[Security Solution][Sourcerer] - Prevent setting update from solution component #201847

Closed
michaelolo24 opened this issue Nov 26, 2024 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience Team:Threat Hunting:Investigations Security Solution Investigations Team


michaelolo24 commented Nov 26, 2024

Summary

Relevant background information: #138181

In the Kibana advanced settings, users have the ability to set a default security data view that serves as a default data view that is applied across multiple views in the security solution, such as the explore pages and timeline. The setting for the advanced setting is below:

Image

From within security solution itself, users are able to make changes to this default security dataview at the security solution level, in which it'll show a modified label to indicate that the dataview has been changed from the default setting in the advanced settings page.

Image

Back in 8.0, a change was made to help users with 7.x saved timelines that had index patterns migrate to 8.0 and utilize the new data view service. As part of this, a notification was made for users to help them identify when the index pattern in their timeline differed from the default security data view set in the Advanced Setting, as seen in the image below.

Image

The issue here presents when a user has a mismatch between the index patterns in the security solution data view and the data view in an existing timeline. Easy way to replicate:

Steps to reproduce

  1. Create a timeline and save it
  2. Update the advanced settings by removing an index pattern.
  3. Re-visit the saved timeline and refresh
  4. Find the update message saying the dataview needs to be updated with the index pattern that was just removed.
  5. Click update, and find that the advanced setting default index has been modified.

In short, any time there is a mismatch between a saved set of index patterns and the advanced setting (as it would be in any timelines saved prior to the advanced setting change), then it will deem the data view to need an 'update', which, when clicked, will then re-add those indices to the default index in the advanced settings.
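The write-back described in the issue above, as an added example that is not part of the original issue and is not Kibana source code. It is a simplified model: every type and function name is hypothetical, the index patterns are constructed, and `updateSolutionOnly` is only one assumed way to satisfy the issue title.

```typescript
// Simplified model of the behaviour described in the issue.
// All names are hypothetical; this is not Kibana source code.
type Patterns = string[];

interface Store {
  advancedSetting: Patterns;  // default security data view (advanced settings)
  solutionPatterns: Patterns; // data view as modified inside the security solution
}

// Patterns in `saved` that `current` does not contain.
function missingFrom(saved: Patterns, current: Patterns): Patterns {
  return saved.filter((p) => current.indexOf(p) === -1);
}

// The mismatch check: a saved timeline is flagged as needing an "update"
// whenever it holds a pattern the advanced setting no longer has.
function needsUpdate(saved: Patterns, store: Store): boolean {
  return missingFrom(saved, store.advancedSetting).length > 0;
}

// Reported behaviour: clicking "update" merges the missing patterns back into
// the advanced setting, undoing a deliberate removal made by an administrator.
function updateWritingSetting(saved: Patterns, store: Store): Store {
  const merged = [...store.advancedSetting, ...missingFrom(saved, store.advancedSetting)];
  return { advancedSetting: merged, solutionPatterns: merged };
}

// Assumed alternative: the solution component changes only its own state and
// never writes to the advanced setting.
function updateSolutionOnly(saved: Patterns, store: Store): Store {
  const merged = [...store.solutionPatterns, ...missingFrom(saved, store.solutionPatterns)];
  return { advancedSetting: [...store.advancedSetting], solutionPatterns: merged };
}

// Constructed scenario following the reproduction steps: the timeline was saved
// with three patterns, then "winlogbeat-*" was removed from the advanced setting.
function demo(): { flagged: boolean; reported: Store; scoped: Store } {
  const savedTimeline: Patterns = ["logs-*", "auditbeat-*", "winlogbeat-*"];
  const store: Store = {
    advancedSetting: ["logs-*", "auditbeat-*"],
    solutionPatterns: ["logs-*", "auditbeat-*"],
  };
  return {
    flagged: needsUpdate(savedTimeline, store),
    reported: updateWritingSetting(savedTimeline, store),
    scoped: updateSolutionOnly(savedTimeline, store),
  };
}
```

In the constructed scenario the reported path puts `winlogbeat-*` back into the advanced setting, while the scoped path leaves the setting at the two patterns the administrator kept.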

@botelastic botelastic bot added the needs-team Issues missing a team label label Nov 26, 2024
@michaelolo24 michaelolo24 added triage_needed Team:Threat Hunting:Investigations Security Solution Investigations Team labels Nov 26, 2024
@elasticmachine

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Nov 26, 2024
@michaelolo24 michaelolo24 added the bug Fixes for quality problems that affect the customer experience label Nov 26, 2024
@michaelolo24 michaelolo24 changed the title [Security Solution][Sourcerer] - Unlink advanced setting from solution [Security Solution][Sourcerer] - Prevent setting update from solution component Nov 26, 2024
@PhilippeOberti PhilippeOberti added this to the 8.18 milestone Dec 3, 2024
@michaelolo24 michaelolo24 assigned lgestc and unassigned michaelolo24 Jan 27, 2025
@logeekal

@lgestc , @michaelolo24

I have changed the description to include the SDHs raised for the same issue so that we can test for them when we resolve this issue.

@lgestc

lgestc commented Mar 4, 2025

closing in favor of #210585 which handles this scenario

@lgestc lgestc closed this as completed Mar 4, 2025