
[Security Solution] Adding rule exception from alerts tab is closing all the alerts which match the added exception from other rules also. #145675

Closed
sukhwindersingh-qasource opened this issue Nov 18, 2022 · 5 comments · Fixed by #145939
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Exceptions Security Solution Detection Rule Exceptions area impact:critical This issue should be addressed immediately due to a critical level of impact on the product. QA:Validated Issue has been validated by QA Team:Detections and Resp Security Detection Response Team Team:Security Solution Platform Security Solution Platform Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@sukhwindersingh-qasource

Describe the bug:
Adding a rule exception from the Alerts tab closes all alerts that match the added exception, including alerts raised by other rules.

Build Details:

VERSION: 8.6.0
BUILD: 58392
COMMIT: 50a7feb0a5eb068d3acccc49c83b9ccb6db6734f

Preconditions

  1. Kibana should be running.
  2. Generate alerts from all rules with the same query, i.e. `process.name : *`

Steps to Reproduce

  1. Navigate to Security
  2. Click on Alerts tab
  3. Click on the more options menu and select Add rule exception.
  4. Add a rule exception and check the option to close all alerts.

Actual Result
Adding a rule exception from the Alerts tab closes all alerts that match the added exception, including alerts raised by other rules.

Expected Result
Adding a rule exception from the Alerts tab should close only the alerts of that rule which match the added exception.

What's working
It works correctly when we add the exception from the rule details page.

Rules.-.Kibana.Mozilla.Firefox.2022-11-18.11-12-19.mp4

Screen-recording

Custom query rule

Alerts.-.Kibana.Mozilla.Firefox.2022-11-18.11-10-12.mp4

Threshold rule

Alerts.-.Kibana.Mozilla.Firefox.2022-11-18.11-08-31.mp4

Eql Rule

Alerts.-.Kibana.Mozilla.Firefox.2022-11-18.11-06-19.mp4
@sukhwindersingh-qasource sukhwindersingh-qasource added bug Fixes for quality problems that affect the customer experience triage_needed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Nov 18, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@sukhwindersingh-qasource (Author)

@karanverma-qasource Please review this bug.

@ghost ghost assigned MadameSheema and unassigned ghost Nov 18, 2022
@MadameSheema MadameSheema added impact:critical This issue should be addressed immediately due to a critical level of impact on the product. Team:Detections and Resp Security Detection Response Team and removed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. labels Nov 18, 2022
@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@MadameSheema MadameSheema added the Team:Security Solution Platform Security Solution Platform Team label Nov 18, 2022
@MadameSheema (Member)

@peluja1012 @dhurley14 can you please take a look at this issue? If the described behaviour is not expected, this might be a critical/blocker issue. Thanks!

@peluja1012 peluja1012 added Feature:Rule Exceptions Security Solution Detection Rule Exceptions area and removed triage_needed labels Nov 18, 2022
@nkhristinin nkhristinin assigned nkhristinin and unassigned dhurley14 Nov 21, 2022
nkhristinin added a commit that referenced this issue Nov 23, 2022

## Closing alerts from flyout affects only alerts related to this rule

Fix: #145675

For the exceptions component, we need to have `rule.rule_id`, which
wasn't initially in the timeline response.
We can't safely use `rule.id`; this is [described here](#120053).

Co-authored-by: Kibana Machine <[email protected]>
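The behaviour this commit fixes, as an added illustration that is not Kibana's code: a bulk "close alerts" built only from the exception entries closes matching alerts from every rule, while scoping the selection to the originating rule's static `rule_id` limits it to that rule. The alert document shape (`rule.rule_id`, `process.name`) and the sample alerts are constructed for the example.

```typescript
// Added illustration, not Kibana's code. The alert shape below is assumed:
// rule.rule_id is the rule's static id (not the saved-object id).
interface Alert {
  id: string;
  status: "open" | "closed";
  rule: { rule_id: string; name: string };
  process: { name: string };
}
interface ExceptionEntry { field: string; value: string }

// Constructed sample: three rules of different types share the query
// process.name : *, so all three alert on the same process; a4 is unrelated.
const sampleAlerts: Alert[] = [
  { id: "a1", status: "open", rule: { rule_id: "custom-query-rule", name: "Custom query rule" }, process: { name: "notepad.exe" } },
  { id: "a2", status: "open", rule: { rule_id: "threshold-rule", name: "Threshold rule" }, process: { name: "notepad.exe" } },
  { id: "a3", status: "open", rule: { rule_id: "eql-rule", name: "EQL rule" }, process: { name: "notepad.exe" } },
  { id: "a4", status: "open", rule: { rule_id: "custom-query-rule", name: "Custom query rule" }, process: { name: "calc.exe" } },
];

// Resolve a dotted field path such as "process.name" against an alert.
function getField(alert: Alert, path: string): unknown {
  return path.split(".").reduce<unknown>((obj, key) =>
    typeof obj === "object" && obj !== null ? (obj as Record<string, unknown>)[key] : undefined, alert);
}

// An exception item matches when every entry (field equals value) holds.
function matchesException(alert: Alert, entries: ExceptionEntry[]): boolean {
  return entries.every((e) => getField(alert, e.field) === e.value);
}

// Reported bug: the close set is built from the exception entries alone,
// so open alerts raised by *other* rules are closed too.
function selectAlertsToCloseUnscoped(alerts: Alert[], entries: ExceptionEntry[]): string[] {
  return alerts.filter((a) => a.status === "open" && matchesException(a, entries)).map((a) => a.id);
}

// Fixed: additionally require the alert to belong to the rule the exception
// was added to, keyed by its static rule_id.
function selectAlertsToCloseScoped(alerts: Alert[], entries: ExceptionEntry[], ruleId: string): string[] {
  return alerts
    .filter((a) => a.status === "open" && a.rule.rule_id === ruleId && matchesException(a, entries))
    .map((a) => a.id);
}

// Check after a bulk close from one rule's flyout: the closed alerts should
// carry exactly one rule_id; more than one means the scoping is missing.
function ruleIdsTouched(alerts: Alert[], closedIds: string[]): string[] {
  const closed = new Set(closedIds);
  const ids = new Set(alerts.filter((a) => closed.has(a.id)).map((a) => a.rule.rule_id));
  return Array.from(ids).sort();
}

const notepadException: ExceptionEntry[] = [{ field: "process.name", value: "notepad.exe" }];
console.log(selectAlertsToCloseUnscoped(sampleAlerts, notepadException), selectAlertsToCloseScoped(sampleAlerts, notepadException, "custom-query-rule"));
```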
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Nov 23, 2022
(cherry picked from commit 6102f0e)
kibanamachine referenced this issue Nov 23, 2022
# Backport

This will backport the following commits from `main` to `8.6`:
- [Fix close alerts from flyout (#145939)](#145939)


### Questions?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)


Co-authored-by: Khristinin Nikita <[email protected]>
@sukhwindersingh-qasource (Author)

Hi @MadameSheema

We have validated this issue on the 8.6.0 BC4 build and observed that the issue is fixed. ✔️

Please find the testing details below:

Build info

VERSION: 8.6.0
BUILD: 58612
COMMIT: 218162f282314db5b3833c84752dd24395949b3f

Screen recording

Alerts.-.Kibana.Mozilla.Firefox.2022-11-30.15-24-50.mp4

Hence, we are marking this issue as QA Validated!!

Thanks!!

@sukhwindersingh-qasource sukhwindersingh-qasource added the QA:Validated Issue has been validated by QA label Nov 30, 2022