
[Detection Engine][Preview] Threshold preview fails when no alerts index exists #198209

Closed
yctercero opened this issue Oct 29, 2024 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience Team:Detection Engine Security Solution Detection Engine Area Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.17.0

Comments

@yctercero
Contributor

Summary

Rule preview fails when trying to generate a preview on a fresh instance prior to the alerts index being created. Alerts indices are created on first write. If a threshold rule does not have execution history, it falls back to trying to recreate it using the alerts index. When it attempts to query the alerts index and no index exists, the execution fails.

Steps to reproduce

  1. On a fresh install, ensure you have data available to query.
  2. Navigate to rule creation and select Threshold Rule.
  3. Input something simple like query: * and threshold host.name with threshold value of 1
  4. Select Rule Preview
  5. Notice the error stating that it failed to search and no alerts index found.
  6. Select Custom query rule and run Rule Preview - notice alerts generated.
  7. Go back to Threshold Rule and run Rule Preview - notice now alerts are generated.
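The failure mode described above, as an added example that is not Kibana's code: the history-rebuild step queries the alerts index unconditionally, so on a fresh instance where no index has been written yet the search throws and the whole preview aborts; the guarded variant treats a missing index as "no history" and continues. The in-memory client, the index name and all function names are constructed for the example.

```typescript
// Added example, not Kibana's own code. Models the threshold preview's
// fallback of rebuilding execution history from the alerts index.
type AlertDoc = { 'host.name': string; '@timestamp': string };

const ALERTS_INDEX = 'alerts-index-example'; // constructed placeholder name

class IndexNotFoundError extends Error {
  constructor(index: string) {
    super(`index_not_found_exception: no such index [${index}]`);
    this.name = 'IndexNotFoundError';
  }
}

// Constructed stand-in for a search client: an index exists only once it has
// been written to, mirroring "alerts indices are created on first write".
class FakeAlertsClient {
  private indices = new Map<string, AlertDoc[]>();
  write(index: string, docs: AlertDoc[]): void {
    const existing = this.indices.get(index) ?? [];
    this.indices.set(index, existing.concat(docs));
  }
  exists(index: string): boolean {
    return this.indices.has(index);
  }
  search(index: string): AlertDoc[] {
    const docs = this.indices.get(index);
    if (docs === undefined) throw new IndexNotFoundError(index);
    return docs;
  }
}

// Bucket prior alerts by host.name, the threshold field used in the report.
function countByHost(docs: AlertDoc[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const d of docs) {
    counts.set(d['host.name'], (counts.get(d['host.name']) ?? 0) + 1);
  }
  return counts;
}

// Buggy fallback: queries the alerts index unconditionally, so a fresh
// instance (no index yet) throws and the preview fails.
function rebuildHistoryUnguarded(client: FakeAlertsClient, index: string): Map<string, number> {
  return countByHost(client.search(index));
}

// Fixed fallback: a missing index simply means there is no history to
// rebuild, so the preview proceeds with an empty history instead of failing.
function rebuildHistoryGuarded(client: FakeAlertsClient, index: string): Map<string, number> {
  if (!client.exists(index)) return new Map();
  return countByHost(client.search(index));
}
```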
@yctercero yctercero self-assigned this Oct 29, 2024
@yctercero yctercero added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Engine Security Solution Detection Engine Area v8.17.0 labels Oct 29, 2024
@elasticmachine
Contributor

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

yctercero added a commit that referenced this issue Oct 30, 2024
…hreshold preview bug (#197368)

## Summary

This PR breaks down long running FTR groups into smaller chunks that now
run in <~15 min.
- Addresses #192109
- There is no existing ticket but rule_execution group tests are taking
~55m to run and will soon be a bottle neck for us.
- No edits made to any existing tests.
- Purely just a reshuffle of the tests.

See #198209 for details on bug.
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Oct 30, 2024
…hreshold preview bug (elastic#197368)

## Summary

This PR breaks down long running FTR groups into smaller chunks that now
run in <~15 min.
- Addresses elastic#192109
- There is no existing ticket but rule_execution group tests are taking
~55m to run and will soon be a bottle neck for us.
- No edits made to any existing tests.
- Purely just a reshuffle of the tests.

See elastic#198209 for details on bug.

(cherry picked from commit cd1fafe)
@yctercero
Contributor Author

Addressed in #197368
