
[9.3] [Security Solution] Show more alert action error info in error toasts (#269592) #272004

Open
kibanamachine wants to merge 1 commit into elastic:9.3 from kibanamachine:backport/9.3/pr-269592

Conversation

@kibanamachine
Contributor

Backport

This will backport the following commits from main to 9.3:

Questions?

Please refer to the Backport tool documentation

…elastic#269592)

## Summary

Addresses elastic#269533.

When a user without sufficient index write access performs alert actions
in Security Solution, the error toast appeared with a blank body instead
of the actual reason from Elasticsearch.

### Cause

Several hooks called `addError(error.message, { title })`, passing a
plain string instead of the error object. `useAppToasts.addError` runs
its input through `errorToErrorStackAdapter`, which unpacks a Kibana
`HttpFetchError` (including the nested Elasticsearch reason string) only
when given the full error object. Passing `error.message` bypasses that
logic, leaving the toast body blank on permission errors.

### Fix

Pass `error` directly to `addError` in the following hooks:

- `useSetAlertAssignees` (`use_set_alert_assignees.tsx`) -- assign alert
- `useSetAlertTags` (`use_set_alert_tags.tsx`) -- bulk tag update
- `onAlertStatusUpdateFailure` in `useBulkActionItems`,
`useAlertActions`, and `useGroupTakeActionItems` -- open / close /
acknowledge
- `useCasesFromAlerts` (`use_cases_from_alerts.tsx`) -- cases fetch on
flyout open (fires automatically; users without Cases read access would
have seen a blank toast on every flyout open)

## Steps to reproduce

1. Create a role with `view_index_metadata`, `write`, and `manage` on
`.alerts-security.alerts-{space}`, but without `create_doc` / `index` /
`all`.
2. Log in as a user assigned that role and navigate to Security ->
Alerts.
3. Attempt any of the following:
   - Assign an alert to a user
   - Add or remove a tag via bulk actions
   - Change workflow status (open / close / acknowledge)
   - Open an alert flyout (if the user also lacks Cases read access)
4. Observe the error toast: the body is blank even though the browser
console shows a detailed authorization error.

**Expected:** the toast body shows the Elasticsearch authorization
reason (e.g. "action [indices:data/write/bulk[s]] is unauthorized ...").

Example:
<kbd>
<img width="655" height="599" alt="Screenshot 2026-05-15 at 4 42 24 PM"
src="https://github.com/user-attachments/assets/08fa0524-62f8-41e7-980b-25bbd1e49960"
/>

</kbd>
<kbd>
<img width="857" height="859" alt="Screenshot 2026-05-15 at 4 42 33 PM"
src="https://github.com/user-attachments/assets/d95635c5-f55d-44a7-8509-bb5a0960a74f"
/>

</kbd>

**Actual (before fix):** the toast body is blank.
Example:
<kbd>
<img width="372" height="205" alt="Screenshot 2026-05-15 at 4 44 53 PM"
src="https://github.com/user-attachments/assets/95ba3628-78a8-424c-9af4-0f61e9a2330e"
/>

</kbd>
<kbd>
<img width="857" height="859" alt="Screenshot 2026-05-15 at 4 44 34 PM"
src="https://github.com/user-attachments/assets/74f0e932-92a0-4188-9a43-e69ed28636bb"
/>

</kbd>

## Release note

Error toasts for failed alert actions (assign, tag, open, close,
acknowledge) now show the full error message from Elasticsearch instead
of a blank body.

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
(cherry picked from commit cbabddd)
@kibanamachine kibanamachine added the backport This PR is a backport of another PR label May 29, 2026
@kibanamachine kibanamachine enabled auto-merge (squash) May 29, 2026 22:27
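
The pattern the commit message identifies as the cause, `addError(error.message, { title })`, is easy to reintroduce at a new call site. As an added example (not code from the Kibana repository), this TypeScript check flags `addError` calls whose first argument is a `.message` access; the names `findMessageOnlyToasts` and `Finding` and the sample source are constructed for illustration.

```typescript
// Added example, not Kibana code. Flags addError() calls that receive
// `<something>.message` instead of the error object, the pattern this PR removes.

interface Finding {
  line: number; // 1-based line where the call starts
  argument: string; // offending first argument, e.g. "error.message"
}

// `addError(` + identifier chain ending in `.message` (optional chaining
// allowed) + `,` or `)`. Whitespace and newlines inside the call are tolerated.
const MESSAGE_ONLY_CALL =
  /\baddError\s*\(\s*([A-Za-z_$][\w$]*(?:\??\.[A-Za-z_$][\w$]*)*\??\.message)\s*[,)]/g;

function findMessageOnlyToasts(source: string): Finding[] {
  // Blank out comments but keep newlines so reported line numbers stay correct.
  // Limitation: a `//` inside a string literal hides the rest of that line.
  const code = source.replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*/g, (comment) =>
    comment.replace(/[^\n]/g, ' ')
  );
  const findings: Finding[] = [];
  MESSAGE_ONLY_CALL.lastIndex = 0;
  let match: RegExpExecArray | null;
  while ((match = MESSAGE_ONLY_CALL.exec(code)) !== null) {
    const line = code.slice(0, match.index).split('\n').length;
    findings.push({ line, argument: match[1] });
  }
  return findings;
}

// Constructed sample source (not taken from the repository).
const SAMPLE_SOURCE = [
  'const onFailure = (error: Error) => {',
  '  addError(error.message, { title: FAILED }); // string only: detail is lost',
  '};',
  'const onFailureFixed = (error: Error) => {',
  '  addError(error, { title: FAILED }); // full error object',
  '};',
  '// addError(err.message, { title }) inside a comment is ignored',
  'toasts.addError(',
  '  e?.body.message,',
  '  { title }',
  ');',
].join('\n');

console.log(findMessageOnlyToasts(SAMPLE_SOURCE));
```
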
@kibanamachine
Contributor Author

kibanamachine commented May 29, 2026

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Defend Workflows Cypress Tests #21 / Automated Response Actions "before all" hook for "should not show the response when no action history privilege" "before all" hook for "should not show the response when no action history privilege"
  • [job] [logs] Defend Workflows Cypress Tests #21 / Automated Response Actions "before all" hook for "should not show the response when no action history privilege" "before all" hook for "should not show the response when no action history privilege"
  • [job] [logs] Defend Workflows Cypress Tests #24 / Document signing: "before all" hook for "should fail if data tampered" "before all" hook for "should fail if data tampered"
  • [job] [logs] Defend Workflows Cypress Tests #24 / Document signing: "before all" hook for "should fail if data tampered" "before all" hook for "should fail if data tampered"
  • [job] [logs] Defend Workflows Cypress Tests #12 / Endpoints page "before all" hook for "Shows endpoint on the list" "before all" hook for "Shows endpoint on the list"
  • [job] [logs] Defend Workflows Cypress Tests #12 / Endpoints page "before all" hook for "Shows endpoint on the list" "before all" hook for "Shows endpoint on the list"
  • [job] [logs] Defend Workflows Cypress Tests #20 / Response console File operations: "before all" hook for ""get-file --path" - should retrieve a file" "before all" hook for ""get-file --path" - should retrieve a file"
  • [job] [logs] Defend Workflows Cypress Tests #20 / Response console File operations: "before all" hook for ""get-file --path" - should retrieve a file" "before all" hook for ""get-file --path" - should retrieve a file"
  • [job] [logs] Defend Workflows Cypress Tests #1 / Response console From endpoint list "before all" hook for "should open responder" "before all" hook for "should open responder"
  • [job] [logs] Defend Workflows Cypress Tests #1 / Response console From endpoint list "before all" hook for "should open responder" "before all" hook for "should open responder"
  • [job] [logs] Defend Workflows Cypress Tests #9 / Response console Host Isolation: "before all" hook for "should isolate a host from response console" "before all" hook for "should isolate a host from response console"
  • [job] [logs] Defend Workflows Cypress Tests #19 / Response console: From Alerts "before all" hook for "should open responder from alert details flyout" "before all" hook for "should open responder from alert details flyout"
  • [job] [logs] Defend Workflows Cypress Tests #19 / Response console: From Alerts "before all" hook for "should open responder from alert details flyout" "before all" hook for "should open responder from alert details flyout"
  • [job] [logs] Defend Workflows Cypress Tests #16 / Unenroll agent from fleet changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #16 / Unenroll agent from fleet changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #15 / Unenroll agent from fleet changing when agent tamper protection is enabled but then is switched to a policy with it disabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #15 / Unenroll agent from fleet changing when agent tamper protection is enabled but then is switched to a policy with it disabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #14 / Unenroll agent from fleet when agent tamper protection is disabled but then is switched to a policy with it enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #14 / Unenroll agent from fleet when agent tamper protection is disabled but then is switched to a policy with it enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #12 / Unenroll agent from fleet when agent tamper protection is enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #12 / Unenroll agent from fleet when agent tamper protection is enabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #10 / Unenroll agent from fleet with agent tamper protection is disabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #10 / Unenroll agent from fleet with agent tamper protection is disabled "before each" hook for "should unenroll from fleet without issues" "before each" hook for "should unenroll from fleet without issues"
  • [job] [logs] Defend Workflows Cypress Tests #17 / Uninstall agent from host changing agent policy when agent tamper protection is disabled but then is switched to a policy with it enabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #17 / Uninstall agent from host changing agent policy when agent tamper protection is disabled but then is switched to a policy with it enabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #19 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #19 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it also enabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #18 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it disabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #18 / Uninstall agent from host changing agent policy when agent tamper protection is enabled but then is switched to a policy with it disabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #11 / Uninstall agent from host when agent tamper protection is disabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #11 / Uninstall agent from host when agent tamper protection is disabled "before each" hook for "should uninstall from host without issues" "before each" hook for "should uninstall from host without issues"
  • [job] [logs] Defend Workflows Cypress Tests #13 / Uninstall agent from host when agent tamper protection is enabled "before each" hook for "should uninstall from host with the uninstall token" "before each" hook for "should uninstall from host with the uninstall token"
  • [job] [logs] Defend Workflows Cypress Tests #13 / Uninstall agent from host when agent tamper protection is enabled "before each" hook for "should uninstall from host with the uninstall token" "before each" hook for "should uninstall from host with the uninstall token"

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 10.8MB | 10.8MB | -48.0B |

History

cc @rylnd
