[Security Solution]{{alert.id}} and {{state.signals_count}} Object not working #156472

Closed
ghost opened this issue May 3, 2023 · 9 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detection Alerts Security Detection Alerts Area Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.8.0

Comments

@ghost

ghost commented May 3, 2023

Describe the bug
{{alert.id}} and {{state.signals_count}} Object not working

Build Details:

Version: 8.8
Commit: d0327fc75720e56ee76b640f07ffd1b154a348a8
Build: 62765

Pre-conditions

  • A rule should be available on the Kibana instance
  • Any one connector should be available; let's say we have an Ethereal mail instance

Steps

  • Navigate to the Rule Details page and edit the rule
  • Go to Actions and select any one connector, let's say Email
  • Choose For each Alert with Per Rule Run as the Action Frequency
  • Under the Message body box, click on Add variable, search for state.signals_count, and add that variable to the message:

{{state.signals_count}}

  • Save the changes and generate the alert
  • Observed on the connector (Ethereal) that the {{state.signals_count}} variable value is not showing
  • Now edit the rule again
  • Choose Summary of Alert with Per Rule Run as the Action Frequency
  • Edit the existing Message body text by appending the {{alert.id}} variable:

Rule {{context.rule.name}} generated {{state.signals_count}} alerts {{alert.id}}

  • Save the changes and generate the alert
  • Observed on the connector (Ethereal) that the {{alert.id}} variable value is not showing

| Action Frequency | Working | Not Working |
| --- | --- | --- |
| Summary of Alert, Per Rule Run | {{state.signals_count}} | {{alert.id}} ❌ |
| For Each Alert, Per Rule Run | {{alert.id}} | {{state.signals_count}} ❌ |

Expected Result

  • The state.signals_count and alert.id variables should work for both action frequencies, or, if that is not practical, we have to restrict them from being added in the Message body and not show invalid variables (for example, state.signals_count is shown in the variable list for For Each Alert even though it is not working)

Screen-Shot

(Two screenshots and a screen recording, Rules.-.Kibana.Mozilla.Firefox.2023-05-03.12-58-10.mp4, are attached to the original issue.)
@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels May 3, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label May 3, 2023
@ghost
Author

ghost commented May 3, 2023

@sukhwindersingh-qasource Please review

@MadameSheema MadameSheema added Team:Detection Alerts Security Detection Alerts Area Team Team:Detections and Resp Security Detection Response Team labels May 3, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@e40pud
Contributor

e40pud commented May 4, 2023

alert.id is specific to the "For each alert" option. It won't be available for "Summary of alerts" because there we work with multiple alerts. You can see that the alert.* options are absent in the variable popup menu when you select "summary of alerts"; instead you can see the alerts.* options:

(Screenshot 2023-05-04 at 17 20 52, attached to the original comment.)

cc @karanbirsingh-qasource

@ghost
Author

ghost commented May 4, 2023

Correct @e40pud, for "Summary of alerts" the alert.id object variable is not showing, but we are thinking: if the user manually adds alert.id in the message box, is there any way we can restrict that behavior also?

(Screenshot attached to the original comment.)

Moreover, for the other case, "for each alert", state.signals_count is available in the variable list in the first place for the user to add and use in the message body.

(Screenshot attached to the original comment.)

@e40pud
Contributor

e40pud commented May 4, 2023

Right now you can add whatever you want, but only those options that are available in the popup will work. There is no way at the moment to highlight the objects that won't work.

As for state.signals_count, it will be fixed in this PR: #156707
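The behaviour described in the comment above (any `{{...}}` token can be typed into the message body, but only variables present in the action context render; the rest silently come out empty, which is exactly the "value is not showing" symptom reported) can be modelled with a small pre-save check. The following is an added example, not Kibana's own code: the per-frequency variable sets are constructed assumptions modelled on the popup menus discussed in this issue (alert.* only for "For each alert", alerts.* only for "Summary of alerts"; `alerts.new.count` is an assumed name for one of the alerts.* options), and `findUnsupportedVariables`, `render` and `checkBeforeSave` are hypothetical helper names.

```javascript
// Added example, not Kibana's code. Models two things discussed in this issue:
//  1. Mustache-style rendering silently leaves unknown variables empty.
//  2. A pre-save check can flag variables that the chosen action frequency
//     does not offer in its "Add variable" popup (the restriction the reporter asks for).

// Constructed sample of which variables each action frequency offers.
// Assumption modelled on the issue: alert.* exists only for "For each alert",
// alerts.* only for "Summary of alerts"; state.signals_count offered in both
// (as after PR #156707 for "For each alert"). "alerts.new.count" is an assumed name.
const OFFERED_VARIABLES = {
  for_each_alert: new Set(["alert.id", "context.rule.name", "state.signals_count"]),
  summary_of_alerts: new Set(["alerts.new.count", "context.rule.name", "state.signals_count"]),
};

// Simple {{dotted.name}} interpolation tokens only; Mustache sections and
// partials ({{#x}}, {{>x}}) are out of scope for this example.
const VARIABLE_RE = /\{\{\s*([A-Za-z0-9_.]+)\s*\}\}/g;

// Return every variable name referenced by the template, in order, with duplicates.
function extractVariables(template) {
  return [...template.matchAll(VARIABLE_RE)].map((m) => m[1]);
}

// Unique variable names in the template that the given frequency does not offer.
function findUnsupportedVariables(template, frequency) {
  const offered = OFFERED_VARIABLES[frequency];
  if (!offered) throw new Error(`unknown action frequency: ${frequency}`);
  return [...new Set(extractVariables(template))].filter((name) => !offered.has(name));
}

// Resolve "a.b.c" against a context object; undefined if any segment is missing.
function lookup(context, path) {
  return path.split(".").reduce(
    (acc, key) => (acc !== null && typeof acc === "object" ? acc[key] : undefined),
    context
  );
}

// Render like Mustache: a variable absent from the context becomes an empty string,
// which is why an unsupported variable "is not showing" in the delivered message.
function render(template, context) {
  return template.replace(VARIABLE_RE, (_match, name) => {
    const value = lookup(context, name);
    return value === undefined || value === null ? "" : String(value);
  });
}

// What a UI could run before saving the rule: reject, or at least warn about,
// variables that will never render for this action frequency.
function checkBeforeSave(template, frequency) {
  const unsupported = findUnsupportedVariables(template, frequency);
  return { ok: unsupported.length === 0, unsupported };
}

// Demo on the message body from the bug report.
const MESSAGE = "Rule {{context.rule.name}} generated {{state.signals_count}} alerts {{alert.id}}";
console.log(checkBeforeSave(MESSAGE, "summary_of_alerts"));
// Constructed summary context: no per-alert "alert" object, so {{alert.id}} renders empty.
console.log(render(MESSAGE, { context: { rule: { name: "Test rule" } }, state: { signals_count: 3 } }));
```

`checkBeforeSave` reports `{{alert.id}}` as unsupported for "Summary of alerts" and nothing for a "For each alert" message that uses `{{state.signals_count}}`, while `render` shows the silent-empty behaviour that makes the bug hard to spot from the delivered email alone.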

e40pud added a commit that referenced this issue May 5, 2023
…) (#156707)

## Summary

Original ticket: #156472

These changes add the `{{state.signals_count}}` object to be available in the
message body for the `"For each alert"` option.
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue May 5, 2023
…ic#156472) (elastic#156707)

## Summary

Original ticket: elastic#156472

These changes add the `{{state.signals_count}}` object to be available in the
message body for the `"For each alert"` option.

(cherry picked from commit 99e5e38)
jloleysens added a commit that referenced this issue May 5, 2023
* main: (153 commits)
  [Security Solution] {{state.signals_count}} Object not working (#156472) (#156707)
  [Synthetics] refresh data on visualization scrubbing (#156777)
  [RAM] Docs for slack improvements (#153885)
  [RAM] Alert search bar only KQL (#155947)
  [ML] Functional tests - stabilize export job tests (#156586)
  [Saved Search] Update saved search schema to allow empty `sort` arrays (#156769)
  [ML] Rename `curated` model type to `elastic` (#156684)
  [Discover] Enable sharing for text based languages (#156652)
  [api-docs] 2023-05-05 Daily api_docs build (#156781)
  Upgrade EUI to v77.2.2 (#155208)
  [RAM][Maintenance Window][8.8]Fix window maintenance workflow (#156427)
  [DOCS] Case file attachments (#156459)
  [D4C] additional error handling for 'block' action added + policy editor UI fixes (#156629)
  [Enterprise Search] refactor(SearchApplications): rename telemetry ids (#156733)
  [Enterprise Search] Add telemetry to ELSER deployment buttons + error (#156545)
  [Security Solution] fixes Data Quality dashboard errors when a `basePath` is configured (#156233)
  [Logs onboarding] StepsFooter outside of main panel (#156686)
  [Security Solution] Add a migration to unmute custom Security Solution rules (#156593)
  [Enterprise Search][Behavioral Analytics] Update formulas (#156704)
  Add API Events to Endpoint Security Advanced Policy (#156718)
  ...
kibanamachine added a commit that referenced this issue May 5, 2023
…156472) (#156707) (#156800)

# Backport

This will backport the following commits from `main` to `8.8`:
- [[Security Solution] {{state.signals_count}} Object not working
(#156472) (#156707)](#156707)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Ievgen Sorokopud <ievgen.sorokopud@elastic.co>
@e40pud e40pud added the fixed label May 5, 2023
@e40pud e40pud added the v8.8.0 label May 5, 2023
@e40pud
Contributor

e40pud commented May 5, 2023

@karanbirsingh-qasource @MadameSheema this bug was fixed and merged in both main and 8.8 branches.

@MadameSheema
Member

awesome!! thanks @e40pud !! :)

@karanbirsingh-qasource please validate the fix on BC3. Thanks!

@ghost
Author

ghost commented May 11, 2023

Hi @MadameSheema

We have validated this issue on 8.8 BC3 and found the issue to be fixed ✔️.

Build Details:

Version: 8.8 BC3
Commit: 85b22d307ab93fca95c1698ede4cb61d85f3d314
Build: 62994

Screen-Cast:

(Screenshot attached to the original comment.)

Hence we are closing this issue and adding the QA:Validated label to it.

Thanks!!

cc @e40pud

@ghost ghost closed this as completed May 11, 2023
@ghost ghost added the QA:Validated Issue has been validated by QA label May 11, 2023