[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines)#259658
Merged
PhilippeOberti merged 1 commit intoelastic:mainfrom Mar 26, 2026
Conversation
PhilippeOberti
added
release_note:fix
Team:Threat Hunting:Investigations
Contributor
|
Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations) |
agusruidiazgd
approved these changes
Mar 26, 2026
Contributor
agusruidiazgd
left a comment
agusruidiazgd
left a comment
There was a problem hiding this comment.
LGTM Thanks for this amazing one line fix ✨ 💖
Contributor
|
Wonder why this commit has happened 2188cbe 🤔 |
…tpy string from draft timelines)
PhilippeOberti
force-pushed
the
fix-timeline-note-list
branch
from
2188cbe to
65ee8f2
Compare
Contributor
Author
I saw it happening on a bunch of unrelated PR yesterday. There was an issue with some |
Contributor
|
Starting backport for target branches: 8.19, 9.2, 9.3 https://github.com/elastic/kibana/actions/runs/23602109651 |
Contributor
💚 Build Succeeded
Metrics [docs]Async chunks
History
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 26, 2026
…tpy string from draft timelines) (elastic#259658) ## Summary This one-liner PR fixes a very annoying bug we've had for a while, where some unwanted notes show up in draft Timelines. While the fix is extremely simple and easy, finding why this was happening was interesting. ### Some context For a while now, we were seeing some unwanted notes showing up when investigating in Timeline. We were not sure why sometimes these notes were showing up, and sometimes they were not. The weirdest thing is we were seeing notes that had been saved only to a document (meaning not associated with a Timeline). Those should never show up on the Timeline Notes tab... > [!NOTE] > All notes created in the video below are associated with a document only (not Timeline) https://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2 As you can see in the video above, the behavior is inconsistent: - for the first alert we investigate, no notes are showing up - for the second alert we investigate, some random notes are showing up - for the attack we investigate, those same random notes are showing up ### Explanation of the issue What is happening because of the following bug: this [makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393) function is returning all notes that have the same `savedObjectId` field as the passed value. This includes empty string! ### Why isn't that happening for some alerts? In the video above, you can see that for the first alert, the issue is not happening. This is because that alert was generated by a rule that has an investigation guide. When we investigate in Timeline for an alert generated by a rule with an investigation guide, we automatically create a note (see [this line here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)), which then triggers this middleware and saves the Timeline [here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49). Saving the Timeline basically sets a `savedObject` in Redux. This combined with the selector issue mentioned above results in the different behaviors we're seeing. Investigate in Timeline for the 2 different rules: | Rule with investigation guide |Rule without investigation guide | | ------------- | ------------- | | <img width="460" height="125" alt="Screenshot 2026-03-25 at 3 34 39 PM" src="https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016" /> | <img width="361" height="162" alt="Screenshot 2026-03-25 at 3 33 34 PM" src="https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9" /> | ### The fix This fix basically prevents any notes that are NOT associated with a timeline saved object to show up in the Timeline Notes tab. This is also valid for attacks! https://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9 ### Checklist Check the PR satisfies following conditions. - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. elastic/security-team#16396 (cherry picked from commit 8f9bd51)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 26, 2026
…tpy string from draft timelines) (elastic#259658) ## Summary This one-liner PR fixes a very annoying bug we've had for a while, where some unwanted notes show up in draft Timelines. While the fix is extremely simple and easy, finding why this was happening was interesting. ### Some context For a while now, we were seeing some unwanted notes showing up when investigating in Timeline. We were not sure why sometimes these notes were showing up, and sometimes they were not. The weirdest thing is we were seeing notes that had been saved only to a document (meaning not associated with a Timeline). Those should never show up on the Timeline Notes tab... > [!NOTE] > All notes created in the video below are associated with a document only (not Timeline) https://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2 As you can see in the video above, the behavior is inconsistent: - for the first alert we investigate, no notes are showing up - for the second alert we investigate, some random notes are showing up - for the attack we investigate, those same random notes are showing up ### Explanation of the issue What is happening because of the following bug: this [makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393) function is returning all notes that have the same `savedObjectId` field as the passed value. This includes empty string! ### Why isn't that happening for some alerts? In the video above, you can see that for the first alert, the issue is not happening. This is because that alert was generated by a rule that has an investigation guide. When we investigate in Timeline for an alert generated by a rule with an investigation guide, we automatically create a note (see [this line here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)), which then triggers this middleware and saves the Timeline [here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49). Saving the Timeline basically sets a `savedObject` in Redux. This combined with the selector issue mentioned above results in the different behaviors we're seeing. Investigate in Timeline for the 2 different rules: | Rule with investigation guide |Rule without investigation guide | | ------------- | ------------- | | <img width="460" height="125" alt="Screenshot 2026-03-25 at 3 34 39 PM" src="https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016" /> | <img width="361" height="162" alt="Screenshot 2026-03-25 at 3 33 34 PM" src="https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9" /> | ### The fix This fix basically prevents any notes that are NOT associated with a timeline saved object to show up in the Timeline Notes tab. This is also valid for attacks! https://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9 ### Checklist Check the PR satisfies following conditions. - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. elastic/security-team#16396 (cherry picked from commit 8f9bd51)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 26, 2026
…tpy string from draft timelines) (elastic#259658) ## Summary This one-liner PR fixes a very annoying bug we've had for a while, where some unwanted notes show up in draft Timelines. While the fix is extremely simple and easy, finding why this was happening was interesting. ### Some context For a while now, we were seeing some unwanted notes showing up when investigating in Timeline. We were not sure why sometimes these notes were showing up, and sometimes they were not. The weirdest thing is we were seeing notes that had been saved only to a document (meaning not associated with a Timeline). Those should never show up on the Timeline Notes tab... > [!NOTE] > All notes created in the video below are associated with a document only (not Timeline) https://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2 As you can see in the video above, the behavior is inconsistent: - for the first alert we investigate, no notes are showing up - for the second alert we investigate, some random notes are showing up - for the attack we investigate, those same random notes are showing up ### Explanation of the issue What is happening because of the following bug: this [makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393) function is returning all notes that have the same `savedObjectId` field as the passed value. This includes empty string! ### Why isn't that happening for some alerts? In the video above, you can see that for the first alert, the issue is not happening. This is because that alert was generated by a rule that has an investigation guide. When we investigate in Timeline for an alert generated by a rule with an investigation guide, we automatically create a note (see [this line here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)), which then triggers this middleware and saves the Timeline [here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49). Saving the Timeline basically sets a `savedObject` in Redux. This combined with the selector issue mentioned above results in the different behaviors we're seeing. Investigate in Timeline for the 2 different rules: | Rule with investigation guide |Rule without investigation guide | | ------------- | ------------- | | <img width="460" height="125" alt="Screenshot 2026-03-25 at 3 34 39 PM" src="https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016" /> | <img width="361" height="162" alt="Screenshot 2026-03-25 at 3 33 34 PM" src="https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9" /> | ### The fix This fix basically prevents any notes that are NOT associated with a timeline saved object to show up in the Timeline Notes tab. This is also valid for attacks! https://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9 ### Checklist Check the PR satisfies following conditions. - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. elastic/security-team#16396 (cherry picked from commit 8f9bd51)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Mar 26, 2026
…ing emtpy string from draft timelines) (#259658) (#259811) # Backport This will backport the following commits from `main` to `9.2`: - [[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)](#259658) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Philippe Oberti","email":"philippe.oberti@elastic.co"},"sourceCommit":{"committedDate":"2026-03-26T15:14:31Z","message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Threat Hunting:Investigations","backport:version","v9.4.0","v9.3.3","v9.2.8","v8.19.14"],"title":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines)","number":259658,"url":"https://github.com/elastic/kibana/pull/259658","mergeCommit":{"message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53"}},"sourceBranch":"main","suggestedTargetBranches":["9.3","9.2","8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/259658","number":259658,"mergeCommit":{"message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53"}},{"branch":"9.3","label":"v9.3.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.8","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.14","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Philippe Oberti <philippe.oberti@elastic.co>
This was referenced Mar 26, 2026
Merged
2 tasks
kibanamachine
added a commit
that referenced
this pull request
Mar 27, 2026
…ing emtpy string from draft timelines) (#259658) (#259812) # Backport This will backport the following commits from `main` to `9.3`: - [[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)](#259658) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Philippe Oberti","email":"philippe.oberti@elastic.co"},"sourceCommit":{"committedDate":"2026-03-26T15:14:31Z","message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Threat Hunting:Investigations","backport:version","v9.4.0","v9.3.3","v9.2.8","v8.19.14"],"title":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines)","number":259658,"url":"https://github.com/elastic/kibana/pull/259658","mergeCommit":{"message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53"}},"sourceBranch":"main","suggestedTargetBranches":["9.3","9.2","8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/259658","number":259658,"mergeCommit":{"message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53"}},{"branch":"9.3","label":"v9.3.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.8","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.14","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Philippe Oberti <philippe.oberti@elastic.co>
kibanamachine
added a commit
that referenced
this pull request
Mar 27, 2026
…ring emtpy string from draft timelines) (#259658) (#259810) # Backport This will backport the following commits from `main` to `8.19`: - [[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)](#259658) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Philippe Oberti","email":"philippe.oberti@elastic.co"},"sourceCommit":{"committedDate":"2026-03-26T15:14:31Z","message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Threat Hunting:Investigations","backport:version","v9.4.0","v9.3.3","v9.2.8","v8.19.14"],"title":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines)","number":259658,"url":"https://github.com/elastic/kibana/pull/259658","mergeCommit":{"message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53"}},"sourceBranch":"main","suggestedTargetBranches":["9.3","9.2","8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/259658","number":259658,"mergeCommit":{"message":"[Security Solution] only show notes for a saved timeline (ignoring emtpy string from draft timelines) (#259658)\n\n## Summary\n\nThis one-liner PR fixes a very annoying bug we've had for a while, where\nsome unwanted notes show up in draft Timelines. While the fix is\nextremely simple and easy, finding why this was happening was\ninteresting.\n\n### Some context\n\nFor a while now, we were seeing some unwanted notes showing up when\ninvestigating in Timeline. We were not sure why sometimes these notes\nwere showing up, and sometimes they were not. The weirdest thing is we\nwere seeing notes that had been saved only to a document (meaning not\nassociated with a Timeline). Those should never show up on the Timeline\nNotes tab...\n\n> [!NOTE]\n> All notes created in the video below are associated with a document\nonly (not Timeline)\n\n\nhttps://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2\n\nAs you can see in the video above, the behavior is inconsistent:\n- for the first alert we investigate, no notes are showing up\n- for the second alert we investigate, some random notes are showing up\n- for the attack we investigate, those same random notes are showing up\n\n### Explanation of the issue\n\nWhat is happening because of the following bug: this\n[makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393)\nfunction is returning all notes that have the same `savedObjectId` field\nas the passed value. This includes empty string!\n\n### Why isn't that happening for some alerts?\n\nIn the video above, you can see that for the first alert, the issue is\nnot happening. This is because that alert was generated by a rule that\nhas an investigation guide. When we investigate in Timeline for an alert\ngenerated by a rule with an investigation guide, we automatically create\na note (see [this line\nhere](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)),\nwhich then triggers this middleware and saves the Timeline\n[here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49).\nSaving the Timeline basically sets a `savedObject` in Redux. This\ncombined with the selector issue mentioned above results in the\ndifferent behaviors we're seeing.\n\nInvestigate in Timeline for the 2 different rules:\n\n| Rule with investigation guide |Rule without investigation guide |\n| ------------- | ------------- |\n| <img width=\"460\" height=\"125\" alt=\"Screenshot 2026-03-25 at 3 34\n39 PM\"\nsrc=\"https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016\"\n/> | <img width=\"361\" height=\"162\" alt=\"Screenshot 2026-03-25 at 3 33\n34 PM\"\nsrc=\"https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9\"\n/> |\n\n### The fix\n\nThis fix basically prevents any notes that are NOT associated with a\ntimeline saved object to show up in the Timeline Notes tab. This is also\nvalid for attacks!\n\n\nhttps://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\nhttps://github.com/elastic/security-team/issues/16396","sha":"8f9bd5138d42b8aae143c18bfd485f102106bf53"}},{"branch":"9.3","label":"v9.3.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.8","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.14","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Philippe Oberti <philippe.oberti@elastic.co>
jeramysoucy
pushed a commit
to jeramysoucy/kibana
that referenced
this pull request
Apr 1, 2026
…tpy string from draft timelines) (elastic#259658) ## Summary This one-liner PR fixes a very annoying bug we've had for a while, where some unwanted notes show up in draft Timelines. While the fix is extremely simple and easy, finding why this was happening was interesting. ### Some context For a while now, we were seeing some unwanted notes showing up when investigating in Timeline. We were not sure why sometimes these notes were showing up, and sometimes they were not. The weirdest thing is we were seeing notes that had been saved only to a document (meaning not associated with a Timeline). Those should never show up on the Timeline Notes tab... > [!NOTE] > All notes created in the video below are associated with a document only (not Timeline) https://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2 As you can see in the video above, the behavior is inconsistent: - for the first alert we investigate, no notes are showing up - for the second alert we investigate, some random notes are showing up - for the attack we investigate, those same random notes are showing up ### Explanation of the issue What is happening because of the following bug: this [makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393) function is returning all notes that have the same `savedObjectId` field as the passed value. This includes empty string! ### Why isn't that happening for some alerts? In the video above, you can see that for the first alert, the issue is not happening. This is because that alert was generated by a rule that has an investigation guide. When we investigate in Timeline for an alert generated by a rule with an investigation guide, we automatically create a note (see [this line here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)), which then triggers this middleware and saves the Timeline [here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49). Saving the Timeline basically sets a `savedObject` in Redux. This combined with the selector issue mentioned above results in the different behaviors we're seeing. Investigate in Timeline for the 2 different rules: | Rule with investigation guide |Rule without investigation guide | | ------------- | ------------- | | <img width="460" height="125" alt="Screenshot 2026-03-25 at 3 34 39 PM" src="https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016" /> | <img width="361" height="162" alt="Screenshot 2026-03-25 at 3 33 34 PM" src="https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9" /> | ### The fix This fix basically prevents any notes that are NOT associated with a timeline saved object to show up in the Timeline Notes tab. This is also valid for attacks! https://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9 ### Checklist Check the PR satisfies following conditions. - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. elastic/security-team#16396
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Apr 2, 2026
…tpy string from draft timelines) (elastic#259658) ## Summary This one-liner PR fixes a very annoying bug we've had for a while, where some unwanted notes show up in draft Timelines. While the fix is extremely simple and easy, finding why this was happening was interesting. ### Some context For a while now, we were seeing some unwanted notes showing up when investigating in Timeline. We were not sure why sometimes these notes were showing up, and sometimes they were not. The weirdest thing is we were seeing notes that had been saved only to a document (meaning not associated with a Timeline). Those should never show up on the Timeline Notes tab... > [!NOTE] > All notes created in the video below are associated with a document only (not Timeline) https://github.com/user-attachments/assets/e2aabe64-41e0-4db6-b78a-8e1fabe86ba2 As you can see in the video above, the behavior is inconsistent: - for the first alert we investigate, no notes are showing up - for the second alert we investigate, some random notes are showing up - for the attack we investigate, those same random notes are showing up ### Explanation of the issue What is happening because of the following bug: this [makeSelectNotesBySavedObjectId](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/notes/store/notes.slice.ts#L393) function is returning all notes that have the same `savedObjectId` field as the passed value. This includes empty string! ### Why isn't that happening for some alerts? In the video above, you can see that for the first alert, the issue is not happening. This is because that alert was generated by a rule that has an investigation guide. When we investigate in Timeline for an alert generated by a rule with an investigation guide, we automatically create a note (see [this line here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/components/open_timeline/use_update_timeline.tsx#L138)), which then triggers this middleware and saves the Timeline [here](https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/security_solution/public/timelines/store/middlewares/timeline_note.ts#L49). Saving the Timeline basically sets a `savedObject` in Redux. This combined with the selector issue mentioned above results in the different behaviors we're seeing. Investigate in Timeline for the 2 different rules: | Rule with investigation guide |Rule without investigation guide | | ------------- | ------------- | | <img width="460" height="125" alt="Screenshot 2026-03-25 at 3 34 39 PM" src="https://github.com/user-attachments/assets/927aff70-9773-4d11-b95b-c7044fe94016" /> | <img width="361" height="162" alt="Screenshot 2026-03-25 at 3 33 34 PM" src="https://github.com/user-attachments/assets/725f0db3-bbbb-40c3-bf56-0aec54823cf9" /> | ### The fix This fix basically prevents any notes that are NOT associated with a timeline saved object to show up in the Timeline Notes tab. This is also valid for attacks! https://github.com/user-attachments/assets/33bb193c-557d-4a15-84d7-100532e330f9 ### Checklist Check the PR satisfies following conditions. - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. elastic/security-team#16396
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This one-liner PR fixes a very annoying bug we've had for a while, where some unwanted notes show up in draft Timelines. While the fix is extremely simple and easy, finding why this was happening was interesting.
Some context
For a while now, we were seeing some unwanted notes showing up when investigating in Timeline. We were not sure why sometimes these notes were showing up, and sometimes they were not. The weirdest thing is we were seeing notes that had been saved only to a document (meaning not associated with a Timeline). Those should never show up on the Timeline Notes tab...
Note
All notes created in the video below are associated with a document only (not Timeline)
Screen.Recording.2026-03-25.at.12.48.37.PM.mov
As you can see in the video above, the behavior is inconsistent:
Explanation of the issue
What is happening because of the following bug: this makeSelectNotesBySavedObjectId function is returning all notes that have the same
savedObjectIdfield as the passed value. This includes empty string!Why isn't that happening for some alerts?
In the video above, you can see that for the first alert, the issue is not happening. This is because that alert was generated by a rule that has an investigation guide. When we investigate in Timeline for an alert generated by a rule with an investigation guide, we automatically create a note (see this line here), which then triggers this middleware and saves the Timeline here. Saving the Timeline basically sets a
savedObjectin Redux. This combined with the selector issue mentioned above results in the different behaviors we're seeing.Investigate in Timeline for the 2 different rules:
The fix
This fix basically prevents any notes that are NOT associated with a timeline saved object to show up in the Timeline Notes tab. This is also valid for attacks!
Screen.Recording.2026-03-25.at.12.54.21.PM.mov
Checklist
Check the PR satisfies following conditions.
release_note:*label is applied per the guidelinesbackport:*labels.https://github.com/elastic/security-team/issues/16396