
[Security Solution] User selecting alerts by select all option disables attach to new case and existing case options. #153354

Open
sukhwindersingh-qasource opened this issue Mar 21, 2023 · 7 comments
Labels
enhancement New value added to drive a business result Feature:Cases Cases feature Question Ticket having question for Dev team Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@sukhwindersingh-qasource

Describe the Question:

  • Selecting alerts with the "Select all" option disables the "Attach to new case" and "Attach to existing case" options.
  • This happens even if the count of alerts is very small, like 10 or 20. But if we select 10 or 20 alerts manually, then we can use these options.
  • What is the logic behind this, and is this behavior expected?

Build Details:

VERSION: 8.7.0 BC6
BUILD: 61051
COMMIT: 04ef24287f26854ad99a46ae983854c6184717cb

Preconditions

  • Kibana should be running.
  • User should have 10 alerts present on alerts tab.

Steps to Reproduce

  • Navigate to Security.
  • Navigate to Alerts tab.
  • Select 10 alerts manually and click on the "Selected 10 alerts" tab.
  • Observe that the "Attach to new case" and "Attach to existing case" options are enabled.
  • Now select alerts with the "Select all" option.
  • Observe that the "Attach to new case" and "Attach to existing case" options are disabled.

Screen-Recording

Alerts.-.Kibana.Mozilla.Firefox.2023-03-21.11-17-26.mp4
@sukhwindersingh-qasource sukhwindersingh-qasource added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Question Ticket having question for Dev team labels Mar 21, 2023
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost assigned MadameSheema and unassigned ghost Mar 21, 2023
@MadameSheema MadameSheema added Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team labels Mar 22, 2023
@elasticmachine

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@MadameSheema

@michaelolo24 can you please take a look at this when you have a chance? sounds like a bug to me.

@XavierM

XavierM commented Mar 23, 2023

Oops, sorry @michaelolo24, I made a mistake here, wrong ticket.

@michaelolo24

Hey @sukhwindersingh-qasource - Thanks for the question! I'm actually not sure myself. Looking at this PR #130958 I think that maybe @academo or someone on the @elastic/response-ops-cases team may have input / feedback? The behavior is the same for the alert table in Security as well as the one in Observability.

@michaelolo24 michaelolo24 added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Cases Cases feature labels Mar 23, 2023
@cnasikas

cnasikas commented Mar 24, 2023

When the user uses the "Select All alerts" button the alerts table posts an ES query to update the alerts and not the alert IDs. Cases do not support ES queries to add alerts to a case. For this reason, the buttons are disabled in query mode here. I understand that it feels weird if you have only a few alerts. Maybe the "Select All" button can switch to alert IDs if it selects only what the user sees (like the bulk actions). @XavierM What do you think?
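The selection model described in the comment above, as an added illustration that is not Kibana's code: the alert table carries either a list of alert IDs (manual selection) or an ES query plus a match count ("Select all"), cases can only attach by ID, and the proposed mitigation converts a query selection to IDs when it matches no more than the alerts currently on screen. All type and function names (`BulkSelection`, `canAttachToCase`, `toIdsIfFullyVisible`, `buildBulkUpdate`) are hypothetical and stand in for whatever the real alert-table state looks like.

```typescript
// Added example, not Kibana's code. Models the two bulk-selection modes the
// thread discusses and why "attach to case" is only available in ID mode.

// Hypothetical shape of an Elasticsearch query carried by "Select all".
interface EsQuery {
  query: Record<string, unknown>;
}

// Hypothetical selection state: manual selection keeps concrete alert IDs,
// "Select all" keeps the query that matched them plus the total hit count.
type BulkSelection =
  | { type: 'ids'; ids: string[] }
  | { type: 'query'; esQuery: EsQuery; matchedTotal: number };

// Cases attach alerts by ID, so a query-mode selection cannot be attached.
function canAttachToCase(sel: BulkSelection): boolean {
  return sel.type === 'ids' && sel.ids.length > 0;
}

// Proposed mitigation from the comment (hypothetical helper): when the query
// matched no more alerts than are currently rendered, the visible IDs are the
// complete result set, so switch to ID mode and re-enable the case actions.
function toIdsIfFullyVisible(sel: BulkSelection, visibleIds: string[]): BulkSelection {
  if (sel.type === 'query' && sel.matchedTotal <= visibleIds.length) {
    return { type: 'ids', ids: [...visibleIds] };
  }
  return sel;
}

// Hypothetical bulk-update payload: ID mode posts IDs, query mode posts the
// query, which is the split the comment describes for status updates.
interface BulkUpdateRequest {
  ids?: string[];
  query?: Record<string, unknown>;
  status: string;
}

function buildBulkUpdate(sel: BulkSelection, status: string): BulkUpdateRequest {
  if (sel.type === 'ids') {
    return { ids: sel.ids, status };
  }
  return { query: sel.esQuery.query, status };
}

// Constructed sample: three alerts on screen, "Select all" matched exactly three.
const visibleAlertIds = ['alert-a', 'alert-b', 'alert-c'];
const selectAllSmall: BulkSelection = {
  type: 'query',
  esQuery: { query: { match_all: {} } },
  matchedTotal: 3,
};
const normalized = toIdsIfFullyVisible(selectAllSmall, visibleAlertIds);
console.log(canAttachToCase(selectAllSmall), canAttachToCase(normalized)); // false true
```

With a larger match count (more alerts than the page shows) the selection stays in query mode, so `canAttachToCase` keeps returning false and the bulk update is still sent as a query rather than a list of IDs.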

@michaelolo24 michaelolo24 removed their assignment Mar 27, 2023
@michaelolo24 michaelolo24 added enhancement New value added to drive a business result and removed bug Fixes for quality problems that affect the customer experience triage_needed labels May 2, 2023
@PhilippeOberti

@cnasikas I see from the ticket linked above back on May 4th that this was fixed, though when I test it on latest main I still see the same behavior...
https://github.com/user-attachments/assets/50715b4c-542b-4e96-9bc8-dd9be2225086
