[Security Solution] Incorrect Total Alert count under Group alert by filter #150840

Closed
Tracked by #152134
ghost opened this issue Feb 10, 2023 · 6 comments · Fixed by #152035
Labels: bug, fixed, impact:high, QA:Validated, Team: SecuritySolution, Team:Threat Hunting:Explore, Team:Threat Hunting

Comments


ghost commented Feb 10, 2023

Describe the bug
Incorrect Total Alert count under Group alert by filter

Build Details:

Version: 8.7.0-BC1
Commit: d3b239d76aa04f073836f6100782134ac86887e2
Build: 60614

Preconditions

  • Elastic Agent with Elastic Defend integrations should be installed
  • Generate some Alert data on the build

Steps

  • Go to the Security App
  • Navigate to the Alerts page
  • Apply the Group Alert by filter, let's say choose Group Alert by: Username
  • Grouped alerts will show up
  • Observe the Total Alert count at the alert table's middle-left position (let's say this is A)
  • Observe the count of each group and sum it (let's say this is B)
  • Observe that the counts A and B do not match

Additionally, in one of the groups the internal table alert count and the group alert count also do not match.

Screen-Cast

- Group Alert by : None : 12241 Alerts
- Group Alert by : Source IP: 12341 Alerts ( increase of 100 in count )
- 5 Group Alerts Total : ( 927 + 372 +7 +7 + 2 : 1315)

If the video below does not work, try this link

Alerts.-.Kibana.Mozilla.Firefox.2023-02-10.15-19-44.mp4

- Group outer count : 927
- Expanded Group alert table count: 964

Inspect Information


Request

{
  "size": 0,
  "aggs": {
    "stackByMultipleFields0": {
      "terms": {
        "field": "source.ip",
        "size": 10000
      },
      "aggs": {
        "bucket_truncate": {
          "bucket_sort": {
            "from": 0,
            "size": 25
          }
        },
        "alertsCount": {
          "cardinality": {
            "field": "kibana.alert.uuid"
          }
        },
        "rulesCountAggregation": {
          "cardinality": {
            "field": "kibana.alert.rule.rule_id"
          }
        },
        "countSeveritySubAggregation": {
          "cardinality": {
            "field": "kibana.alert.severity"
          }
        },
        "severitiesSubAggregation": {
          "terms": {
            "field": "kibana.alert.severity"
          }
        },
        "usersCountAggregation": {
          "cardinality": {
            "field": "host.name"
          }
        }
      }
    },
    "alertsCount": {
      "terms": {
        "field": "kibana.alert.rule.producer",
        "exclude": [
          "alerts"
        ]
      }
    },
    "groupsNumber": {
      "cardinality": {
        "field": "source.ip"
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "term": {
                  "kibana.alert.workflow_status": "open"
                }
              }
            ],
            "should": [],
            "must_not": [
              {
                "exists": {
                  "field": "kibana.alert.building_block_type"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2023-02-09T18:30:00.000Z",
              "lte": "2023-02-10T18:29:59.999Z"
            }
          }
        }
      ]
    }
  },
  "runtime_mappings": {
    "Enhanced Time": {
      "type": "keyword",
      "script": {
        "source": "emit(doc['@timestamp'].value.getDayOfWeekEnum().toString())"
      }
    }
  },
  "_source": false
}

Response

{
  "took": 7,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 10000,
      "relation": "gte"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "groupsNumber": {
      "value": 5
    },
    "alertsCount": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "siem",
          "doc_count": 12341
        }
      ]
    },
    "stackByMultipleFields0": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "172.31.9.210",
          "doc_count": 927,
          "alertsCount": {
            "value": 927
          },
          "rulesCountAggregation": {
            "value": 1
          },
          "severitiesSubAggregation": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "medium",
                "doc_count": 927
              }
            ]
          },
          "countSeveritySubAggregation": {
            "value": 1
          },
          "usersCountAggregation": {
            "value": 1
          }
        },
        {
          "key": "127.0.0.1",
          "doc_count": 372,
          "alertsCount": {
            "value": 372
          },
          "rulesCountAggregation": {
            "value": 1
          },
          "severitiesSubAggregation": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "medium",
                "doc_count": 372
              }
            ]
          },
          "countSeveritySubAggregation": {
            "value": 1
          },
          "usersCountAggregation": {
            "value": 1
          }
        },
        {
          "key": "59.89.33.107",
          "doc_count": 7,
          "alertsCount": {
            "value": 7
          },
          "rulesCountAggregation": {
            "value": 1
          },
          "severitiesSubAggregation": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "medium",
                "doc_count": 7
              }
            ]
          },
          "countSeveritySubAggregation": {
            "value": 1
          },
          "usersCountAggregation": {
            "value": 1
          }
        },
        {
          "key": "223.178.210.153",
          "doc_count": 7,
          "alertsCount": {
            "value": 7
          },
          "rulesCountAggregation": {
            "value": 1
          },
          "severitiesSubAggregation": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "medium",
                "doc_count": 7
              }
            ]
          },
          "countSeveritySubAggregation": {
            "value": 1
          },
          "usersCountAggregation": {
            "value": 1
          }
        },
        {
          "key": "185.167.96.150",
          "doc_count": 2,
          "alertsCount": {
            "value": 2
          },
          "rulesCountAggregation": {
            "value": 1
          },
          "severitiesSubAggregation": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "medium",
                "doc_count": 2
              }
            ]
          },
          "countSeveritySubAggregation": {
            "value": 1
          },
          "usersCountAggregation": {
            "value": 1
          }
        }
      ]
    }
  }
}
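As an added reconciliation check (not Kibana's code, and not from the fix linked above) over a trimmed copy of the response quoted in the report: it computes A from the producer terms aggregation and B from the per-group alertsCount values, and surfaces the two things the raw response already shows, namely that hits.total is capped (relation gte) and that most alerts land in no source.ip bucket at all. The sample response below is constructed from the numbers on this page; the field names are the ones in the request above.

```python
import json

# Constructed from the response quoted in the issue, trimmed to the
# fields this check reads (counts and keys are the ones on the page).
SAMPLE_RESPONSE = json.loads("""
{
  "hits": {"total": {"value": 10000, "relation": "gte"}},
  "aggregations": {
    "groupsNumber": {"value": 5},
    "alertsCount": {"sum_other_doc_count": 0,
                    "buckets": [{"key": "siem", "doc_count": 12341}]},
    "stackByMultipleFields0": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {"key": "172.31.9.210", "doc_count": 927, "alertsCount": {"value": 927}},
        {"key": "127.0.0.1", "doc_count": 372, "alertsCount": {"value": 372}},
        {"key": "59.89.33.107", "doc_count": 7, "alertsCount": {"value": 7}},
        {"key": "223.178.210.153", "doc_count": 7, "alertsCount": {"value": 7}},
        {"key": "185.167.96.150", "doc_count": 2, "alertsCount": {"value": 2}}
      ]
    }
  }
}
""")


def reconcile(resp: dict, group_agg: str = "stackByMultipleFields0") -> dict:
    """Compare the table total (A in the report) with the group sum (B)."""
    aggs = resp["aggregations"]
    # A: doc_count over the producer terms agg (the "alerts" bucket is excluded).
    total = sum(b["doc_count"] for b in aggs["alertsCount"]["buckets"])
    groups = aggs[group_agg]
    # B: per-group alertsCount is a cardinality agg, so it is only approximate
    # once a bucket exceeds the precision threshold (3000 by default).
    visible = sum(b["alertsCount"]["value"] for b in groups["buckets"])
    # Documents cut off by the bucket size limit are reported here...
    truncated = groups["sum_other_doc_count"]
    # ...but documents lacking the group-by field (source.ip) go into no bucket
    # unless the terms agg sets "missing"; they only appear as this remainder.
    unaccounted = total - visible - truncated
    return {
        "total": total,
        "visible_groups_sum": visible,
        "truncated": truncated,
        "unaccounted": unaccounted,
        # hits.total stops counting at 10000 unless track_total_hits is set,
        # so "gte" means the hit count is a floor, not the real total.
        "hits_total_is_exact": resp["hits"]["total"]["relation"] == "eq",
        "bucket_error_bound": groups["doc_count_error_upper_bound"],
    }
```

Run against the page's numbers it reports a total of 12341, a visible group sum of 1315 and 11026 alerts accounted for by no group, which matches the mismatch the report describes.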

@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 10, 2023
elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

MadameSheema (Member) commented:

@karanbirsingh-qasource could you please confirm whether you have any other filter activated, i.e. building block alerts? Per the attached screencast it seems that there is also a mismatch between the Severity Levels card and Alerts by Type. Can you please take a look at that as well? Thanks! :)


ghost commented Feb 10, 2023

Hi @MadameSheema

No additional filter is applied. Please find the new screen-cast below; for severity there is another issue here: #150278

group by : 3048
Alert Table count: 22604
Alerts.-.Kibana.Mozilla.Firefox.2023-02-10.18-15-09.mp4

@MadameSheema MadameSheema removed their assignment Feb 10, 2023
@MadameSheema MadameSheema added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Explore labels Feb 10, 2023
elasticmachine (Contributor) commented:

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

stephmilovic (Contributor) commented:

@karanbirsingh-qasource the issue was fixed. Can you please confirm the fix in BC4? Thanks!


ghost commented Mar 6, 2023

Hi @stephmilovic

We have validated this issue on 8.7 BC4 and found the issue to be fixed ✔️. The correct count is showing on the complete alert page, including the charts and groups.

Build Details:

Version: 8.7.0 BC4
Commit: de22cd9361a0dbf429f9648d3c7b7c45aa862e90
Build: 60949

Screen-cast

Alerts.-.Kibana.Mozilla.Firefox.2023-03-06.11-29-12.mp4

Hence we are closing this issue and adding "QA:Validated".

@ghost ghost closed this as completed Mar 6, 2023
@ghost ghost added the QA:Validated Issue has been validated by QA label Mar 6, 2023