[Security Solution]: Auto suggested value not working for field value while adding rule exception.

[ghost]

Describe the bug:
Auto suggested value not working for field value while adding rule exception.

Build Details:

VERSION : 8.4.0-BC1
BUILD: 54999
COMMIT: 58f7eaf0f8dc3c43cbfcd393e587f155e97b3d0d

Preconditions

1. Kibana should be running.
2. Alerts should be available

Steps to Reproduce

1. Navigate to Alerts tab.
2. Select any alert and click on more actions button (...).
3. Now, select add rule exceptions.
4. On the add rule exceptions flyout select any field and operator.
5. Now, click on field value dropdown.
6. Observe that auto suggested value not working for field value while adding rule exception.

Actual Result
Auto suggested value not working for field value while adding rule exception.

Expected Result
Auto suggested value should work for field value while adding rule exception.

What's Working:
The issue is working fine on 8.2.3 .

Alerts.-.Kibana.-.Google.Chrome.2022-08-01.18-50-08.mp4

Screen-Recording:

Alerts.-.Kibana.-.Google.Chrome.2022-08-01.18-46-34.mp4

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[MadameSheema]

@samratbhadra-qasource can you please provide which type of rule generated the alert? also if had index patterns or data views. Thanks

[ghost]

Hi @MadameSheema

We have used custom query rule to generate the alerts.
Also, we have used index patterns to create the rule.

Rule:
rules_export.zip

Please do let us know if anything else is required from our end.

Thanks!

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[dhurley14]

The exported rule is querying the default index patterns with a query of process.name: *. Since I don't know what was used to populate the data for the default index patterns and I have not been able to reproduce the issue could you possibly check if adding an exception for process.name yields any autosuggested results?

[dhurley14]

Rule I used locally with auditbeat data from local:

Trying to reproduce:

[dhurley14]

Reproduced it in the unified search bar in other places of the security solution. I don't believe this is particular to rule exceptions. Not sure if this is a known issue elsewhere in the app.

cc: @yctercero @rylnd

[dhurley14]

@samratbhadra-qasource can you try to turn this switch off in the Stack Management -> Advanced Settings locally and let us know if you continue to see the values fail to populate?

[yctercero]

If this ends up working - we should add documentation for this on our end.

cc @elastic/security-docs

[ghost]

Hi @yctercero
We have tried turning off the use time range option and observed that we are able to receive auto suggested value for field value while adding rule exception. Please find below the testing details:

Screen-Recording:

Home.-.Elastic.-.Google.Chrome.2022-08-08.13-58-26.mp4

Build Details:

VERSION: 8.4.0-BC2
COMMIT: 9e9e0d6a685cbc2858a85a357f93dcb76259fdee
BUILD: 55166

Please do let us know if anything else is required from our end.

Thanks!

[yctercero]

Per sync discussion - we'll move to documenting this as a troubleshooting issue 7.17--> 8.x

[MadameSheema]

@yctercero can we close this issue or is there any work pending to be finished?

[yctercero]

I think we can close - there's just doc updates that have been filed here - elastic/security-docs#2284

[ghost]

Hi @yctercero
Thanks for the update.
Hence, we are closing this issue.