
[Security Solution] The Windows 11 is showing as Windows 10 under Hosts tab #122205

Closed
muskangulati-qasource opened this issue Jan 3, 2022 · 15 comments
Labels: bug (Fixes for quality problems that affect the customer experience), fixed, impact:medium (Addressing this issue will have a medium level of impact on the quality/strength of our product), QA:Validated (Issue has been validated by QA), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:Threat Hunting:Explore, v8.0.0, v8.0.1

Comments

@muskangulati-qasource

Description:
The Windows 11 is showing as Windows 10 under Hosts tab

Build Details:

Kibana version: 8.0.0 SNAPSHOT
Build: 48889
Commit: bacb608a62bbea2b732c5e704c450a1b40c66bc1
Artifact page: https://artifacts-api.elastic.co/v1/search/8.0.0-SNAPSHOT

Browser Details:
All

Preconditions:

  1. Kibana user should be logged in.
  2. A Windows 11 host should be enrolled and reporting to Kibana

Steps to Reproduce:

  1. Navigate to the Host tab under the Security section from the left hand side navigation
  2. Observe the version for the Windows 11

Impacted Test case:
N/A

Actual Result:
The Windows 11 is showing as Windows 10 under Hosts tab

Expected Result:
The correct OS version should show up under Host tab for all the OSes

What's working:
N/A

What's not working:
N/A

Screen Recording:

Windows.issue.for.v11.mp4

Logs:
N/A

@muskangulati-qasource muskangulati-qasource added bug Fixes for quality problems that affect the customer experience triage_needed v8.0.0 impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Jan 3, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@muskangulati-qasource
Author

@manishgupta-qasource please review!!

@manishgupta-qasource

Reviewed & assigned to @stephmilovic

@semd
Contributor

semd commented Jan 11, 2022

Hello, I checked the problem using the environment in which the issue was detected (thanks @muskangulati-qasource for that) and I found that this is caused by having more than one set of OS data for the same host name. You can check that by executing this OS aggregation in the Dev Tools:

os aggregation

```json
{
  "aggregations": {
    "host_count": {
      "cardinality": {
        "field": "host.name"
      }
    },
    "host_data": {
      "terms": {
        "size": 10,
        "field": "host.os.name",
        "order": {
          "lastSeen": "desc"
        }
      },
      "aggs": {
        "lastSeen": {
          "max": {
            "field": "@timestamp"
          }
        },
        "os": {
          "top_hits": {
            "size": 1,
            "sort": [
              {
                "@timestamp": {
                  "order": "desc"
                }
              }
            ],
            "_source": {
              "includes": [
                "host.os.*"
              ]
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "2022-01-10T23:00:00.000Z",
              "lte": "2022-01-11T22:59:59.999Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0
}
```
response

```json
"hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "host_data" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "Windows 10 Pro",
          "doc_count" : 27314,
          "lastSeen" : {
            "value" : 1.641915386605E12,
            "value_as_string" : "2022-01-11T15:36:26.605Z"
          },
          "os" : {
            "hits" : {
              "total" : {
                "value" : 27314,
                "relation" : "eq"
              },
              "max_score" : null,
              "hits" : [
                {
                  "_index" : ".ds-logs-elastic_agent.metricbeat-default-2022.01.11-000001",
                  "_id" : "Ws7ISX4BrlxMNKBinfm-",
                  "_score" : null,
                  "_source" : {
                    "host" : {
                      "os" : {
                        "build" : "22000.376",
                        "kernel" : "10.0.22000.376 (WinBuild.160101.0800)",
                        "name" : "Windows 10 Pro",
                        "type" : "windows",
                        "family" : "windows",
                        "version" : "10.0",
                        "platform" : "windows"
                      }
                    }
                  },
                  "sort" : [
                    1641915386605
                  ]
                }
              ]
            }
          }
        },
        {
          "key" : "Windows",
          "doc_count" : 915,
          "lastSeen" : {
            "value" : 1.641897771649E12,
            "value_as_string" : "2022-01-11T10:42:51.649Z"
          },
          "os" : {
            "hits" : {
              "total" : {
                "value" : 915,
                "relation" : "eq"
              },
              "max_score" : null,
              "hits" : [
                {
                  "_index" : ".ds-logs-endpoint.alerts-default-2022.01.11-000001",
                  "_id" : "N8y7SH4B_Mj9nBGgyLQK",
                  "_score" : null,
                  "_source" : {
                    "host" : {
                      "os" : {
                        "Ext" : {
                          "variant" : "Windows 11 Pro"
                        },
                        "kernel" : "21H2 (10.0.22000.376)",
                        "name" : "Windows",
                        "family" : "windows",
                        "type" : "windows",
                        "version" : "21H2 (10.0.22000.376)",
                        "platform" : "windows",
                        "full" : "Windows 11 Pro 21H2 (10.0.22000.376)"
                      }
                    }
                  },
                  "sort" : [
                    1641897771649
                  ]
                }
              ]
            }
          }
        }
      ]
    },
    "host_count" : {
      "value" : 1
    }
  }
}
```

As you can see, there is only one host name, with two different OS results.
The aggregation that the "All Hosts" table does is very similar, but it aggregates by host.name and takes only one OS item, the "lastSeen" one according to the query sorting (Windows 10).
This is not the case for the Endpoint detail view, which performs a bool query by agent.id against another index, and there the OS result is always the same (Windows 11).
I am not sure which would be the best fix for this problem; maybe show both? Or is it even correct to have different OS data for the same host name? Maybe this is more a host name configuration problem than a visualization one.
Any ideas? @stephmilovic
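The two ways of reading the data that the comment above contrasts, "latest document wins" (what the All Hosts table does) versus collecting every distinct OS description seen for a host name, as an added Python example. This is not code from the issue or from the Kibana code base; the documents are constructed to mirror the two hits in the response above (one metricbeat document, one endpoint alert), and the host names `win-host` and `other-host` are placeholders.

```python
from collections import defaultdict

# Constructed sample documents modelled on the two hits in the response above.
# Both describe the same physical machine (same kernel build 22000.376), but the
# metricbeat document reports host.os.name "Windows 10 Pro" while the endpoint
# alert document carries "Windows 11 Pro" in host.os.full / host.os.Ext.variant.
DOCS = [
    {"@timestamp": 1641915386605, "host": {"name": "win-host", "os": {
        "name": "Windows 10 Pro", "version": "10.0",
        "kernel": "10.0.22000.376 (WinBuild.160101.0800)"}}},
    {"@timestamp": 1641897771649, "host": {"name": "win-host", "os": {
        "name": "Windows", "version": "21H2 (10.0.22000.376)",
        "kernel": "21H2 (10.0.22000.376)",
        "full": "Windows 11 Pro 21H2 (10.0.22000.376)",
        "Ext": {"variant": "Windows 11 Pro"}}}},
    # An unrelated host with a single, consistent OS record (constructed).
    {"@timestamp": 1641900000000, "host": {"name": "other-host", "os": {
        "name": "Ubuntu", "version": "20.04", "kernel": "5.4.0"}}},
]


def latest_os_per_host(docs):
    """Mimic the All Hosts table: bucket by host.name, keep the single newest
    document (top_hits size 1 sorted by @timestamp desc) and read its OS name."""
    latest = {}
    for doc in docs:
        name = doc["host"]["name"]
        if name not in latest or doc["@timestamp"] > latest[name]["@timestamp"]:
            latest[name] = doc
    return {name: doc["host"]["os"]["name"] for name, doc in latest.items()}


def all_os_per_host(docs):
    """Alternative view: every distinct OS label seen per host name, newest
    first. host.os.full is preferred as the label when present because it is
    the most specific field the endpoint alert document carries."""
    seen = defaultdict(dict)  # host name -> {label: first timestamp seen}
    for doc in sorted(docs, key=lambda d: d["@timestamp"], reverse=True):
        os_info = doc["host"]["os"]
        label = os_info.get("full") or os_info["name"]
        seen[doc["host"]["name"]].setdefault(label, doc["@timestamp"])
    return {name: list(labels) for name, labels in seen.items()}


def conflicting_hosts(docs):
    """Host names whose documents disagree about the OS, i.e. the cases where
    a latest-wins display silently hides one of the sources."""
    return sorted(name for name, labels in all_os_per_host(docs).items()
                  if len(labels) > 1)


if __name__ == "__main__":
    print("latest-wins:", latest_os_per_host(DOCS))
    print("all values: ", all_os_per_host(DOCS))
    print("conflicts:  ", conflicting_hosts(DOCS))
```

Run against the constructed documents, the latest-wins view reports `win-host` as "Windows 10 Pro" (the newer metricbeat document), exactly the behaviour the issue describes, while the all-values view surfaces both descriptions and `conflicting_hosts` flags the host. For inventory or detection work it is the conflict list that matters: a host whose sources disagree about its OS is one where version-based rules and patch tracking may be keyed off the wrong value.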

@MadameSheema
Member

@muskangulati-qasource can you please validate this on 8.0-rc2 BC2? Thanks!

@semd
Contributor

semd commented Jan 26, 2022

@muskangulati-qasource We decided that for now we will just show a message saying that the OS data shown is the last we have observed; this change is already merged and backported. This will give the user some information about what is going on.
Also, we are going to investigate how to show all the OS data we have for each host name.
cc @paulewing

@MadameSheema
Member

@muskangulati-qasource can you please validate this on latest 8.0-rc2 BC? Thanks

@muskangulati-qasource
Author

muskangulati-qasource commented Feb 1, 2022

Hi @MadameSheema,

We are unable to deploy the 8.0.0 RC2 BC4 build from any cloud site. However, we tested on BC3 for 8.0.0 RC2 and found that the issue is occurring there.

Build Details

Kibana version: 8.0.0 RC2 BC3
Build: 49180
Commit: 8f8b91e8ce3b58e28e25caa5c5540ba6c4cc348e
Artifact page: https://staging.elastic.co/8.0.0-rc2-59ed50db/summary-8.0.0-rc2.html

Screenshot
image

So once we are unblocked to deploy the environment, we will test this ticket again.

Thanks!

@semd
Contributor

semd commented Feb 1, 2022

Hello @muskangulati-qasource ,

As mentioned above, for now we have just added a tooltip in the OS header to help the user understand what we are showing.

os_tooltip

@muskangulati-qasource
Author

Hi @MadameSheema,

Thank you @semd for the clarification and sorry for the confusion!

We tested this ticket and found that the issue is fixed on 8.0.0 RC2-BC4, but no tooltip was found on the 8.1.0-SNAPSHOT build. Please find the testing details below:

Build Details:

Kibana Version: 8.0.0 RC2 BC4
Build: 49192
Commit: 57ca5e139a33dd2eed927ce98d8231a1f217cd15
Artifacts link: https://staging.elastic.co/8.0.0-rc2-27a50a27/summary-8.0.0-rc2.html

Kibana Version: 8.1.0-SNAPSHOT
Build: 49753
Commit: ab5741ff78bfbf7a9df6a664c741278f21582ea7
Artifacts link: https://artifacts-api.elastic.co/v1/search/8.1.0-SNAPSHOT

Screenshots:

  • 8.0.0 RC2 BC4 🟢
    8 0rc

  • 8.1.0-SNAPSHOT 🔴
    8 1

Please let us know if anything is missing from our end.

Thanks!

@MadameSheema
Member

@semd can you please take a look at the above?

@semd
Contributor

semd commented Feb 3, 2022

Hi @muskangulati-qasource, that's weird; the code is in main, it was merged 10 days ago. I can see the tooltip. Are you sure it is the correct version?

@MadameSheema
Member

@muskangulati-qasource can you please double check on the first 8.1.0 BC? Thanks :)

@muskangulati-qasource
Author

Hi @semd,

We have validated this issue on 8.1.0 BC1 and observed that the issue is fixed.

Please find the testing details below:

Build Details:

Version: 8.1.0 BC1
Build: 50114
Commit: 47a2516a0cf6c227f0cb180e9a085d7d99c77d12
Artifacts: https://staging.elastic.co/8.1.0-3c27bc9c/summary-8.1.0.html

Screenshot:
8 1HostTan

Hence, we are closing this issue and marking it as 'QA Validated'.

Thanks!!

@muskangulati-qasource muskangulati-qasource added the QA:Validated Issue has been validated by QA label Feb 4, 2022
@muskangulati-qasource
Author

muskangulati-qasource commented Feb 22, 2022

Hi @MadameSheema

We have validated this issue on 8.0.1 BC1 and found it still fixed. ✔️

Please find below the testing details:

Build Details:

Version: 8.0.1
Commit: f4b44d7eb7355c9d1e38d9f2dc753b3fe10c601c
Build: 49342

Screenshot:
image

Thanks!!
