4d2e9ddcecd434671fa
Build:48754

Pre-Conditions

  • A few alerts should be generated on Kibana
  • Filebeat should be installed on Kibana with the Threat Intel module

Steps

  • Log in to Kibana
  • Navigate to the Overview page
  • Click on the data view and change it to metrics-*
  • Click on save
  • Scroll down to the Threat Intel card and click on the inspect icon
  • Observed that the index pattern logs-ti_* of the Threat Intel card is not aligned with the data view index pattern metrics-*

  • Now go to timeline and select the default data view
  • Filter the timeline result with any query, let's say process.name: *
  • Click on the inspect icon in the top right corner
  • Observed that the index pattern -*elastic-cloud-logs-* is not aligned with the data view index pattern

Expected Result

  • Index pattern should be aligned
    OR
  • If these index patterns are a kind of built-in index pattern, there should be a mention of these indices in the data view

@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Dec 16, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost added Team:Threat Hunting:Explore estimate:medium Medium Estimated Level of Effort labels Dec 16, 2021
@manishgupta-qasource

Reviewed & Assigned to @MadameSheema

@manishgupta-qasource manishgupta-qasource added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed estimate:medium Medium Estimated Level of Effort labels Dec 16, 2021
@MadameSheema
Member

@karanbirsingh-qasource the behaviors you are describing here are expected.

  • The threat intelligence card has its own index pattern, and that one does not change with the data view.
  • The - at the beginning of the index pattern informs the user that the specific index pattern is excluded. So it is a way to inform the user that the index pattern is not going to be present.

@ecezalp @stephmilovic what do you want to do regarding the above issues? Thanks :)

@stephmilovic
Contributor

@monina-n needs design, some indicator of when cards are not associated with the Data View selector

@monina-n

Here is the design discussion for this bug elastic/security-design-team#20

There's some additional context needed on the second scenario (timeline inspect), so whichever engineer is assigned to this, we can set up a meeting to talk more.

@stephmilovic stephmilovic self-assigned this Feb 7, 2022
@stephmilovic stephmilovic added fixed and removed bug Fixes for quality problems that affect the customer experience labels Feb 10, 2022
@stephmilovic
Contributor

Hi @karanbirsingh-qasource this is ready to be re-tested, thank you!

@MadameSheema
Member

@karanbirsingh-qasource please validate this on next 8.1.0BC3, thanks!!

@ghost
Author

ghost commented Feb 17, 2022

Hi @MadameSheema

We have validated this issue on 8.1.0-BC3 Self Managed and found that expected changes are now present on the build.

Build Details:

Version: 8.1.0-BC3
Commit:0335dd6a26ef29ae9021d0fae9347dc88f3b7d6e
Build:50346

Screenshots:

  • Overview Page Threat Intel

  • Timeline

  • Timeline
  • Timeline Inspect modal of timeline event

Hence we are closing this issue and adding "QAValidated" label to it.

c.c. @stephmilovic

@ghost ghost closed this as completed Feb 17, 2022
@ghost ghost added the QA:Validated Issue has been validated by QA label Feb 17, 2022

5 participants