[Security Solution] data view Only .alerts-security.alerts-default index should show under add filter alert page #173958

Closed
ghost opened this issue Dec 26, 2023 · 8 comments
Labels: bug, impact:medium, Team:Detection Engine, Team:Detections and Resp, Team: SecuritySolution

Comments

@ghost

ghost commented Dec 26, 2023

Describe the bug:
Only .alerts-security.alerts-default index should show under add filter data view

Kibana/Elasticsearch Stack version

Version: 8.12 BC3
Commit: 2a8afed8572a4c709aa1c64216748197eeb9b18f
Build: 69985

Browser and Browser OS Version:
Firefox for Windows OS
Version: 121.0

Elastic Endpoint Version:
N/A

Original install method:
None

Functional Area:
Add Filter on Alert Page

Initial Setup:

  • None

Precondition:

  • Alert should be present on 8.12 Kibana instance.

Steps to reproduce:

  • Go to Alert Table
  • Click on Add filter under the query bar
  • Click on data view and check that the list of indices does not match the alert page index set
  • On the Alert page only one index is expected to show; however, under data view all indices are showing

Additional Result

  • Issue is also occurring on 8.11.0

Current Result

  • All present indices are showing under the add filter data view list

Expected behavior:

  • Only .alerts-security.alerts-default index should show under add filter data view


@ghost added the bug, triage_needed, and Team: SecuritySolution labels Dec 26, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost assigned MadameSheema Dec 26, 2023
@ghost added the impact:medium label Dec 26, 2023
@MadameSheema added the Team:Detections and Resp and Team:Detection Engine labels Dec 27, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@semd
Contributor

semd commented Feb 20, 2024

This inconsistency happens because the global filters are linked with a data view, using the data view ID. The data view saved object is retrieved to render the index pattern in the component, assuming the entire index pattern is used.

In Security, we have the sourcerer which allows selecting a subset of the index patterns present in the data view. However, the global filters do not support that.

To fix this inconsistency we would have to either adapt the global filters to work with explicit index patterns (not likely since data views exist to abstract this information), or drop the sourcerer implementation in favor of raw data views in Security.

@yctercero
Contributor

cc @paulewing we're currently focused on sourcerer performance wins. A longer-term discussion needs to be had around migrating to core components and endpoints.

@yctercero
Contributor

@paulewing revisiting this ticket - we may need more insight into the enhancements needed for sourcerer. There are a number of asks that require thinking through what we want the user experience to be.

@pborgonovi
Contributor

@yctercero I tried to reproduce this behavior but I don't see the option to filter by Data View, and I also see from the evidence that it was under Technical Preview.
Has this feature been released?

@yctercero
Contributor

@pborgonovi sourcerer has been out for a while. If we can't reproduce, let's close out.

@pborgonovi
Contributor

Closing this bug since it's not reproducible.

@pborgonovi closed this as not planned Aug 2, 2024