[EDR Workflows] `Action failed` response is not shown under `Response actions history` panel. about kibana HOT 10 CLOSED

@tomsonpl ,
Yes, and no.
For endpoint, we do allow isolate to be create for hosts that are already isolated (similar with release). For SentinelOne, Patryk implemented code in the Connector that first checks that the host is in the correct state. Not sure why that was done that way - perhaps the S1 system rejects it? 🤷

That being said - this is expected behaviour for HTTP API requests for all agent types - meaning: if there is an error along the way, we don't create the action documents because that could just fill up the index with "junk".

Note, however, that automated response actions behaviour is a bit different because there is no user behind it. For automated response actions, we do create a failed response action in this case.

from kibana.

@muskangulati-qasource Thanks for bringing this up. This is expected as the action request is not created. We show response history for actions that are actually created and that have pending/failed/successful responses.

from kibana.

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

from kibana.

@ashokaditya could you take a closer look to this one?

from kibana.

Out of curiosity, is this expected only for S1 actions, or also Endpoint's ?

from kibana.

Thanks @paul-tavares :)

from kibana.

@ashokaditya @paul-tavares can we close this as won't do then?
cc: @arvindersingh-qasource

from kibana.

Yes - it should be closed. Its working as intended.

from kibana.

Thank you for the update @dasansol92 and @paul-tavares .

We are closing this issue as it is WORKING AS DESIGNED. We will keep note of the same.

Thank you!

from kibana.

Bug Conversion

No Test case is required since it is expected behavior!

Thanks!

from kibana.