Skip to content

[Security Solution][Attacks/Alerts][Attacks page][Table section] Preserver "Sort by" state on Attacks page (#256717)#256795

Merged
e40pud merged 7 commits intoelastic:mainfrom
e40pud:security/attack-alerts-alignment/256717-persist-sort-state
Mar 11, 2026
Merged

[Security Solution][Attacks/Alerts][Attacks page][Table section] Preserver "Sort by" state on Attacks page (#256717)#256795
e40pud merged 7 commits intoelastic:mainfrom
e40pud:security/attack-alerts-alignment/256717-persist-sort-state

Conversation

@e40pud
Copy link
Copy Markdown
Contributor

@e40pud e40pud commented Mar 9, 2026

Summary

Closes #256717

This PR introduces state persistence for the "Sort by" dropdown on the Attacks page table, resolving an issue where users would lose their sort preferences when navigating away from the page or refreshing.

By replacing the local useState hook with useLocalStorage in the TableSection component, the table's sorting configuration is now preserved across sessions and page reloads, falling back to the default sort (DEFAULT_ATTACKS_SORT) if no previous selection exists or if the stored state is invalid.

Verification Steps

Prerequisites

  1. Enable the enableAlertsAndAttacksAlignment experimental feature flag in kibana.dev.yml or kibana.yml:
xpack.securitySolution.enableExperimental: ['enableAlertsAndAttacksAlignment']
  1. Navigate to Stack Management > Advanced Settings > Space Settings > Security Solution.
  2. Find the setting Enable alerts and attacks alignment (securitySolution:enableAlertsAndAttacksAlignment).
  3. Enable the setting and save.
  4. Refresh the page if necessary.

Test the change

  1. Navigate to the Attacks page within the Security Solution.
  2. Observe the "Sort by" dropdown on the Alerts/Attacks table. It should default to "Most recent" (or whichever default is configured).
  3. Change the sorting option to something else (e.g., sort by "Least alerts").
  4. Refresh the page in your browser.
  5. Verify that the table is still sorted by the option you selected in step 3.
  6. Navigate to another page in Kibana (e.g., Dashboards or Discover) and then navigate back to the Attacks page.
  7. Verify that the table retains your selected sort preference.
  8. Optional: Open the browser's developer tools, go to the Application/Storage tab, find the local storage key securitySolution:attacksTableSort, and delete it or set it to an invalid value (e.g., null or []). Refresh the page and verify that it falls back gracefully to the default sorting option without errors.

PR developed with Cursor + Gemini 3.1 Pro

@e40pud e40pud self-assigned this Mar 9, 2026
@e40pud e40pud added the release_note:skip Skip the PR/issue when compiling release notes label Mar 9, 2026
@e40pud e40pud requested a review from a team as a code owner March 9, 2026 21:16
@e40pud e40pud added backport:skip This PR does not require backporting Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Threat Hunting Investigations Team labels Mar 9, 2026
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Mar 9, 2026

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Mar 9, 2026

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Mar 9, 2026

Pinging @elastic/security-solution (Team: SecuritySolution)

NicholasPeretti
NicholasPeretti approved these changes Mar 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@NicholasPeretti NicholasPeretti left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work! 🚀

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Mar 10, 2026
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #157 / Cloud Security Posture Vulnerability Dashboard API responds with a 200 status code and matching data mock
  • [job] [logs] FTR Configs #157 / Cloud Security Posture Vulnerability Dashboard API responds with a 200 status code and matching data mock

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 11.3MB 11.3MB +105.0B

History

cc @e40pud

@e40pud e40pud merged commit 9d44610 into elastic:main Mar 11, 2026
18 checks passed
mbondyra added a commit to mbondyra/kibana that referenced this pull request Mar 11, 2026
@mbondyra
Merge commit '565f7545c422192218b803874fbdf93e8d8f08ee' into timerang…
e20c307 
…e_fix

* commit '565f7545c422192218b803874fbdf93e8d8f08ee': (27 commits)
  [Lens API] ESQL schema for XY separately for Agent and some small token optimizations (elastic#256885)
  Fix "Accessing resource attributes before async attributes settled" telemetry error (elastic#256880)
  [Security Solution][Attacks/Alerts][Attacks page][Table section] Preserver "Sort by" state on Attacks page (elastic#256717) (elastic#256795)
  [APM] Improve redirect with default date range guard (elastic#256887)
  [Security Solution][Attacks/Alerts][Attacks page][Table section] Add assignees avatars to the group component (elastic#250126) (elastic#256901)
  [Docs] add xpack.alerting.rules.maxScheduledPerMinute setting description (elastic#257041)
  [SO] Fix non-deterministic ordering in nested find API integration tests (elastic#256447)
  [Write-restricted dashboards] Update user profile retrieval for getShouldAddAccessControl (elastic#255065)
  [One Workflow] Add Scout API test scaffold and execution tests (elastic#256300)
  [Fleet] add use_apm if dynamic_signal_types are enabled (elastic#256429)
  [Fleet] ignore data streams starting with `.` in Fleet API (elastic#256625)
  [ES|QL] METRICS_INFO support: columns_after & summary (elastic#256758)
  [Agent Builder] Agent plugins: initial installation support (elastic#256478)
  [Streams] Add field descriptions and documentation-only field overrides (elastic#255136)
  [api-docs] 2026-03-11 Daily api_docs build (elastic#257023)
  [Security Solution] fix alerts page infinite loading state due to data view error (elastic#256983)
  [Logging] Add `service.*` global fields (elastic#256878)
  [Canvas] Apply embeddable transforms to embeddable elements (elastic#252191)
  [table_list_view_table] stabilize jest test (elastic#254991)
  [Obs AI] get_index_info: add unit tests (elastic#256802)
  ...
@divyaaghi-qasource
Copy link
Copy Markdown

divyaaghi-qasource commented Mar 13, 2026

/ci

sorenlouv pushed a commit that referenced this pull request Mar 17, 2026
@e40pud @kibanamachine @sorenlouv
[Security Solution][Attacks/Alerts][Attacks page][Table section] Pres…
16f5b8b 
…erver "Sort by" state on Attacks page (#256717) (#256795)

## Summary

Closes #256717

This PR introduces state persistence for the "Sort by" dropdown on the
Attacks page table, resolving an issue where users would lose their sort
preferences when navigating away from the page or refreshing.

By replacing the local `useState` hook with `useLocalStorage` in the
`TableSection` component, the table's sorting configuration is now
preserved across sessions and page reloads, falling back to the default
sort (`DEFAULT_ATTACKS_SORT`) if no previous selection exists or if the
stored state is invalid.

## Verification Steps

### Prerequisites
1. Enable the `enableAlertsAndAttacksAlignment` experimental feature
flag in `kibana.dev.yml` or `kibana.yml`:
```yaml
xpack.securitySolution.enableExperimental: ['enableAlertsAndAttacksAlignment']
```
2. Navigate to **Stack Management > Advanced Settings > Space Settings >
Security Solution**.
3. Find the setting **Enable alerts and attacks alignment**
(`securitySolution:enableAlertsAndAttacksAlignment`).
4. Enable the setting and save.
5. Refresh the page if necessary.

### Test the change
1. Navigate to the **Attacks** page within the Security Solution.
2. Observe the "Sort by" dropdown on the Alerts/Attacks table. It should
default to "Most recent" (or whichever default is configured).
3. Change the sorting option to something else (e.g., sort by "Least
alerts").
4. Refresh the page in your browser.
5. Verify that the table is still sorted by the option you selected in
step 3.
6. Navigate to another page in Kibana (e.g., Dashboards or Discover) and
then navigate back to the Attacks page.
7. Verify that the table retains your selected sort preference.
8. Optional: Open the browser's developer tools, go to the
Application/Storage tab, find the local storage key
`securitySolution:attacksTableSort`, and delete it or set it to an
invalid value (e.g., `null` or `[]`). Refresh the page and verify that
it falls back gracefully to the default sorting option without errors.

---

_PR developed with Cursor + Gemini 3.1 Pro_

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NicholasPeretti NicholasPeretti NicholasPeretti approved these changes

Assignees

@e40pud e40pud

Labels

backport:skip This PR does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Threat Hunting Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team v9.4.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Security Solution][Attacks/Alerts][Attacks page][Table section] Preserver "Sort by" state on Attacks page

6 participants

@e40pud @elasticmachine @divyaaghi-qasource @NicholasPeretti @dmlemeshko @kibanamachine