Kibana: [SIEM] Signal's rule name is not showing properly on signals table

Created on 7 May 2020 · 3Comments · Source: elastic/kibana

Kibana version:
7.6.1

Elasticsearch version:
7.6.1

Server OS version:

Browser version:
Chrome 81.0.4044.129

Browser OS version:
macOS Catalina 10.15.4

Original install method (e.g. download page, yum, from source, etc.):
Elastic Cloud

Describe the bug:
The name of the signal's rule (signals.rule.name) is not showing on the expanded (detailed) table of the signal. JSON View shows the name correctly.

Steps to reproduce:

Go to SIEM -> Detections -> Signals (Table at the bottom of the page).
Click the arrow at the left of the timestamp.
Go to the signals.rule.name. The value of the fields is - where it should be the name of the rule.

Expected behavior:
It should show the name of the rule correctly.

Screenshots (if relevant):
bug3

bug1

bug2

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:
I reproduce the bug on master.

SecuritySolution SIEM Threat Hunting bug fixed

Source

cnasikas

👍1

Most helpful comment

It appears to be a bug in x-pack/plugins/siem/public/components/timeline/body/renderers/formatted_field_helpers.tsx. The function renderRuleName is checking for linkValue to exist for it to render the name value. However, linkValue is never being passed through to it in that view (see x-pack/plugins/siem/public/components/event_details/columns.tsx line 176).

yctercero on 7 May 2020

👍2

All 3 comments

Pinging @elastic/siem (Team:SIEM)

elasticmachine on 7 May 2020

yctercero on 7 May 2020

👍2

I'm also experiencing this issue. Native signals generated by Elasticsearch detection rules seem to have their signal.rule.name values show up in the table but for the signals we directly write to the .siem-signals-* index, those signal.rule.name values do not render in the table. (To be clear, the events render in the table, but the signal.rule.name value does not.)