[Security Solution][Upgrade Issue]An error is preventing this alert from being analyzed in alert Fly-out #169373
Assignees
Labels
bug
Fixes for quality problems that affect the customer experience
fixed
impact:medium
Addressing this issue will have a medium level of impact on the quality/strength of our product.
QA:Validated
Issue has been validated by QA
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Team:Threat Hunting:Investigations
Security Solution Investigations Team
Team:Threat Hunting
Security Solution Threat Hunting Team
v8.12.1
v8.13.0
Milestone
Comments
ghost
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
ghost
added
impact:high
|
@karanbirsingh-qasource do you have an instance where the error happens? Does it only happens to alerts that were generated before the upgrade. If you generate some new alerts, does the analyzer preview show error? |
|
we have shared the Instance credentials with you over g mail and yes for newly generated the analyzer details are showing correctly and issue is for old generated alerts. Detection.rules.SIEM.-.Kibana.-.Profile.1.-.Microsoft.Edge.2023-10-20.09-42-33.mp4 |
|
Issue is also fixed on 8.11.2 ✔️ . Build Details: Screen-Cast Alerts.-.Kibana.Mozilla.Firefox.2023-12-12.10-17-48.mp4 |
|
Hi @karanbirsingh-qasource is this considered fixed and can we close the issue? |
|
we have validated this issue on 8.12 BC4 and on that issue is still occuring ❌ Upgrade Path: 7.17.16 to 8.12.0 BC4 "An error is preventing this alert from being analyzed." is showing up in the alert fly-out visualization section.
Alerts.-.Kibana.Mozilla.Firefox.2024-01-05.18-20-39.mp4c.c @MadameSheema |
ghost
reopened this
MadameSheema
added
triage_needed
Team:Threat Hunting
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
Merged
1 task
christineweng
added a commit
that referenced
this issue
Jan 16, 2024
…view and same ancestry (#174651) ## Summary Address: #169373 This PR updates the use of `kibana.alert.ancestor.id` to `_id` (available in flyout context as `eventId`) in analyzer preview and alerts by ancestry. This change allows upgrade from 7.x kibana to 8.10+ to utilize analyzer preview. No UI change introduced. **How to test** - Analyzer preview should match that of prior to the change - Alert by ancestry in correlations overview (right section) and correlations tab (left section -> Insights) should match that of prior to the change - Analyzer preview should match the analyzer viewer in alerts table ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Jan 16, 2024
…view and same ancestry (elastic#174651) ## Summary Address: elastic#169373 This PR updates the use of `kibana.alert.ancestor.id` to `_id` (available in flyout context as `eventId`) in analyzer preview and alerts by ancestry. This change allows upgrade from 7.x kibana to 8.10+ to utilize analyzer preview. No UI change introduced. **How to test** - Analyzer preview should match that of prior to the change - Alert by ancestry in correlations overview (right section) and correlations tab (left section -> Insights) should match that of prior to the change - Analyzer preview should match the analyzer viewer in alerts table ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit f288919)
kibanamachine
referenced
this issue
Jan 16, 2024
…zer preview and same ancestry (#174651) (#174972) # Backport This will backport the following commits from `main` to `8.12`: - [[Security Solution] Alert flyout - update document id in analyzer preview and same ancestry (#174651)](#174651) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"christineweng","email":"18648970+christineweng@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-01-16T21:30:32Z","message":"[Security Solution] Alert flyout - update document id in analyzer preview and same ancestry (#174651)\n\n## Summary\r\n\r\nAddress: https://github.com/elastic/kibana/issues/169373\r\n\r\nThis PR updates the use of `kibana.alert.ancestor.id` to `_id`\r\n(available in flyout context as `eventId`) in analyzer preview and\r\nalerts by ancestry. This change allows upgrade from 7.x kibana to 8.10+\r\nto utilize analyzer preview.\r\n\r\nNo UI change introduced.\r\n\r\n**How to test**\r\n- Analyzer preview should match that of prior to the change\r\n- Alert by ancestry in correlations overview (right section) and\r\ncorrelations tab (left section -> Insights) should match that of prior\r\nto the change\r\n- Analyzer preview should match the analyzer viewer in alerts table\r\n\r\n\r\n### Checklist\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"f288919b144dbfc2e99a3ff689ddfc0707c89379","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Threat Hunting","Team:Threat Hunting:Investigations","v8.12.1","v8.13.0"],"title":"[Security Solution] Alert flyout - update document id in analyzer preview and same ancestry","number":174651,"url":"https://github.com/elastic/kibana/pull/174651","mergeCommit":{"message":"[Security Solution] Alert flyout - update document id in analyzer preview and same ancestry (#174651)\n\n## Summary\r\n\r\nAddress: https://github.com/elastic/kibana/issues/169373\r\n\r\nThis PR updates the use of `kibana.alert.ancestor.id` to `_id`\r\n(available in flyout context as `eventId`) in analyzer preview and\r\nalerts by ancestry. This change allows upgrade from 7.x kibana to 8.10+\r\nto utilize analyzer preview.\r\n\r\nNo UI change introduced.\r\n\r\n**How to test**\r\n- Analyzer preview should match that of prior to the change\r\n- Alert by ancestry in correlations overview (right section) and\r\ncorrelations tab (left section -> Insights) should match that of prior\r\nto the change\r\n- Analyzer preview should match the analyzer viewer in alerts table\r\n\r\n\r\n### Checklist\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"f288919b144dbfc2e99a3ff689ddfc0707c89379"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","branchLabelMappingKey":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/174651","number":174651,"mergeCommit":{"message":"[Security Solution] Alert flyout - update document id in analyzer preview and same ancestry (#174651)\n\n## Summary\r\n\r\nAddress: https://github.com/elastic/kibana/issues/169373\r\n\r\nThis PR updates the use of `kibana.alert.ancestor.id` to `_id`\r\n(available in flyout context as `eventId`) in analyzer preview and\r\nalerts by ancestry. This change allows upgrade from 7.x kibana to 8.10+\r\nto utilize analyzer preview.\r\n\r\nNo UI change introduced.\r\n\r\n**How to test**\r\n- Analyzer preview should match that of prior to the change\r\n- Alert by ancestry in correlations overview (right section) and\r\ncorrelations tab (left section -> Insights) should match that of prior\r\nto the change\r\n- Analyzer preview should match the analyzer viewer in alerts table\r\n\r\n\r\n### Checklist\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"f288919b144dbfc2e99a3ff689ddfc0707c89379"}}]}] BACKPORT--> Co-authored-by: christineweng <18648970+christineweng@users.noreply.github.com>
|
@karanbirsingh-qasource this is fixed and should be available in 8.12.1 |
|
thanks @christineweng for the update we will going to regress this once 8.12.1 will be available. |
|
we have validated this issue on 8.12.1 after upgrading from 7.17.17 and found the issue to be still occuring. ❌ Upgrade Path: 7.17.17 to 8.12.1 Build Details: Screen-Cast: Alerts.-.Kibana.Mozilla.Firefox.2024-02-02.16-28-18.mp4 |
|
@karanbirsingh-qasource thanks for checking! could you share this instance with me? |
|
@christineweng what is the current status of this fix? |
CoenWarmer
pushed a commit
to CoenWarmer/kibana
that referenced
this issue
Feb 15, 2024
…view and same ancestry (elastic#174651) ## Summary Address: elastic#169373 This PR updates the use of `kibana.alert.ancestor.id` to `_id` (available in flyout context as `eventId`) in analyzer preview and alerts by ancestry. This change allows upgrade from 7.x kibana to 8.10+ to utilize analyzer preview. No UI change introduced. **How to test** - Analyzer preview should match that of prior to the change - Alert by ancestry in correlations overview (right section) and correlations tab (left section -> Insights) should match that of prior to the change - Analyzer preview should match the analyzer viewer in alerts table ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
christineweng
added
impact:medium
|
@MadameSheema I have a fix but want to test it on a 7.x and go through the upgrade path to confirm. Will ping you on test data. |
1 task
christineweng
added a commit
that referenced
this issue
Mar 11, 2024
…alerts (#178389) ## Summary This PR adds sourcerer index patterns to analyzer preview (cherry picked from [PR](https://github.com/elastic/kibana/pull/176332/files#diff-eed5f590fe397c4ef11097a1f1f05ce4f1906f0066c39cf5e040e367b6680717R50)). Previously we only pull indices from `kibana.alert.rule.indices` but this field is not always present for non-index related rules (ES|QL) or past kibana versions (7.x) Address: #174596 #169373 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
|
@karanbirsingh-qasource this is fixed in #178389, should be reflected in 8.13 BC5 |
|
we have validated this issue on 8.13.1 and found the issue to be fixed ✔️ . Build Details: Screen-Cast: Alerts.-.Kibana.Mozilla.Firefox.2024-04-01.16-01-16.mp4Hence we are closing this issue and adding "QA:Validated" tag to it. thanks !! |
This issue was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug:
An error is preventing this alert from being analyzed in alert Fly-out
Kibana/Elasticsearch Stack version
Version: 8.11.0 BC3
Commit: 714189f
Build: 67923
Browser and Browser OS Version:
Firefox for windows OS
Version: 118.0.1
Elastic Endpoint Version:
8.11
Original install method:
None
Functional Area:
Alert Fly Out
Initial Setup:
Steps to reproduce
An error is preventing this alert from being analyzed in alert Fly-outis shownAdditional Result
Current Result
Expected behavior:
Screen-Cast:
Before Upgrade:
Alerts.-.Kibana.Mozilla.Firefox.2023-10-19.16-54-27.mp4
After Upgrade:
Alerts.-.Kibana.Mozilla.Firefox.2023-10-19.17-21-10.mp4
The text was updated successfully, but these errors were encountered: