[Security Solution] Timeline fails to show hits for docs missing chosen sort by fields

[dainperkins]

ESS - 8.1.0, Chrome V100, FF 98.0.2

Describe the bug:
Timeline fails to show docs when those docs are missing selected sorting fields

Steps to reproduce:

1. Create Timeline
2. add search to populate timeline with docs missing e.g. event.action (apm data works well)
3. Sort on event.action

Expected behavior:
show docs even if missing sort field

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):
timeline response.json.zip

Any additional context:
https://observe-aws.prod-3.eden.elastic.dev/app/security/timelines/default?sourcerer=(default:(id:security-solution-default,selectedPatterns:!(%27apm-*-transaction*%27,%27filebeat-*%27,%27logs-*%27,%27packetbeat-*%27,%27traces-apm*%27)))&timerange=(global:(linkTo:!(),timerange:(from:%272022-04-06T04:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272022-04-07T03:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(),timerange:(from:%272022-04-01T20:00:00.000Z%27,kind:absolute,to:%272022-04-01T22:00:00.000Z%27)))&timeline=(activeTab:query,graphEventId:%27%27,id:dd6c1ef0-b5a3-11ec-aaa2-efdbe68cf756,isOpen:!t)

remove sort on event.action and timeline populates.

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[andrew-goldstein]

Summary

@dainperkins the team is closing this issue (with no changes), but per the details below, there's a separate issue for addressing scenarios where Elasticsearch "fails open", returning a 200 OK status when partial results are returned due to:

• shard failures
• network partitions
• any other scenario where Elasticsearch is capable of returning partial results

Details

• There are no issues with sorting itself, or with the request being made to Elasticsearch
• An error toaster is not being displayed, because Elasticsearch is returning a 200 OK status
• In this environment:

1. There are shard failures specific to this environment, per the timeline response.json.zip attached in the description above:

{
  "took": 704,
  "timed_out": false,
  "_shards": {
    "total": 267,
    "successful": 252,
    "skipped": 241,
    "failed": 15,
    "failures": [
      {
        "shard": 0,
        "index": ".ds-logs-apm.error-default-2022.03.30-000002",
        "node": "VRram2piQculIj5bRgf--w",
        "reason": {
          "type": "illegal_argument_exception",
          "reason": "No mapper found for type [string]"
        }
      },
      {
        "shard": 0,
        "index": ".ds-logs-elastic_agent-default-2022.04.01-000176",
        "node": "VRram2piQculIj5bRgf--w",
        "reason": {
          "type": "illegal_argument_exception",
          "reason": "No mapper found for type [string]"
        }
      },
   ...

The failures in the attached zip are also displayed in the Response tab when the query is inspected in that environment, per the screenshot below:

2. The response from Elasticsearch has a 200 OK status, but (in this environment) it happened to have 0 hits:

  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  },

The 200 status above indicates that Elasticsearch was capable of returning partial results from non-failing shards, but they happened to not have the data being searched for.

There's no error toaster in this scenario, because Elasticsearch "failed open" and returned a 200 OK status, but there should be an indicator that partial results are returned. This makes sense anywhere in the UI where partial results are returned, including Timeline.

To that end, there's an open UX issue for displaying an indicator whenever partial results are displayed for all queries, including Timeline, here: https://github.com/elastic/security-team/issues/1244

[dainperkins]

Excellent - that definitely addresses the issue based on the dev-tools runs of the various tests I had been using from the timeline queries

[andrew-goldstein]

To ensure the shard failures described in this issue are reproducible when verifying the fix, please prepare the environment by executing the following steps:

1. Open Kibana Dev tools

2. Execute the following query to delete any exiting logs-ti_test index:

DELETE logs-ti_test

3. Execute the following query to create an index named logs-ti_test, which has the following properties:

• Dynamic mappings are disabled via "dynamic": false
• It does NOT contain a mapping for event.action (we will sort by this field in later steps)
• It contains a mapping for the non-ECS testing field

PUT logs-ti_test
{
  "mappings": {
    "dynamic": false,
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "event": {
        "properties": {
          "category": {
            "type": "keyword"
          },
          "dataset": {
            "type": "keyword"
          },
          "kind": {
            "type": "keyword"
          },
          "type": {
            "type": "keyword"
          }
        }
      },
      "host": {
        "properties": {
          "name": {
            "type": "keyword"
          }
        }
      },
      "testing": {
        "type": "keyword",
        "ignore_above": 1024
      },
      "threat": {
        "properties": {
          "indicator": {
            "properties": {
              "file": {
                "properties": {
                  "hash": {
                    "properties": {
                      "md5": {
                        "type": "keyword"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

4. Execute the following query to add a new document to the logs-ti_test index, and note that:

• It does NOT contain a event.action field
• It contains a value for the non-ECS testing field

POST logs-ti_test/_doc/
{
  "@timestamp": "2022-05-12T00:00:14.725Z",
  "host": {
    "name": "foozle"
  },
  "threat": {
    "indicator": {
      "file": {
        "hash": {
          "md5": "a4f87cbcd2a4241da77b6bf0c5d9e8553fec991f"
        }
      }
    }
  },
  "event": {
    "kind": "enrichment",
    "type": "indicator",
    "dataset": "ti_*",
    "category": "threat"
  },
  "testing": "simulated threat intel data"
}

5. Navigate to the Security > Hosts page

6. Select Last 1 year from the date picker

7. Click the Events tab

8. Enter the following KQL query in the search bar at the top of the page:

host.name: foozle

9. Hover over the foozle entry in the host.name column in the Events table, and click the Add to timeline investigation cell action

10. Open the timeline

11. Hover over the event.action field

Expected result

• The tooltip displays type keyword for the event.action field

Actual result

• The tooltip displays type string for the event.action field

12. Click the event.action column to add a secondary sort

Expected result

• The table is sorted by @timestamp and event.action
• The table contents are (still) visible

Actual result

• The table is sorted by @timestamp and event.action
• The contents of the table are now empty

13. Click the timeline's Inspect button

14. In the Inspect Timeline dialog, click the Request tab

15. Scroll down to the sort property of the request

Expected result

• The event.action field contains a "unmapped_type": "keyword" property, per the example below:

  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "number"
      }
    },
    {
      "event.action": {
        "order": "desc",
        "unmapped_type": "keyword"
      }
    }
  ],

Actual result

• The request's event.action field contains a "unmapped_type": "string" property, per the example below:

  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "number"
      }
    },
    {
      "event.action": {
        "order": "desc",
        "unmapped_type": "string"
      }
    }
  ],

16. In the Inspect Timeline dialog, click the Response tab

Expected result

• The response contains 0 failed shards / no failures

Actual result

• The response contains failures for the logs-ti_test index, with the following reason:

"reason": "No mapper found for type [string]"

per the example below:

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 4,
    "successful": 3,
    "skipped": 0,
    "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": "logs-ti_test",
        "node": "NCRcGeDqSlKQiuPWVFvMEg",
        "reason": {
          "type": "illegal_argument_exception",
          "reason": "No mapper found for type [string]"
        }
      }
    ]
  },

[andrew-goldstein]

Please test the fix for this issue in the following branches / releases:

• main / 8.3.0 [Security Solution] Fixes sorting issues related to unmapped fields #132190
• 8.2 / 8.2.1 [8.2] [Security Solution] Fixes sorting issues related to unmapped fields (#132190) #132357
• 7.17 / 7.17.4 [7.17] [Security Solution] Fixes sorting issues related to unmapped fields (#132190) #132369

[ghost]

Hi Team,

We have validated above issue on 8.2. branch and it's working fine ✅.

Build Details:

Branch: 8.2 branch
Commit : f788645c2363933eefac58a8a1569777eaa9b75f

Screenshots:

We will validate this issue on 7.17 branch and will share our observation as well

Thanks!

cc: @MadameSheema

[ghost]

Hi Team,

We have validated above issue on 8.2.1 BC1 build and found that it's still occurring 🔴. Looks like backport is not merged on 8.2.1 BC1

Below are the observations:

• The tooltip displays type string for the event.action field
• The contents of the table are now empty when the table is sorted by @timestamp and event.action
• The request's event.action field contains a "unmapped_type": "string" property
• The response contains failures for the logs-ti_test index, with the following reason:
  "reason": "No mapper found for type [string]"

Build info

Version: 8.2.1 BC1
Build: 52170
Commit: 88889128ccda6f7e13983b0087e9aaa183818473

Screenshots:

We will validate this issue on 7.17.4 and will share our observation as well.

Thanks!

[ghost]

Hi Team,

We have validated above issue on 8.2.1 BC2 Staging build and it's working fine ✅.

Below are the observations:

• The tooltip displays type keyword for the event.action field Pass
• The contents of the table are (still) visible when the table is sorted by @timestamp and event.action Pass
• The request's event.action field contains a "unmapped_type": "keyword" property Pass
• The response contains 0 failed shards / no failures Pass

Build info:

Version: 8.2.1 BC2
Build: 52192
Commit: d4427fadd63ee9face4438cb3a4e17aaec93afe4

Screenshots:

We will validate this issue on 7.17.4 and will share our observation as well.

Thanks!

[ghost]

Hi Team,

We have validated above issue on 7.17.4 build and it's working fine ✅.

Below are the observations:

• The tooltip displays type keyword for the event.action field Pass
• The contents of the table are (still) visible when the table is sorted by @timestamp and event.action Pass
• The request's event.action field contains a "unmapped_type": "keyword" property Pass
• The response contains 0 failed shards / no failures Pass

Build info:

Version: 7.17.4
Build: 46909
Commit: a408358a8fc5671f5eb7985678a1733684441b37

Screenshots:

Hence, marking this as QA Validated.

Thanks!