
[Security Solution] Unresponsive page when investigating in timeline related alerts by process ancestry #141949

Closed
MadameSheema opened this issue Sep 27, 2022 · 5 comments
Labels: bug (Fixes for quality problems that affect the customer experience), fixed, impact:medium (Addressing this issue will have a medium level of impact on the quality/strength of our product), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:Threat Hunting:Investigations (Security Solution Investigations Team), Team:Threat Hunting (Security Solution Threat Hunting Team), v8.5.0

Comments

@MadameSheema (Member)

Describe the bug:

  • An unresponsive page is faced when investigating in timeline alerts related by process ancestry, when there are lots of related alerts.

Kibana/Elasticsearch Stack version:

  • 8.5.0 BC1

Browser and Browser OS versions:

  • Chrome 105.0.5195.125

Original install method:

  • Cloud

Initial setup:

  • To have a big amount of alerts related by process ancestry.
  • This issue was found for a rule with 305 alerts related by process ancestry

Steps to reproduce:

  1. Navigate to the alerts page
  2. View the alerts details of one of the above mentioned alerts
  3. Expand the related alerts by process ancestry dropdown
  4. Click on Investigate in timeline button

Current behavior:

[Screenshot 2022-09-27 at 16:03:58]

  • There is nothing on the page indicating to the user that the timeline is being opened
  • The page arrives at an unresponsive state
  • It takes a lot of time for the timeline to be opened
  • Once the timeline is opened, it takes time to be fully loaded
  • It is not easy to interact with it due to the slowness of the page and because, due to the number of filters, just 2 alerts are displayed on the screen (MacBook Pro 15-inch screen)

[Screenshot 2022-09-27 at 16:19:11]

Expected behavior:

  • The timeline does not take a long time to be loaded
    OR/AND
  • A message is displayed warning the user that the task will take longer than expected to be performed
  • A loading icon is displayed to inform the user that something is happening
  • Once the timeline is opened, the interaction with it is smooth
@MadameSheema MadameSheema added bug Fixes for quality problems that affect the customer experience triage_needed Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team labels Sep 27, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@michaelolo24 michaelolo24 added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed triage_needed labels Sep 27, 2022
@michaelolo24 (Contributor) commented Oct 5, 2022

While we're not sure the frequency at which users will hit related ancestry alerts > 100, it still should be accounted for. After discussing with the team, we're currently considering a few options to improve the performance of this experience.

  1. Implement the changes introduced by @jamster10 here: [Security Solution] Add is one of operator for usage with DataProvider's QueryMatch value. #142436, which will allow us to group the ids within a single filter, greatly improving the UI experience.
  2. We arbitrarily limit the number of alerts you can investigate in timeline (i.e. 50), until a more performant fix can be introduced
  3. @kqualters-elastic is also investigating a potential solution involving using the query bar filters in place of the data providers.
  4. We apply a technical preview label or similar to the feature until the following release.

@paulewing thoughts?
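To make options 1 and 2 above concrete, here is an added example (not Kibana code, and not from any of the people in this thread) that builds the alert-id part of a timeline query in two ways: one clause per related alert, as the original behaviour effectively did, or a single grouped "is one of" style clause, with an optional hard cap that also produces a notice the UI could show. The query shape (`bool`/`should` with `match_phrase` versus a single `terms` clause on `_id`), the function names and the cap value are all assumptions made for the example; the 305-alert sample set mirrors the count in the report but is constructed.

```javascript
// Added example, not Kibana's own code. Assumed query shapes:
//   per-id  : one match_phrase clause per alert id (what the timeline
//             rendered as one data provider per related alert)
//   grouped : one terms clause carrying every id ("is one of" semantics)
// The field name `_id` is an assumption for illustration.

function perIdClauses(alertIds) {
  // N separate clauses, OR'd together by the enclosing bool/should
  return alertIds.map((id) => ({ match_phrase: { _id: id } }));
}

function groupedClause(alertIds) {
  // A single clause: the id list travels as one filter
  return [{ terms: { _id: alertIds } }];
}

// Build the query plus metadata the UI can act on (clause count, truncation).
// `limit` models option 2 from the thread: cap the number of investigated alerts.
function buildTimelineQuery(alertIds, { grouped = true, limit = Infinity } = {}) {
  const unique = [...new Set(alertIds)];           // drop duplicate ids
  const truncated = unique.length > limit;
  const selected = truncated ? unique.slice(0, limit) : unique;
  const clauses = grouped ? groupedClause(selected) : perIdClauses(selected);
  return {
    query: { bool: { should: clauses, minimum_should_match: 1 } },
    clauseCount: clauses.length,
    alertCount: selected.length,
    truncated,
    // Message the UI can surface when the cap is hit (option 2 / expected behaviour)
    notice: truncated
      ? `Showing ${selected.length} of ${unique.length} related alerts`
      : null,
  };
}

// Constructed sample: 305 related alerts, the count from the original report.
const sampleIds = Array.from({ length: 305 }, (_, i) => `alert-${i}`);

const naive = buildTimelineQuery(sampleIds, { grouped: false });
const groupedQuery = buildTimelineQuery(sampleIds, { grouped: true });
const capped = buildTimelineQuery(sampleIds, { grouped: false, limit: 50 });
console.log(naive.clauseCount, groupedQuery.clauseCount, capped.notice);
```

Running it shows the point of option 1: the same 305 alerts produce 305 clauses one way and a single clause the other, which is what shrinks the filter bar and the request the timeline has to render. The `truncated`/`notice` fields show how option 2 can be applied without silently dropping alerts.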

@michaelolo24 (Contributor)

Also linking this: #142805

Both #3 and #4 were able to be implemented.

@MadameSheema can we close this issue for now since it's no longer blocking the page?

@MadameSheema (Member, Author)

Sure!! It was tested and is working fine :)
