[Security Solution] User is not able to search for a custom Rule Name containing special character. #97094

Open
ghost opened this issue Apr 14, 2021 · 10 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Management Security Solution Detection Rule Management area impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@ghost

ghost commented Apr 14, 2021

User is not able to search for a custom Rule Name containing a special character.

Build Details:
Version: 7.13.0 Snapshot
Build number: 40223
Commit: 302ee56
Artifacts: https://artifacts-api.elastic.co/v1/search/7.13.0-SNAPSHOT

Browser Details:
All

Preconditions:

  • Kibana Environment should exist.
  • Endpoint security and Elastic Agent should be installed
  • A Rule name with special character should exist

Steps to Reproduce:

  1. Navigate to 'Detections' under Security app.
  2. Click on 'Manage Detection Rules' button.
  3. Click on Create New Rule, provide any query, say host.name : *, in the Custom Query field & click on the Continue button.
  4. Now, provide any special character, say '@@', in the 'Name' field in the 'About' section & click on the 'Create & activate rule' button.
  5. Notice that the Rule with a special character in the name field gets created successfully.
  6. Now, click on the Back to Detections link, provide the rule name, i.e. '@@', in the rule search box and hit the enter key.
  7. Observe that 'We weren't able to find any rules with the above filters.' is getting displayed.

Impacted Test case:
N/A

Actual Result:
User is not able to search for a custom Rule Name containing a special character.

Expected Result:
User should be able to search for a custom Rule Name containing a special character.

What's not working:

  • Also, an error message is getting displayed for an invalid search for special character ''.
  • Refer:
    erro2

What's working:

  • This error message is not getting displayed on searching with other special characters.

Error

@ghost ghost added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. bug Fixes for quality problems that affect the customer experience labels Apr 14, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost assigned ghost and unassigned ghost Apr 14, 2021
@ghost ghost added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Apr 14, 2021
@ghost ghost assigned MadameSheema Apr 14, 2021
@ghost

ghost commented Apr 14, 2021

Reviewed & Assigned @MadameSheema

@MadameSheema MadameSheema unassigned MadameSheema and ghost Apr 14, 2021
@MadameSheema MadameSheema added the Team:Detections and Resp Security Detection Response Team label Apr 14, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@MadameSheema
Member

@peluja1012 @spong can you please help to prioritise this? Thanks 😊

@MadameSheema MadameSheema added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Theme: rac label obsolete and removed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. triage_needed labels Apr 14, 2021
@ghost

ghost commented Aug 13, 2021

Hi @MadameSheema ,

We have validated this ticket on the 7.15.0-SNAPSHOT build and found that the issue is still occurring.

Build Details:

Version: 7.15.0 SNAPSHOT
Commit: aa12d107c38c5cda96fc32bcd1f8226df172826a
Build: 43370

Screenshot:
search
Rule

Thanks.

@peluja1012 peluja1012 added Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team labels Mar 18, 2022
@cybersecdiva

cybersecdiva commented Apr 5, 2023

Tested in current 8.7.0 deployment:

Preconditions:

  • Kibana should be running
  • Custom Rule created with a special character as the name (@@@, !!!, %%%!!, etc.)

Steps to reproduce behavior:

  1. Go to Security -> Manage -> Create new rule
  2. Select Rule type -> Custom query
  3. Tab down to Custom query field and fill in any custom query. In this case, I used host.name:*
  4. Continue to About rule section
  5. Under the Name field, enter special characters for the name
  6. In the Description field, enter a description. In this scenario, I entered "test for special character search"
  7. Continue to the Schedule rule section, and change the Additional look-back time to 30 seconds
  8. Continue and click on Create & enable rule
  9. Go back to the Rules section. In the search box, enter the name of the custom rule containing a special character name

Results:
No results are displayed from custom rules with special character names and the UI displays the following message:
No rules found We weren't able to find any rules with the above filters.

Expected results:
Custom rules with special character names should display from search results

Screen video capture:

Bug.Custom.rule.names.containing.special.characters.no.search.results.display.mp4

Observations:

  • Custom rules containing all special characters for the name will not display from search results in the Rules UI search box

Screenshots of search results of custom rules with special character names:
The two custom rules used in the Rules search box are "%%%!!" and "!!!!@@@@"

Screenshot 2023-04-05 at 2 13 03 PM

Screenshot 2023-04-05 at 2 14 09 PM

Screenshot 2023-04-05 at 2 14 31 PM

  • Tested to compare behavior with a custom rule containing both alpha and special characters in the name
    • For rules with a combination of alpha and special characters in the name, a search can be performed and results are displayed

Screenshot of search results of custom rules containing both special and alpha characters in the name:

Screenshot 2023-04-05 at 2 10 31 PM

Conclusion:

This is a bug 🐛 in the UI that is still occurring in 8.7.0.

cc: @MadameSheema Update FYI Observations

@cybersecdiva

Tested in 8.9.0 BC4

Kibana/Elasticsearch Stack version:

VERSION: 8.9.0 BC4
BUILD: 64661
COMMIT: ddf0c1972e43898b6890ddb38f4c016e96538239

Preconditions:

  • Kibana should be running
  • Custom Rule created with a special character as the name (@@@, !!!, %%%!!, etc.)

Steps to reproduce behavior:

  1. Go to Security -> Manage -> Create new rule
  2. Select Rule type -> Custom query
  3. Tab down to Custom query field and fill in any custom query. In this case, I used host.name:*
  4. Continue to About rule section
  5. Under the Name field, enter special characters for the name
  6. In the Description field, enter a description. In this scenario, I entered "test for special character search"
  7. Continue to the Schedule rule section, and change the Additional look-back time to 30 seconds
  8. Continue and click on Create & enable rule
  9. Go back to the Rules section. In the search box, enter the name of the custom rule containing a special character name

Results:
No results are displayed from custom rules with special character names and the UI displays the following message:
We weren't able to find any rules with the above filters.

Expected results:
Custom rules with special character names should display from search results

Screen video capture:

Special.character.search.mp4

Observations:

  • Custom rules containing all special characters for the name will not display from search results in the Rules UI search box

Screenshots of search results of a custom rule with a special character name:
The custom rule used in the Rules search box is "%%%%!!!"

Screenshot 2023-07-18 at 7 52 05 PM

  • Tested to compare behavior with a custom rule ("special!!!%%charactersrule") containing both alpha and special characters in the name

    • For rules with a combination of alpha and special characters in the name, a search can be performed and results are displayed

Screenshot of search results of custom rule containing both special and alpha characters in the name:

Screenshot 2023-07-18 at 7 48 36 PM

Conclusion:

This is a bug 🐛 in the UI that is still occurring in 8.9.0 BC4.

cc: @MadameSheema Update FYI Observations

@pborgonovi
Contributor

Validated on latest 8.15 BC. Below are the outcomes:

1. Creating a rule with only special chars as name:

Screen.Recording.2024-07-29.at.11.01.52.AM.mov

❌ Searching does not work.

2. Creating a rule with a name starting with special char:

Screen.Recording.2024-07-29.at.11.04.25.AM.mov

❌ Searching does not work.

3. Creating a rule with special chars in the middle:

Screen.Recording.2024-07-29.at.11.05.48.AM.mov

✅ Searching works fine.

@banderror
Contributor

@pborgonovi This is a very low impact one, but since rules filtering and searching is a core workflow of our users, I don't see a reason why we shouldn't fix this bug eventually. Fixing it could be a part of a larger effort of improving the rules search and filtering UX, we have an epic (internal) for that in our product backlog. I added this bug to it.

@banderror banderror removed the Theme: rac label obsolete label Aug 8, 2024
@nikitaindik
Contributor

I agree. I'd also file it under "low impact". Users can still find the rule if they type in its name in the searchbox without special chars. Although this behaviour is embarrassing given that we are a search company 🤦 .
