
[SIEM] [Detections] Stale data in Rules/Monitoring table implies Rule isn't running #63865

Closed
spong opened this issue Apr 17, 2020 · 2 comments · Fixed by #82062
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine fixed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM UX v7.11.0

Comments

@spong
Member

spong commented Apr 17, 2020

In testing the latest rules for 7.7 there was confusion around if a rule was running at its configured interval as when the page/table is not refreshed, the Last run column will continue to update since it's being rendered as a relative date. This update seems to convey to the user that the page is refreshing data when it is not. Because of this, when the Last run time exceeds the interval that the rule runs at, it may seem to the user that the rule is failing to run or is stuck.

For example, the rules in the two tables below are configured to run every 10 minutes, but since the page hadn't been refreshed the last run dates are stale and are showing 18 minutes. This doesn't seem to be an issue on Rule Details as we don't use relative dates there and have a refresh button right next to the Last response value indicating the user must update this manually.

Possible solutions:

  • Provide a Last updated at: label somewhere on the tables to show the user the last time their view has been updated
  • After the Last run relative date has exceeded the Rule's run interval we switch back to just displaying the exact date as opposed to the relative date
  • Don't show relative dates at all (less useful to the user)
  • Provide an auto-refresh feature to ensure the data isn't stale (nice to bundle with adding a Last updated at)
    • This solves the issue full sail, but we'll need to make sure that all configuration to the table (rules per page, sorting, search query, selected groups) remains such that the user's desired view stays the same between refreshes
All Rules table

Monitoring table

Rule Details

cc @elastic/security-intelligence-analytics
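The two table-side fixes proposed above (switching from a relative date to the exact timestamp once the last run is older than the rule interval, and a "Last updated at" label that records when the view was actually fetched) can be sketched as pure functions. This is an added illustration, not Kibana's code; the `<n><unit>` interval format, the function names and the constructed sample timestamps are assumptions.

```typescript
// Added example, not Kibana's own code: rendering a rules table's "Last run"
// cell so that a page which has not been refetched cannot look like it is live.

interface LastRunCell {
  text: string;     // what to put in the table cell
  overdue: boolean; // true when no run has been reported within one interval
}

// Parse an interval string in the "<n><unit>" form ("10m", "30s", "1h", "1d").
// The format is assumed for this example, not taken from the issue.
function intervalToMs(interval: string): number {
  const match = /^(\d+)(s|m|h|d)$/.exec(interval.trim());
  if (match === null) {
    throw new Error(`unsupported interval: ${interval}`);
  }
  const unitMs: Record<string, number> = { s: 1_000, m: 60_000, h: 3_600_000, d: 86_400_000 };
  return Number(match[1]) * unitMs[match[2]];
}

// Coarse relative wording; enough to show the switch-over behaviour.
function relativeText(ageMs: number): string {
  const minutes = Math.floor(ageMs / 60_000);
  if (minutes < 1) return 'less than a minute ago';
  if (minutes < 60) return `${minutes} minute${minutes === 1 ? '' : 's'} ago`;
  const hours = Math.floor(minutes / 60);
  return `${hours} hour${hours === 1 ? '' : 's'} ago`;
}

// Second proposal from the issue: show a relative date only while the last run
// is within the rule's interval. Once it is older than that, show the exact
// timestamp so a ticking "18 minutes ago" cannot be mistaken for live data.
function renderLastRun(lastRunAt: Date, interval: string, now: Date): LastRunCell {
  const ageMs = now.getTime() - lastRunAt.getTime();
  if (ageMs <= intervalToMs(interval)) {
    return { text: relativeText(ageMs), overdue: false };
  }
  return { text: lastRunAt.toISOString(), overdue: true };
}

// First proposal from the issue: a "Last updated at" label tied to the moment
// the table data was fetched, independent of the wall clock.
function lastUpdatedLabel(fetchedAt: Date): string {
  return `Last updated at: ${fetchedAt.toISOString()}`;
}

// Whether the view itself is older than the rule interval, i.e. every row may
// be stale regardless of what an individual cell shows.
function viewIsStale(fetchedAt: Date, interval: string, now: Date): boolean {
  return now.getTime() - fetchedAt.getTime() > intervalToMs(interval);
}

// Constructed sample: a rule on a 10-minute interval whose table was fetched at
// 12:00 (last run 11:58) and then left open until 12:16 without a refetch.
const sampleLastRun = new Date('2020-04-17T11:58:00Z');
const sampleFetchedAt = new Date('2020-04-17T12:00:00Z');
const sampleNow = new Date('2020-04-17T12:16:00Z');

console.log(lastUpdatedLabel(sampleFetchedAt));
console.log(renderLastRun(sampleLastRun, '10m', sampleFetchedAt)); // relative: fresh
console.log(renderLastRun(sampleLastRun, '10m', sampleNow));       // exact date: overdue
console.log(viewIsStale(sampleFetchedAt, '10m', sampleNow));       // true
```

With the sample dates, the cell reads "2 minutes ago" at fetch time but flips to the exact `2020-04-17T11:58:00.000Z` once 16 minutes of wall-clock time have passed without a refetch, and `viewIsStale` can drive a visual hint next to the "Last updated at" label to prompt a refresh.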

@spong spong added bug Fixes for quality problems that affect the customer experience Team:SIEM UX Feature:Detection Rules Security Solution rules and Detection Engine labels Apr 17, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@spong
Member Author

spong commented Jun 25, 2020

@MadameSheema this is still relevant as of the latest 7.9.0-snapshot and should be prioritized as a usability enhancement as this behavior is misleading to the user.

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
yctercero added a commit that referenced this issue Nov 6, 2020
…ables (#82062)

## Summary

This PR addresses #63865 . Please read the issue for more detail, but essentially, stale data on the tables and use of relative date format leads to confusion as to whether the table was auto refreshing or not.
yctercero added a commit to yctercero/kibana that referenced this issue Nov 6, 2020
…ables (elastic#82062)
yctercero added a commit that referenced this issue Nov 7, 2020
…ables (#82062) (#82890)
@peluja1012 peluja1012 reopened this Nov 9, 2020