Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Id is displayed instead of Saved Query name under Rule details page #136178

Closed
ghost opened this issue Jul 12, 2022 · 6 comments
Closed

[Security Solution] Id is displayed instead of Saved Query name under Rule details page #136178

ghost opened this issue Jul 12, 2022 · 6 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Details Security Solution Detection Rule Details fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.5.0

Comments

@ghost
Copy link

ghost commented Jul 12, 2022

Describe the bug
Id is displayed instead of Saved Query name under Rule details page

Build info

VERSION : 8.4.0 SNAPSHOT
BUILD: 54370
COMMIT: 27befe47a084f7b046426aa3edac01293d6e407b

Preconditions

  1. Kibana should be running

Steps to Reproduce

  1. Navigate to Rules tab of security
  2. Click on Create a new rule
  3. Add the query from load Saved query
  4. Create the rule with Saved query
  5. After created the rule navigate to rule details page
  6. Observe that id is displayed instead of Saved Query name under Rule details page
  7. Observe that error message is displayed

Actual Result
Id is displayed instead of Saved Query name under Rule details page

Expected Result
Saved Query name should be displayed instead of id under Rule details page

What's Working

  • This issue is also occurring on 8.3.0 build

Screen-Shot
image

Rule
rules_export.zip
@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.4.0 labels Jul 12, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost assigned MadameSheema Jul 12, 2022
@MadameSheema MadameSheema added Team:Detections and Resp Security Detection Response Team Team:Detection Rule Management Security Detection Rule Management Team labels Jul 12, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror added Feature:Rule Details Security Solution Detection Rule Details and removed triage_needed v8.4.0 labels Jul 21, 2022
@rylnd rylnd mentioned this issue Jul 21, 2022
Closed
@marshallmain marshallmain mentioned this issue Aug 22, 2022
Closed
2 tasks
@rylnd
Copy link
Contributor

rylnd commented Aug 30, 2022

In addition to being more legible, a saved query's name should be unique to the kibana instance and so could also be used for lookup. Moving from id to name would then allow rules to be slightly more portable: if the user exports into another space where the saved query is shared, it will just work.

@vitaliidm
Copy link
Contributor

vitaliidm commented Sep 7, 2022
edited
Loading

In addition to being more legible, a saved query's name should be unique to the kibana instance and so could also be used for lookup. Moving from id to name would then allow rules to be slightly more portable: if the user exports into another space where the saved query is shared, it will just work.

@rylnd , if I understand correctly the proposal is keeping in rule object instead of saved_id a new property, let's say, saved_query_name?
We would need a migration to move existing rules from saved_id to saved_query_name then?

Rule with saved_query type always uses saved query and saved query filters while executing. So to display actual values, we would need to fetch saved query and with filters, and display them on the details page. This way, we can also obtain a query name as well.

So, I propose to split work here in 2 pieces:

  • fetching actual filters and query, saved query name. We address this issue and also display correct query and filters for rule, together with the saved query name
  • work on migration to saved_query_name instead of saved_id

@marshallmain
Copy link
Contributor

@deepikakeshav-qasource Can you re-test this on 8.5 BC1? I expect that it was fixed by #140064

@ghost
Copy link
Author

ghost commented Sep 23, 2022
edited by ghost
Loading

Hi @marshallmain

We have validated this issue on 8.5.0-BC1 build and observed that the issue is fixed.

Please find below the testing details:

Build Details:

VERSION: 8.5.0-BC1
COMMIT: 0d8de4df69f8084a94cdd9638d7de510813cb5ce
BUILD: 56595

Screen-Recording:

saved.query.mp4

Hence, We are closing this is issue and marking as QA Validated!!

cc: @MadameSheema
Thanks!

@ghost ghost added the QA:Validated Issue has been validated by QA label Sep 23, 2022
@ghost ghost closed this as completed Sep 23, 2022
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Details Security Solution Detection Rule Details fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.5.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@peluja1012 @rylnd @banderror @elasticmachine @MadameSheema @marshallmain @vitaliidm