[Security Solution] Show more alert action error info in error toasts #269592
Merged
Passing the message string directly into `addError` bypasses all the parsing logic we have in that method. By passing the full object instead, we properly pull out and display all the information from the error.
…n hooks

Fixes elastic#269533.

Several hooks called `addError(error.message, { title })`, passing a plain string instead of the error object. `useAppToasts.addError` runs its input through `errorToErrorStackAdapter`, which unpacks a Kibana `HttpFetchError` (including the nested Elasticsearch reason string) only when given the full error object. Passing `error.message` bypasses that logic, leaving the toast body blank on permission errors.

Affected hooks:
- `useSetAlertAssignees` (assignees update)
- `useSetAlertTags` (tags update)
- `onAlertStatusUpdateFailure` in `useBulkActionItems`, `useAlertActions`, and `useGroupTakeActionItems` (open/close/acknowledge)
- `useCasesFromAlerts` (cases fetch on flyout open)

Co-authored-by: Cursor <cursoragent@cursor.com>
Pinging @elastic/security-detection-engine (Team:Detection Engine)
agusruidiazgd
approved these changes
May 27, 2026
Contributor
agusruidiazgd
left a comment
LGTM - thanks for this fix ✨
dhurley14
approved these changes
May 29, 2026
Contributor
💛 Build succeeded, but was flaky
cc @rylnd
Contributor
Starting backport for target branches: 8.19, 9.3, 9.4
This was referenced May 29, 2026
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
kibanamachine
added a commit
that referenced
this pull request
May 29, 2026
…toasts (#269592) (#272005)

# Backport

This will backport the following commits from `main` to `9.4`:
- [[Security Solution] Show more alert action error info in error toasts (#269592)](#269592)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
Addresses #269533.
When a user without sufficient index write access performs alert actions in Security Solution, the error toast appeared with a blank body instead of the actual reason from Elasticsearch.
Cause
Several hooks called `addError(error.message, { title })`, passing a plain string instead of the error object. `useAppToasts.addError` runs its input through `errorToErrorStackAdapter`, which unpacks a Kibana `HttpFetchError` (including the nested Elasticsearch reason string) only when given the full error object. Passing `error.message` bypasses that logic, leaving the toast body blank on permission errors.
Fix
Pass `error` directly to `addError` in the following hooks:
- `useSetAlertAssignees` (`use_set_alert_assignees.tsx`) -- assign alert
- `useSetAlertTags` (`use_set_alert_tags.tsx`) -- bulk tag update
- `onAlertStatusUpdateFailure` in `useBulkActionItems`, `useAlertActions`, and `useGroupTakeActionItems` -- open / close / acknowledge
- `useCasesFromAlerts` (`use_cases_from_alerts.tsx`) -- cases fetch on flyout open (fires automatically; users without Cases read access would have seen a blank toast on every flyout open)
Steps to reproduce
1. Create a role with `view_index_metadata`, `write`, and `manage` on `.alerts-security.alerts-{space}`, but without `create_doc` / `index` / `all`.
2. Log in as a user assigned that role and navigate to Security -> Alerts.
3. Attempt any of the following:
   - Assign an alert to a user
   - Add or remove a tag via bulk actions
   - Change workflow status (open / close / acknowledge)
   - Open an alert flyout (if the user also lacks Cases read access)
4. Observe the error toast: the body is blank even though the browser console shows a detailed authorization error.
Expected: the toast body shows the Elasticsearch authorization reason (e.g. "action [indices:data/write/bulk[s]] is unauthorized ...").
Example: [two screenshots]
Actual (before fix): the toast body is blank.
Example: [two screenshots]
Release note
Error toasts for failed alert actions (assign, tag, open, close, acknowledge) now show the full error message from Elasticsearch instead of a blank body.
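A simplified model of the failure described under Cause, as an added example that is not code from this pull request or from Kibana. `FetchErrorLike`, `isFetchErrorLike` and `toastBodyFor` are hypothetical stand-ins for the adapter step, and the sample error, including its empty top-level `message`, is constructed to match the blank toast the description reports.

```typescript
// Constructed shape modelled on the page's description of a Kibana HttpFetchError:
// the Elasticsearch reason is nested under `body`, not in the top-level `message`.
interface FetchErrorLike {
  message: string;
  body: { statusCode: number; message: string };
}

// Hypothetical type guard: does the value carry a nested `body.message`?
function isFetchErrorLike(e: unknown): e is FetchErrorLike {
  if (typeof e !== 'object' || e === null) return false;
  const body = (e as { body?: unknown }).body;
  if (typeof body !== 'object' || body === null) return false;
  const b = body as { statusCode?: unknown; message?: unknown };
  return typeof b.statusCode === 'number' && typeof b.message === 'string';
}

// Simplified stand-in for the adapter step (an assumption, not Kibana's code):
// returns the text the toast body would display for a given input.
function toastBodyFor(input: unknown): string {
  if (isFetchErrorLike(input)) {
    // Full error object: the nested reason and status code are reachable.
    return `${input.body.message} (${input.body.statusCode})`;
  }
  if (input instanceof Error) return input.message;
  // A bare string has no `body` to unpack, so it is shown exactly as received.
  return typeof input === 'string' ? input : String(input);
}

// Constructed sample: a 403 whose top-level message is empty (assumption)
// while the authorization reason sits in body.message.
const sampleError: FetchErrorLike = {
  message: '',
  body: {
    statusCode: 403,
    message: 'action [indices:data/write/bulk[s]] is unauthorized ...',
  },
};

// Old call shape, addError(error.message, { title }): only the string arrives.
const bodyBeforeFix = toastBodyFor(sampleError.message);
// Fixed call shape, addError(error, { title }): the whole object arrives.
const bodyAfterFix = toastBodyFor(sampleError);
```

`bodyBeforeFix` is the empty string and `bodyAfterFix` carries the authorization reason with its status code, which is the difference a user with insufficient privileges sees in the toast.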