[Security Solution][Detections] Alerts Count panel component conflates missing/others buckets #108283
Labels: bug, Team:Detections and Resp, Team: SecuritySolution, Team:Threat Hunting, Theme: rac, v7.15.0
Similar to what was addressed in #105126, the Alerts Count table (#106358) looks to be conflating `missing` and `all others` buckets. The former is the absence of a field, and the latter is the catch-all bucket for unique fields over the configured `size` (or max buckets) from the query (currently set to 10000).

For IPs, all documents missing the IP field will be bucketed as 0.0.0.0, even though this is not the actual value, but rather the absence of the value.

For non-IP fields, the missing bucket is being labeled as `All others`, leading the user to believe these are the overflow buckets rather than the missing bucket.

Additionally, the missing/empty bucket appears to intentionally have its hover actions disabled, when we could still provide them as a not exists filter (i.e. `not host.name: *`).

As for the black scroll-bars, this came up in a design review on another PR (#106541 (comment)), and I think is an artifact of a system/browser theme setting and EUI (not all folks are seeing this behavior). The workaround in the aforementioned PR should probably be done at the EUI layer, so may want to open a subsequent ticket for handling that one once more details are available.
Note: For the IP scenario, this is also the case for the Alerts Histogram and the Top N histogram from the contextual hover action.
Leaving as a single issue for now, as I believe this logic has been consolidated to power all the above components, but please do create additional issues if there is a separation here.
cc @elastic/security-design for consolidating on UX here, as I know these intricacies can get confusing, so may want to review to ensure we're consistent throughout the app when performing aggregations.
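As an added illustration (not code from Kibana or from this issue), a small TypeScript routine that keeps the `missing` bucket and the overflow bucket apart when turning a terms aggregation response into count rows; the type names, `toCountRows`, the `MISSING_KEY` placeholder and the sample response are assumptions.

```typescript
// Shape of an Elasticsearch terms aggregation result (only the parts used here).
interface TermsBucket { key: string; doc_count: number; }
interface TermsAgg {
  buckets: TermsBucket[];
  // Documents that fell outside the configured `size`: the real "All others".
  sum_other_doc_count: number;
}

interface CountRow {
  label: string;
  count: number;
  kind: 'value' | 'missing' | 'overflow';
  filter?: string; // KQL filter a hover action could apply
}

// Assumed placeholder sent as `missing` in the request for keyword fields.
const MISSING_KEY = '__missing__';

// `missingKey` is whatever placeholder the request used, so an ip field that
// had to use 0.0.0.0 is still recognised as "missing" and not shown as an address.
function toCountRows(field: string, agg: TermsAgg, missingKey: string): CountRow[] {
  const rows: CountRow[] = agg.buckets.map((b): CountRow =>
    b.key === missingKey
      ? { label: `(missing ${field})`, count: b.doc_count, kind: 'missing',
          filter: `not ${field}: *` }
      : { label: b.key, count: b.doc_count, kind: 'value',
          filter: `${field}: "${b.key}"` }
  );
  if (agg.sum_other_doc_count > 0) {
    // Overflow is not a single value, so no single-value filter is offered.
    rows.push({ label: 'All others', count: agg.sum_other_doc_count, kind: 'overflow' });
  }
  return rows;
}

// Constructed sample (not a real query result): host.name with size: 2.
const sampleAgg: TermsAgg = {
  buckets: [
    { key: 'web-01', doc_count: 40 },
    { key: MISSING_KEY, doc_count: 7 },
  ],
  sum_other_doc_count: 12,
};

// Constructed sample for an ip field where 0.0.0.0 was the placeholder.
const sampleIpAgg: TermsAgg = {
  buckets: [{ key: '10.0.0.5', doc_count: 3 }, { key: '0.0.0.0', doc_count: 2 }],
  sum_other_doc_count: 0,
};
```

Running `toCountRows('host.name', sampleAgg, MISSING_KEY)` yields three rows: the real value, a missing row carrying `not host.name: *`, and a separate overflow row for the 12 documents past `size`.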