
[Security Solution][Sourcerer] Delay in Alerts Security Data View initialization after Alerts index is created #131427

Open
Tracked by #165878
spong opened this issue May 3, 2022 · 4 comments
Labels
8.4 candidate bug Fixes for quality problems that affect the customer experience Feature:Data Views Data Views code and UI - index patterns before 8.0 Feature:Detection Alerts Security Solution Detection Alerts Feature Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@spong
Member

spong commented May 3, 2022

First identified by @xcrzx over in #130072 (comment), it was noticed that there can be a delay between when Sourcerer initializes the Alert Security Data View and when the actual index is created, resulting in a few errors on the page and some features not working as expected until the Alert Security Data View is fully initialized. This is a by-product of the alerts index not being created until the first alert is detected/written, and Sourcerer not being synced with other network requests on the Rule Details page (and so you can refresh Alerts/Execution Logs without an active Sourcerer, resulting in errors).

To reproduce:

  • Start clean ES (from kibana root)

    yarn es snapshot --license trial -E xpack.security.authc.api_key.enabled=true -E path.data=$DEV_HOME/es-data -E path.repo=${DEV_HOME}/snapshots

  • Start kibana

    yarn kbn bootstrap && yarn start

  • Navigate to Security Solution and create a Rule
  • Notice error toasts
[Screenshot: error shown to user when Sourcerer can't initialize]

[Screenshot: Sourcerer uninitialized in UI]

[Screenshot: after a refresh once the alerts index is created, Sourcerer is initialized]

Expected behavior:

  • Suppress error shown when Sourcerer is uninitialized on Alerts/Rules Pages -- this isn't helpful to the user in this instance as they don't need to do anything to fix it, but rather just need to wait for their first alert to be created
    • Edit: This error actually is useful as it tells the user to refresh, but in this instance refreshing before an alert is made will not resolve the issue, so may want to just adjust copy here.
  • Attempt to refresh Sourcerer state if uninitialized when /api/detection_engine/index is updated on the page or before other dependent requests are made. I.e., ensure subsequent calls to get alerts/execution logs/etc also trigger a re-initialization of Sourcerer so they aren't in a bad state.
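A sketch of the guarded re-initialization described under expected behavior, added here as an illustrative example and not code from Kibana or the Sourcerer implementation. The index status object, the class and method names, and the sample index name are all hypothetical stand-ins for the `/api/detection_engine/index` response and the Sourcerer state on the page.

```typescript
// Added example (not Kibana/Sourcerer code): a guard that initializes the alerts
// data view only once the alerts index exists and re-checks before every
// dependent request, so a refresh of alerts/execution logs cannot run ahead of it.
type DataViewState =
  | { status: 'uninitialized' }
  | { status: 'waiting_for_index' }
  | { status: 'initialized'; indexName: string };

// Hypothetical stand-in for what the page learns from /api/detection_engine/index.
interface AlertsIndexStatus {
  name: string;
  exists: () => boolean;
}

class AlertsDataViewGuard {
  private state: DataViewState = { status: 'uninitialized' };
  private initializations = 0;
  private readonly index: AlertsIndexStatus;

  constructor(index: AlertsIndexStatus) {
    this.index = index;
  }

  getState(): DataViewState { return this.state; }
  getInitializations(): number { return this.initializations; }

  // Initialize once the index is present; a no-op after the first success.
  ensureInitialized(): boolean {
    if (this.state.status === 'initialized') return true;
    if (!this.index.exists()) {
      this.state = { status: 'waiting_for_index' };
      return false;
    }
    this.state = { status: 'initialized', indexName: this.index.name };
    this.initializations += 1;
    return true;
  }

  // Dependent requests (alerts table, execution log) go through here, so they
  // re-trigger initialization instead of running against an uninitialized view.
  withDataView<T>(request: (indexName: string) => T): T | undefined {
    this.ensureInitialized();
    const s = this.state;
    return s.status === 'initialized' ? request(s.indexName) : undefined;
  }

  // Toast copy: only tell the user to refresh when a refresh will actually help.
  userMessage(): string | undefined {
    if (this.state.status === 'waiting_for_index') {
      return 'Alerts data view will initialize after the first alert is written.';
    }
    return this.state.status === 'uninitialized' ? 'Data view not initialized; refresh the page.' : undefined;
  }
}
```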
@spong spong added bug Fixes for quality problems that affect the customer experience triage_needed Feature:Data Views Data Views code and UI - index patterns before 8.0 Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Detection Alerts Security Solution Detection Alerts Feature Team:Security Solution Platform Security Solution Platform Team labels May 3, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Security Solution Platform Security Solution Platform Team labels May 14, 2023
@yctercero yctercero added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Investigations Security Solution Investigations Team labels Sep 28, 2024
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@yctercero yctercero removed Team:Detections and Resp Security Detection Response Team Team:Detection Engine Security Solution Detection Engine Area labels Sep 28, 2024