[Security Solution]comma separated process.arg not wraps properly #129154

Open
ghost opened this issue Apr 1, 2022 · 7 comments
Labels
bug Fixes for quality problems that affect the customer experience fixed impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@ghost

ghost commented Apr 1, 2022

Describe the bug
Comma-separated process.arg does not wrap properly

Build Details

Version: 8.2.0-SNAPSHOT
BUILD 51431
COMMIT a743498436a863e142592cb535b43f44c448851a

Steps

  • Login to Kibana
  • Generate some alert data; in our case we created a custom rule for process.name: "cmd.exe" and executed multiple instances of cmd on a Windows host
  • Click on Alert Flyout
  • Observe that the comma-separated process.arg does not wrap properly

Screenshots

image

image

image

Additional Details:

  • Actual content copied to clipboard: process.args: "cmd,/c,rmdir,C:\Users\zeus\AppData\Local\Temp\peazip-tmp.pztmp\neutral22033117,/s,/q"

  • Filter in of the above process.args

image

@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Apr 1, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@manishgupta-qasource

Reviewed & assigned to @MadameSheema

@MadameSheema MadameSheema added Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team labels Apr 1, 2022
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@michaelolo24
Contributor

@karanbirsingh-qasource - I'm not sure if this is a bug, as each argument is shown on its own line? Do you have a screenshot of how it might have worked before?

@michaelolo24 michaelolo24 added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. and removed triage_needed labels Apr 27, 2022
@ghost
Author

ghost commented Apr 28, 2022

Hi @michaelolo24, thanks for looking into the issue. Yes, each argument should be shown on its own line, but if you see the screenshot, we can see that some arguments which are long move to the next line, so it becomes difficult for the user to know where the arguments actually end. Using a comma or proper wrapping would be good in this instance.

Please look into the details below for clarification:

image

Actual content: process.args:"C:\Users\zeus\AppData\Local\Temp\peazip-tmp.pztmp\neutral22033117"

We can see that, as this argument is long, it moved to the next line, which contradicts our functioning, that is, each argument shown on its own line. As per the current UI it looks like they are 2 different arguments, but actually it is one argument.

first argument : C:\Users\zeus\AppData\Local\Temp\peazip-
second argument : tmp.pztmp\neutral22033117

image

@michaelolo24
Contributor

michaelolo24 commented Apr 29, 2022

Thanks @karanbirsingh-qasource - Maybe we can provide some spacing between each argument to make it a little bit more distinct. That should help, because I think we'd still need to wrap the arguments given the space we have.

@PhilippeOberti
Contributor

While I couldn't reproduce the process.arg exactly, I looked at the new Table on the expandable flyout, and we show a value per row, so I believe this was fixed when we moved to the expandable flyout.
Image
Image

5 participants