
[Bug] [Osquery] Policy search in Osquery Live Queries is restricted to top 10 Policies #166268

Closed
kevinlog opened this issue Sep 12, 2023 · 5 comments
Labels
bug Fixes for quality problems that affect the customer experience OLM Sprint QA:Validated Issue has been validated by QA Team:Defend Workflows “EDR Workflows” sub-team of Security Solution

Comments

@kevinlog (Contributor)

Kibana version:
8.10 and below, presumably

Describe the bug:
In Osquery Live queries, in the Agent selection dropdown, we are unable to search beyond the top 10 Agent Policies by Agent count. The dropdown will initially show 10 Policies. If we try to search for an 11th Agent Policy by typing a part of the name in the dropdown, we will be unable to find it.

Steps to reproduce:

  1. Create at least 11 Policies with Osquery assigned to Agents
  2. Go to Osquery "Live Query" and use the Agent selector dropdown
  3. Try to search for the 11th Policy which has the least amount of Agents assigned to it, see that you cannot find it

Expected behavior:
Using the string search in the Live Query component, we should be able to find any Policy with the Osquery Management integration and Agents assigned to it.

Screenshots (if relevant):

Any additional context:
It seems we addressed this issue partially with this PR: #151315

But we need to revisit.

@kevinlog kevinlog added bug Fixes for quality problems that affect the customer experience grooming Team:Defend Workflows “EDR Workflows” sub-team of Security Solution labels Sep 12, 2023
@elasticmachine (Contributor)

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

szwarckonrad added a commit that referenced this issue Sep 21, 2023
#166268

closes elastic/security-team#7676

Aggregations that return the policy list used for looking up the search term default to 10 results when no `size` param is passed. At this point, size is set to `2000`.

Before


https://github.com/elastic/kibana/assets/29123534/7571378e-e1e9-4aa9-a179-e17fe50c502e

After 


https://github.com/elastic/kibana/assets/29123534/56a395e1-f9a9-4cf9-90f8-07d4758b8136


Added callout informing user that no agents are available, copy provided
here - elastic/security-team#7676

![Screenshot 2023-09-21 at 11 31 24](https://github.com/elastic/kibana/assets/29123534/1c44db9b-5bc3-4737-8fed-ed4ff56e018b)
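As an added illustration (not Kibana's own code, and not part of the commit above) of the default the commit message describes: an Elasticsearch `terms` aggregation returns only its top 10 buckets by document count when `size` is omitted, so a name search over those buckets cannot find an 11th policy. The aggregation is simulated offline over constructed agent documents; the `policy_id`/`policy_name` field names and the `buildFleet` data are assumptions.

```typescript
// Added example, not Kibana's code: why a policy lookup built on an Elasticsearch
// `terms` aggregation misses the 11th policy unless `size` is passed explicitly.
interface AgentDoc { policy_id: string; policy_name: string; }
interface Bucket { key: string; doc_count: number; }

// Elasticsearch returns at most 10 buckets from a terms aggregation when `size` is omitted.
const ES_TERMS_DEFAULT_SIZE = 10;

// The aggregation request as a policy lookup might send it (field name is an assumption).
function buildPolicyAggregation(size?: number) {
  const terms: { field: string; size?: number } = { field: 'policy_id' };
  if (size !== undefined) terms.size = size; // the fix: pass an explicit size (2000 in the PR)
  return { size: 0, aggs: { policies: { terms } } };
}

// Offline stand-in for the terms aggregation: bucket by policy_id, order by doc_count
// descending (ties by key), keep only the top `size` buckets.
function termsAggregation(docs: AgentDoc[], size: number = ES_TERMS_DEFAULT_SIZE): Bucket[] {
  const counts = new Map<string, number>();
  for (const d of docs) counts.set(d.policy_id, (counts.get(d.policy_id) ?? 0) + 1);
  const buckets: Bucket[] = [];
  counts.forEach((doc_count, key) => buckets.push({ key, doc_count }));
  return buckets
    .sort((a, b) => b.doc_count - a.doc_count || a.key.localeCompare(b.key))
    .slice(0, size);
}

// Constructed fleet: policy-01 has 11 agents, policy-02 has 10, ..., policy-11 has 1.
function buildFleet(): AgentDoc[] {
  const docs: AgentDoc[] = [];
  for (let p = 1; p <= 11; p++) {
    const id = `policy-${String(p).padStart(2, '0')}`;
    for (let a = 0; a < 12 - p; a++) docs.push({ policy_id: id, policy_name: `Osquery ${id}` });
  }
  return docs;
}

// The dropdown search: match the typed term against the names of the policies that
// came back in the aggregation buckets. Returns the first match or undefined.
function lookupPolicy(docs: AgentDoc[], term: string, size?: number): string | undefined {
  const nameById = new Map<string, string>(docs.map((d): [string, string] => [d.policy_id, d.policy_name]));
  return termsAggregation(docs, size)
    .map((b) => nameById.get(b.key) ?? b.key)
    .find((name) => name.toLowerCase().includes(term.toLowerCase()));
}

console.log(lookupPolicy(buildFleet(), 'policy-11'));        // undefined: buckets cut off at 10
console.log(lookupPolicy(buildFleet(), 'policy-11', 2000));  // "Osquery policy-11"
```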
@szwarckonrad (Contributor)

szwarckonrad commented Sep 21, 2023

Merged with 8.10 backport

gergoabraham pushed a commit to gergoabraham/kibana that referenced this issue Sep 21, 2023
@szwarckonrad (Contributor)

8.10 Backport creation failed, awaiting #167024 to unblock CI

szwarckonrad added a commit that referenced this issue Sep 27, 2023
) (#166926)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[Defend Workflows][Osquery] New live query policy lookup (#166615)](#166615)


### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)


Co-authored-by: Kibana Machine <[email protected]>
@szwarckonrad (Contributor)

Backported, ready to be verified.

@szwarckonrad szwarckonrad added the QA:Ready for Testing Code is merged and ready for QA to validate label Sep 27, 2023
@arvindersingh-qasource

Hi @szwarckonrad

Thanks for the update.

We have tested this issue on the latest Kibana v8.13.0 and found that the issue is now fixed.

Please find the observations below:

Build Details

VERSION: 8.13.0
BUILD: 71815
COMMIT: c2fc8da128504d437897970d142efd4d06970c0b

Observations

  • User is able to search for an 11th Agent Policy by typing a part of the name in the dropdown
New.-.Live.queries.-.Osquery.-.Elastic.-.Google.Chrome.2024-02-28.13-18-24.mp4

Hence, we are closing this ticket as QA Approved.

Thanks.

@arvindersingh-qasource arvindersingh-qasource added QA:Validated Issue has been validated by QA and removed QA:Ready for Testing Code is merged and ready for QA to validate labels Feb 28, 2024