
[Security Solution] Rule import error toast is too large to view title when many errors happen on import #149994

Open
spong opened this issue Jan 31, 2023 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Import/Export Security Solution Detection Rule Import & Export workflow Feature:Rule Management Security Solution Detection Rule Management area impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments


spong commented Jan 31, 2023

Identified on 8.7/main, but present in previous releases: if your rule import ndjson has plenty of errors, the toast is massive and it's hard to discern what actually happened.

This issue is for setting a max-height on this toast so that the title can be seen by the user so they know what actually happened. Should probably truncate the message as well since scrolling through the whole message in the toast isn't really useful and the user can click through to view it in the modal.

To reproduce, copy and paste the below JSON into a rule_import_error.ndjson file and import it. Errors happen because it's not actually ndjson, so perfect! 🙂

Sample exported ndjson

{
  "id": "f58b7e40-a1ac-11ed-95d9-0b5e5a36b4dd",
  "updated_at": "2023-01-31T22:32:15.503Z",
  "updated_by": "elastic",
  "created_at": "2023-01-31T21:19:34.708Z",
  "created_by": "elastic",
  "name": "Testing #148703",
  "tags": [],
  "interval": "5m",
  "enabled": false,
  "description": "Testing #148703",
  "risk_score": 21,
  "severity": "low",
  "license": "",
  "output_index": "",
  "meta": {
    "from": "10h",
    "kibana_siem_app_url": "http://localhost:5601/kbn/app/security"
  },
  "author": [],
  "false_positives": [],
  "from": "now-36300s",
  "rule_id": "e806a95c-2999-4aa9-8cdd-b42bbf024d00",
  "max_signals": 100,
  "risk_score_mapping": [],
  "severity_mapping": [],
  "threat": [],
  "to": "now",
  "references": [],
  "version": 4,
  "exceptions_list": [
    {
      "id": "1c5f5410-a1b7-11ed-8a48-674ff789cd60",
      "list_id": "6ded8142-615f-44d4-a9e5-2ebc2d5fdc64",
      "type": "rule_default",
      "namespace_type": "single"
    }
  ],
  "immutable": false,
  "related_integrations": [],
  "required_fields": [],
  "setup": "",
  "type": "query",
  "language": "kuery",
  "index": [
    "apm-*-transaction*",
    "auditbeat-*",
    "endgame-*",
    "filebeat-*",
    "logs-*",
    "packetbeat-*",
    "traces-apm*",
    "winlogbeat-*",
    "-*elastic-cloud-logs-*"
  ],
  "query": "host.name:*",
  "filters": [],
  "throttle": "rule",
  "actions": [
    {
      "group": "default",
      "id": "f2140ac0-a1ac-11ed-95d9-0b5e5a36b4dd",
      "params": {
        "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
      },
      "action_type_id": ".slack"
    },
    {
      "group": "default",
      "id": "f2140ac0-a1ac-11ed-95d9-0b5e5a36b4dd",
      "params": {
        "message": "Number 2"
      },
      "action_type_id": ".slack"
    }
  ],
  "execution_summary": {
    "last_execution": {
      "date": "2023-01-31T21:50:09.630Z",
      "status": "succeeded",
      "status_order": 0,
      "message": "Rule execution completed successfully",
      "metrics": {
        "total_indexing_duration_ms": 484,
        "total_search_duration_ms": 2843
      }
    }
  }
}
{
  "id": "f70e5940-a1a2-11ed-bb62-f5edc28041ea",
  "updated_at": "2023-01-31T22:29:08.317Z",
  "updated_by": "elastic",
  "created_at": "2023-01-31T20:08:02.007Z",
  "created_by": "elastic",
  "name": "Windows Script Interpreter Executing Process via WMI [Duplicate]",
  "tags": [
    "Elastic",
    "Host",
    "Windows",
    "Threat Detection",
    "Initial Access"
  ],
  "interval": "5m",
  "enabled": false,
  "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.",
  "risk_score": 47,
  "severity": "medium",
  "license": "Elastic License v2",
  "output_index": "",
  "meta": {
    "from": "4m",
    "kibana_siem_app_url": "http://localhost:5601/kbn/app/security"
  },
  "author": [
    "Elastic"
  ],
  "false_positives": [],
  "from": "now-540s",
  "rule_id": "fdacb1e1-b667-4b63-83b6-6c0f61a2e8af",
  "max_signals": 100,
  "risk_score_mapping": [],
  "severity_mapping": [],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "reference": "https://attack.mitre.org/tactics/TA0001/",
        "name": "Initial Access",
        "id": "TA0001"
      },
      "technique": [
        {
          "reference": "https://attack.mitre.org/techniques/T1566/",
          "name": "Phishing",
          "id": "T1566",
          "subtechnique": [
            {
              "reference": "https://attack.mitre.org/techniques/T1566/001/",
              "name": "Spearphishing Attachment",
              "id": "T1566.001"
            }
          ]
        }
      ]
    }
  ],
  "to": "now",
  "references": [],
  "version": 103,
  "exceptions_list": [],
  "immutable": false,
  "related_integrations": [],
  "required_fields": [],
  "setup": "",
  "type": "eql",
  "language": "eql",
  "index": [
    "winlogbeat-*",
    "logs-endpoint.events.*",
    "logs-windows.*"
  ],
  "query": "sequence by host.id with maxspan = 5s\n    [any where (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n     (host.name : \"wmiutils.dll\" or host.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n    [process where event.type == \"start\" and\n     process.parent.name : \"wmiprvse.exe\" and\n     user.domain != \"NT AUTHORITY\" and\n     (process.pe.original_file_name :\n        (\n          \"cscript.exe\",\n          \"wscript.exe\",\n          \"PowerShell.EXE\",\n          \"Cmd.Exe\",\n          \"MSHTA.EXE\",\n          \"RUNDLL32.EXE\",\n          \"REGSVR32.EXE\",\n          \"MSBuild.exe\",\n          \"InstallUtil.exe\",\n          \"RegAsm.exe\",\n          \"RegSvcs.exe\",\n          \"msxsl.exe\",\n          \"CONTROL.EXE\",\n          \"EXPLORER.EXE\",\n          \"Microsoft.Workflow.Compiler.exe\",\n          \"msiexec.exe\"\n        ) or\n      process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n     )\n    ]\n",
  "filters": [],
  "throttle": "1d",
  "actions": [
    {
      "group": "default",
      "id": "d5b1a010-a1af-11ed-95d9-0b5e5a36b4dd",
      "params": {
        "documents": [
          {
            "test": ""
          }
        ]
      },
      "action_type_id": ".index"
    }
  ]
}
{
  "id": "c4c4d270-a1b1-11ed-8a48-674ff789cd60",
  "updated_at": "2023-01-31T21:54:23.248Z",
  "updated_by": "elastic",
  "created_at": "2023-01-31T21:54:00.601Z",
  "created_by": "elastic",
  "name": " Testing #148703 Pt2",
  "tags": [],
  "interval": "5m",
  "enabled": false,
  "description": "Testing #148703 Pt2",
  "risk_score": 21,
  "severity": "low",
  "license": "",
  "output_index": "",
  "meta": {
    "from": "1m",
    "kibana_siem_app_url": "http://localhost:5601/kbn/app/security"
  },
  "author": [],
  "false_positives": [],
  "from": "now-360s",
  "rule_id": "d319db0a-8b4d-4b30-afeb-16a4e0f75fbe",
  "max_signals": 100,
  "risk_score_mapping": [],
  "severity_mapping": [],
  "threat": [],
  "to": "now",
  "references": [],
  "version": 1,
  "exceptions_list": [],
  "immutable": false,
  "related_integrations": [],
  "required_fields": [],
  "setup": "",
  "type": "query",
  "language": "kuery",
  "index": [
    "apm-*-transaction*",
    "auditbeat-*",
    "endgame-*",
    "filebeat-*",
    "logs-*",
    "packetbeat-*",
    "traces-apm*",
    "winlogbeat-*",
    "-*elastic-cloud-logs-*"
  ],
  "query": "host.name:*",
  "filters": [],
  "throttle": "no_actions",
  "actions": [],
  "execution_summary": {
    "last_execution": {
      "date": "2023-01-31T21:54:02.805Z",
      "status": "succeeded",
      "status_order": 0,
      "message": "Rule execution completed successfully",
      "metrics": {
        "total_indexing_duration_ms": 56,
        "total_search_duration_ms": 1003
      }
    }
  }
}
{
  "_version": "WzQ5MzIsMV0=",
  "created_at": "2023-01-31T22:32:14.545Z",
  "created_by": "elastic",
  "description": "Exception list containing exceptions for rule with id: f58b7e40-a1ac-11ed-95d9-0b5e5a36b4dd",
  "id": "1c5f5410-a1b7-11ed-8a48-674ff789cd60",
  "immutable": false,
  "list_id": "6ded8142-615f-44d4-a9e5-2ebc2d5fdc64",
  "name": "Exceptions for rule - Testing #148703",
  "namespace_type": "single",
  "os_types": [],
  "tags": [
    "default_rule_exception_list"
  ],
  "tie_breaker_id": "e8d9e23a-f9aa-47a5-8199-aa11d917ad53",
  "type": "rule_default",
  "updated_at": "2023-01-31T22:32:14.545Z",
  "updated_by": "elastic",
  "version": 1
}
{
  "_version": "WzQ5MzQsMV0=",
  "comments": [],
  "created_at": "2023-01-31T22:32:16.514Z",
  "created_by": "elastic",
  "description": "Exception list item",
  "entries": [
    {
      "field": "host.name",
      "operator": "included",
      "type": "match",
      "value": "asdf"
    }
  ],
  "id": "1d8bc620-a1b7-11ed-8a48-674ff789cd60",
  "item_id": "0c7e46ad-7fbd-48d2-ae90-4159a0ac65e8",
  "list_id": "6ded8142-615f-44d4-a9e5-2ebc2d5fdc64",
  "name": "Number 1 Exception",
  "namespace_type": "single",
  "os_types": [],
  "tags": [],
  "tie_breaker_id": "749699cd-52da-45e2-821f-6151017505e1",
  "type": "simple",
  "updated_at": "2023-01-31T22:32:16.514Z",
  "updated_by": "elastic"
}
{
  "id": "f2140ac0-a1ac-11ed-95d9-0b5e5a36b4dd",
  "type": "action",
  "updated_at": "2023-01-31T21:19:28.623Z",
  "created_at": "2023-01-31T21:19:28.623Z",
  "version": "WzM0NDcsMV0=",
  "attributes": {
    "actionTypeId": ".slack",
    "name": "Slack Garrett",
    "isMissingSecrets": true,
    "config": {},
    "secrets": {}
  },
  "references": [],
  "migrationVersion": {
    "action": "8.3.0"
  },
  "coreMigrationVersion": "8.7.0"
}
{
  "id": "d5b1a010-a1af-11ed-95d9-0b5e5a36b4dd",
  "type": "action",
  "updated_at": "2023-01-31T21:40:09.492Z",
  "created_at": "2023-01-31T21:40:09.492Z",
  "version": "WzQ0OTksMV0=",
  "attributes": {
    "actionTypeId": ".index",
    "name": "Indexxy",
    "isMissingSecrets": false,
    "config": {
      "index": ".kibana-event-log-8.7.0",
      "refresh": false,
      "executionTimeField": null
    },
    "secrets": {}
  },
  "references": [],
  "migrationVersion": {
    "action": "8.3.0"
  },
  "coreMigrationVersion": "8.7.0"
}
{
  "exported_count": 7,
  "exported_rules_count": 3,
  "missing_rules": [],
  "missing_rules_count": 0,
  "exported_exception_list_count": 1,
  "exported_exception_list_item_count": 1,
  "missing_exception_list_item_count": 0,
  "missing_exception_list_items": [],
  "missing_exception_lists": [],
  "missing_exception_lists_count": 0,
  "exported_action_connector_count": 2,
  "missing_action_connection_count": 0,
  "missing_action_connections": [],
  "excluded_action_connection_count": 0,
  "excluded_action_connections": []
}
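
A preflight check for an export file of this shape, as an added example that is not part of the issue or of Kibana's own code: it parses the file the way a line-oriented ndjson importer would (one error per bad line, which is why a pretty-printed file like the repro above produces so many), rewrites such a file back into valid ndjson, cross-checks the trailing summary object's exported_*_count fields against the documents actually present, and caps the error list the way the issue proposes for the toast. The sample export embedded in it is constructed, with only a few fields per document; the classification of documents by the keys they carry (rule_id, item_id, list_id, type: action) and the assumption that the summary is always the last document are inferred from the attachment above, not from a documented contract.

```python
"""Preflight check for a Security Solution rule export before import.
Added example, not Kibana code. Assumes the export layout seen in the issue
attachment: rule/list/item/connector documents followed by one summary object."""
import json
from typing import Dict, List, Tuple

# Constructed sample (not the issue's attachment): two rules plus the export
# summary, pretty-printed, so it is NOT valid ndjson. Only a few fields each.
PRETTY_PRINTED_EXPORT = """{
  "rule_id": "11111111-1111-4111-8111-111111111111",
  "name": "Rule A",
  "type": "query"
}
{
  "rule_id": "22222222-2222-4222-8222-222222222222",
  "name": "Rule B",
  "type": "eql"
}
{
  "exported_count": 2,
  "exported_rules_count": 2,
  "exported_exception_list_count": 0,
  "exported_exception_list_item_count": 0,
  "exported_action_connector_count": 0
}
"""

# Summary field that must equal the number of documents of each kind (assumed
# mapping, taken from the field names in the attachment above).
SUMMARY_FIELDS: Dict[str, str] = {
    "rule": "exported_rules_count",
    "exception_list": "exported_exception_list_count",
    "exception_item": "exported_exception_list_item_count",
    "connector": "exported_action_connector_count",
}


def validate_ndjson(text: str) -> Tuple[List[dict], List[Tuple[int, str]]]:
    """One JSON document per line. Returns (documents, [(line_no, message)]).
    A pretty-printed file fails on every non-blank line, hence the huge toast."""
    docs, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines are tolerated
        try:
            docs.append(json.loads(line))
        except json.JSONDecodeError as exc:
            errors.append((lineno, f"{exc.msg} (column {exc.colno})"))
    return docs, errors


def to_ndjson(text: str) -> str:
    """Re-serialise concatenated, possibly pretty-printed JSON documents as one
    compact document per line. raw_decode() stops at the end of each document,
    so nesting and braces inside strings are handled by the real parser."""
    decoder, pos, lines = json.JSONDecoder(), 0, []
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # skip whitespace between documents
        if pos >= len(text):
            break
        doc, pos = decoder.raw_decode(text, pos)  # raises on malformed input
        lines.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def classify(doc: dict) -> str:
    """Document kind by the keys it carries; items also carry list_id, so item_id first."""
    if "rule_id" in doc:
        return "rule"
    if doc.get("type") == "action":
        return "connector"
    if "item_id" in doc:
        return "exception_item"
    return "exception_list" if "list_id" in doc else "unknown"


def check_export_summary(docs: List[dict]) -> List[str]:
    """Compare the summary's exported_*_count fields with the documents present."""
    if not docs or "exported_count" not in docs[-1]:
        return ["last document is not an export summary (no exported_count)"]
    summary, payload = docs[-1], docs[:-1]
    counts = {kind: 0 for kind in SUMMARY_FIELDS}
    problems = []
    for doc in payload:
        kind = classify(doc)
        if kind in counts:
            counts[kind] += 1
        else:
            problems.append(f"unrecognised document with keys {sorted(doc)[:3]}")
    for kind, field in SUMMARY_FIELDS.items():
        if summary.get(field, 0) != counts[kind]:
            problems.append(f"{field}={summary.get(field)} but file has {counts[kind]} {kind}(s)")
    if summary["exported_count"] != len(payload):
        problems.append(f"exported_count={summary['exported_count']} but file has {len(payload)} documents")
    return problems


def summarize_errors(errors: List[Tuple[int, str]], max_shown: int = 5) -> str:
    """Capped summary for a toast body: first max_shown errors plus a count of the
    rest. The full list belongs in the modal or a log, not in the toast."""
    if not errors:
        return "no errors"
    shown = "; ".join(f"line {n}: {msg}" for n, msg in errors[:max_shown])
    rest = len(errors) - min(len(errors), max_shown)
    return shown + (f"; ... and {rest} more" if rest else "")
```

Run it over a real export with `validate_ndjson(open(path).read())`; if every line errors, `to_ndjson` usually recovers the file, and `check_export_summary` flags a truncated or hand-edited export before it is imported.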

@spong spong added bug Fixes for quality problems that affect the customer experience triage_needed impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Security Solution Platform Security Solution Platform Team labels Jan 31, 2023
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@spong spong added the Feature:Rule Import/Export Security Solution Detection Rule Import & Export workflow label Jan 31, 2023
@yctercero yctercero added Team:Detection Rule Management Security Detection Rule Management Team and removed Team:Security Solution Platform Security Solution Platform Team labels Apr 4, 2023
@banderror banderror added Feature:Rule Management Security Solution Detection Rule Management area and removed triage_needed 8.8 candidate v8.8.0 labels May 5, 2023
@banderror banderror removed their assignment May 5, 2023
@pborgonovi

Validated on latest 8.15 BC and it's still happening:

[screenshot]

Development

No branches or pull requests