elastic/kibana

[Security Solution][Bug] Commenter Identity Mismatch in Rule Exceptions (ID vs. Username)

Open

#259743 opened on Mar 26, 2026

View on GitHub
 (5 comments) (0 reactions) (2 assignees)TypeScript (19,065 stars) (8,021 forks)batch import
Feature:Rule ExceptionsTeam: SecuritySolutionTeam:Detection EngineTeam:Detections and Respbugeffort:lowgood first issueimpact:lowv9.4.0value:medium

Description

Describe the bug:

  • When a user adds a comment to a Rule Exception, the UI correctly displays their Username and Avatar during the drafting phase. However, once the comment is saved and viewed in the "Active exceptions" list, the UI displays the User ID (e.g., a numeric string like 2983883891) instead of the actual Username.

Kibana/Elasticsearch Stack version:

VERSION: 9.4.0
BUILD: 99548
COMMIT: 5f7b89e1881bc6e1466b6723aaf19c54f8777719

Pre conditions: 1.Kibana 9.4.0 must be running. 2.User have rules running and some alerts generated.

Steps to reproduce:

  1. Navigate to Security > Rules > Detection rules (SIEM).
  2. Select a rule and go to the Rule exceptions tab.
  3. Click on the "..." (Actions) menu for an existing exception and select "Edit rule exception".
  4. Scroll to the Add comments section and type a comment.
  5. Note that the avatar and username are correctly displayed next to the text box while typing.
  6. Click "Edit rule exception" (Save button).
  7. On the main exceptions list, click "Show comments (X)" to expand the thread.
  8. Observe the name displayed next to the saved comment.

Current behavior:

  • The UI displays the raw User ID (e.g., 2983883891), making it difficult for team members to identify the commenter without looking up the ID manually.

Expected behavior:

  • The saved comment should display the Username to ensure clear accountability and readability.

Screen capture:

https://github.com/user-attachments/assets/a0ae3736-408b-49f4-91e2-b739bfc663d6

Contributor guide

Tech stack
typescriptreactnodejs
Domain
frontend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
ReactKibana development setup
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
30
Research direction
Investigate the component responsible for displaying saved comments in the 'Active exceptions' list, likely located in the Security Solution's rule exceptions UI. Compare it with the comment drafting component that correctly shows usernames. Look for where the comment data is fetched and how the user identifier is resolved: the saved comment might store only the user ID, and the UI might be missing a lookup to the username. Check if there is a utility or hook that maps user IDs to usernames elsewhere in the codebase, and apply it to the saved comment display.