[Security Solution] Enriched fields are not displayed on the alert timeline view

[MadameSheema]

Describe the bug:
Enriched fields are not displayed on the alert timeline view

Kibana/Elasticsearch Stack version:
main (c6f491c)

Steps to reproduce:

1. Generate alerts for an indicator match rule using the filebeat threatintel module
2. Navigate to the alerts timeline view

Current behavior:

• On the field browser of the alerts timeline view only the threat.indicator.matched* fields are available
• Once those fields are selected we can see that there are no values displayed for them

• The fields mentioned above are not available on the alert details view

• The enriched fields available in the alerts details view are:

• Those fields are not available on the alerts timeline field browser

Expected behavior:

• The correct enriched fields are available to be selected on the fields browser
• Once selected the data is properly displayed on the timeline view

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[ecezalp]

https://github.com/elastic/security-team/issues/1984#issuecomment-970884580

[ecezalp]

@MadameSheema

the linked PR has been merged. Could you verify that the fix works? Happy to close the issue upon your confirmation.

[MadameSheema]

Hi @ecezalp!! I checked the issue, is fixed!! I'll add the fixed label. I prefer to keep the issue open so QASource can have it on their radar once the 8.0 first BC is ready. Let me know if that works for you.

I have created a PR in order to unskip the Displays enrichment matched.* fields on the timeline test, and I have added the new fields to it as well. Please, take a look at the PR when you have the chance.

Thanks!! :)

[MadameSheema]

@deepikakeshav-qasource can you please validate this on the latest 8.0.0 snapshot? Thanks!

[ghost]

Hi @MadameSheema ,

We have validated this issue on latest 8.0.0 SNAPSHOT. Please find the below observations:

Build Details:

Version: 8.0.0-SNAPSHOT
Commit: 9087e164c6890aa9b3a4ae61746753fabdfb27d2
Build:48894

• threat.enrichments.matched fields are displayed in the alerts details view under table tab.

Screenshot:

• threat.enrichments.matched fields are displayed on the fields browser

Screenshot:

• Data is displayed in threat.enrichments.matched fields after added in alerts table

Screenshot:

• threat.indicator.matched fields are not displayed in the alerts details view under table tab.

Screenshot:

• threat.indicator.matched fields are not displayed on the fields browser

Screenshot:

Please let us know if anything else is need to be test. else we are good to close this issue.

Thanks!!

[ecezalp]

thank you @deepikakeshav-qasource!

Observed behavior is expected. If an event is enriched in 7.16 it will have threat.indicator fields. if it is enriched in 8.0 it will have threat.enrichments fields. the most important part of this work is that the JavaScript error is no longer present with the CTI row renderer.

Are you able to verify that there are no javascript errors when a CTI event is viewed on timeline (with the CTI row renderer?) Once we have confirmation of that we should be good to close.

[MadameSheema]

@deepikakeshav-qasource can you please verify @ecezalp request on 8.0.0-rc1? Thanks!

[ghost]

Hi @MadameSheema and @ecezalp

We have validated this issue on 8.0.0-rc1 production and observed that no java script error is displayed.

Please find the below testing details:

Build Details:

Version: 8.0.0 rc1
Commit: 51f4ded427abb6fd96c7d65e179fb367d450448c
Build:48917

Screen record:

indicator.mp4

Please let us know if we are missing anything

Thanks!!